Content
1. Introduction.
1.1. General information.
1.2. Terms and definitions.
1.3. The list of abbreviations used.
2. Principles of personal data processing.
3. Purposes, composition and grounds for processing personal data.
3.1. Processing of personal data in order for the Company, as an employer, to perform its functions and duties.
3.2. Processing of personal data in order to ensure proper fulfillment of the terms of contracts by contractors.
3.3. Processing of personal data for the purpose of filling vacant positions of the Company.
3.4. Processing of personal data authorized by the subject for distribution.
4. Conditions for processing personal data.
5. Confidentiality of personal data.
6. Ensuring the security of personal data.
7. The rights of the subject of personal data.
8. Responsibility.
1. Introduction
1.1. General information
This Policy in the field of personal data processing (hereinafter referred to as the Policy) of the Joint-Stock Company «Vintegra Security» (hereinafter referred to as JSC «Vintegra Security», the Company) was developed in order to define the general principles and conditions of personal data processing in the Company, as well as the basic measures to ensure the security of personal data during their processing in the Company’s personal data information systems.
In order to ensure compliance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data», the Company defines the most important tasks:
— ensuring the legality of personal data processing in the Company;
— ensuring an appropriate level of security of personal data processed in the Company.
This Policy applies to all personal data processing processes carried out by the Company.
The legislative basis of this Policy is the Constitution of the Russian Federation, Federal Law of the Russian Federation No. 152-FZ dated July 27, 2006 «On Personal Data», federal laws, Decrees of the President of the Russian Federation, resolutions of the Government of the Russian Federation, other regulatory legal acts in the field of processing and ensuring the security of personal data, as well as the governing documents of the FSTEC of Russia and the FSB of Russia.
This Policy is subject to publication on the Company’s website with unrestricted access to it, as a document defining the Company’s policy regarding the processing of personal data.
1.2. Terms and definitions
Automated processing of personal data is the processing of personal data using computer technology.
Personal data security is the state of protection of personal data from illegal actions, characterized by the ability of users, technical means and information systems to ensure the confidentiality, integrity and accessibility of personal data during their processing, regardless of the form of their presentation.
Blocking of personal data is the temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data).
Accessibility of personal data is the ability to freely obtain authorized access to personal data by persons who have the right to such access.
Information protection is an activity aimed at preventing leakage of protected information, unauthorized and unintended impacts on protected information.
Confidentiality of personal data is a mandatory requirement for the operator or other person who has access to personal data not to disclose to third parties and not to allow their dissemination in the absence of the consent of the personal data subject or other legitimate reason.
Unauthorized access to information is access to information that violates the rules of access control using standard tools provided by computer technology or automated systems.
Depersonalization of personal data is an action that makes it impossible to determine, without using additional information, which specific personal data subject the personal data belongs to.
Personal data processing is any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Personal data is any information related directly or indirectly to a specific or identifiable individual (subject of personal data).
Provision of personal data means actions aimed at disclosing personal data to a certain person or a certain circle of persons.
Dissemination of personal data means actions aimed at disclosing personal data to an indefinite circle of persons.
An information security tool is a software or hardware-software tool designed to solve various information protection tasks, including preventing leaks and ensuring the security of protected information.
Threats to the security of personal data are a set of conditions and factors that create a danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, dissemination of personal data, as well as other unauthorized actions during their processing in the personal data information system.
Destruction of personal data means actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
The integrity of personal data is the ability of computer hardware or an information system to ensure the immutability of personal data in conditions of accidental and/or intentional distortion (destruction).
1.3. List of abbreviations used
Company – Joint-Stock Company «Vintegra Security»
2. Principles of personal data processing
The processing of personal data in the Company is carried out on a lawful and fair basis in accordance with the following principles:
- the Company processes personal data in compliance with the principles, rules and in cases provided for by Federal Law of the Russian Federation No. 152-FZ dated July 27, 2006 «On Personal Data», taking into account the protection of the interests of the parties to the processing process;
- the processing of personal data should be limited to achieving specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed;
- it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
- only personal data that meet the purposes of their processing are subject to processing;
- the content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be redundant in relation to the stated purposes of their processing;
- when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured. The Company takes the necessary measures or ensures that they are taken to delete or clarify incomplete or inaccurate data;
- the storage of personal data must be carried out in a form that allows you to identify the subject of personal data, no longer than the purposes of personal data processing require, unless the period of storage of personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
3. Purposes, composition and grounds of personal data processing
The Company processes personal data for the purposes of:
- the fulfillment by the Company as an employer of its functions and responsibilities;
- ensuring proper fulfillment of the terms of contracts by contractors;
- filling vacant positions of the Company.
The list of processed data given in paragraphs 3.1, 3.2, 3.3 is exhaustive. At the same time, in exceptional cases, it is allowed to collect additional data about the subject, which is necessarily reflected in the consent of the subject to the processing of his personal data or as part of a contract concluded with the subject.
The collection and processing of special categories of personal data and biometric personal data is not carried out.
The Company does not process personal data for the purposes of advertising, promotion of goods and services or political agitation.
The Company does not create publicly available sources of personal data.
The composition of personal data must comply with the principle of their sufficiency to achieve the purposes of processing. The absence of redundancy of the processed personal data is monitored.
3.1. Processing of personal data in order for the Company, as an employer, to perform its functions and duties
In order to fulfill the Company’s functions and responsibilities as an employer: compliance with laws and other regulatory legal acts, execution of concluded employment contracts, including assistance to employees in training, advanced training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed and ensuring the safety of property; calculation and payment of wages, other charges, calculation and transfer of taxes and insurance premiums; maintaining military records; provision of additional services to employees at the expense of the employer (transfer of income to payment cards, insurance at the expense of the employer, provision of business trips) and financial assistance, payment of alimony and other deductions; provision of benefits and guarantees to employees provided by law for persons with (adopted) children, persons with family responsibilities, the Company processes the following personal data of employees of the Company:
- last name, first name, patronymic;
- date and place of birth;
- sex;
- citizenship;
- details of the identity document;
- address of residence and registration;
- marital status;
- information about the place of work and position, profession;
- information about the financial situation;
- income;
- insurance number of the individual personal account (SNILS);
- military registration data;
- information about education, qualifications or availability of social knowledge, academic degree;
- information on professional development and professional retraining;
- work experience, information about previous jobs and positions held, indicated in the work record;
- bank account details;
- phone number;
- email address;
- information about the presence of disability;
- information on the presence (absence) of a criminal record and (or) the fact of criminal prosecution;
- information about participation in the management bodies of other organizations;
- taxpayer identification number (TIN);
- information about the right to receive tax deductions and benefits;
- details of the document containing information about the death;
and the following personal data of relatives of employees of the Company, necessary for registration of the personnel nomenclature of cases (unified form T-2):
- last name, first name, patronymic;
- degree of kinship;
- year of birth.
The processing of personal data of an employee and his relatives in order for the Company to perform its functions and duties as an employer is carried out on the basis of the need for such processing to comply with the requirements of the federal legislation of the Russian Federation, the need for such processing to fulfill the terms of employment contracts concluded with employees, and on the basis of the consent of the personal data subject to the processing of his personal data.
Processing is carried out both automatically and without the use of automation tools. The following actions may be performed to process personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, depersonalization, blocking, deletion, destruction, transfer (provision, access).
The processing of personal data of an employee and his relatives is carried out during the term of his employment relationship with the Company. After termination of the employee’s employment relationship, only those documents containing the personal data of the dismissed employee, the retention period of which is established by the legislation of the Russian Federation, are subject to processing and storage.
3.2. Processing of personal data in order to ensure proper fulfillment of the terms of contracts by contractors
In order to ensure proper fulfillment of the terms of contracts by contractors, the Company processes the personal data of the subjects with whom contracts are concluded and their representatives:
- last name, first name, patronymic;
- details of the identity document;
- position;
- insurance number of the individual personal account (SNILS);
- taxpayer identification number (TIN);
- information about education, qualifications or availability of social knowledge, academic degree (for specific types of activities);
- information on advanced training and professional retraining (for specific types of activities).
The processing of personal data of subjects in order to properly fulfill the terms of contracts by contractors is carried out on the basis of the need for such processing for the performance of the contract, the party, beneficiary or guarantor of which is the subject of personal data.
Processing is carried out both automatically and without the use of automation tools. To process the personal data of contractors under contracts and their representatives, the Company may perform the following actions: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, depersonalization, blocking, deletion, destruction, transfer (provision, access).
The processing of personal data of subjects in order to ensure proper fulfillment of the terms of contracts by contractors must be terminated upon achievement of the processing goals (objectives of the contract), the processing period specified in the contract, or in case of loss of the need to achieve these goals (termination of the contract). Upon the occurrence of these conditions, the personal data of the subjects are subject to destruction (deletion) or depersonalization, with the exception of documents containing personal data, the retention periods of which are established by the legislation of the Russian Federation.
3.3. Processing of personal data for the purpose of filling vacant positions of the Company
In order to fill vacant positions, the Company processes the personal data of subjects applying for vacant positions:
- full name;
- sex;
- date of birth;
- passport data;
- information about work experience;
- insurance number of the FIU;
- registration address;
- data on citizenship (country);
- military registration data (relation to military duty, reserve category, military rank, composition of accounting, VUS, fitness for military service, attitude to military registration, period of service in the army, participation in the war);
- data on disability (series, number of the certificate of disability, date of issue of the certificate, date of disability, disability group, degree of restriction of work, conclusion on working conditions, validity period of the certificate, date of the next re-examination according to the rehabilitation card, the sign «disabled childhood»);
- marital status;
- information about education (type of education, educational institution, specialty, diploma series and number, form of study, graduation date);
- the number of the MHI policy;
- other information provided as part of the resume.
The processing of personal data of subjects for the purpose of filling vacant positions of the Company is carried out on the basis of the consent of the subject to the processing of his personal data given to the Company or in the user agreement when using the service that provides services to assist in the search for jobs and candidates.
Processing is carried out both automatically and without the use of automation tools. When processing personal data, the Company may perform the following actions: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, depersonalization, blocking, deletion, destruction.
Processing is carried out for the period of making a decision on admission or refusal to hire an applicant. After the decision is made, the information provided by the applicant must be deleted (destroyed) within 30 days.
3.4. Processing of personal data authorized by the subject for distribution
If necessary, the Company may process personal data authorized by the personal data subject for dissemination.
The processing of personal data authorized by the subject for distribution is allowed only with the consent of the subject of personal data, issued separately from other consents of the subject to the processing of his personal data.
In the consent to the processing of personal data authorized by the subject of personal data for dissemination, the subject has the right to establish prohibitions on the transfer (except for granting access) of these personal data by the Company to an unlimited number of persons, as well as prohibitions on processing or conditions for processing (except for obtaining access) of these personal data by an unlimited number of persons. The Company may not refuse to let the subject establish such prohibitions and conditions.
The silence and inaction of the subject under no circumstances can be considered consent to the processing of personal data authorized for dissemination.
The transfer (distribution, provision, access) of personal data authorized by the subject for distribution must be terminated at any time at the request of the subject of personal data.
The subject of personal data has the right to request the termination of the transfer (distribution, provision, access) of his personal data previously authorized for distribution to the Company in case of non-compliance with the requirements for processing personal data authorized for distribution, or to apply to the court with such a request.
4. Terms of personal data processing
The Company independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of personal data processing obligations provided for by Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data» and regulatory legal acts adopted in accordance with it, unless otherwise provided by federal laws.
The Company, in the course of its activities, on the basis of an agreement, may provide and (or) entrust the processing of personal data to third parties with the consent of the personal data subject, unless otherwise provided by federal law. At the same time, the condition for such provision and/or assignment is the obligation of a third party processing personal data on behalf of the Company to comply with the principles and rules of personal data processing, confidentiality of personal data and ensure the security of personal data during their processing.
The terms of personal data processing (retention periods) are determined in accordance with the purposes of personal data processing and are fixed for each purpose of processing and category of subjects. Storage periods may also be established by an agreement to which the subject of personal data is a party, beneficiary or guarantor, by the requirements of the legislation of the Russian Federation and by regulatory documents of the regulator.
The Company does not collect personal data on political, religious and other beliefs, the private life of the subject of personal data, his membership in the Company and other associations, including trade unions.
5. Confidentiality of personal data
The Company ensures the confidentiality of personal data of subjects in accordance with the requirements of the Federal Law of the Russian Federation dated July 27, 2006 No. 152-FZ «On Personal Data».
Access to personal data and their provision to third parties are limited by the requirements of the federal legislation of the Russian Federation and internal regulatory documents of the Company and are provided in strict accordance with the legislation of the Russian Federation.
Employees of the Company who have received access to personal data assume obligations to ensure the confidentiality of the processed personal data, which are determined by:
- an employment contract;
- internal regulatory documents of the Company.
6. Ensuring the security of personal data
The security of personal data processed by the Company is ensured by the implementation of legal, organizational, technical and programmatic measures aimed at protecting personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to personal data.
To ensure the security of personal data during their processing, the Company applies the following organizational and technical measures:
- internal control of compliance of personal data processing with the legislation of the Russian Federation;
- assessment of the harm that may be caused to personal data subjects in case of violation of Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data»;
- familiarization of the Company’s employees with the rules for working with personal data and local acts on personal data processing;
- security and fire alarm systems;
- access control and management system;
- the use of anti-virus protection, firewall protection, backup.
The objects of protection are:
- personal data processed and stored on servers, at users’ automated workplaces;
- personal data transmitted through communication channels and lines;
- personal data stored in documented form on paper;
- application and system software for servers, automated workstations used for processing personal data;
- hardware of software and hardware complexes, server equipment, automated workstations, communication equipment;
- information protection tools for personal data information systems.
The Company implements a personnel policy (careful selection of personnel and motivation), which makes it possible to exclude or minimize the possibility of violations of personal data security by its employees.
7. Rights of the personal data subject
The subject of personal data has the right:
- to demand clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights;
- to receive information from the Company regarding the processing of his personal data, including information containing:
· confirmation of the processing of personal data;
· legal grounds and purposes of personal data processing;
· purposes and methods of personal data processing used by the Company;
· information about persons (with the exception of employees of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
· processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for providing such data is provided for by federal law;
· terms of processing of personal data, including the terms of their storage;
· the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law of the Russian Federation dated July 27, 2006 No. 152-FZ «On Personal Data»;
· information about the transborder data transfer that has been carried out or is expected to be carried out;
· the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Company, if processing has been or will be entrusted to such a person.
- to require notification of all persons who have previously been informed of incorrect or incomplete personal data about all exceptions, corrections or additions made in them;
- to withdraw consent to the processing of their personal data in the cases provided for by law;
- to appeal to the authorized body for the protection of the rights of personal data subjects or in court against illegal actions or omissions in the processing of their personal data;
- to protect their rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.
To obtain information regarding the processing of their personal data, to withdraw consent to the processing of personal data, or to demand that personal data be clarified, blocked or destroyed, the subject may send the Company an appropriate request to the address: 115419, Moscow, 2nd Roshchinsky passage, 8c2.