Regulations on the processing and protection of personal data. Instruction for the processing of personal data. Purpose of processing personal data: why it is needed

Processing of personal data is any action or operation with the subject’s personal data: collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, deletion, destruction.

Why collect information about the subject and consent to its analysis?

For the client/patient

Information about a citizen’s health status belongs to a special category of personal data. According to Part 2, Clause 4, Art. 10 Federal Law No. 152, processing of such information is permitted without the consent of the subject, provided that it is carried out for the purposes of:

  • establishing a diagnosis;
  • disease prevention;
  • provision of medical and medical-social services.

This rule is valid for situations where the processing is carried out by a professional doctor who is obliged to maintain medical confidentiality in accordance with the legislation of the Russian Federation.

The exception is those situations where it is impossible to obtain consent, but processing is necessary to protect the life or health of the patient.

If a person uses any service - enters into an agreement, applies for a loan - that is, he is a client, personal information about him can also be processed in accordance with Federal Law No. 152.

Client data can be used for:

  1. Providing consulting, information and intermediary services.
  2. Conclusion and execution of an agreement with a client.
  3. Conducting HR and accounting services.
  4. Other transactions not prohibited by the legislation of the Russian Federation.

For an employee of the organization

The employer has the right to process the personal data of his employees; this is enshrined in Art. 22 of Federal Law No. 152. Purposes of processing personal data in the organization:

  • Registration of civil contracts with citizens provided for by the Legislation of the Russian Federation and the Charter of the enterprise.
  • Personnel records, compliance with laws and regulations, registration of obligations under employment and civil law contracts.
  • Assistance in finding employment, obtaining education or promotion, registration and use of benefits.
  • Ensuring the personal safety of the employee and the safety of property.
  • Compliance with the requirements of tax and pension legislation when calculating contributions to pension insurance.
  • Formation of statistics in accordance with the Labor, Tax Codes and federal laws.
  • Monitoring the work performed by the employee.

(Article 86 of the “Labor Code of the Russian Federation” dated December 30, 2001 No. 197-FZ). Personal information about an employee classified as “special” is not subject to processing by the employer.

The validity period of the Consent to the processing of personal data must be established; this may be a specific date or event, for example, dismissal or withdrawal of consent by an employee.

Examples

Banking sector

Bank "Financial". The purpose of processing the client’s personal data is to carry out banking and other operations, including:

  1. Opening and maintaining bank accounts.
  2. Transfer of funds to bank accounts.
  3. Transfer of funds from individuals and legal entities without opening a bank account.
  4. Purchase and sale of foreign currency.
  5. Providing consulting and information services, including through an email address.

Medical organization

Medical organization "Health". Purpose of processing:

  • Organization of medical care.
  • Issuing preferential prescriptions.
  • Payment of bills in the compulsory medical insurance and voluntary medical insurance system.
  • Use for statistics and research work.
  • Informing via SMS notifications about test results, ongoing promotions and specialists’ work schedules.

Conclusion

With the personal data of a client or patient, not everything is as simple as it seems at first glance. The data cannot simply be transferred to third parties, without consent and warning, or used for purposes with which the subject does not agree. If a person is faced with the fact that his personal data has been leaked, he can always contact Roskomnadzor or the court.

Since the end of summer, the Law on Personal Data has been in force in a new version. The rules for obtaining and protecting information have changed. For the employer, this means only one thing - additional paperwork. In this article we will talk about how to draw up regulations on working with personal data of employees and appoint someone responsible for organizing work with personal data.

What is personal data

Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as Law No. 152-FZ) defines personal data as any information directly or indirectly related to an individual (the subject of personal data). This is stated in paragraph 1 of Art. 3 of Law No. 152-FZ.

According to Part 1 of Art. 85 of the Labor Code, personal data of an employee means information relating to a specific employee, which is necessary for the employer in connection with labor relations. We are talking about data such as:

  • Full Name;
  • Date and place of birth;
  • address;
  • Family status;
  • position (profession);
  • salary, other income;
  • ownership of real estate, cash deposits, etc.;
  • education, qualifications, professional training, information on advanced training;
  • habits and hobbies, including harmful ones (alcohol, drugs, etc.);
  • biographical facts and previous work activity (place of work, amount of earnings, criminal record, military service, work in elected positions, public service, etc.);
  • physiological characteristics, health;
  • business and other personal qualities;
  • other information.

The list of personnel documents containing personal data of employees is given in Table 1 on p. 76.

Table 1. Documents containing personal data of employees

| N | Document | Information |
|---|---|---|
| 1 | Questionnaire, autobiography, personal personnel records sheet (to be completed upon admission to work) | Personal and biographical information of the employee |
| 2 | Copy of the employee's identification document | Full name, date of birth, registration address, marital status, family composition |
| 3 | Personal card (form N T-2, approved by the Resolution of Goskomstat of Russia dated 01/05/2004 N 1) | Full name of the employee, place of birth, family composition, education, and identification document details |
| 4 | Employment history | Information about work experience, previous places of work |
| 5 | Copies of marriage certificates and birth certificates of children | Family composition, changes in marital status |
| 6 | Military registration documents | Information about the employee's military duty, required by the employer to carry out military registration of employees |
| 7 | Certificate of income from previous places of work | Full name, information about the amount of income and withheld personal income tax |
| 8 | Education documents | Confirm the qualifications of the employee, justify the occupation of a certain position |
| 9 | Mandatory pension insurance documents | Full name, personal data |
| 10 | Employment contract | Information about the employee's position, salary, place of work, workplace, as well as other personal data of the employee |
| 11 | Orders for personnel | Information about admission, transfer, dismissal and other events related to the employee's work activities |

Personal data processing operator

According to Law N 152-FZ, the person (legal or individual) who organizes and (or) carries out the processing of personal data and determines its composition, the purposes of processing, and the actions performed with personal data is called the operator (Clause 2 of Article 3 of Law No. 152-FZ). In our case, this is the employer.

Processing of personal data is any action performed with it. Operations for processing personal data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction of personal data.

Regulations on working with personal data

The procedure for processing personal data by the operator may be established in the Regulations on working with personal data of employees (hereinafter referred to as the Regulations). There is no unified form of the document. Let's consider how to draw up this document taking into account the requirements of Law N 152-FZ. The Regulations consist of several sections. They are presented in Table 2, which also briefly indicates the information that the sections should contain. Detailed information is presented in a fragment of the Regulations on personal data of employees, which is given on p. 80.

Table 2. Structure of the Regulations on personal data of employees

| N | Section | Contents |
|---|---|---|
| 1 | General provisions | Purpose of adoption of the Regulations. Issues governed by the Regulations. Links to regulations: indicate on the basis of which documents the Regulations are compiled. In organizations where state civil servants work, reference is given to: Federal Law of July 27, 2004 N 79-FZ "On the State Civil Service of the Russian Federation"; Decree of the President of the Russian Federation dated May 30, 2005 N 609 "On approval of the Regulations on personal data of a state civil servant of the Russian Federation and maintaining his personal file"; regulatory acts of a constituent entity of the Russian Federation |
| 2 | Basic concepts. Composition of employee personal data | Basic concepts. Definitions of the concepts "personal data", "processing of personal data", "use of personal data" are given; the storage period for documents, etc. is indicated. It must be stated separately what counts as personal data in the specific company, taking into account its features (data used in the work, for example, information about working at sensitive facilities, about obtaining access to state secrets, about health compliance for professions associated with heavy and harmful conditions, etc.). List of documents of the organization that contain personal data |
| 3 | Receipt of employees' personal data | Procedure for obtaining personal data. Indicates that the data is received and processed based on the written consent of the employee. Indicates cases where consent is not required |
| 4 | Use of personal data | Purposes for using personal information of employees |
| 5 | Processing of personal data | Conditions observed when processing the employee's personal data |
| 6 | Transfer of personal data (access to personal data) | The procedure for transferring personal data within the organization (internal access), and to third parties and government agencies (external access) |
| 7 | Responsibility for violation of the norms regulating the processing and protection of personal data | Identifies those who are responsible for violation of the rules for storage and use of personal data |

Fragment of the Regulations on personal data of employees

Introduction of the Regulations into force

The regulation on personal data is approved by the head of the company and put into effect by order of the organization (a sample is given on p. 90). A record of approval of the Regulations must be made in the register of local regulations.

If there is a trade union

If the company has a trade union, the Regulations must be agreed upon with it. To do this, the draft Regulations are sent to the elected body of the trade union (Article 372 of the Labor Code of the Russian Federation). It must express its opinion (in writing) no later than five working days from the date of receipt of the draft. If the union does not agree with the draft or has proposals for its improvement, the administration has two options. The first is to agree. The second is to conduct additional consultations with the trade union within three days after receiving a reasoned opinion in order to achieve a mutually acceptable solution. If this does not help, a protocol of disagreement should be drawn up. After this, the administration has the right to adopt the Regulations without taking into account the demands of the trade union. However, the union will be able to appeal the Regulations or begin the procedure for a collective labor dispute in the manner prescribed by Chapter 61 of the Labor Code.

Familiarization of employees with the Regulations

Employees must be familiarized with the Regulations against signature (clause 8 of Article 86 of the Labor Code of the Russian Federation). This fact can be recorded in:

  • the text of the employment contract for each employee (a listing of the local regulations with which the employee is familiarized before signing the contract);
  • a sheet for familiarization with the Regulations (sample on p. 91);
  • a logbook for familiarizing employees with local regulations (sample on p. 91).

Sample sheet for familiarization with local regulations

| N p/p | Name of local regulatory act | Date | Signature |
|---|---|---|---|
| 1 | Internal labor regulations of LLC "Black Forest" | 03.10.2011 | Evstakhov |
| 2 | Regulations on remuneration, bonuses and social security of employees of Black Forest LLC | 03.10.2011 | Evstakhov |
| 3 | Information security instructions, approved by Order dated June 15, 2008 N 1 | 03.10.2011 | Evstakhov |
| 4 | Statement on personal data | 03.10.2011 | Evstakhov |
| 5 | Provision on liability of workers for damage caused to Black Forest LLC | 03.10.2011 | Evstakhov |

Fragment of the log of familiarization with the Regulations on personal data

Note. Personal data storage period

Local regulations (regulations, instructions) on personal data must be stored permanently. As for employee statements of consent to data processing (they will be discussed in future issues), and other employee documents, they are stored for 75 years. This is stated in the List approved by Order of the Ministry of Culture of Russia dated August 25, 2010 N 558.

Administrative responsibility

Administrative liability measures (mostly fines are provided, disqualification is not applied in this case) for an enterprise and its officials for violating the procedure for receiving, processing, storing and protecting personal data of employees are given in Table 3.

Table 3. Responsibility for violating the procedure for obtaining, processing, storing and protecting personal data of employees

In accordance with Part 2 of Art. 85 of the Labor Code of the Russian Federation, the processing of employee personal data is the receipt, storage, combination, transfer or any other use of the employee’s personal data.

The processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting the employee in employment, training and promotion, ensuring the employee’s personal safety, as well as monitoring the quantity and quality of the work he performs and ensuring the safety of property (clause 1 of Article 86 of the Labor Code of the Russian Federation).

According to paragraph 3 of Art. 3 of the Federal Law “On Personal Data”, the processing of personal data is actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data. It should be borne in mind that regardless of the number of functional operations listed in the legislation, legal regulation must cover all stages of the processing of personal data - from receipt to destruction, without any exceptions or exemptions.

The principles for processing personal data include the following:

  • legality of the purposes and methods of processing and fairness;
  • compliance of the purposes of processing with the goals predetermined and stated when collecting personal data, as well as with the powers of the operator;
  • compliance of the volume and nature of the data processed, methods of processing with the purposes of their processing;
  • the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is not related to the purposes stated when collecting data;
  • the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

The processing of an employee’s personal data begins with its receipt. As a general rule, all personal data should be obtained from the employee himself. In exceptional cases, when the employee’s personal data can only be obtained from a third party, the employee must be notified of this in advance and written consent must be obtained from him. The employer is obliged to inform the employee about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the employee’s refusal to give written consent to receive it (Clause 3 of Article 86 of the Labor Code of the Russian Federation). However, the employer does not have the right to receive and process the employee’s personal data about his political, religious and other beliefs and private life (Clause 4 of Article 86 of the Labor Code of the Russian Federation). Also, the employer cannot request information about the employee’s health status if this does not relate to the issue of the employee’s ability to perform a labor function (Article 88 of the Labor Code of the Russian Federation).

The Labor Code of the Russian Federation imposes certain requirements on the organization and technology of processing personal data by the employer. The obligation to familiarize employees and their representatives, against signature, with the employer’s documents establishing the procedure for processing employees’ personal data, as well as their rights and responsibilities in this area, presupposes the need to develop and adopt an appropriate local regulatory legal act. Such an act, depending on the specifics of the activity and the discretion of the employer, can be called a regulation or instruction and, as a rule, includes the following sections:

  • basic concepts and provisions;
  • processing of employee personal data;
  • generation of employee personal data;
  • recording, storage and transfer of employee personal data;
  • rights and obligations of the employee in the field of processing and protection of his personal data.

Such a local regulatory legal act defines the confidentiality regime (limited access) for the personal data of an employee at a specific employer. The employer’s employees who receive the employee’s personal data are required to comply with this regime, which must be indicated not only in their job descriptions, but also in the employment contracts concluded with them. The regulation (instruction) on the protection of personal data is the main document reflecting the specifics of the processing and transfer of an employee’s personal data within a specific organization or for a specific individual entrepreneur. If there is an automated component within this activity, the employer does not have the right to make decisions regarding the employee based on personal data obtained solely as a result of their automated processing or electronic receipt (clause 6 of Article 86 of the Labor Code of the Russian Federation). An employer may not be limited to adopting a provision on the protection of personal data of employees in its organization. However, the presence of this local act is mandatory, and its absence is considered by the state labor inspectorate as a serious violation of labor legislation.

For this and other violations of the rules governing the receipt, processing and protection of the employee’s personal data, the employer can bring the perpetrators to material and disciplinary liability, and the relevant government bodies can bring them to civil, administrative and criminal liability.

Nowadays, no activity can be done without information. Each organization stores information about employees, partners, and clients. Unauthorized access to them leads to their loss or modification, which negatively affects the company's activities. The purposes of processing personal data in organizations are the same, since this is enshrined in law. This is discussed in the article.

What does processing mean?

Each person can get acquainted with information about another citizen both when performing work duties and during non-work communication, when browsing the Internet, reading a newspaper. This collection of information is not considered processing. This is just an overview of the information.

If personal information is specifically collected for use or storage, then this will be the processing of personal data. This process is observed in educational institutions and hospitals. Information is registered, entered into databases, classified for use for legal purposes. If a writer or journalist collects information, he can use it for creative purposes.

Processing methods

Personal information is processed in 2 ways:

  1. Automated.
  2. Not automated.

The second option involves processing performed with the participation of a citizen. If this happens without automation tools, then the data must be separated from other information. This is done by marking, for example, in the margins of forms. It is prohibited to place personal information on a single medium if it is known that the purposes of processing personal data are incompatible.

If personal information of citizens is classified into different categories, then it is necessary to use an individual medium for each type. Which systems can be classified as automated and which are not? This is revealed by the following facts:

  1. Personal information contained in the personal data system may be processed through a non-automated process if its use is carried out in the personal presence of a person.
  2. It cannot be said that the data is processed automatically given only that it is held in a personal information system.

Automated processing is performed using computing tools. Processing refers to all actions that are performed on the provided data. This process includes collection, recording, use, destruction.

Goals

The purposes of processing personal data in the organization are the same. Information is needed for:

  1. Conclusion, execution, termination of contracts in cases provided for by law and the Charter of the organization. Such transactions can occur with citizens, individual entrepreneurs, and legal entities.
  2. Personnel records of the enterprise, compliance with the law, conclusion and fulfillment of obligations under agreements.
  3. Assistance to employees in employment, training, and use of benefits.
  4. Compliance with tax legislation regarding the payment of taxes and the transfer of personal data to the Pension Fund.
  5. Filling out statistical documents based on legal norms.

Each purpose for processing personal data in an organization is mandatory, as it is enshrined in law. That is why all institutions require information about employees, clients, and partners. The purposes of processing personal data allow us to conduct business in a legal manner.

Rules and order

The manager must receive the following information about his employees:

  1. Education.
  2. Work experience, previous position.
  3. Data about the family and their work.
  4. Health information.

When processing employee information, HR specialists must follow several rules:

  1. Process information based on legal norms, assist in employment, assist in training and career advancement, monitor the quality of assignments performed.
  2. Personal information is provided by the employee. If for some reason they cannot be obtained from the employee, but only from a third party, it is necessary to obtain written consent to disclose the information.
  3. A personnel employee cannot independently use information about religious orientation or trade union activities if this is not related to work. If this information concerns a work relationship, written permission is required.
  4. The manager controls the employees of the personnel department, as well as their compliance with these rules.
  5. All employees must sign to confirm that they are familiar with the rules of the regulations.

The purposes of processing personal data according to Law No. 152 are mandatory for every employer. Based on Art. 22, the manager can take actions with the personal information of employees without notifying Roskomnadzor.

Principles

It is important to know not only the purposes for collecting and processing personal data, but also the principles. They are indicated in Art. 5 of Ch. 2 of Federal Law No. 152:

  1. It is important to respect the legality and integrity of the purposes and methods of processing.
  2. Compliance with the purposes stated at the time of collection.
  3. Correspondence of the volume and nature of the information processed and methods to the goals.
  4. Reliability of information.
  5. It is inadmissible to combine databases for incompatible purposes.
  6. Storage in a form that allows the data subject to be identified, and for no longer than required by the purposes. Then they are destroyed.

The purposes of processing the employee’s personal data are achieved using the conditions specified in Art. 6 of Ch. 2:

  1. Processing is carried out with the consent of the subjects.
  2. If this is contractually entrusted to another person, then confidentiality is important.
  3. Processing of special information in a special manner.

There are a few exceptions where subject permission is not required. This happens when:

  1. The procedure is carried out on the basis of the Federal Law, which establishes its purpose, conditions, and the range of subjects whose information is subject to processing.
  2. Everything is done to fulfill the contract.
  3. It is required for statistical and other scientific purposes.
  4. It is necessary to protect life, health, and vital interests if it is impossible to obtain permission.
  5. Postal delivery is in progress.
  6. The professional activity of a journalist is carried out.
  7. Information subject to publication on the basis of the law is processed.

Consent

To protect a person from unwanted use of information about him, his consent to the processing of personal data is required. The purpose of processing must be lawful, otherwise it is prohibited. Consent is provided when applying for a job, opening a bank account, and for other important transactions.

There is no single form of permission. It is drawn up in free form on the form used by the enterprise. The period during which the permit is valid is indicated in the document itself. The purposes of processing personal data in the organization are also indicated there.

Responsibility of the organization

The specialist responsible for receiving, processing, and storing personal information is appointed by the director of the institution. It also determines the persons who have access to the information. The document must be executed by order. Typically the following are responsible for processing information:

  1. Heads of HR department.
  2. Personnel inspectors.
  3. HR managers.
  4. Deputy HR managers.
  5. HR specialists.

Based on Federal Law No. 152, the employee collecting and processing personal data is an operator. The manager is the operator. The purposes of processing personal data in an educational institution are the same as in organizations.

Transfer and storage

Documentation with personal information about employees is stored in fireproof cabinets or safes. The director of the personnel department must have the keys to them. If he is absent, then the deputy is in charge. If it is necessary to transfer personal information of an employee, the personnel employee must remember the following rules:

  1. It is prohibited to transfer personal information to third parties without written permission. The exception is cases when data is required to prevent harm to health and in situations established by law. It is also prohibited to disclose information for commercial purposes without consent.
  2. If it is necessary to transfer employee data, then it is necessary to notify those for whom this information is used that the information can only be used for the purpose of the request.
  3. A personnel employee may use only the information necessary to perform his or her job duties.
  4. The personnel employee does not have the right to find out information about the employee’s health status.

An exception is considered to be circumstances related to the performance of employees’ duties.

Responsibility

If employees violate the procedure for collecting, processing, and issuing information, they bear disciplinary and criminal liability according to the law. In Art. 5 of the Federal Law states that personal information collected for processing by automated principles or other means must be produced in such a form that the data subject can be identified.

The determination of the subject cannot be longer than required for processing. If it is completed, then personal data cannot be destroyed for some time. Personal data of employees is stored in the institution for 75 years. Thus, every enterprise must comply with the rules for storing and processing information.

This instruction for the processing of personal data (hereinafter referred to as the Instruction) was developed in accordance with the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. This Instruction defines the procedure for processing personal data and measures to ensure the security of personal data at CardsProService LLC in order to protect the rights and freedoms of individuals and citizens when processing their personal data, including the protection of rights to privacy, personal and family secrets.

1. TERMS AND DEFINITIONS

1) Personal Information- any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);

2) Operator (Customer) - state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

3) Processing of personal data- any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

4) Automated processing of personal data- processing of personal data using computer technology;

5) Dissemination of personal data- actions aimed at disclosing personal data to an indefinite number of persons;

6) Providing personal data- actions aimed at disclosing personal data to a certain person or a certain circle of persons;

7) Blocking personal data- temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

8) Destruction of personal data- actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed;

9) Authorized persons of the Customer - persons acting in accordance with the confidentiality agreement concluded with the Customer;

10) Depersonalization of personal data - actions as a result of which it becomes impossible to determine, without the use of additional information, which specific subject the personal data belongs to;

11) Personal data information system - the totality of personal data contained in databases and the information technologies and technical means that ensure their processing;

12) Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity;

13) Contractor - CardsProService LLC (123610, Moscow, Krasnopresnenskaya embankment, building 12, office building 1, room Id, room 42; OGRN 1157746550070).

2. ORDER TO PROCESS PERSONAL DATA

2.1. The Customer, being the Operator of personal data, in accordance with clause 3 of Art. 6 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, instructs, and the Contractor undertakes, to process the personal data of subjects in the interests of the Customer and in pursuance of the User Agreement.

3. PROCEDURE FOR INTERACTION OF THE PARTIES

3.1. The basis on which the Contractor processes the personal data of subjects in the interests of the Customer is the Terms of Use.

3.2. The procedure for organizing the collection of consents of personal data subjects for the processing and transfer of their personal data, as well as the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data:

3.2.1. Purpose of processing personal data.

The processing of personal data is entrusted for the purpose of implementing loyalty programs.

3.2.2. List of personal data, the processing of which is entrusted to the Contractor

  • Full Name;
  • Place, year and date of birth;
  • Contact number;
  • Registration address;
  • Address of place of actual residence (stay);
  • Passport data (series, passport number, by whom and when issued);
  • Telephone number (home, work, mobile).
3.2.3. List of actions (operations) with personal data that the Contractor is entrusted to perform:
  • Collection of personal data.
  • Systematization of personal data.
  • Accumulation of personal data.
  • Use of personal data for the implementation of loyalty programs and communication with subjects of personal data.
  • Storage of personal data.
  • Clarification (updating, changing) of personal data:

  • Extraction (unloading) - upon additional written instructions from the Customer.
  • Depersonalization of personal data:
    -
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Blocking personal data:
    - upon additional written instructions from the Customer;
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Deleting personal data:
    - upon additional written instructions from the Customer;
    - at the legal request of the subject of personal data, with mandatory written notification to the Customer;
    - at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
  • Destruction of personal data - upon additional written instructions from the Customer.
3.2.4. Procedure for processing personal data

The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.
It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.
Only personal data that meets the purposes of their processing are subject to processing.
The content and volume of personal data processed must correspond to the stated purposes of processing. The personal data processed should not be redundant in relation to the stated purposes of their processing.
When processing personal data, the accuracy of personal data, their sufficiency, as well as relevance in relation to the purposes of processing personal data must be ensured.
The storage of personal data must be carried out in a form that allows identifying the subject of personal data, no longer than required by the purposes of processing personal data, unless otherwise specified by the terms of the contract. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise determined by the terms of the contract.

3.2.5. Organization of personal data protection

Objects of protection

  • information containing personal data of subjects;
  • computer media containing personal data of subjects;
  • personal data information systems;
  • personal data of subjects contained in electronic databases of personal data information systems.
3.2.6. Measures to organize and ensure the security of personal data

To ensure the security of personal data, the Contractor must take the following measures:

  • Taking the necessary legal, organizational and technical measures, or ensuring their adoption, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data.
  • Granting the Contractor's employees access to personal data processed on behalf of the Customer after they have signed an Obligation of Non-Disclosure of Personal Data, studied the Customer's requirements for the procedure for processing and protecting personal data and the local regulations governing the procedure for organizing and ensuring the protection of personal data, and undergone training on the procedure for handling personal data.
  • Identification of threats to the security of personal data during their processing in personal data information systems.
  • Application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation.
  • Assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system.
  • Accounting for computer storage media of personal data.
  • Detection of instances of unauthorized access to personal data and taking measures.
  • Restoration of personal data modified or destroyed due to unauthorized access to it.
  • Establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system.
  • Monitoring the measures taken to ensure the security of personal data and the level of security of personal data information systems.
3.2.7. Destruction of personal data

Destruction of personal data of subjects can be carried out by the Contractor only:

  • upon additional written instructions from the Customer;
  • at the legal request of the subject of personal data, with mandatory written notification to the Customer;
  • at the request of state regulatory authorities for the protection of the rights of personal data subjects, with mandatory written notification to the Customer.
The destruction of processed personal data of subjects must be guaranteed and ensure the impossibility of restoring the content of personal data in the personal data information system or the media containing them.

3.2.8. Procedure for terminating the processing of personal data

Termination of processing of personal data is carried out:

  • in case of termination of the contractual relationship that is the basis for the processing of personal data;
  • upon additional written instructions from the Customer;
  • by written order of government regulatory authorities.
In all cases of termination of the processing of personal data, the further purpose of the databases is determined by the Customer with the preparation of a written notice of the further purpose of the personal data bases.

4. RIGHTS AND OBLIGATIONS OF THE PARTIES

4.1. The Customer undertakes:

4.1.1. If the subject of personal data withdraws consent to the processing of personal data and there are no grounds specified in paragraphs 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” allowing the processing of personal data without the consent of the subject, send a written order to the Contractor to carry out work to delete or depersonalize the subject’s personal data.

4.1.2. Upon receipt of a request from the subject of personal data to provide the information specified in Part 7 of Article 14 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, or of the subject’s demand that his personal data be clarified, blocked or destroyed in the event that the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, send a written order to the Contractor to provide the information or perform specific actions with the subject’s personal data.

4.2. The Contractor undertakes:

4.2.1. Process personal data legally, in strict accordance with the terms of this Instruction.

4.2.2. At the first written request of the Customer, transfer (return) the personal data bases processed on his behalf in the manner specified in the request.

4.2.4. At the request of the authorized body for the protection of the rights of personal data subjects, provide evidence of receipt of the consents of personal data subjects collected within the framework of this Instruction for the processing of their personal data or proof of the existence of the grounds specified in paragraphs 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of Article 11 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data,” allowing the processing of personal data without the consent of the subject.