1.1. These Regulations for personal data processing (hereinafter - the Regulations, these Regulations) were generated by LLC “MRSU-1” (also hereinafter - the Operator) and are applied in accordance with cl. 2, part 1, Art. 18.1. of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
These Regulations shall determine the Operator’s policy with regard to personal data processing.
All issues related to personal data processing, not regulated by these Regulations, shall be resolved in accordance with the applicable personal data law of the Russian Federation.
The Regulations and amendments thereto shall be approved by the Operator’s manager and introduced by the Operator’s order.
1.2. In accordance with cl. 1 of Art. 3 of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”, the personal data of clients or individuals shall mean any information relating to a client or an individual, directly or indirectly identified or be identified on the basis of such information (hereinafter – the “personal data”).
1.3. LLC “MRSU-1” shall be an operator organizing and (or) carrying out personal data processing, as well as defining the purposes and content of personal data processing.
1.4. The purpose of personal data processing shall be:
ensuring the protection of human and civil rights and freedoms by personal data processing, including protection of privacy rights, personal and family secrets;
rendering by the Operator to individuals and legal entities of services related to the Operator’s business activities, including the Operator’s contacts with such persons, including by e-mail, by phone, to the address provided by a person;
sending consultations, replies to applicants using means of communication and their contract data;
marketing of Operator’s goods, works and services by making direct contacts with a potential client by means of communication (allowed only with the prior consent of the subject of personal data).
1.5. The processing shall be organized by the Operator on the principles:
legitimacy of the purposes and methods of personal data processing, good faith and fairness in the Operator’s activities;
reliability of personal data, their sufficiency for processing, inadmissibility of personal data processing that are redundant to the purposes stated by collecting of personal data;
processing of those personal data that meet the purposes of their processing;
conformity of the content and volume of the processed personal data to the stated processing purposes. The processed personal data should not be redundant to the stated purposes of their processing;
inadmissibility of combining databases containing personal data, processing of which is carried out for the purposes not compatible with each other;
ensuring the accuracy of personal data, their sufficiency, and, if necessary, relevance to the purposes of personal data processing. The Operator shall take the necessary measures or ensure their acceptance for the removal or refinement of incomplete or inaccurate data;
storage of personal data in a form that allows you to identify the subject of personal data no longer than the purposes of their processing require that.
1.6. The processing of personal data is carried out in compliance with the principles and rules provided for by the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data” and these Regulations.
1.7. Personal data shall be processed with and without automation tools.
1.8. In accordance with the purposes and objectives to be sought, before personal data processing the Operator shall appoint a person to be in charge of organization of personal data processing.
1.9. A person in charge of organization of personal data processing shall receive instructions directly from the Operator’s executive body and shall report to the latter.
1.10. A person in charge of organization of personal data processing shall be entitled to execute and sign a notice provided for by Parts 1 and 3 of Art. 22 of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
1.11. The Operator’s employees, who directly carry out personal data processing, shall be familiarized, prior to starting work, with the provisions of personal data law of the Russian Federation, including requirements for personal data protection, documents defining the Operator’s policy, internal policies and procedures for personal data processing, and also these Regulations and amendments thereto.
1.12. By personal data processing, the Operator applies legal, organizational and technical measures to ensure personal data security in accordance with Art. 19 of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
1.13. By collecting personal data and using information and telecommunications networks, the Operator is required to publish in the relevant information and telecommunications network a document specifying its policy for personal data processing and information on the requirements implemented for personal data protection, and also to provide access to the said document using means of the relevant information and telecommunications network.
1.14. Terms of personal data processing by the Operator. Personal data processing is allowed in the following cases:
personal data processing is carried out with the consent of the subject of personal data to the processing of his personal data;
personal data processing is required to achieve the purposes stipulated by the international treaty of the Russian Federation or by law and to perform the functions, powers and duties imposed on the Operator by the laws of the Russian Federation;
personal data processing is required for the execution of a contract, a party to which, acting as a beneficiary or guarantor, is the subject of personal data, as well as if the Operator has exercised its right to assign rights (claims) under such contract, and also to conclude a contract on the initiative of the subject of personal data or a contract, according to which the subject of personal data will be a beneficiary or a guarantor;
personal data processing is required to protect the life, health or other vital interests of the subject of personal data if it is impossible to obtain the consent of the subject of personal data;
personal data processing is required to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant purposes provided that the rights and freedoms of the subject of personal data are not violated thereby;
personal data processing is carried out for statistical or other research purposes, with the exception of the purposes specified in Art. 15 of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”, pending depersonalization of personal data;
processing of personal data is carried out, when access of an unlimited circle of persons thereto is provided by the subject of personal data or at his request;
processing of personal data, that shall be subject to publication or mandatory disclosure in accordance with the Federal Law, is carried out.
1.15. The storage of personal data shall be carried out in a form that allows to identify the subject of personal data no longer than the purposes of their processing require that, and they must be destroyed upon achievement of the processing purposes or in the event there is no further need to achieve them in the manner provided for in the Regulation on Personal Data Storage by the Operator.
1.16. Personal data processed in information systems should be protected from unauthorized access and copying. The safety of personal data by processing them in information systems is provided through personal data protection system that includes organizational measures and data security tools. The hardware and software shall meet the requirements established in accordance with the laws of the Russian Federation, to ensure data protection.
1.17. They may communicate with federal executive authorities on the processing and protection of personal data of the subjects, whose personal data are processed by the Operator, as the laws of the Russian Federation permit.
2. ENSURING BY THE OPERATOR OF THE RIGHTS OF A SUBJECT OF PERSONAL DATA
2.1. Subjects of personal data or their representatives have the rights provided for by Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data” and other laws and regulations for personal data processing.
2.2. The Operator ensures the rights of subjects of personal data in the manner established by Chapters 3 and 4 of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
2.3. The Operator is obliged to provide free of charge to a subject of personal data or his representative the opportunity to get acquainted with personal data relating to such subject of personal data at the location of the Operator during the Operator’s working hours.
2.4. The right of a subject of personal data to access his personal data may be restricted in accordance with federal laws.
2.5. In case of representation of the interests of the subject of personal data by a representative, authorities of such representative are confirmed by a power of attorney executed in accordance with the established order.
2.6. Should a written consent to use of personal data be granted by the subject of personal data, it is sufficient for such consent if it is in writing.
2.7. The Operator guarantees the safety and confidentiality of the personal data used.
2.8. Personal data processing for marketing of goods, works and services, by making direct contacts with a potential client by means of communication, is allowed only with the prior consent of the subject of personal data.
3. RECEIVING, PROCESSING, STORAGE OF PERSONAL DATA
3.1. The Operator shall establish the following procedure for receiving personal data:
3.1.1. When applying for Operator’s services, the client submits the data specified in the corresponding forms.
3.1.2. The Operator does not receive or process the client’s personal data about his race, political views, religious and philosophical convictions, state of health, intimate life, unless otherwise provided by law.
3.1.3. In the cases directly related to the issues of labor relations, in accordance with Art. 24 of the Constitution of the Russian Federation, the Company shall be entitled to receive and process data on client’s private life only with his written consent.
3.1.4. If the client accepts an offer placed on the Operator’s site or concludes another contract with the Operator, the processing of the client’s personal data is carried out for the execution of the appropriate contract that came into effect after acceptance of the offer terms by the client or conclusion of another contract, respectively.
3.1.5. The Operator also has the right to process personal data of the clients who applied to the Operator of individuals only with their consent to use of personal data.
3.2. The client’s consent to personal data processing is not required in the following cases:
personal data are publicly available;
personal data processing is carried out on the basis of the federal law, establishing its purpose, conditions for receiving of personal data and circle of the subjects, whose personal data are to be processed, and also on a certain authority of the Company;
on demand of authorized state bodies - in cases provided for by federal law;
processing of personal data for the execution of the contract concluded with the Operator;
processing of personal data is carried out for statistical or other scientific purposes, pending depersonalization of personal data;
personal data processing is required for protection of life, health or other vital interests of the client, if it is impossible to obtain his consent.
3.3. The Operator ensures the safe storage of personal data, including: storage, integration, registration and use of documents containing personal data is performed in the form of a separate archive of the Operator.
3.4. The storage of personal data shall be carried out in a form that allows to identify the subject of personal data no longer than the purposes of personal data processing require that, unless the period of personal data storage is stipulated by federal law or a contract, a party to which, acting as a beneficiary or guarantor, is the subject of personal data. The processed personal data are to be destroyed or depersonalized upon achievement of the processing purposes or in the event there is no further need to achieve such purposes, unless otherwise provided by federal law.
4. PERSONAL DATA TRANSFER
4.1. Personal data are transmitted subject to the following requirements:
it is forbidden to disclose personal data to a third party without the written consent of the client, except when it is required to prevent a threat to client’s life and health, and in other cases provided for by laws;
not to disclose personal data for commercial purposes without the written consent of the subject of such data;
to warn persons receiving personal data that these data can only be used for the purposes for which they are communicated and to require from these persons to confirm that this rule is observed;
to allow access to personal data only to so authorized persons, and the said persons shall also have the right to receive those personal data that are necessary for performing specific functions;
not to request data about health state of the client, except for those details that relate to the issue of the client’s ability to fulfill his obligations under the contract with the Operator;
to transfer client’s personal data to his representatives in the manner established by the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
5. ACCESS TO PERSONAL DATA
5.1. The right of access to personal data is given to:
Operator’s manager;
Operator’s employees working with the clients;
employees of accountant’s department;
employees who provide technical support for the Operator’s activities.
5.2. For personal data protection the clients have the following rights:
to full information about their personal data and processing of such data;
free and chargeless access to their personal data, including the right to receive copies of any record containing personal data, except as provided for by federal law;
to determine their representatives to protect their personal data;
to require to exclude or correct incorrect or incomplete personal data, as well as data processed in violation of the requirements of the Federal Law dated 27/07/2006 No. 152-FZ “On Personal Data”.
5.3. It is allowed to copy and take excerpts of personal data only for business purposes with the manager’s permission.
6. RESPONSIBILITY FOR PERSONAL DATA PROCESSING LAW VIOLATION
6.1. Persons being guilty of violation of rules of personal data handling, shall incur disciplinary, administrative, civil or criminal responsibility in accordance with federal laws.
6.2. Managers of the Operator’s structural units shall incur personal responsibility for fulfillment of duties by their subordinate employees.