PERSONAL DATA PROTECTION

Document «Data protection and processing policy»
__________________________________

APPROVING

President of the Aid Fund
for compatriots who appeared
to be found in social humanitarian problems
«HUMANITARIAN WORLD»

A.F. Golodniy
1st September, 2019
__________________________________

 

DATA PROTECTION AND PROCESSING POLICY
of the Aid Fund for compatriots who appeared
to be found in social humanitarian problems
«HUMANITARIAN WORLD»

Moscow
2019

 

1. GENERAL PROVISIONS

1.1. The present Data Protection and Processing Policy (hereinafter – Policy) is drawn up in conformity with Clause 2 of Art. 18.1 of the Federal Law of 27.07.2006 № 152-ФЗ «On Personal Data» (hereinafter – Law on Personal Data) and other legal and regulatory instruments concerning data protection and processing, and applies to all personal data (hereinafter – Data) that the Aid Fund for compatriots who appeared to be found in social humanitarian problems «HUMANITARIAN WORLD» (hereinafter – the Operator, the Fund) may receive from a personal data subject who is a party to a civil contract, as well as from a personal data subject in a legal relationship with the Operator governed by labor legislation (hereinafter – Employee).

1.2. The Operator ensures protection of personal data being processed from unauthorized access and disclosure, misuse (improper use) or loss in compliance with the Law on Personal Data requirements.

1.3. Policy modification and amendments

1.3.1. The Operator has the right to modify and make amendments to the present Policy. When the Policy is amended, the date of the last update is indicated in the Policy headline. Unless otherwise stipulated, the new version of the Policy enters into force on the date it is posted on the website.


2. TERMINOLOGY AND ABBREVIATIONS

Personal data – any information relating directly or indirectly to an identified or identifiable natural person (personal data subject).

Personal data operator (operator) – a public authority, municipal body, legal entity or natural person that, alone or jointly with other persons, organizes and (or) performs personal data processing, and also determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.

Personal data processing – any action (operation) or a combination of actions (operations) with personal data, performed with or without use of automation techniques.

Personal data processing includes, inter alia, the following:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • specification (updating, modification);
  • extraction;
  • usage;
  • transfer (dissemination (disclosure), provision, allowing access);
  • sanitization;
  • blockage;
  • deletion;
  • erasure (destruction).

Automated personal data processing – personal data processing with the use of computer technologies.

Personal data dissemination (disclosure) – actions aimed at personal data disclosure to one or more specific persons.

Personal data provision – actions aimed at personal data disclosure to a specific person or to a specific group of persons.

Personal data blockage – temporary suspension of personal data processing (except when processing is required for personal data clarification).

Personal data erasure (destruction) – actions that make it impossible to restore the personal data in the database system and (or) that result in destruction of the material carrier of the personal data.

Personal data sanitization – actions that make it impossible, without additional information, to determine which personal data subject the personal data belongs to.

Database – a set of stored personal data together with the information technologies and technical tools used for its processing.

Cross-border transfer of personal data – transfer of personal data to a foreign State, state authority of a foreign State, foreign natural person or legal entity.


3. PROCEDURE AND TERMS OF PERSONAL DATA STORAGE AND PROCESSING

3.1. Personal data processing shall be performed by the Operator in compliance with the requirements imposed by the Russian Federation legislation.

3.2. Personal data processing shall be performed with the respective consent given by the personal data subject, as well as without such a consent when stipulated by the Russian Federation legislation.

3.3. The Operator is entitled to perform both automated and non-automated personal data processing.

3.4. The Operator’s employees are allowed to perform personal data processing provided that it is included in their job duties.

3.5. Personal data processing shall be performed by means of:

  • acquiring personal data orally or in writing directly from the personal data subject, with his or her consent to the processing of his or her personal data;
  • acquiring personal data from public sources;
  • entering data into the Operator’s journals, registers and information systems;
  • using other means of personal data processing.

3.6. Unless otherwise stipulated by the federal law, personal data dissemination and disclosure to third parties without personal data subject consent is not admissible.

3.7. Personal data shall be transferred to investigative authorities, Federal Tax Service, Pension Fund, Fund of Social Insurance and other authorized executive bodies and organizations in compliance with the Russian Federation legislation requirements.

3.8. The Operator shall undertake the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, erasure, modification, blockage, disclosure (dissemination) and other unauthorized actions, including but not limited to:

  • identifying threats to the security of personal data during its processing;
  • enacting by-laws and other acts regulating personal data protection and processing;
  • appointing persons responsible for the personal data protection in the Operator’s structural units and information systems;
  • creating necessary conditions for the work with personal data;
  • organizing accounting of documents containing personal data;
  • organizing work with databases where the personal data is stored;
  • keeping personal data in a secure condition that excludes possibility of unauthorized access;
  • providing training for the Operator’s employees responsible for personal data processing.

3.9. Where the personal data storage period is not established by federal law or an agreement, the Operator shall store personal data in a form that allows the personal data subject to be identified for no longer than is necessary for the purposes of the processing.

3.10. When collecting personal data, including via the information and communication network “the Internet”, the Operator shall ensure that the recording, systematization, accumulation, storage, specification (updating, modification) and retrieval of the personal data of Russian Federation citizens are carried out using databases located on the territory of the Russian Federation, except in the cases stipulated in the Law on Personal Data.

3.11. Purposes of personal data processing:

3.11.1. Processing shall only concern personal data subject to the processing purposes.

3.11.2. The Operator shall perform personal data processing for the following purposes:

  • enforcement of the Constitution, federal laws and other legal and regulatory acts of the Russian Federation;
  • exercising its professional activity in conformity with the articles of LLC «Alfa»;
  • personnel management;
  • assisting staff members with employment, education and career development, ensuring their personal safety, monitoring the quantity and quality of the work performed, and ensuring the safety of property;
  • recruitment for the Operator;
  • registration of the employees in the mandatory pension insurance system;
  • filling in the required reporting forms and handing them over to the executive bodies and other authorized entities;
  • participating in civil legal relations;
  • accounting;
  • exercising access control (permit regime).

3.11.3. The employees’ personal data shall be processed exclusively for the purpose of compliance with laws and other legal and regulatory acts.

3.12. Categories of personal data subjects.

Processing concerns personal data of the following PD subjects:

  • natural persons in labor relations with the Fund;
  • natural persons who have left employment with the Fund;
  • natural persons who are job applicants;
  • natural persons in civil legal relations with the Fund.

3.13. Personal data subject to processing by the Operator:

  • data acquired when participating in labor relations;
  • data acquired in the recruitment process;
  • data acquired when participating in civil legal relations.

3.14. Personal data storage.

3.14.1. Personal data of the subjects can be acquired, further processed and transmitted for storage both in hard copies and in electronic format (electronic personal data).

3.14.2. Hardcopy personal data shall be stored in lockers or locked rooms with restricted access.

3.14.3. Personal data processed for various purposes with the use of automation techniques shall be stored in the respective folders.

3.14.4. Storing and placing documents containing personal data in open electronic catalogues (file-sharing sites) are not permitted.

3.14.5. Personal data shall be stored in a form that allows the personal data subject to be identified for no longer than is necessary for the purposes of the processing. Once the processing purposes are achieved or cease to exist, the personal data in question shall be subject to erasure.

3.15. Personal data erasure.

3.15.1. Documents (material carriers) containing personal data are subject to destruction by fragmentation (shredding), chemical decomposition, or conversion into an amorphous mass or powder. Hardcopy carriers may be destroyed using a shredder.

3.15.2. Electronic personal data is subject to destruction by erasing the data or formatting the electronic medium.

3.15.3. Personal data erasure (destruction) is documented by the act of the data carriers destruction (erasure).


4. PERSONAL DATA PROTECTION

4.1. In compliance with the regulatory acts, the Operator has created a personal data protection system (PDPS), comprising sub-systems of legal, organizational and technical protection.

4.2. The legal protection sub-system is the set of legal, institutional and regulatory documents governing PDPS creation, functioning and modification.

4.3. The organizational protection sub-system comprises the organization of the PDPS command structure, the authorization system, and information security measures for dealing with employees, partners and third parties.

4.4. The technical protection sub-system comprises the set of hardware and software used for personal data protection.

4.5. The Operator shall take the following key measures for the personal data protection:

4.5.1. Appointing a person responsible for personal data processing, organizing training for the employees, and exercising internal control over compliance with the PD protection requirements by the company and its employees.

4.5.2. Identifying current threats to the security of personal data during its processing and developing new measures and activities for PD protection.

4.5.3. Drafting personal data processing policy.

4.5.4. Establishing rules of access to the personal data being processed in the database, as well as registering and recording all actions performed with the personal data stored in the database.

4.5.5. Assigning the employees’ individual access codes to the information system according to their professional duties.

4.5.6. Applying data protection means after the respective conformity assessment procedure.

4.5.7. Using certified anti-virus software with regularly updated databases.

4.5.8. Compliance with the conditions ensuring personal data safety and excluding the possibility of unauthorized access to it.

4.5.9. Detection of unauthorized access to personal data and taking the respective measures.

4.5.10. Restoring personal data that has been modified or erased due to unauthorized access.

4.5.11. Providing training to the Operator’s employees directly involved in the personal data processing so the processing is carried out in conformity with the Russian Federation legislation on personal data, including the requirements for personal data protection, by-laws and other documents specifying the Operator’s policy regarding personal data processing.

4.5.12. Exercising internal control and auditing.


5. BASIC RIGHTS OF PERSONAL DATA SUBJECT AND RESPONSIBILITIES OF THE OPERATOR

5.1. Basic rights of PD subjects.

The personal data subject is entitled to access his or her personal data and the following information:

  • confirmation of the personal data processing by the Operator;
  • legal ground and purposes of the personal data processing;
  • purposes and means of personal data processing used by the Operator;
  • official name and location of the Operator, information on persons (excluding the Operator’s employees) having access to the personal data or to whom it may be disclosed under the contract with the Operator or under the federal law;
  • personal data processing time, including its storage time;
  • the procedure for the PD subject to exercise the rights stipulated herein;
  • official name or full name, and address, of the person processing personal data on the Operator’s instructions, if any;
  • sending appeals and requests to the Operator;
  • filing complaints regarding actions or omissions of the Operator.

5.2. The Operator’s responsibilities.

The Operator shall:

  • when collecting personal data, provide information on its processing;
  • when personal data was acquired by means other than directly from the subject himself or herself, notify the subject;
  • in case of the subject’s refusal to provide personal data, explain the consequences of such a refusal;
  • provide unrestricted access, by publishing or other means, to the document defining the Operator’s policy on personal data processing and to information on the implemented personal data protection requirements;
  • take the necessary legal, organizational and technical measures, or ensure that they are taken, to protect personal data from unauthorized or accidental access, erasure (destruction), modification, blockage, copying, unauthorized provision, dissemination (disclosure) and other unlawful actions;
  • respond to appeals and requests sent by PD subjects, their representatives and the authorized body for the protection of PD subjects’ rights.