Policy regarding the processing of personal data of the limited liability company “Alfa”
- General Provisions
1.1. This Policy regarding the processing of personal data (the “Policy”) is accepted and operates in the Limited Liability Company Alfa (address: Russia, 630128, Novosibirsk, Demakova St., OGRN 1135476146101, hereinafter referred to as “the Company” ).
1.2. The Company collects, uses and protects personal data that personal data subjects and other authorized persons provide to the Company when using the Company’s websites and mobile applications (hereinafter referred to as “sites”) from any device and in communication with the Company in any form, in accordance with this Policy .
1.3. Using the Company’s sites and providing the Company with personal data, the subject of personal data agrees to the processing of his personal data in accordance with this Policy.
1.4. The policy is subject to publication on the Internet on the Company’s website.
1.5. Basic concepts.
The concepts in this Policy are used in the meaning defined by the legislation of Russia on personal data, in particular:
“Personal data” means any information relating directly or indirectly to a specified or determined individual (subject of personal data);
“Processing of personal data” means the performance of any actions or combination of actions with respect to your personal data, including collection, recording, systematization, accumulation, storage, updating and modification, extraction, use, transfer (distribution, provision, access), depersonalization, removal and destruction, both with and without the use of automated personal data processing systems;
“Provision of personal data” – actions aimed at disclosing personal data to a specific person or a certain circle of persons;
“Distribution of personal data” – actions aimed at disclosing personal data to an undefined circle of persons;
“Cross-border transfer of personal data” means the transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity;
“Blocking of personal data” – temporary termination of the processing of personal data (except for cases when processing is necessary to clarify personal data);
“Destruction of personal data” – actions, as a result of which it becomes impossible to restore the contents of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
“Depersonalization of personal data” – actions resulting in the impossibility of using additional information to determine the ownership of personal data to a specific subject of personal data;
“Personal data information system” – a set of personal data contained in databases and providing their processing of information technology and technical means.
- Purposes of personal data processing
2.1. The company performs processing of personal data for the following purposes:
1) ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, local regulations of the Company;
2) the exercise of the functions, powers and duties imposed by the legislation of Russia on the Company, including the provision of personal data to public authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Fund for Mandatory Medical Insurance;
3) carrying out measures to counteract money laundering,
obtained through criminal means, and financing of terrorism;
4) regulation of labor relations with employees of the Company (assistance in employment, training and promotion, personal security, control of the quantity and quality of work performed, ensuring the safety of property);
5) provision of additional guarantees and compensations to employees of the Company and their family members, including non-state pension provision, voluntary medical insurance, medical services and other types of social security;
6) protection of life, health or other vital interests of subjects of personal data;
7) provision of information of a notification or marketing nature, including about goods, works, services, promotions, events (for which there is
the client’s prior consent to receive them);
8) consideration of the possibility of conclusion, preparation, conclusion, execution and termination of contracts with counterparties, including with subjects of personal data;
9) carrying out measures to resolve applications, claims, customer reports on the quality of service, the provision of products, the activities of sales channels;
10) formation of reference materials for internal information support of the Company’s activities;
11) execution of judicial acts, acts of other bodies or officials subject to enforcement in accordance with the legislation of Russia on enforcement proceedings;
12) the exercise of the rights and legitimate interests of the Company in the framework of carrying out the activities provided for by the charter and other local regulatory acts of the Company or third parties or achieving socially significant goals.
2.2. Other purposes of personal data processing that are not inconsistent with the laws of Russia, the purposes, tasks and activities of the Company are allowed, and the consent of the personal data subject has been obtained for the processing of this processing, or its receipt is not required in accordance with Russian legislation.
- Legal basis for processing personal data
Legal grounds for the processing of personal data by the Company, in particular, are:
- Labor Code of the Russian Federation;
- The Civil Code of the Russian Federation;
- The Tax Code of the Russian Federation;
- Federal Law No. 115-FZ of 07.08.2001 “On Counteracting the Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism”;
- Federal Law No. 27-F3 of April 1, 1996 “On Individual (Personalized) Accounting in the Mandatory Pension Insurance System”;
- Federal Law No. 149-F3 of 27.07.2006 “On Information, Information Technologies and Information Protection”;
- Federal Law No. 125-F3 of 22.10.2004 “On Archival Affairs in the Russian Federation”;
- Decree of the President of the Russian Federation of March 6, 1997, No. 188 “On Approving the List of Confidential Information”;
- Decree of the Government of the Russian Federation of September 15, 2008 No. 687 “On approval of the Regulation on the specifics of processing personal data, carried out without the use of automation equipment”;
- Decree of the Government of the Russian Federation of July 6, 2008, No. 512 “On approving the requirements for material carriers of biometric personal data and technologies for storing such data outside the personal data information systems”;
- Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 “On approval of the requirements for the protection of personal data when processing them in personal data information systems”;
- Order of FSTEC of Russia No. 55, Federal Security Service of Russia No. 86, Ministry of Information and
- Communications of Russia No. 20 dated February 13, 2008 “On Approval of the Procedure for the Classification of Information Systems for Personal Data”;
- Order FSTEC of Russia of February 18, 2013 No. 21 “On the approval of the composition and content of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems”;
- Order of Roskomnadzor from September 5, 2013 No. 996 “On approval of requirements and methods for the depersonalization of personal data”;
- charter and local regulations of the Company;
- contracts entered into by the Company in which the personal data subject is a party, beneficiary or guarantor;
consent to the processing of personal data provided to the Company by a personal data subject or its representative.
- The volume and categories of personal data being processed, categories of personal data subjects
4.1. The company processes the personal data of the following categories of subjects:
1) individuals who applied to the Company for employment purposes and who provided their personal data;
2) natural persons who are, as well as previously employed in the Company;
3) individuals who have provided their personal data in connection with the conclusion of a student agreement and other civil law contract, the subject of which is the performance of work (rendering services) by an individual of the Company that concluded such contracts, as well as individuals whose contractual relations with them terminated;
4) individuals who are affiliated persons and (or) heads of the Company and (or) managers, participants (shareholders) and (or) employees of a legal entity that is an affiliated person with respect to the Company, as well as natural persons who are beneficial owners of the Company;
5) individuals representing the interests of the Company before third parties on the basis of a power of attorney, as well as representatives of legal entities representing the interests of the Company before third parties on the basis of a power of attorney;
6) individuals who have provided their personal data in connection with the conclusion of contracts for which the Company sells or provides goods to an individual, performs work or services for him, or any other agreements (agreements) that are concluded or may be concluded between the Company in the future and a natural person, as well as in connection with the filing and filing with the Company of any applications, statements expressing the intention of an individual to receive goods from the Company or use the works (services) performed (provided mi) the Company;
7) individuals who applied to the Company for any type of request and who provided their personal data in this regard;
8) users (visitors) of the Company’s sites and users of mobile applications of the Company who provided their personal data by filling in the forms of such sites and mobile applications;
9) representatives of the above-mentioned individuals;
10) representatives, beneficiaries and beneficial owners of customers (counterparts) of the Company, as well as representatives of legal entities that apply to the Company for any type of request;
4.2. The company processes the following personal data of the above-mentioned subjects: surname, first name, patronymic; citizenship; year, month, date of birth; place of birth, address; profession, position; INN; SNILS; contact information (phone, e-mail); information on bank accounts, details for the transfer of electronic funds; information about property and liabilities. The Company has the right to process other categories of personal data if the consent to such processing is provided by the personal data subject or its representative or if it is necessary to fulfill the obligations established by the legislation of Russia.
4.3. The categories of personal data processed in accordance with the Policy for each specific category of personal data subjects are determined on the basis of the principle of reasonable sufficiency in order to achieve the purposes of processing personal data.
4.4. The company does not process personal data relating to special categories in accordance with the legislation of Russia on personal data, and biometric personal data, except in cases specifically stipulated in the Policy.
4.5. The processing of health information is carried out in accordance with the Labor Code of the Russian Federation, the Federal Law “On Compulsory Medical Insurance in the Russian Federation”, Part 2 of Art. 10 of the Federal Law “On Personal Data”.
- The procedure and conditions for the processing of personal data
5.1. The company collects, records, systemizes, accumulates, stores, updates (updates, changes), retrieves, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes and destroys personal data.
5.2. Methods of processing personal data in the Company:
5.2.1. Automated and mixed processing is applied to personal data:
– processed in accordance with labor law;
– made by the subject of personal data to the public;
– received by the Company in connection with the conclusion of a contract to which the personal data subject is a party, if personal data is not disseminated, and is not provided to third parties without the consent of the personal data subject and used by the Company solely for the performance of the said contract and conclusion of contracts with the personal data subject.
5.2.2. Non-automated processing of personal data is applied to other personal data.
5.3. The Company has the right to entrust processing of personal data to another person with the consent of the personal data subject on the basis of a contract concluded with that person. The contract must contain a list of actions (operations) with personal data that will be performed by the person processing personal data, the purpose of processing, the duty of such person to respect the confidentiality of personal data and ensure the safety of personal data during processing, as well as the requirements for protection of the processed personal data in According to Article 19 of the Federal Law “On Personal Data”.
5.4. The company does not disclose to third parties without the consent of the personal data subject and does not disseminate personal data unless otherwise provided by federal law.
- Protection of personal information
In the processing of personal data, the Company takes all necessary legal, organizational and technical measures to protect them from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful acts against them. Ensuring the security of personal data is achieved, in particular, in the following ways:
6.1. Appointment of the person responsible for organizing the processing and ensuring the security of personal data.
6.2. Implementation of internal control and (or) audit compliance of personal data processing with the Federal Law “On Personal Data” and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, local acts.
6.3. Familiarization of employees of the Company directly carrying out the processing of personal data with the provisions of the Russian legislation on personal data, including requirements for the protection of personal data, local acts regarding the processing of personal data and / or training of these employees.
6.4. Restriction and delineation of access of employees and other persons to personal data and processing facilities, monitoring of actions with personal data.
6.5. Identification of threats to the security of personal data when processing them in personal data information systems.
6.6. The use of security tools (antivirus, firewalls, means of protection against unauthorized access, means of cryptographic protection of information), including those who passed the procedure for assessing compliance in accordance with the established procedure.
6.7. Back up information for recovery.
6.8. Evaluation of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of an information system for personal data.
6.9. Accounting of computer carriers of personal data.
6.10. Identification of the facts of unauthorized access to personal data and taking appropriate measures.
6.11. Recovering personal data, modified or destroyed due to unauthorized access to them.
6.12. Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system.
6.13. Control over the measures taken to ensure the security of personal data and the level of security of information systems of personal data.
- Updating, rectification, deletion and destruction of personal data
7.1. Updating and correction of personal data is carried out on the basis of information submitted by the subject of personal data, his representative or authorized body for the protection of the rights of subjects of personal data. Within seven working days from the date of receipt of the relevant information, the Company is obliged to clarify the personal data or to provide for their clarification (if the processing of personal data is performed by another person acting on behalf of the Company) and to remove the blocking of personal data.
7.2. The company has set the following terms and conditions for the termination of the processing of personal data:
7.2.1. Achieving the goals of processing personal data and maximum retention periods is within 30 days.
7.2.2. Loss of the need to achieve the goals of processing personal data – within 30 days.
7.2.3. Provision by the subject of personal data or his legal representative of information confirming that personal data is illegally obtained or not necessary for the stated purpose of processing – within 7 days.
7.2.4. Inability to ensure the legality of processing personal data – within 10 days.
7.2.5. Recall by the subject of personal data consent to the processing of personal data, if the retention of personal data is no longer required for the processing of personal data – within 30 days.
7.3. After the deadline specified in Clause 7.2 of the Policy, the Company is obliged to destroy personal data or ensure their destruction if:
– the other is not stipulated by the contract, the party of which, the beneficiary or guarantor under which is the subject of personal data;
The Company has no right to process personal data without the consent of the subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws.
- Responding to requests from subjects of personal data
8.1. The Company is obliged to inform the subject of personal data or its representative in the manner provided for in Article 14 of the Federal Law “On Personal Data” on the availability of personal data relating to the relevant personal data subject and to provide an opportunity to review these personal data when the subject of personal data or his representative, or within thirty days from the date of receipt of the request of the subject of personal data or his representative.
8.2. In case of refusal to provide information on the availability of personal data on the relevant personal data subject or personal data to a personal data subject or its representative upon their application or upon receipt of a request from a personal data subject or its representative, the Company is obliged to give a motivated answer in writing, containing a reference to the provision federal law, which is the basis for such refusal, within a period not exceeding thirty days from the date of the request of the subject of personal data or representative, or from the date of receipt of the request the personal data subject or his representative.
8.3. The company is obliged to provide free of charge to the subject of personal data or his representative the opportunity to get acquainted with personal data relating to this subject of personal data.
8.4. An appeal of a personal data subject or its representative may be sent to the Company in any way that allows to establish reliably the contents of the appeal that sent his person and the availability of the corresponding right to appeal from such person.