List of Terms and Definitions
The following terms and definitions are used in this document:
Automated processing of personal data - Processing of personal data by means of computer technology.
Blocking of personal data - Temporary termination of personal data processing (except when processing is necessary to clarify personal data).
Information system of personal data - The combination of personal data contained in databases of personal data and information technology and technical means ensuring the processing of personal data.
Personal data depersonalization - Actions, as a result of which it becomes impossible, without the use of additional information, to determine the identity of the personal data to a particular personal data subject.
Processing of personal data - Any action (operation) or a set of actions (operations) performed with or without the use of automation with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.
Operator - State authority, municipal body, legal entity or individual, independently or jointly with other persons, organizing and (or) carrying out processing of personal data, as well as determining the purpose of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Personal data - Any information relating to a directly or indirectly identified or identifiable individual (personal data subject).
Provision of personal data - Actions aimed at disclosure of personal data to a certain person or a certain circle of persons.
Transboundary transfer of personal data - Transfer of personal data to a foreign country to a foreign authority, a foreign individual or a foreign legal entity.
Dissemination of personal data - Actions aimed at disclosure of personal data to an indefinite circle of persons.
Destruction of personal data - Actions, in the result of which it becomes impossible to restore the content of personal data in information system of personal data and (or) as a result of which tangible media personal data is destroyed.
1. General provisions
This policy on processing and security of personal data (hereinafter - Policy) is developed in accordance with Article 18.1 of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data" and is the main internal regulatory document of "EVR" Limited Liability Company and "Synergy" Limited Liability Company (hereinafter - Company), defining the key areas of its activities in the processing and security of personal data (hereinafter - PP), the operator of which is the Company.
The Policy was developed in order to implement the requirements of the legislation in the field of processing and security of Personal Data and is aimed at ensuring protection of rights and freedoms of a person and a citizen when processing his/her Personal Data in the Company.
2. Principles and objectives of personal data processing
The Company processes Personal Data in a lawful and fair manner, and is limited to achieving specific, predetermined and legitimate objectives. Only Personal Data satisfying the purposes for which it is processed shall be processed. The content and scope of Personal Data processed by the Company shall comply with the stated processing purposes, and no excessive processing of Personal Data shall be permitted.
When processing Personal Data, the Company shall ensure their accuracy, adequacy and, if necessary, relevance in relation to the purpose of Personal Data processing. The Company shall take necessary measures (shall ensure that they are taken) to remove or clarify incomplete or inaccurate Personal Data.
The Company shall store Personal Data in a form that allows identifying the subject of Personal Data no longer than required by the purposes of Personal Data processing, unless the term of personal data storage is established by federal law or an agreement, to which the subject of Personal Data is a party, beneficiary or guarantor. Processed Personal Data shall be destroyed or depersonalized upon attainment of the processing objectives or when it is no longer necessary to attain such objectives, unless otherwise provided for by federal law.
The purposes of processing, composition and contents of Personal Data, as well as categories of Personal Data subjects, whose data are processed by the Company, shall be contained in the Company's notice on processing Personal Data, sent to the authorized body for the protection of the rights of Personal Data subjects (Roskomnadzor), and updated in case they change.
In the course of its activities, the Company may provide and (or) assign processing of Personal Data to another person with the consent of the subject of Personal Data, unless otherwise provided for by federal law. In this case, the obligatory condition of providing and (or) entrusting the processing of Personal Data to another person is the obligation of the parties to respect the confidentiality and security of Personal Data during their processing.
The Company shall not place a subject's Personal Data in publicly available sources without his/her prior consent.
In the course of its business, the Company may transfer Personal Data across borders to foreign governments, foreign individuals or legal entities. In this case, the issues of adequate protection of the rights of the subjects of Personal Data and ensuring the security of their Personal Data in the cross-border transfer are the highest priority for the Company, which is implemented in accordance with the legislation of the Russian Federation on the processing of Personal Data.
The cross-border transfer of Personal Data to foreign countries that do not provide adequate protection for the rights of Personal Data subjects shall only take place if the subject of Personal Data consents in writing to the cross-border transfer of his/her Personal Data or performs an agreement to which the subject of Personal Data is a party, as well as in other cases provided for by law.
3. Scope and categories of processed personal data, categories of personal data subjects
The contents and volume of processed personal data in the Company for each subject, as well as objectives, terms of storage and legal grounds for processing are presented in the "List of personal data being processed in "EVR" LLC and "Synergy" LLC.
4. Rights of the subject of personal data
4.1 The consent of the subject of personal data on the processing of their personal data
The subject of personal data decides to provide its personal data and consents to their processing freely, willingly and in their own interest. Consent to the processing of personal data may be given by the subject of personal data or his/her representative in any form allowing to confirm the fact of its receipt, unless otherwise provided by federal law.
The obligation to provide proof of consent to the subject of personal data processing of his personal data or proof of the existence of the grounds referred to in 152-FZ, is the responsibility of the Company.
4.2 Rights of the subject of personal data
Subject of personal data has the right to receive information from the Company, related to the processing of his personal data, unless such right is limited in accordance with federal law. The subject of personal data has the right to demand from the Company to clarify his personal data, blocking or destruction of personal data, if personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of treatment, as well as to take statutory measures to protect their rights.
The processing of personal data for the purpose of promoting goods, works, services in the market through direct contact with the potential consumer by means of communication, as well as for political agitation purposes, is allowed only with the prior consent of the personal data subject. Said processing of personal data shall be deemed carried out without the prior consent of the subject of personal data, unless the Company can prove that such consent was obtained.
The Company shall immediately cease processing of personal data for the above purposes at the request of the personal data subject.
No decisions may be made based solely on automated personal data processing that produce legal consequences with respect to the personal data subject or otherwise affect his rights and legitimate interests, except as provided by federal law, or with the consent in writing of the personal data subject.
If the subject of personal data considers that the Company carries out the processing of his personal data in violation of the requirements of 152-FZ or otherwise violates his rights and freedoms, the subject of personal data may appeal against the action or inaction of the Company by filing a complaint to the competent authority to protect the rights of subjects of personal data or in court.
Personal data subjects have the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral harm in court.
5. Main steps to ensure security of personal data
In order to ensure security of Personal Data during their processing, the Company independently determines the composition and list of measures necessary and sufficient to fulfill obligations under the legislation in the field of processing and security of Personal Data. Such measures include, in particular:
-Appointing a person responsible for organizing the processing of Personal Data;
- Issuance of documents defining the Company policy in relation to the processing of Personal Data, local acts on the processing of Personal Data, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation in the field of processing and security of Personal Data, and eliminating the consequences of such violations;
- Applying legal, organizational and technical measures to ensure PP security;
Exercising internal control over PP processing compliance with the PP processing and security legislation and regulations adopted in accordance with it, PP protection requirements, Company policy regarding PP processing, Company local acts;
- Assessment of damage which may be caused to the subjects of Personal Data in case of a breach of the requirements of the law in the field of processing and security of Personal Data, the correlation of this damage and the Company's security measures for Personal Data;
- Making the Company employees directly engaged in processing Personal Data acquainted with the provisions of the law in the field of processing and security of Personal Data;
- Organizing the acceptance and processing of requests and inquiries from Personal Data subjects or their legal representatives, as well as control over the acceptance and processing of such requests and inquiries.
The Company's management is aware of the importance and necessity of ensuring the security of Personal Data and encourages continuous improvement of the system of protection of Personal Data processed as part of the Company's core business.
6. Final Provisions
Other rights and obligations of the Company as operator of personal data are defined by the legislation of the Russian Federation in the field of personal data.
Officials of the Company, guilty in violation of the rules governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal law.