Purpose and scope of application.
1.1. The Personal Data Processing Policy document (hereinafter referred to as “Policy”) defines the basic principles of processing personal data, as well as the requirements for personal data protection in LLC “MUS” (hereinafter referred to as “Operator”). The Policy is a public document.
1.2. The Policy is valid indefinitely after approval, until it is replaced by a new version.
1.3. The Policy uses terms and definitions in accordance with their meanings, as defined in the Federal Law No. 152-FZ “On Personal Data”.
1.4. The Policy applies to all employees of the Operator (including workers under labor contracts and workers under work contracts) and all structural divisions of the Company, including separate divisions. The requirements of the Policy are also taken into account and imposed on other persons when they need to participate in the processing of personal data by the Operator, as well as when personal data are transferred to them in the prescribed manner under agreements, contracts, or processing orders.
Details of personal data processing.
2.1. Personal Data are processed by the Operator with or without the application of automation technologies or software.
2.2. Personal Data Processing means any action performed on personal data, including the acquisition, recording, systematization, accumulation, storage, clarification, updating and alteration, extraction, use, transfer (distribution, representation, providing access), depersonalization, blocking, deleting and annihilation.
2.4. Personal Data Processing is performed on a legitimate and equitable basis and is based on the following statutory acts:
The Constitution of the Russian Federation;
The Labor Code of the Russian Federation;
The Civil Code of the Russian Federation;
The Tax Code of the Russian Federation;
The Federal Law No. 152-FZ “On Personal Data”, dated July 27, 2006;
The Federal Law No. 1-FZ “On Electronic Digital Signature”, dated January 10, 2002;
The Federal Law No. 63-FZ “On Electronic Signature”, dated April 06, 2011;
The Federal Law No. 99-FZ “On Licensing of Some Activities”, dated May 04, 2011;
The Federal Law No. 126-FZ “On Communications”, dated July 7, 2003;
The Federal Law No. 27-FZ “On Individual (Personalized) Accounts in the System of Compulsory Pension Insurance”, dated April 01, 1996;
The Federal Law No. 212-FZ “On Insurance Contributions to the Pension Fund of the Russian Federation”, dated July 24, 2009;
The Federal Law No. 125-FZ “About Archiving in the Russian Federation”, dated October 22, 2004;
The Law No. 3266-1 “About Education”, dated July 10, 1992;
Charter of LLC “MUS”.
2.4. The content and volume of the processed personal data are determined based on the processing purpose. Personal data that is redundant or incompatible with respect to the following main purposes is not processed:
conclusion of labor relations with individuals;
fulfillment of contractual obligations of the Operator;
performing the functions of a certification center;
compliance with applicable labor, accounting, pension and other legislation of the Russian Federation.
2.5. The main categories of data subjects whose personal data are processed by the Operator include:
individuals employed and contracted by Operator;
individuals employed and contracted by Operator’s counterparties;
individuals to whom Operator provides services as part of its statutory activities and job seekers.
2.6. For the specified categories of subjects, the following may be processed:
last name, first name, middle name, date of birth, place of birth, address, family status, social status, property status, education, profession, income, INN (Taxpayer Identification Number), SNILS (Personal Pension Account Number), contact information (phone, email address), other information as may be required by standard forms and standard processing procedure.
2.7. The accuracy and sufficiency of personal data and their relevance to the purposes of personal data processing are ensured. Inaccurate or incomplete personal data are updated.
2.8. Non-public personal data are kept confidential.
2.9. Personal data shall be processed and stored within the time period needed to achieve the purpose of personal data processing, unless there are legitimate reasons for further processing, for example, where federal law or an agreement with the subject of personal data has not established an appropriate storage period.
The personal data shall be annihilated or anonymized upon the following events:
the purpose of personal data processing is achieved or the maximum storage period is exceeded by 30 days;
there is no further need to accomplish the purpose of personal data processing within 30 days;
the data subject or his legal representative provides evidence that the personal data are illegally obtained or not required for the purpose of processing within 7 days;
it is impossible to ensure the legitimate processing of personal data within 10 days;
the data subject revokes consent to personal data processing or the personal data need no longer be stored for the purpose of personal data processing within 30 days;
the data subject revokes consent to the processing of personal data used for contracts with potential consumers in the promotion of goods and services within 2 days;
expiration of limitation periods for legal relationships in which personal data are processed;
liquidation or reorganization of the Operator.
2.10. Personal data processing under Operator's contracts and other agreements and personal data processing instructions given and received by Operator is carried out in accordance with the terms of these contracts, agreements of the Operator or agreements with persons who are entrusted with the processing. The agreements may determine:
purposes, conditions, terms of processing data;
obligations or agreements including measures to keep confidentiality;
rights, obligations and responsibilities of the parties processing personal data.
2.11. Beyond the scope of explicit provision of the current legislation or the contract, processing shall be subject to the prior consent of the data subject. The consent can be expressed in the form of an action, acceptance of the terms of a contract, affixing appropriate marks, filling in forms, or in writing as stipulated by law. A mandatory case of obtaining prior consent is a contract with a potential consumer when promoting the Operator's goods and services on the market.
2.12. The Operator is registered in the register of the authorized body for the protection of the rights of personal data subjects under No. 09-0066830. The register contains information about the Operator, including: name of organization, contact information, information about the processing of personal data and security measures.
Personal data security measures.
3.1. The Operator takes the necessary legal, organizational and technical measures to ensure the security of personal data to protect it from unauthorized (including accidental) access, annihilation, changes, blocking access and other unauthorized actions. The measures include:
appointment of employees responsible for organizing the processing and ensuring the security of personal data;
verification of contracts and inclusion of clauses on securing the confidentiality of personal data;
publication of local acts on the processing of personal data, familiarization of employees, user trainings;
security of premises and processing facilities, access control, security, video monitoring;
control and selective access to personal data and processing facilities, monitoring of actions with personal data;
definition of threats to the security of personal data processing and creation of threat models on their basis;
use of special software and security tools, including those that have passed the conformity assessment procedure in the established order;
accounting and storage of information carriers, excluding their theft, substitution, unauthorized copying and annihilation;
backup of information for recovery;
internal controls over compliance with the established procedure, verification of the effectiveness of measures, incident response.
Data subject rights.
4.1. The data subject shall be entitled to revoke consent to the processing of personal data by giving notice thereof to the Operator by post or in person.
4.2. The data subject is entitled to receive information pertaining to the processing of his personal data, including details such as:
acknowledgement of processing of personal data by Operator;
statutory authority and purpose of personal data processing;
personal data processing purposes and procedures used by Operator;
Operator's name and place of business, details of the persons (other than Operator's staff/employees) who have access to the personal data or to whom personal data can be disclosed under contract with Operator or by federal law;
the data subject's personal data being processed and the source thereof unless alternative arrangements are stipulated by federal law for the sourcing of such data;
the time frame for the processing of personal data, including the length of the storage thereof;
arrangements for the exercise by the data subject of the rights provided by the Federal Law on Personal Data;
information about completed or anticipated cross-border transfer of personal data;
the business name or the last name, first name and middle name, address of the person tasked by Operator to process personal data where processing is outsourced;
other details as may be required by the Federal Law on Personal Data or other federal laws.
4.3. The data subject shall be entitled to demand that Operator update, block or annihilate his personal data where the personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing or use.
4.4. If the data subject believes that Operator performs the processing of his personal data in violation of the requirements of the Federal Law on Personal Data or otherwise violates his rights and freedoms, the data subject shall be entitled to appeal against Operator's acts or omissions to the competent authority in charge of protecting the rights of data subjects (Federal Communications, Information Technology and Media Oversight Agency — Roskomnadzor) or through the court.
4.5. The data subject is entitled to seek redress against those who infringe their rights and legitimate interests, including pecuniary and moral injury by legal means.
Roles and responsibilities.
5.1. Operator's rights and duties are determined by the current legislation and Operator's agreements.
5.2. Control over the implementation of the requirements of this Policy is carried out by the person in charge of the processing of personal data and the Information Security Department of the Operator (to the extent of their authority).
5.3. The person responsible for personal data processing by the Operator's order shall bear responsibility before the Operator, in accordance with the terms of a civil law contract or confidentiality agreement between Operator and the counterparty.
5.4. Persons guilty of a breach of regulations governing personal data processing and security shall be subject to financial punishments, disciplinary action, administrative sanctions, civil or criminal liability in the manner prescribed by federal laws and Operator's bylaws and agreements.
5.5. The Policy shall be developed by the person in charge of the processing of personal data and shall enter into force when approved by the head of Operator. Please email your comments and suggestions to amend the Policy to [email protected]. The Policy is reviewed annually to keep it up to date and is updated as needed.