Determining the purposes of processing personal data and how to work with them. Regulation on the processing and protection of personal data: examples of the purposes of personal data processing

This order for the processing of personal data (hereinafter referred to as the Order) was developed in accordance with Federal Law No. 152-FZ of 27.07.2006 "On Personal Data". The Order determines the procedure for processing personal data and the measures to ensure the security of personal data in CardsProService LLC in order to protect the rights and freedoms of a person and citizen when processing his personal data, including the rights to privacy, personal and family secrets.

1. TERMS AND DEFINITIONS

1) Personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data);

2) Operator (Customer) - a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;

3) Processing of personal data - any action (operation) or set of actions (operations) performed with personal data, using automation tools or without such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data;

4) Automated processing of personal data - processing of personal data using computer technology;

5) Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;

6) Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

7) Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify the personal data);

8) Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

9) Authorized persons of the Customer - persons acting in accordance with the confidentiality agreement concluded with the Customer;

10) Depersonalization of personal data - actions as a result of which it becomes impossible to determine, without the use of additional information, that personal data belongs to a specific subject of personal data;

11) Personal data information system - a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;

12) Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state, to an authority of a foreign state, a foreign natural person or a foreign legal entity;

13) Contractor - CardsProService LLC (123610, Moscow, Krasnopresnenskaya embankment, building 12, office building 1, room Id, room 42; OGRN 1157746550070).

2. INSTRUCTION TO PROCESS PERSONAL DATA

2.1. The Customer, being the Operator of personal data, in accordance with paragraph 3 of Art. 6 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", instructs the Contractor, and the Contractor undertakes, to process the personal data of subjects in the interests of the Customer and in pursuance of the User Agreement.

3. ORDER OF INTERACTION OF THE PARTIES

3.1. The basis for the Contractor's processing of personal data of subjects, carried out in the interests of the Customer, is the User Agreement.

3.2. The procedure for organizing the collection of consents of personal data subjects for the processing and transfer of their personal data, as well as the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data:

3.2.1. Purpose of personal data processing.

The processing of personal data is entrusted in order to implement loyalty programs.

3.2.2. List of personal data, the processing of which is entrusted to the Contractor

  • Full Name;
  • Place, year and date of birth;
  • Contact number;
  • Registration address;
  • Address of the place of actual residence (stay);
  • Passport data (series, passport number, by whom and when issued);
  • Phone number (home, work, mobile).

3.2.3. The list of actions (operations) with personal data that the Contractor is instructed to perform:
  • Collection of personal data.
  • Systematization of personal data.
  • Accumulation of personal data.
  • Use of personal data for the implementation of loyalty programs and communication with personal data subjects.
  • Storage of personal data.
  • Clarification (update, change) of personal data.
  • Extraction (unloading) - by additional written order of the Customer.
  • Depersonalization of personal data:
    - at the legal request of the subject of personal data, with the obligatory written notification of the Customer;
    - at the request of state regulatory authorities for the protection of the rights of subjects of personal data, with a mandatory written notification of the Customer.
  • Blocking of personal data:
    - by additional written order of the Customer;
    - at the legal request of the subject of personal data, with the obligatory written notification of the Customer;
    - at the request of state regulatory authorities for the protection of the rights of subjects of personal data, with a mandatory written notification of the Customer.
  • Deletion of personal data:
    - by additional written order of the Customer;
    - at the legal request of the subject of personal data, with the obligatory written notification of the Customer;
    - at the request of state regulatory authorities for the protection of the rights of subjects of personal data, with a mandatory written notification of the Customer.
  • Destruction of personal data - by additional written order of the Customer.

3.2.4. The procedure for processing personal data

The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.
It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.
Only personal data that meet the purposes of their processing are subject to processing.
The content and scope of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing.
When processing personal data, the accuracy of personal data, their sufficiency, as well as relevance in relation to the purposes of processing personal data, must be ensured.
Personal data should be stored in a form that allows the subject of personal data to be identified for no longer than the purposes of processing require, unless otherwise specified by the terms of the contract. The processed personal data is subject to destruction or depersonalization once the purposes of processing have been achieved, or once there is no longer any need to achieve them, unless otherwise specified by the terms of the contract.

3.2.5. Organization of personal data protection

Objects of protection

  • information containing personal data of subjects;
  • machine media containing personal data of subjects;
  • personal data information systems;
  • personal data of subjects contained in electronic databases of personal data information systems.

3.2.6. Measures to organize and ensure the security of personal data

To ensure the security of personal data, the Contractor must take the following measures:

  • Take the necessary legal, organizational and technical measures, or ensure their adoption, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision or distribution, as well as from other unlawful actions in relation to personal data.
  • Grant the Contractor's employees access to personal data processed on behalf of the Customer only after they have signed the Obligation on non-disclosure of personal data, studied the Customer's requirements for the processing and protection of personal data and the local regulations governing the organization and protection of personal data, and received instruction on the procedure for handling personal data.
  • Determination of threats to the security of personal data during their processing in information systems of personal data.
  • Application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation.
  • Evaluation of the effectiveness of the measures taken to ensure the security of personal data before the commissioning of the personal data information system.
  • Accounting for machine carriers of personal data.
  • Detection of facts of unauthorized access to personal data and taking measures in response.
  • Recovery of personal data modified or destroyed due to unauthorized access to them.
  • Establishment of rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
  • Control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

3.2.7. Destruction of personal data

The destruction of personal data of subjects can be carried out by the Contractor, only:

  • by additional written order of the Customer;
  • at the legal request of the subject of personal data, with the obligatory written notification of the Customer;
  • at the request of state regulatory authorities for the protection of the rights of subjects of personal data, with a mandatory written notification of the Customer.

The destruction of the processed personal data of the subjects must be guaranteed and ensure the impossibility of restoring the content of personal data in the information system of personal data or carriers containing them.

3.2.8. The procedure for terminating the processing of personal data

The termination of the processing of personal data is carried out:

  • in the event of termination of the contractual relationship that is the basis for the processing of personal data;
  • by additional written order of the Customer;
  • by written order of state regulatory authorities.

In all cases of termination of the processing of personal data, the further purpose of the databases is determined by the Customer with the preparation of a written notice of the further purpose of the personal data bases.

4. RIGHTS AND OBLIGATIONS OF THE PARTIES

4.1. The customer undertakes:

4.1.1. If the subject of personal data withdraws consent to the processing of personal data and there are no grounds specified in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" allowing the processing of personal data without the consent of the subject, send the Contractor a written order to delete or depersonalize the personal data of the subject.

4.1.2. Upon receipt of a request from the subject of personal data to provide the information specified in Part 7 of Article 14 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", or of the subject's demand for the clarification, blocking or destruction of his personal data where that data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, send the Contractor a written order to provide the information or to perform the specific actions with the personal data of the subject.

4.2. The Contractor undertakes:

4.2.1. Carry out the processing of personal data on a legal basis, in strict accordance with the terms of this Order.

4.2.2. At the first written request of the Customer, transfer (return) the personal data bases processed on his behalf in the manner specified in the request.

4.2.4. At the request of the authorized body for the protection of the rights of personal data subjects, provide evidence of receipt of the consents of personal data subjects collected under this Order for the processing of their personal data or evidence of the existence of the grounds specified in paragraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of Article 11 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", allowing the processing of personal data without the consent of the subject.

The processing of personal data is any action or operation with the personal data of the subject: collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Why collect information about the subject and give consent to its analysis?

For a client or patient

Information about the state of health of a citizen belongs to a special category of personal data. According to Part 2, Clause 4, Art. 10 of the Federal Law No. 152, the processing of such information is allowed without the consent of the subject, provided that it is carried out for the purposes of:

  • establishing a diagnosis;
  • disease prevention;
  • provision of medical and medical-social services.

This rule is true for situations where the processing is carried out by a professional doctor who is obliged to keep medical secrets in accordance with the legislation of the Russian Federation.

The exceptions are situations where it is impossible to obtain consent, but processing is necessary to protect the life or health of the patient.

If a person uses any service - concludes an agreement, takes out a loan - that is, he is a client, personal information about him can also be processed in accordance with Federal Law No. 152.

Customer data can be used for:

  1. Provision of consulting, information and intermediary services.
  2. Conclusion and execution of the contract with the client.
  3. Managing HR and accounting services.
  4. Other transactions not prohibited by the legislation of the Russian Federation.

For an employee of an organization

The employer has the right to process the personal data of his employees; this is enshrined in Art. 22 of Federal Law No. 152. The purposes of personal data processing in the organization are:

  • Registration of civil law contracts with citizens, provided for by the Legislation of the Russian Federation and the Charter of the enterprise.
  • Personnel records, compliance with laws, and registration of obligations under labor and civil law contracts.
  • Assistance with employment, education or promotion, registration and use of benefits.
  • Ensuring the personal safety of the employee and the safety of property.
  • Compliance with the requirements of tax and pension legislation when calculating contributions for pension insurance.
  • Formation of statistics in accordance with the Labor, Tax Codes and federal laws.
  • Control of the work performed by the employee.

(Article 86 of the "Labor Code of the Russian Federation" dated December 30, 2001 No. 197-FZ). Personal information about an employee that is classified as "special" is not subject to processing by the employer.

The validity period of the consent to the processing of personal data must be established; it can be a specific date or an event, for example, dismissal or withdrawal of consent by the employee.

Examples

Banking

Bank "Financial". The purpose of processing the client's personal data is to carry out banking and other operations, including:

  1. Opening and maintaining bank accounts.
  2. Transfer of funds through bank accounts.
  3. Transfer of funds for individuals and legal entities without opening a bank account.
  4. Purchase and sale of foreign currency.
  5. Provision of consulting and information services, including through an e-mail address.

Medical organization

Medical organization "Health". Purpose of processing:

  • Organization of medical care.
  • Issuance of concessionary prescriptions.
  • Payment of bills under the compulsory (CHI) and voluntary (VHI) health insurance systems.
  • Use for statistics and research work.
  • Informing via SMS notification about test results, ongoing promotions and the work schedule of specialists.

Conclusion

With the personal data of an employee, a client or a patient, not everything is as simple as it seems at first glance. They cannot simply be transferred to third parties without consent and notice, or used for purposes with which the subject does not agree. If a person discovers that his personal data has been leaked, he can always apply to Roskomnadzor or to the court.


In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of an employee's personal data is the receipt, storage, combination, transfer or any other use of the employee's personal data.

The processing of the employee's personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assisting the employee in employment, training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of the work performed by the employee and ensuring the safety of property (clause 1 of article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law "On Personal Data", the processing of personal data consists of actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking and destruction of personal data. It should be borne in mind that, regardless of the number of functional operations listed in the legislation, legal regulation should cover all stages of the processing of personal data, from receipt to destruction, without any exceptions.

The said Law refers to the principles of personal data processing as follows:

  • lawfulness of the purposes and methods of processing and good faith;
  • compliance of the purposes of processing with the purposes predetermined and declared during the collection of personal data, as well as the authority of the operator;
  • compliance of the volume and nature of the processed data, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated during the collection of data;
  • the inadmissibility of combining personal data information systems databases created for incompatible purposes.

The processing of personal data of an employee begins with their receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee's personal data can only be obtained from a third party, the employee must be notified of this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, alleged sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the employee's refusal to give written consent to receive them (clause 3 of article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the personal data of the employee about his political, religious and other beliefs and private life (clause 4 of article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the health status of the employee, if this does not apply to resolving the issue of the employee's ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes separate requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives against signature with the documents of the employer establishing the procedure for processing personal data of employees, as well as their rights and obligations in this area, implies the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, may be referred to as a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of personal data of an employee;
  • formation of personal data of the employee;
  • accounting, storage and transfer of personal data of an employee;
  • the rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act determines the confidentiality regime (limited access) of the employee's personal data with a specific employer. Employees of the employer who receive the personal data of the employee are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of personal data of an employee within a particular organization, from a certain individual entrepreneur. If there is an automated component within the framework of this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (clause 6 of article 86 of the Labor Code of the Russian Federation). An employer may not be limited to adopting a provision on the protection of personal data of employees in his organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and protection of the employee's personal data, the employer may bring the perpetrators to material and disciplinary liability, and the relevant state bodies may bring them to civil, administrative and criminal liability.

The processing of personal data is carried out on the basis of laws and other regulations.

What is the processing of personal data? This process includes the following steps:

Legal regulation of work with personal data covers all processes and stages of work with them.

Purpose

What is the processing of personal data for? The processing of an employee's personal data is carried out at the enterprise or organization in order to assist him.

Main purposes of personal data processing:

  • in employment;
  • in enrolment in an educational institution, in training or in advanced training;
  • in the protection of the organization of labor;
  • in promotion and control, in career opportunities;
  • in controlling the quantity and quality of the work performed.

The legislation provides for the accumulation and transfer of an employee's personal data solely for the purpose of his development and the appropriate use of his abilities and experience; these may include multifunctional goals.

The purpose of processing employees' personal data includes the use and processing of personal data through their synthesis and interconnection, which determine the relevance of the employee's capabilities in the context of the organization of the production process.

The goals set and announced for the processing of personal data cannot be changed without notifying the employee.

Who carries it out?

Personal data is understood as such information that contains basic information about a person of interest to a certain circle of representatives of state and other services.

In particular, in production (in an organization), personal data is of interest to the employer, who manages the organization of labor in production based on information about his employees.

The employer has the right to request any personal data available in the employee's records. In addition to him, access to personal data has a limited circle of persons who carry out operational work. As a rule, these are the secretariat and personnel officers.

An operator who carries out information activities with personal data receives instruction before starting the designated work. He is familiarized with the rules of the work and with the principles prohibiting the disclosure of the information contained in personal data.

The implementation of the listed types of work can pursue only those goals that caused the collection of information. Misuse of personal data or their disclosure is considered a gross violation, for which liability is imposed.

Violations

As discussed earlier, violations in the processing of personal data are considered:

The operator's work with personal data is subject to strict control by authorized services, and for shortcomings, unintentional or deliberate violations, the operator is held liable.

For all unauthorized actions in the processing of personal data, punishment may follow: disciplinary, administrative, in some cases - criminal.

On July 1, 2017, Federal Law No. 13-FZ of February 7, 2017 came into force, which amends Art. 13.11 of the Code of Administrative Offenses, expands the list of grounds for bringing to administrative responsibility for unlawful processing of personal data and significantly increases the fines.

One of the mandatory documents that a personal data operator must prepare in order to comply with the requirements of the Federal Law of July 27, 2006 No. 152-FZ is the Personal Data Processing Policy, which explains how the company works with the data of employees, customers and other individuals. This document is published openly on almost all websites that have any form for collecting personal data.

How to draw up a Personal Data Processing Policy correctly, which sections must be included? Roskomnadzor provides clarifications on these issues.

Structure of the Personal Data Processing Policy

  • General provisions
  • Purposes of collecting personal data
  • Legal grounds for the processing of personal data
  • Scope and categories of processed personal data, categories of personal data subjects
  • The procedure and conditions for the processing of personal data
  • Updating, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

1. General provisions

In this section, you actually answer the question - what is the Personal Data Processing Policy for? It also explains the basic concepts that are used in the document, as well as the rights and obligations of the operator and the subject of personal data.

2. Purposes of collecting personal data

Art. 5 of the Federal Law of July 27, 2006 No. 152-FZ requires the definition of specific, legitimate purposes for collecting data. Therefore, personal data that does not correspond to these purposes may not be processed.

Roskomnadzor indicates that the purposes of processing personal data may arise, in particular:

  • from the analysis of legal acts regulating the activities of the operator;
  • from the purposes of the activities actually carried out by the operator;
  • from activities that are provided for by the constituent documents of the operator;
  • from specific business processes of the operator in specific information systems of personal data (according to the structural divisions of the operator and their procedures in relation to certain categories of personal data subjects).

3. Legal grounds for the processing of personal data

Federal Law No. 152-FZ of July 27, 2006 is not a legal basis for the processing of personal data. This role is performed by the legal acts in accordance with which the operator processes the data.

Thus, in the Data Processing Policy, as legal grounds, you can specify: federal laws and regulatory legal acts adopted on their basis that regulate relations related to the activities of the operator; statutory documents of the operator; contracts concluded between the operator and the subject of personal data; consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the authority of the operator).

4. Scope and categories of processed personal data, categories of personal data subjects

It is important that the amount of personal data processed does not diverge from the stated purposes of processing.

The categories of personal data subjects may include: employees - both current and former, candidates for vacancies, relatives of employees, customers and counterparties (individuals), representatives or employees of clients and counterparties.

Roskomnadzor draws attention to the fact that for each category of subjects and in relation to specific purposes, all processed personal data should be indicated. Separately, all cases of processing special categories of personal data and biometric personal data (if applicable) are described.

5. Procedure and conditions for processing personal data

What is included in this section:

  • list of actions performed with personal data;
  • ways of processing personal data;
  • terms of personal data processing.

If, as part of achieving the goals of processing personal data, the operator interacts with third parties, then he needs to:

  • explain the conditions for the transfer of personal data to third parties (including cross-border data transfer);
  • indicate the name and location of third parties;
  • indicate the purposes of data transfer and their scope;
  • list the processing actions, methods and other conditions of processing, including the requirements for the protection of processed personal data.

The operator has the right to transfer personal data to the bodies of inquiry and investigation, as well as other authorized bodies on the grounds provided for by law.

The Personal Data Processing Policy should include information on compliance with the requirements for the confidentiality of personal data (they are named in Article 7 of the Federal Law of July 27, 2006 No. 152-FZ) and information on taking measures (Part 2 of Article 18.1, Part 1 of Art. 19).

In addition, the operator must specify the condition for terminating the processing of personal data. This may be the achievement of the purposes of processing, the expiration of the consent to processing, the withdrawal of the consent of the subject of personal data to processing, the identification of illegal data processing.

Special attention should be paid to the storage of personal data. First, the storage periods must be specified. Second, databases located on the territory of the Russian Federation must be used. Third, it must be taken into account that storage must be carried out in a form that allows the identification of the subject of personal data for no longer than the purposes of processing require. Fourth, other storage conditions must be mentioned, including those for processing data without the use of automation tools.

6. Update, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data

According to Art. 21 of Federal Law No. 152-FZ, personal data must be updated by the operator if the fact of inaccuracy of the personal data is confirmed. The same applies to the confirmation of the fact of illegal processing.

Personal data is subject to destruction when the purposes of its processing are achieved and when the subject of personal data withdraws consent to its processing, unless otherwise provided by a contract to which the subject of personal data is a party, beneficiary or guarantor, or by another agreement between the operator and the subject of personal data, or unless the operator is not entitled to process the personal data without the subject's consent on the grounds provided for by Federal Law No. 152-FZ of July 27, 2006 or other federal laws.

Based on Art. 20, the operator is obliged to inform the subject of personal data about the processing of personal data carried out by him upon request.

Roskomnadzor recommends that the Personal Data Processing Policy include regulations for responding to requests and appeals from personal data subjects, their representatives, authorized bodies regarding data inaccuracy, illegal processing, withdrawal of consent and access to their data. It will not be superfluous to add the appropriate forms of requests and appeals to the Policy.

Placement of the Personal Data Processing Policy in the office and on the website

Any person whose data is processed by the company has the right to get acquainted with the Personal Data Processing Policy. Therefore, it must be placed in a public place. For example, use an information stand for this.

If the company collects personal data via the Internet, then it is obliged to place the Policy on the website. The site visitor can view it by clicking on the link.
