The policy of processing personal data

The policy of processing personal data in «Ameria Russ» LLC

  1. GENERAL PROVISIONS

1.1 The policy of processing personal data in «Ameria Russ LLC» (hereinafter referred to as the Policy) defines the main principles, purposes, conditions and methods for processing personal data, lists of subjects and the composition of personal data processed by «Ameria Russ» (the Company), actions and operations performed with personal data, the rights of subjects of personal data, and also contains information about the requirements for protecting personal data implemented in the Company.
1.2. The policy was adopted with the aim of protecting human and civil rights and freedoms while processing personal data, including protection of privacy rights, personal and family secrets.
1.3. Local regulations and other documents regulating the processing of personal data in the Company, including when processing them in information systems containing personal data, are developed in the Company subject to the provisions of the Policy.
1.4. The following basic terms are used in the Policy:

  • personal data – any information related directly or indirectly to a certain or determined individual (subject of personal data);
  • operator of personal data (operator) – a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) processing personal data, defining personal data processing purposes, the composition of personal data to be processed, actions (operations) performed with personal data;
  • processing of personal data – any action (operation) or a set of actions (operations) with personal data, performed with the use of automation or without using them. Personal data processing includes, but is not limited to: collection, recording, systematization, accumulation, storage, updating (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;
  • automated processing of personal data – processing of personal data by means of computer facilities;
  • distribution of personal data – actions aimed at disclosing personal data to an undefined circle of persons;
  • provision of personal data – actions aimed at disclosing personal data to a specific person or a certain number of persons;
  • blocking of personal data – temporary termination of processing of personal data (except for cases when processing is necessary for clarification of personal data);
  • destruction of personal data – actions resulting in the impossibility to restore the contents of personal data in the personal data information system and (or) as a result of which material data carriers of personal data are destroyed;
  • depersonalization of personal data – actions resulting in the impossibility of using additional information to determine the ownership of personal data to a specific subject of personal data;
  • personal data information system – a set of personal data contained in databases and providing them with information technology and technical tools;
  • cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity.

1.5. The main duties of the Company are:

1.5.1. Officials of the Company whose duties include processing requests and appeals of personal data subjects are obliged to provide each subject the opportunity to get acquainted with documents and materials containing their personal data, unless otherwise provided by law.

1.5.2. The Company undertakes not to take decisions based solely on automated processing, which generate legal consequences with respect to the subjects of personal data or otherwise affect their rights and legitimate interests.
1.6. Rights and obligations of subjects of personal data
In order to protect their personal data stored in the Company, a person of personal data has the right:

  • receive free access to their personal data, including the right to receive copies of any record containing personal data;
  • obtain information regarding the processing of his personal data
  • require exclusion or correction of incorrect or incomplete personal data;
  • supplement personal data of an evaluation character with a statement expressing his own point of view;
  • determine their representatives to protect their personal data;
  • demanding the preservation and protection of their personal and family secrets;
  • аppeal in court any illegal actions or inaction of the Company when processing and protecting its personal data.

Employees of the Company are obliged:

  • in cases provided for by law or by agreement, transfer to the Company reliable documents containing personal data;
  • not to provide incorrect personal data, and in case of changes in personal data, the detection of errors or inaccuracies in them (name, place of residence, etc.), immediately inform the Company about it.
  1. PURPOSE OF PERSONAL DATA COLLECTION

2.1. Personal data is processed in the Company in order to:

  • ensuring compliance with the Constitution of the Russian Federation, laws and other regulatory legal acts of the Russian Federation;
  • regulation of labor relations with the Company’s employees;
  • preparation, conclusion, execution and termination of contracts with counterparties;
  • еxecution of judicial acts, acts of other bodies or officials subject to enforcement in accordance with the law of the Russian Federation on enforcement proceedings;
  • еxercising the rights and legitimate interests of the Company in the framework of carrying out activities specified in the Charter and other local regulatory acts of the Company;
  • for other legitimate purposes.

2.2. The Company performs processing of personal data of employees of the Company and other subjects of personal data that do not consist with the Company in labor relations, in accordance with the following principles:

  • processing of personal data is carried out on a legal and fair basis;
  • processing of personal data is limited to the achievement of specific, pre-defined and legitimate purposes. It is not allowed to process personal data incompatible with the purpose of collecting personal data;
  • It is not allowed to combine databases containing personal data, processing of which is carried out for purposes incompatible with each other;
  • only personal data that is suitable for processing purposes is subject to processing;
  • the content and volume of processed personal data is consistent with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing;
  • during processing personal data provided the accuracy of personal data, their sufficiency, and, if necessary, the relevance to the purposes of processing personal data. The Company takes the necessary measures or ensures their acceptance to remove or update incomplete or inaccurate personal data;
  • the storage of personal data is carried out in a form that allows the subject of personal data to be determined no longer than the purpose of personal data processing requires, if the period of personal data storage is not established by a federal law, a contract to which the subject of personal data is a part of whose beneficiary or guarantor is the subject of personal data;
  • processed personal data is destroyed or depersonalized upon achievement of processing objectives or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
  1. LEGAL BASIS FOR PERSONAL DATA PROCESSING

3.1. The policy of processing personal data in the Company is determined in accordance with the following regulatory legal acts:

  • The Labor Code of the Russian Federation;
  • Decree of the President of the Russian Federation of March 6, 1997, No. 188 “On Approving the List of Confidential Information”;
  • Decree of the Government of the Russian Federation of September 15, 2008, No. 687 “On approval of the Regulations on the Specifics of Processing Personal Data Performed Without the Use of Automation Means”;
  • Resolution of the Government of the Russian Federation of July 6, 2008, No. 512 “On approval of requirements for material carriers of biometric personal data and technologies for storing such data outside of personal data information systems”;
  • Decree of the Government of the Russian Federation of 1 November 2012 No. 1119 “On approval of the requirements for the protection of personal data when processing them in personal data information systems”;
  • Order of Roskomnadzor from September 5, 2013 No. 996 “On approval of requirements and methods for the depersonalization of personal data”;
  • other regulatory legal acts of the Russian Federation and regulatory documents of authorized state authorities.

3.2. In order to implement the provisions of the Policy, the Company develops appropriate local regulations and other documents, including:

  • Regulations on the work with personal data of the Company’s employees;
  • other local regulations and documents regulating the processing of personal data in the Company.
  1. VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORY OF PERSONAL DATA SUBJECTS
    4.1. The volume of personal data processed by the Company is determined in accordance with the laws of the Russian Federation and local regulatory acts of the Company, taking into account the purposes of processing personal data specified in section 2 of the Policy.
    4.2. Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is allowed in cases where:
  • the subject of personal data has agreed in writing to process his personal data;
  • personal data is made publicly available by the person of personal data;
  • processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions for state pensions, on labor pensions;
  • processing of personal data is necessary to protect the life, health or other vital interests of the person’s personal data or the life, health or other vital interests of others and obtaining the consent of the person’s personal data is impossible;
  • processing of personal data is carried out for medical and preventive purposes, with a view to establishing a medical diagnosis, providing medical and medico-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and required to maintain medical secrecy in accordance with the legislation of the Russian Federation;
  • processing of personal data is necessary to establish or implement the rights of the person’s personal data or third parties, as well as in connection with the implementation of justice;
  • processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, with insurance legislation.

4.3. Processing of special categories of personal data, carried out in the cases provided for by Clause 4 of Article 10 of the Federal Law-152, must be immediately terminated if the reasons for their processing have been eliminated, unless otherwise provided by federal law.
4.4. The processing of personal data on the criminal record can be carried out by the Operator only in cases and in the manner determined in accordance with federal laws.
4.5. Biometric personal data.
Information that characterizes the physiological and biological characteristics of a person on the basis of which it is possible to establish his identity – biometric personal data – can be processed in the Company only with the consent of the subject of personal data in writing.
4.3. The Company processes the personal data of the following categories of persons:

  • candidates, employees, relatives of workers, persons who previously had labor relations with the Company;
  • individuals under civil-law contracts, authors of the results of intellectual activity;
  • counterparties – individuals, representatives and employees of counterparties (legal entities).

4.3.1. The volume of processed personal data of the Company’s employees.

When applying for employment in the Company, the employee of the personnel management department processes the following personal and biographical data of the employee.

  • general information (full name of the worker, date of birth, place of birth, citizenship, education, occupation, work experience, marital status, family composition, passport data, registration address, residential address);
  • information on military registration;
  • other data required for employment in accordance with the requirements of labor and migration legislation.

In the future, in the personal card of the employee in the form of T-2, they write an information:

  • about transfers to another job;
  • attestation, advanced training, professional retraining;
  • awards (promotions), honorary titles;
  • social benefits for which the employee is entitled in accordance with the law.

The purposes of processing personal data of the Company’s employees:

  • maintenance of personnel records;
  • track of work time time of employees;
  • calculation of employees’ wages;
  • conducting tax accounting;
  • conducting military records;
  • submission of regulated reporting to state bodies;
  • compulsory and voluntary medical insurance of employees;
  • booking and paying for tickets and hotel rooms for employees;
  • archiving of data;
  • assistance to the employee in employment, training, promotion, use of various benefits.

The receipt and processing of personal data of an employee of the Company must be carried out exclusively for the specified purposes.

The personal data obtained to achieve the above goals are reflected in the employee’s personal file in accordance with the requirements of the labor legislation and internal regulatory documents of the Company regulating personnel records and records.
4.3.2. Personal data of individuals under contracts of a civil law nature, authors of the results of intellectual activity; counterparties – individuals and representatives and employees of counterparties (legal entities).
The composition and volume of personal data of the persons mentioned is determined in accordance with the internal regulatory documents of the Company governing the activities for the implementation of statutory goals, the implementation of transactions in accordance with the legislation of the Russian Federation, on the basis of approved forms of documents (contracts/questionnaires and applications).
The objectives of processing personal data of these persons: – implementation of the Company’s statutory goals and the implementation of transactions in accordance with the legislation of the Russian Federation.
5. PROCEDURE AND TERMS OF PERSONAL DATA PROCESSING
5.1. To prevent unauthorized access to personal data, the following organizational and technical measures are applied in the Company:

  • legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
  • appointment of officials responsible for organizing the processing and protection of personal data;
  • familiarize employees of the Company who directly handle processing and protection of personal data with the provisions of the legislation of the Russian Federation and local regulations of the Company in the field of personal data, including requirements for the protection of personal data, and training of these employees;
  • restriction of the composition of persons admitted to the processing of personal data;
  • familiarization of subjects with the requirements of the federal legislation and regulatory documents of the Company for the processing and protection of personal data;
  • organization of accounting, storage and circulation of media containing information with personal data;
  • identification of threats to the security of personal data during processing, generation of threat models based on them;
  • development of a personal data protection system based on the threat model;
  • use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such means is necessary to neutralize current threats;
  • checking the readiness and effectiveness of using information protection tools;
  • delineation of users’ access to information resources and software and hardware information processing;
  • registration and recording of actions of users of information systems of personal data;
  • use of anti-virus tools and means of restoring the protection of personal data;
  • application of firewall, intrusion detection, security analysis and cryptographic protection of information, if necessary;
  • organization of a pass-through regime to the territory of the Company, security of premises with technical means for processing personal data.
  • the publication of local-normative acts defining the policy and issues of processing and protecting personal data in the Company.

Society in the processing of personal data:

  • publishes or otherwise provides unrestricted access to this Policy;
  • informs the personal data subjects or their representatives about the availability of personal data related to the relevant subjects in accordance with the established procedure, provides an opportunity to get acquainted with these personal data when applying for and (or) receiving requests from the said subjects of personal data or their representatives, unless otherwise established by law Russian Federation;
  • terminates processing and destroys personal data in cases stipulated by the legislation of the Russian Federation in the field of personal data;
  • commits other acts provided for by the legislation of the Russian Federation in the field of personal data.

5.2. Processing of personal data in the Company is carried out with the consent of the subject of personal data to process his personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.
5.3. The Company collects, records, systemizes, accumulates, stores, updates (updates, changes), extracts, uses, transfers (distributes, provides, accesses), impersonates, blocks, deletes and destroys personal data.
5.4. Processing of personal data in the Company is carried out in the following ways:

  • without the use of computer facilities (manual processing of personal data);
  • automated processing of personal data with the transfer of information received through information and telecommunications networks or without it.

  1. ACTUALIZATION, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, ANSWERS TO THE REQUESTS OF SUBJECTS TO ACCESS PERSONAL DATA

6.1. In the event that the subject provides personal data about incomplete, obsolete, unreliable or illegally obtained personal data, the Company must make the necessary changes, destroy or block them, and notify the subject of personal data about their actions.
6.2. In the case of confirmation of the fact of inaccuracy of personal data, personal data are subject to their updating by the operator, or the processing of such data should be terminated if it is illegitimate.
6.3. When personal data processing purposes are reached, as well as in case of expiration of the consent to process personal data or the subject of personal data withdraws consent to their processing, personal data shall be destroyed if:

  • оther is not provided by the contract, the party to which the beneficiary or guarantor is the subject of personal data;
  • the operator is not entitled to process personal data without the consent of the subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws;
  • other is not stipulated by other agreement between the operator and the subject of personal data.

6.4. The operator is obliged to inform the subject of personal data or his representative about the processing of personal data of such a subject carried out by him at the request of the latter.