Personal data processing policy for the site - sample generator

1.1. The policy of personal data processing at PJSC Gazprom (hereinafter referred to as the Policy) defines the basic principles, goals, conditions and methods of processing personal data, the lists of subjects and personal data processed at PJSC Gazprom, the functions of PJSC Gazprom in processing personal data, the rights of personal data subjects, as well as the requirements for personal data protection implemented in PJSC Gazprom.

1.2. The policy was developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data.

1.3. The provisions of the Policy provide the basis for the development of local regulations governing the processing of personal data of PJSC Gazprom employees and other personal data subjects in PJSC Gazprom.

1.4. The policy is the basis for the development by PJSC Gazprom subsidiaries and organizations of local regulations that determine the policy for processing the personal data of these organizations.

2. Legislative and other regulatory legal acts of the Russian Federation, according to which the Policy of personal data processing in PJSC Gazprom is determined

2.1. The policy of personal data processing at PJSC Gazprom is determined in accordance with the following regulatory legal acts:

  • Labor Code of the Russian Federation
  • Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”,
  • Decree of the President of the Russian Federation of March 6, 1997 No. 188 “On Approval of the List of Confidential Information”,
  • Resolution of the Government of the Russian Federation of September 15, 2008 No. 687 “On Approval of the Regulation on Peculiarities of Processing Personal Data Performed Without the Use of Automation Tools”,
  • Resolution of the Government of the Russian Federation dated July 6, 2008 No. 512 “On approval of requirements for tangible carriers of biometric personal data and technologies for storing such data outside personal data information systems”,
  • Resolution of the Government of the Russian Federation of November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data when processing them in personal data information systems”,
  • Order of the FSTEC of Russia No. 55, the Federal Security Service of Russia No. 86, the Ministry of Information Technologies and Communications of the Russian Federation No. 20 of February 13, 2008 “On Approval of the Procedure for Classifying Personal Data Information Systems”,
  • Order of the FSTEC of Russia of February 18, 2013 No. 21 “On Approval of the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data During Processing in Personal Data Information Systems”
  • Roskomnadzor Order No. 996 of September 5, 2013 “On Approving Requirements and Methods for Depersonalizing Personal Data”,
  • other regulatory legal acts of the Russian Federation and regulatory documents of the authorized government bodies.

2.2. In order to implement the provisions of the Policy, PJSC Gazprom develops relevant local regulatory acts and other documents, including:

  • Regulation on the processing of personal data in PJSC Gazprom,
  • provision for ensuring the security of personal data when it is processed in the personal data information systems of PJSC Gazprom, its subsidiaries and organizations,
  • the list of positions of structural subdivisions of the Administration of PJSC Gazprom, its branches and representative offices, the holders of which process personal data,
  • regulations for the processing of personal data of the structural units of the administration of PJSC Gazprom, its branches and representative offices,
  • other local regulations and documents regulating personal data processing in PJSC Gazprom.

3. The main terms and definitions used in the local regulatory acts of PJSC Gazprom regulating personal data processing issues

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

Information - information (messages, data) regardless of the form of their presentation.

Operator - a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

Personal data processing - any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated processing of personal data - processing of personal data using computer technology.

Provision of personal data - actions aimed at disclosing personal data to a specific person or a particular circle of persons.

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.

Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.

Blocking of personal data - a temporary cessation of the processing of personal data (unless it is necessary to process personal data).

Destruction of personal data - an action that makes it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

Anonymization of personal data - an action as a result of which it becomes impossible, without the use of additional information, to attribute personal data to a specific subject of personal data.

Personal Data Information System - a set of personal data contained in databases and information technologies and technical means ensuring their processing.

4. Principles and objectives for the processing of personal data

4.1. PJSC Gazprom, being an operator of personal data, processes personal data of employees of PJSC Gazprom and other personal data subjects who are not in labor relations with PJSC Gazprom.

4.2. The processing of personal data in PJSC Gazprom is carried out taking into account the need to protect the rights and freedoms of employees of PJSC Gazprom and other personal data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles:

  • personal data processing is carried out at PJSC Gazprom on a legal and fair basis,
  • the processing of personal data is limited to the achievement of specific, predetermined and legitimate goals,
  • processing of personal data that is incompatible with the purposes of collecting personal data is not allowed,
  • it is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other,
  • only personal data are processed that meets the purposes of their processing,
  • the content and volume of personal data processed is consistent with the stated processing objectives. The redundancy of the processed personal data is not allowed in relation to the stated purposes of their processing,
  • the processing of personal data ensures the accuracy of personal data, their sufficiency, and, if necessary, their relevance to the purposes of processing personal data. PJSC Gazprom takes necessary measures or ensures their adoption to remove or clarify incomplete or inaccurate personal data,
  • personal data is stored in a form that allows determining the subject of personal data no longer than the purpose of processing personal data requires, unless the period for storing personal data is established by federal law or by an agreement under which the personal data subject is the beneficiary or guarantor,
  • the personal data processed is destroyed or depersonalized upon the achievement of processing objectives or in the case of the loss of the need to achieve these objectives, unless otherwise provided by federal law.

4.3. Personal data is processed at PJSC Gazprom for the following purposes:

  • ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, local regulatory acts of PJSC Gazprom,
  • implementation of the functions, powers and responsibilities assigned by the legislation of the Russian Federation to PJSC Gazprom, including the provision of personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, and also to other government agencies,
  • regulation of labor relations with employees of PJSC Gazprom (employment assistance, training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property),
  • providing employees of PJSC Gazprom and their family members with additional guarantees and compensations, including non-state pension benefits, voluntary medical insurance, medical care and other types of social security,
  • protection of life, health or other vital interests of personal data subjects,
  • preparation, conclusion, execution and termination of contracts with counterparties,
  • providing access and internal control regimes at the facilities of PJSC Gazprom,
  • formation of reference materials for internal information support of the activities of PJSC Gazprom, its branches and representative offices, as well as subsidiaries and organizations of PJSC Gazprom,
  • execution of judicial acts, acts of other bodies or officials to be executed in accordance with the legislation of the Russian Federation on enforcement proceedings,
  • exercise of the rights and legitimate interests of PJSC Gazprom or third parties within the activities stipulated by the Charter and other local regulatory acts of PJSC Gazprom, or the achievement of socially significant goals,
  • for other legitimate purposes.

5. The list of entities whose personal data are processed by PJSC Gazprom

5.1. PJSC Gazprom processes personal data of the following categories of subjects:

  • employees of the structural divisions of the administration of PJSC Gazprom, its branches and representative offices,
  • employees of subsidiaries and organizations of PJSC Gazprom,
  • other subjects of personal data (to ensure the implementation of the processing objectives specified in section 4 of the Policy).

6. List of personal data processed by PJSC Gazprom

6.1. The list of personal data processed by PJSC Gazprom is determined in accordance with the legislation of the Russian Federation and local regulatory acts of PJSC Gazprom, taking into account the purposes of processing personal data specified in Section 4 of the Policy.

6.2. The processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, intimate life, is not carried out at PJSC Gazprom.

7. Functions of PJSC Gazprom in processing personal data

7.1. PJSC Gazprom when processing personal data:

  • takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation and local regulations of PJSC Gazprom in the field of personal data,
  • takes legal, organizational and technical measures to protect personal data from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data,
  • appoints the person responsible for organizing the processing of personal data in PJSC Gazprom,
  • publishes local regulations defining policies and issues of processing and protection of personal data in PJSC Gazprom,
  • provides employees of PJSC Gazprom, its branches and representative offices that directly process personal data with the provisions of Russian law and local regulations of PJSC Gazprom in the field of personal data, including personal data protection requirements, and trains these employees,
  • publishes or otherwise provides unrestricted access to this Policy;
  • informs the subjects of personal data or their representatives, in the prescribed manner, about the availability of personal data related to the respective subjects, and provides an opportunity to get acquainted with this personal data when these personal data subjects or their representatives apply and (or) submit requests, unless otherwise provided by the legislation of the Russian Federation,
  • stops processing and destroys personal data in cases provided for by the legislation of the Russian Federation in the field of personal data,
  • performs other actions stipulated by the legislation of the Russian Federation in the field of personal data.

8. Conditions for processing personal data in PJSC Gazprom

8.1. The processing of personal data in PJSC Gazprom is carried out with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.

8.2. PJSC Gazprom, without the consent of the subject of personal data, does not disclose it to third parties and does not distribute personal data, unless otherwise provided by federal law.

8.3. PJSC Gazprom has the right to entrust the processing of personal data to another person with the consent of the subject of personal data on the basis of an agreement with this person. The contract should contain a list of actions (operations) with personal data that will be performed by the person performing the processing of personal data, processing purposes, the obligation of such a person to maintain the confidentiality of personal data and ensure the safety of personal data during their processing, as well as the requirements for the protection of personal data being processed in accordance with Article 19 of the Federal Law “On Personal Data”.

8.4. For the purpose of internal information support, PJSC Gazprom may create internal reference materials which, with the written consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation, may include his last name, first name, patronymic name, place of work, position, year and place of birth, address, subscriber number, e-mail address, and other personal data reported by the subject of personal data.

8.5. Access to personal data processed at PJSC Gazprom is allowed only to employees of PJSC Gazprom who occupy positions included in the list of positions of structural subdivisions of the PJSC Gazprom administration, its branches and representative offices, the holders of which process personal data.

9. The list of actions with personal data and methods for their processing

9.1. PJSC Gazprom carries out the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.

9.2. The processing of personal data at PJSC Gazprom is carried out in the following ways:

  • manual processing of personal data
  • automated processing of personal data with or without transferring the information received through information and telecommunication networks,
  • mixed processing of personal data.

10. Rights of personal data subjects

10.1. The personal data subjects are entitled to:

  • full information about their personal data processed by PJSC Gazprom,
  • access to their personal data, including the right to receive a copy of any record containing their personal data, except as provided by federal law, as well as access to relevant medical data with the help of a medical specialist of their choice,
  • clarification of their personal data, their blocking or destruction in case personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing,
  • withdrawal of consent to the processing of personal data,
  • the adoption of measures provided by law for the protection of their rights,
  • appeal against the actions or omissions of PJSC Gazprom, carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data, to an authorized body for the protection of the rights of personal data subjects or to court,
  • the exercise of other rights provided for by the legislation of the Russian Federation.

11. Measures taken by PJSC Gazprom to ensure the performance of operator duties in the processing of personal data

11.1. The measures necessary and sufficient to ensure that PJSC Gazprom fulfills the operator’s obligations as provided for by the legislation of the Russian Federation in the field of personal data include:

  • appointment of the person responsible for organizing the processing of personal data in PJSC Gazprom,
  • adoption of local regulations and other documents in the field of processing and protection of personal data,
  • organizing training and conducting methodological work with employees of the structural divisions of the PJSC Gazprom administration, its branches and representative offices who occupy positions included in the list of positions of the structural subdivisions of the PJSC Gazprom administration, its branches and representative offices, the holders of which process personal data,
  • obtaining the consent of the subjects of personal data to the processing of their personal data, with the exception of cases provided for by the legislation of the Russian Federation,
  • separation of personal data processed without the use of automation, from other information, in particular by recording them on separate material media of personal data, in special sections,
  • provision of separate storage of personal data and their material carriers, which are processed for different purposes and which contain different categories of personal data,
  • imposing a ban on the transfer of personal data through open communication channels, computer networks outside the controlled area, the PWN Gazprom PWRD and the Internet without taking measures to ensure the security of personal data established by PJSC Gazprom (except for publicly available and / or impersonal personal data)
  • storage of material carriers of personal data in compliance with the conditions ensuring the safety of personal data and excluding unauthorized access to them,
  • implementation of internal control over the compliance of personal data processing with the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, the requirements for personal data protection, this Policy, local regulatory acts of PJSC Gazprom,
  • other measures stipulated by the legislation of the Russian Federation in the field of personal data.

11.2. Measures to ensure the security of personal data when they are processed in personal data information systems are established in accordance with the local regulations of PJSC Gazprom, which regulate the security of personal data when they are processed in the personal data systems of PJSC Gazprom.

12. Control over compliance with the laws of the Russian Federation and local regulations of PJSC Gazprom in the field of personal data, including requirements for the protection of personal data

12.1. Monitoring of compliance by the structural subdivisions of the Administration of PJSC Gazprom, its branches and representative offices with the legislation of the Russian Federation and local regulatory acts of PJSC Gazprom in the field of personal data, including requirements for the protection of personal data, is carried out in order to verify that personal data processing in the structural divisions of the administration of PJSC Gazprom, its branches and representative offices complies with the legislation of the Russian Federation and the local regulatory acts of PJSC Gazprom in the field of personal data, including requirements for the protection of personal data, as well as to take measures aimed at preventing and detecting violations of Russian legislation in the field of personal data, detecting possible leakage channels and unauthorized access to personal data, and the consequences of such violations.

12.2. Internal control over compliance by the structural divisions of PJSC Gazprom, its branches and representative offices with Russian legislation and local regulations of PJSC Gazprom in the field of personal data, including requirements for the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in PJSC Gazprom.

12.3. Internal control over the compliance of personal data processing with the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, this Policy and local regulatory acts of PJSC Gazprom is exercised by the Corporate Protection Service of PJSC Gazprom.

12.4. Personal responsibility for compliance with the requirements of the legislation of the Russian Federation and local regulations of PJSC Gazprom in the field of personal data in a structural subdivision of the administration of PJSC Gazprom, its branch or representative office, as well as for ensuring the confidentiality and security of personal data in the specified divisions of PJSC Gazprom, is assigned to their supervisors.

1. Purpose and scope

1.1. This document (hereinafter referred to as the Policy) defines the objectives and general principles for the processing of personal data, as well as the measures implemented for the protection of personal data in ZAO PF SKB Kontur (hereinafter referred to as the Operator). The Policy is a publicly available document of the Operator and may be consulted by any person.

1.2. The policy is valid indefinitely after approval and before it is replaced by a new version.

1.3. The Policy uses terms and definitions in accordance with their meanings, as defined in FZ-152 “On Personal Data”.

1.4. The policy applies to all employees of the Operator (including employees under employment contracts and employees working under contractor agreements) and all structural divisions of the Company, including separate divisions. The requirements of the Policy are also applied to other persons when they need to participate in the processing of personal data by the Operator, as well as in cases where personal data is transferred to them in the prescribed manner on the basis of agreements, contracts or processing instructions.

2. Information on the processing of personal data

2.1. The processing of personal data by the Operator is carried out in a mixed way: using automation tools and without.

2.2. Actions with personal data include the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

2.3. The processing of personal data is carried out by the Operator on a lawful and fair basis. The legal grounds for processing are:

  • Constitution of the Russian Federation
  • Labor Code of the Russian Federation
  • Civil Code of the Russian Federation
  • Tax Code of the Russian Federation,
  • Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”,
  • Federal law of 10.01.2002. No. 1-FZ “On Electronic Digital Signature”,
  • Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”,
  • Federal law of 04.05.2011. No. 99-FZ "On licensing certain types of activities"
  • Federal Law of 07.07.2003 No. 126-FZ “On Communications”,
  • Federal Law of 04/01/1996 No. 27-FZ "On the individual (personalized) accounting in the system of mandatory pension insurance",
  • Federal Law of July 24, 2009 No. 212-FZ “On Insurance Contributions to the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Fund for Mandatory Medical Insurance and Territorial Funds for Mandatory Medical Insurance”
  • Federal law of 10.22.2004. No. 125-FZ “On Archival Affairs in the Russian Federation”,
  • Law of the Russian Federation dated July 10, 1992 No. 3266-1 "On Education",
  • Charter of CJSC PF SKB Kontur,
  • Regulations of the Certification Center of CJSC PF SKB Kontur.

  • conclusion of labor relations with individuals
  • fulfillment of contractual obligations of the Operator,
  • acting as a certification center,
  • compliance with current labor, accounting, retirement and other legislation of the Russian Federation.

2.5. The main categories of personal data subjects whose data are processed by the Operator include:

  • individuals who have labor and civil law relations with the Operator,
  • individuals who are in labor and civil relations with the counterparties of the Operator,
  • candidates for vacancies.

2.6. The following may be processed for the specified categories of subjects: surname, name, patronymic, year, month, date of birth, place of birth, address, marital status, social status, property status, education, profession, income, TIN, SNILS, contact information (telephone, e-mail address), and other information provided for by standard forms and the established processing procedure.

2.7. The processing ensures the accuracy of personal data, their sufficiency and relevance in relation to the purposes of processing personal data. If inaccurate or incomplete personal data is found, they are clarified and updated.

2.8. For personal data that is not publicly accessible, confidentiality is maintained.

2.9. The processing and storage of personal data is carried out no longer than the purpose of processing personal data requires, if there are no legal grounds for further processing, for example, if a corresponding retention period is not established by federal law or an agreement with the subject of personal data. The personal data being processed shall be destroyed or depersonalized upon the occurrence of the following conditions:

  • achieving the goals of personal data processing or maximum storage periods - within 30 days,
  • loss of the need to achieve the goals of processing personal data - within 30 days,
  • provision by the subject of personal data or his legal representative of confirmation that personal data was unlawfully obtained or is not necessary for the stated purpose of processing - within 7 days,
  • the impossibility of ensuring the legality of the processing of personal data - within 10 days,
  • revocation by the subject of personal data of consent to the processing of personal data, if the preservation of personal data is no longer required for the purposes of processing personal data - within 30 days,
  • revocation by the subject of personal data of consent to the use of personal data for contacts with potential consumers in the promotion of goods and services - within 2 days,
  • expiration of the limitation period for legal relations in which personal data is or was processed,
  • liquidation (reorganization) of the Operator.

2.10. The processing of personal data on the basis of contracts and other agreements of the Operator, instructions to the Operator and instructions of the Operator for the processing of personal data is carried out in accordance with the terms of these agreements, agreements of the Operator, as well as agreements with persons entrusted with the processing or who have been charged with processing on legal grounds. Such agreements may determine, inter alia:

  • goals, conditions, terms of personal data processing,
  • obligations of the parties, including measures to ensure confidentiality,
  • rights, obligations and responsibilities of the parties relating to the processing of personal data.

2.11. In cases not specifically provided for by the law or the contract, the processing is carried out after obtaining the consent of the subject of personal data. Consent can be expressed in the form of performing actions, accepting the terms of an offer contract, affixing the appropriate marks, or filling in the fields in forms, or it can be executed in writing in accordance with the law. An obligatory case of obtaining prior consent is, for example, contact with a potential consumer in promoting the Operator’s goods and services on the market.

2.12. The Operator is registered in the register of the authorized body for the protection of the rights of personal data subjects under No. 09-0066830. The registry contains information about the Operator, including: full name, contact information for requests, information about the processing of personal data and measures to ensure security.

3. Measures to ensure the security of personal data

3.1. The operator takes the necessary legal, organizational and technical measures to ensure the security of personal data to protect them from unauthorized (including accidental) access, destruction, alteration, blocking of access and other unauthorized actions. These measures, in particular, include:

  • appointment of employees responsible for organizing the processing and ensuring the security of personal data,
  • checking that contracts contain, and where necessary including in contracts, clauses on ensuring the privacy of personal data,
  • publication of local acts on the processing of personal data, familiarization of employees with them, user training,
  • ensuring the physical security of premises and means of processing, access control, security, video surveillance,
  • restricting and delimiting the access of employees and other persons to personal data and means of processing, monitoring actions with personal data,
  • identification of threats to the security of personal data during their processing, the formation of threat models on their basis,
  • use of security tools (anti-virus tools, firewalls, unauthorized access protection tools, cryptographic information protection tools), including those that have passed the compliance assessment procedure in the prescribed manner,
  • accounting and storage of information carriers, excluding their theft, substitution, unauthorized copying and destruction,
  • backing up information so that it can be restored,
  • implementation of internal control over compliance with the established procedure, verification of the effectiveness of the measures taken, response to incidents.

4. Rights of personal data subjects

4.1. The subject of personal data has the right to withdraw consent to the processing of personal data by sending a request to the Operator by mail or by contacting in person.

4.2. The subject of personal data has the right to receive information relating to the processing of his personal data, including:

  • confirmation of the processing of personal data by the Operator,
  • legal grounds and purposes for the processing of personal data,
  • objectives and methods of personal data processing applied by the Operator,
  • the name and location of the Operator, information about persons (except for employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law,
  • processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for submitting such data is provided for by federal law,
  • the processing of personal data, including the storage period,
  • the procedure for the exercise by a subject of personal data of the rights provided for by the Federal Law “On Personal Data”,
  • information on the performed or intended cross-border data transfer,
  • the name or surname, name, patronymic and address of the person who is processing personal data on behalf of the Operator, if the processing is entrusted to or will be entrusted to such person,
  • other information provided for by the Federal Law “On Personal Data” or other federal laws.

4.3. The personal data subject has the right to require the Operator to clarify his personal data, or to block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take the measures provided by law to protect his rights.

4.4. If the personal data subject believes that the Operator is processing its personal data in violation of the requirements of the Federal Law on Personal Data or otherwise violates its rights and freedoms, the personal data subject may appeal the Operator’s actions or omissions to the authorized body for the protection of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Communications - Roskomnadzor) or in court.

4.5. The subject of personal data has the right to protection of their rights and legitimate interests, including compensation of damages and (or) compensation for moral damage in court.

5. Roles and responsibilities

5.1. The rights and obligations of the Operator are determined by the current legislation and agreements of the Operator.

5.2. The monitoring of compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data and the Information Security Department of the Operator within their authority.

5.3. The liability of persons involved in the processing of personal data on the basis of instructions from the Operator for the unlawful use of personal data is established in accordance with the terms of the civil contract or Agreement on confidentiality of information concluded between the Operator and the counterparty.

5.4. Persons guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal laws, local acts and Operator agreements.

It's time to tick the box. What a violation of the Law on Personal Data No. 152-ФЗ threatens

After July 1, 2017, the issue of processing and storing personal data became particularly relevant. The reason is a new schedule of fines for violations in this area. A fine of 75-300 thousand rubles is now not hard to get: for example, it is enough to fail to obtain the user's consent to the processing of his personal data when an application is sent from a landing page. So you should already have described your personal data processing policy on your website and be asking users to agree to it whenever they submit any form on the site.

How to write a personal data processing policy

If you approach the matter thoroughly, it is advisable to read the law mentioned above, familiarize yourself with the recommendations of Roskomnadzor and draw up a lengthy document regulating all the nuances of working with the personal data of users on your website. Some do not bother: they take someone else's rules for processing personal data, insert the name of their organization and post the result on their website. This is not very proper and, moreover, can lead to a conflict with those who wrote that Policy. Like it or not, it is intellectual property (and not yours). We decided to give you one more way, the easiest one: below is a sample Personal Data Processing Policy.

Sample Privacy Policy for the site

The sample Policy for the processing of personal data for a website below is universal and suits most Internet resources on the Runet. It was compiled by lawyers, so there should be no complaints from the inspection bodies. However, please note: do not publish it without looking. At least for the sake of decency, read this sample Policy carefully: you never know, it may turn out not to fit your particular case, and then you will blame us :)
For convenience, the places in the document where you need to substitute your own data are highlighted in yellow.

Generate personal data processing policy for the site

You can use the generator below to create your own personal data processing policy for your site. Just enter the necessary data in the form and click "Generate". That's it, your unique Policy is ready!

Attention! This form does not send us your personal data and does not save them. This is a Policy generator - it creates a document based on the information entered and provides it to you. Details are described in our Privacy Policy.

1. Purpose and scope

This Policy in the field of personal data processing (hereinafter referred to as the Policy) was developed on the basis of Article 18.1 of the Federal Law No. 152-ФЗ “On Personal Data”, taking into account the requirements of the Constitution of the Russian Federation, the Council of Europe Convention on the Protection of Individuals in the automated processing of personal data, international treaties of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation in the field of personal data.

This Policy applies to the relationship of processing and ensuring the security of information of limited access, related in accordance with the legislation of the Russian Federation to personal data (hereinafter - PD).

This Policy defines the principles, objectives, procedure and conditions for processing the PD of employees of CROC Inc. CJSC (hereinafter referred to as the Company) and of other subjects whose PD are processed by the Company. This Policy contains provisions on the liability of the Company and its employees in the event of violations of PD processing legislation.

This Policy is a publicly available document and published on the Company's official website on the Internet.

This Policy does not apply to relationships arising from:

  • the organization of storage, acquisition, accounting and use of documents containing personal data that have the status of archival documents in accordance with the legislation on archives in the Russian Federation,
  • processing of personal data assigned in the prescribed manner to information constituting a state secret.

The provisions of this Policy govern all employees of the Company.

3. Principles of personal data processing

PD processing is carried out in the Company on the basis of the following principles:

  1. PD processing is lawful and fair,
  2. PD processing is limited to achieving specific, predetermined and legitimate goals,
  3. the Company does not process PD that are incompatible with the purposes for which the personal data were collected,
  4. the Company keeps separate the databases containing PD that are processed for mutually incompatible purposes,
  5. the Company processes only PD that meet the purposes of their processing,
  6. the content and volume of the PD processed are consistent with the stated processing objectives,
  7. the PD processed are not redundant in relation to the stated purposes of their processing,
  8. when PD are processed, their accuracy, sufficiency and, where necessary, relevance to the purposes of PD processing are ensured,
  9. the necessary measures are taken, or their adoption is ensured, to remove or clarify incomplete or inaccurate PD,
  10. PD are stored in a form that allows the PD subject to be identified for no longer than the purpose of PD processing requires, unless the PD storage period is established by federal law or by a contract to which the PD subject is a party, beneficiary or guarantor,
  11. processed PD are destroyed or depersonalized once the processing objectives are achieved or once there is no longer a need to achieve them, unless otherwise provided by federal law.

5. Categories of personal data subjects

Subjects whose personal data are processed in the Company with the use of automation equipment or without the use of such, are:

  • candidates for employment in the Company,
  • Company employees and their family members (spouses and close relatives),
  • persons who previously had labor relations with the Company,
  • persons who have contractual relations of a civil-law nature with the Company, or who are at the stage of pre-contractual or fulfilled relations of a similar nature,
  • persons undergoing various internships at the Company,
  • Company shareholders,
  • the counterparties of the Company, represented by individual entrepreneurs, their employees, founders, managers, representatives (persons acting on the basis of powers of attorney) and employees of legal entities who have or had contractual relations with the Company, or who wish to enter into agreements with the Company,
  • Company visitors,
  • other persons whose PD must be processed for the Company to implement the objectives specified in section 4 of this Policy.

6. Categories of personal data

The Company processes the following categories of PD:

  • general categories of personal data (other personal data) that cannot be classified as special categories of personal data, biometric personal data or publicly available personal data,
  • biometric PD,
  • publicly available PD.

7. Composition of persons organizing and participating in the processing and ensuring the security of personal data

The company has appointed a person responsible for the organization of PD processing.

The Company has appointed a person responsible for ensuring the security of PD and ISPD.

The Company has appointed persons responsible for the organization of PD processing in structural units.

Employees are involved in the processing of personal data in the Company as part of the performance of their duties.

8.1 Processing and termination of personal data processing

PD processing in the Company is allowed in the following cases:

  • PD processing is carried out with the consent of the PD subject to the processing of his PD.
  • PD processing is necessary for the performance of a contract to which the PD subject is a party, beneficiary or guarantor, including where the operator exercises its right to assign rights (claims) under such a contract, as well as for concluding a contract at the initiative of the PD subject or a contract under which the PD subject will be a beneficiary or guarantor.
  • PD processing is necessary for the exercise of the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the PD subject.
  • PD processing is carried out for statistical or other research purposes, subject to the mandatory depersonalization of PD. An exception is the processing of personal data in order to promote goods, works and services on the market by making direct contact with a potential consumer through communication tools, as well as for political campaigning.
  • The PD being processed have been made accessible to an unlimited number of persons by the PD subject or at his request.
  • The PD being processed are subject to publication or mandatory disclosure in accordance with federal law.
  • The processing of personal data by the Company is also possible in other cases provided for by federal law.

The inclusion by the Company of the PD of subjects in publicly available PD sources is possible only where federal legislation requires it or where the written consent of the PD subject has been obtained.

The Company carries out the cross-border transfer of the PD of employees for the purpose of fulfilling contractual obligations with counterparties only with the written consent of the PD subject.

The Company does not make decisions that generate legal consequences for the PD subject or otherwise affect his rights and legitimate interests on the basis of exclusively automated processing of PD.

The Company has the right to entrust the processing of PD to another person only with the consent of the PD subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person (hereinafter - the operator’s order). In doing so, the Company obliges the person who processes PD on its behalf to comply with the principles and rules of PD processing provided for by federal law. If the Company entrusts the processing of PD to another person, the Company bears responsibility to the PD subject for the actions of that person. The person processing PD on behalf of the Company is responsible to the Company.

The Company undertakes and obliges other persons who have obtained access to PD not to disclose to third parties and not to distribute PD without the consent of the PD subject, unless otherwise provided by federal law.

PD processing by the Company is terminated in the following cases:

  • achieving the goals of PD processing,
  • the expiry of the PD processing period provided for by federal legislation, a contract or the PD subject's consent to the processing of his PD,
  • when the subject revokes the consent to the processing of his personal data, in cases not contradicting the requirements of federal legislation.

8.2 Information about the implemented requirements for the protection of personal data

The company takes all the necessary legal, organizational and technical measures in processing PD to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions on PD.

Measures are being implemented to organize the processing and ensure the safety of PDs processed without automation equipment, including:

  • for each category of PD, the storage locations of the PD (material carriers) are identified and a list of persons who process the PD and have access to them is established,
  • PD (material carriers) that are processed for different purposes are stored separately,
  • during the storage of material carriers, conditions are maintained that ensure the safety of personal data and exclude unauthorized access to them.

Measures are being implemented to protect PDs when they are processed in PD information systems, including:

  • the level of PD protection is determined for their processing in information systems,
  • the requirements for protecting PD information systems are met in accordance with the determined levels of PD protection,
  • the necessary means of information protection are applied,
  • the effectiveness of the measures taken to ensure the safety of personal data is assessed prior to the commissioning of the ISPD,
  • PD carriers are accounted for,
  • facts of unauthorized access to PD are detected and the necessary measures are taken,
  • PD modified or destroyed as a result of unauthorized access to them are restored,
  • rules are established for access to PD processed in the ISPD, and, where necessary, actions performed on PD in the ISPD are registered and recorded,
  • control is exercised over the measures taken to ensure the safety of personal data and over the level of security of the ISPD.

9. Breach of policy and responsibility

The company is responsible for the compliance of the processing and ensuring the security of personal data with the law. All employees of the Company who process personal data are responsible for compliance with this Policy and other local acts of the Company regarding the processing and ensuring the security of personal data.

Any employee who has become aware of a violation of this Policy or who suspects the existence of such a violation must report this to the person responsible for organizing the processing of personal data in accordance with the procedures existing in the Company.

Any violations of this Policy and other local acts of the Company regarding the processing and ensuring the security of personal data will be investigated in accordance with the procedures in effect in the Company.

Persons found guilty of violating the established order and procedures for processing and ensuring the security of personal data may be brought to disciplinary, material, civil, administrative and criminal liability in the manner prescribed by the legislation of the Russian Federation.

Personal Data Processing Policy

  • 1. General Provisions
    • 1.1. The Policy on the processing of personal data (hereinafter referred to as the Policy) is aimed at protecting the rights and freedoms of individuals whose personal data are processed by CITILINK Limited Liability Company (hereinafter referred to as the Operator).
    • 1.2. The policy is developed in accordance with paragraph 2 of Part 1 of Art. 18.1 of the Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data” (hereinafter - the Federal Law “On Personal Data”).
    • 1.3. The policy contains information to be disclosed in accordance with Part 1 of Art. 14 of the Federal Law "On Personal Data", and is a public document.
  • 2. Information about the operator
    • 2.1. The operator conducts its activities at the address 107207, Moscow, Schelkovskoe highway, d.77, p. 1, room. 139
  • 3. Information on the processing of personal data
    • 3.1. The Operator processes personal data in a lawful and fair manner in order to fulfill the functions, powers and duties entrusted by law, to exercise the rights and legitimate interests of the Operator, Operator’s employees and third parties.
    • 3.2. The operator receives personal data directly from the subjects of personal data.
    • 3.3. The operator processes personal data in automated and non-automated ways, using computer technology and without the use of such tools.
    • 3.4. Actions for the processing of personal data include the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.
  • 4. Processing customer personal data
    • 4.1. The Operator processes the personal data of customers in the framework of legal relations with the Operator governed by Part Two of the Civil Code of the Russian Federation dated January 26, 1996 No. 14-FZ (hereinafter referred to as customers).
    • 4.2. The operator processes the personal data of customers in order to comply with the laws of the Russian Federation, as well as to:
      • inform about new products, special promotions and offers,
      • the conclusion and execution of the terms of the contract.
    • 4.3. The operator processes the personal data of customers with their consent, provided by customers and / or their legal representatives by performing conclusive actions on this Internet site, including, but not limited to, placing an order, registering in a personal account and subscribing to the newsletter, in accordance with this Policy.
    • 4.4. The operator processes the personal data of customers no longer than required by the purpose of processing personal data, unless otherwise provided by the requirements of the legislation of the Russian Federation.
    • 4.5. The operator processes the following personal customer data:
      • Full Name,
      • Date of Birth,
      • Address,
      • Contact phone number,
      • E-mail address.
  • 5. Information about the security of personal data
    • 5.1. The operator appoints a person responsible for organizing the processing of personal data to fulfill the obligations stipulated by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it.
    • 5.2. The operator applies a set of legal, organizational and technical measures to ensure the security of personal data to ensure the confidentiality of personal data and their protection from illegal actions:
      • provides unlimited access to the Policy, a copy of which is located at the address of the location of the Operator, and can also be posted on the Operator’s website (if available),
      • in pursuance of the Policy, approves and enforces the document “Regulation on the processing of personal data” (hereinafter - the Regulation) and other local acts,
      • makes employees familiar with the provisions of the legislation on personal data, as well as with the Policy and Regulations,
      • carries out the admission of employees to personal data processed in the information system of the Operator, as well as to their material carriers only for the performance of job duties,
      • sets the rules for access to personal data processed in the Operator’s information system, as well as ensures the registration and accounting of all actions with them,
      • makes an assessment of the harm that may be caused to the subjects of personal data in the event of a violation of the Federal Law “On Personal Data”,
      • identifies threats to the security of personal data when they are processed in the Operator’s information system,
      • applies organizational and technical measures and uses the information security tools necessary to achieve the established level of personal data protection,
      • carries out the detection of facts of unauthorized access to personal data and takes measures to respond, including the restoration of personal data modified or destroyed due to unauthorized access to them,
      • evaluates the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the Operator’s information system,
      • carries out internal control over the compliance of personal data processing with the Federal Law “On Personal Data”, the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, the Policy, the Regulations and other local acts, including monitoring the measures taken to ensure the security of personal data and their security level in processing in the Operator’s information system.
  • 6. Rights of personal data subjects
    • 6.1. The subject of personal data has the right:
      • to obtain personal data relating to the subject, and information relating to their processing,
      • to have his personal data clarified, blocked or destroyed if they are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing,
      • to withdraw the consent given by him for the processing of personal data,
      • to protect his rights and legitimate interests, including the reimbursement of damages and compensation for moral damage in court,
      • to appeal the actions or omissions of the Operator to the authorized body for the protection of the rights of personal data subjects or in court.
    • 6.2. In order to exercise their rights and legitimate interests, personal data subjects have the right to contact the Operator or send a request in person or with the help of a representative. The request must contain the information specified in Part 3 of Art. 14 of the Federal Law "On Personal Data".

Please note that from October 01, 2018, the legal address of Citylink LLC was changed to: 107497, Moscow, ul. Amur, 7, p. 1, pom. II, fl. 1, com. 21
