1. General Provisions
1.1. The policy of processing personal data in OJSC «Sasta» (hereinafter referred to as the Policy) applies to all personal data that OJSC «Sasta» can receive from personal data subjects: employees of OJSC «Sasta» in connection with the implementation of labor relations, and customers and counterparties of JSC «Sasta» in connection with the implementation of the statutory activities of OJSC «Sasta». This Policy defines the principles, procedure and conditions for the processing of personal data of employees, clients and contractors of OJSC «Sasta», whose personal data are processed by OJSC «Sasta», in order to ensure the protection of human and civil rights and freedoms while processing their personal data, including protection of rights to privacy, personal and family secrets, and also establishes the responsibility of employees of «Sasta» OJSC who have access to personal data for non-compliance with the requirements of the rules governing the processing and protection of personal data.
1.2. The policy is developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other normative legal acts of the Russian Federation in the field of personal data.
1.3. The provisions of the Policy form the basis for the development of local regulations governing the processing of personal data of employees of OJSC «Sasta» and other subjects of personal data in OJSC «Sasta».
2. Legislative and other normative legal acts of the Russian Federation, in accordance with which the Policy for the processing of personal data is determined in OJSC «Sasta».
2.1. The policy of processing personal data in OJSC «Sasta» is determined in accordance with the following regulatory legal acts:
- The Labor Code of the Russian Federation;
- Federal Law of July 27, 2006, No. 149-FZ "On Information, Information Technologies and Information Protection";
- Federal Law of May 2, 2006, No. 59-FZ "On the Procedure for Considering Applications from Citizens of the Russian Federation";
- Decree of the Government of the Russian Federation of September 15, 2008, No. 687 "On approval of the Regulations on the Specifics of Processing Personal Data Performed Without the Use of Automation Means";
- Decree of the Government of the Russian Federation of 1 November 2012 No. 1119 "On approval of the requirements for the protection of personal data when processing them in personal data information systems";
- Order FSTEC of Russia of February 18, 2013, No. 21 "On approval of the composition and content of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems";
- Order of Roskomnadzor from September 5, 2013 No. 996 "On approval of requirements and methods for the depersonalization of personal data";
- Other regulatory legal acts of the Russian Federation and regulatory documents of authorized state authorities.
2.2. In order to implement the provisions of the Policy, OJSC «Sasta» develops appropriate local regulations and other documents.
3. The basic concepts used in OJSC «Sasta» in this Policy of processing personal data.
Personal data - any information related to a directly or indirectly defined or determined individual (subject of personal data).
Information - information (messages, data) regardless of the form of their presentation.
Operator - a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as defining the purposes of processing personal data, the composition of the personal data subject to processing, the actions (operations) performed with personal data.
Personal data processing is any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, updating (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data - processing of personal data by means of computer facilities.
Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons.
Dissemination of personal data - actions aimed at disclosing personal data to an undetermined number of persons.
Blocking of personal data - temporary termination of processing of personal data (except for cases when processing is necessary for specification of personal data).
Destruction of personal data is an action that makes it impossible to restore the contents of personal data in the personal data information system and (or) as a result of which material data carriers of personal data are destroyed.
The depersonalization of personal data is an action that makes it impossible to use the additional information to determine whether personal data belongs to a particular personal data subject.
Information system of personal data - a set of personal data contained in databases, together with the information technologies and technical means that provide for their processing.
Employees (subjects of personal data) are individuals who are in labor and other civil law relations with the Operator, including: state civil servants (citizens permanently employed in state civil service positions, replaced by the conclusion of an employment contract); job seekers for vacant positions and persons in the personnel reserve (individuals who are preparing to enter into employment or other civil law relations with the Operator Office).
4. Principles and purposes of personal data processing
4.1. OJSC «Sasta» carries out processing of personal data of employees of OJSC «Sasta» and of other subjects of personal data that are not in labor relations with OJSC «Sasta».
4.2. The processing of personal data in OJSC «Sasta» is carried out taking into account the need to ensure the protection of the rights and freedoms of employees of «Sasta» and other personal data subjects, including protection of the right to privacy, personal and family secrets, based on the following principles:
- processing of personal data is carried out in OJSC «Sasta» on a legal and fair basis;
- processing of personal data is limited to the achievement of specific, predefined and legitimate purposes;
- processing of personal data incompatible with the purposes of collecting personal data is not permitted;
- it is not allowed to combine databases containing personal data, processing of which is carried out for purposes incompatible with each other;
- only personal data that is suitable for processing purposes is subject to processing;
- the content and volume of processed personal data is consistent with the stated processing objectives. The redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed;
- when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance to the purposes of processing personal data are ensured. OJSC «Sasta» takes the necessary measures or ensures their acceptance for the removal or refinement of incomplete or inaccurate personal data;
- the storage of personal data is carried out in a form that allows the subject of personal data to be determined for no longer than the purpose of processing personal data requires, unless the period of personal data storage is established by a federal law or a contract to which the subject of personal data is a party, beneficiary or guarantor;
- the processed personal data is destroyed or depersonalized upon the achievement of processing objectives or in the event of a loss of the need to achieve these goals, unless otherwise provided by federal law.
4.3. Personal data is processed by OJSC «Sasta» for the following purposes:
- ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, local regulatory acts of OJSC «Sasta»;
- carrying out activities stipulated by the Charter of JSC «Sasta»;
- regulation of labor relations with employees of OJSC «Sasta» (assistance in employment, training and promotion, personal security, quantity and quality control of the work performed, ensuring the safety of property), organization of personnel records of OJSC «Sasta», enforcement of laws and other normative and legal acts, conclusion and execution of obligations under labor and civil law contracts;
- conclusion, execution and termination of civil law contracts with individuals, legal entities, individual entrepreneurs and other persons, in cases stipulated by the current legislation and the Charter of OJSC «Sasta»;
- providing additional guarantees and compensations to employees of OJSC «Sasta» and their family members, including non-state pension provision, voluntary medical insurance, medical care and other types of social security;
- provision of access and intrasite facilities at the facilities of OJSC «Sasta»;
- for other legitimate purposes.
With the consent of the subject of personal data, OJSC «Sasta» can use the personal data of customers and counterparties for the following purposes:
- for communication with customers and counterparties, if necessary, including for sending notifications, information and inquiries related to the sale of goods, provision of services, performance of work, and processing of applications, requests and applications of customers and counterparties;
- to improve the quality of the Goods, works and services provided by the Company;
- for promotion of the Goods, works and services in the market through direct contacts with customers and counterparties;
- for conducting statistical and other studies on the basis of depersonalized personal data.
5. The list of entities whose personal data are processed in OJSC «Sasta»
5.1. OJSC «Sasta» processes personal data of the following categories of subjects:
- employees of OJSC «Sasta»;
- other subjects of personal data (to ensure the implementation of the processing objectives specified in section 4 of the Policy).
6. The list of personal data processed in OJSC «Sasta»
6.1. The list of personal data processed by OJSC «Sasta» is determined in accordance with the laws of the Russian Federation and local statutory acts of OJSC «Sasta», taking into account the purposes of processing personal data specified in section 4 of the Policy.
7. Functions of OJSC «Sasta» in the processing of personal data
7.1. OJSC «Sasta» in the processing of personal data:
- takes measures necessary and sufficient to ensure compliance with the legislation of the Russian Federation and local statutory acts of OJSC «Sasta» in the field of personal data;
- takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions in relation to personal data;
- appoints the person responsible for organizing the processing of personal data in OJSC «Sasta»;
- publishes local statutory acts defining the policy and issues of processing and protecting personal data in OJSC «Sasta»;
- familiarizes employees of OJSC «Sasta» who directly process personal data with the provisions of the legislation of the Russian Federation and local statutory acts of OJSC «Sasta» in the field of personal data, including requirements for protection of personal data, and trains these employees;
- publishes or otherwise provides unrestricted access to this Policy;
- informs the personal data subjects or their representatives about the availability of personal data related to the relevant subjects in accordance with the established procedure, and provides an opportunity to get acquainted with these personal data upon application by and (or) receipt of requests from the said subjects of personal data or their representatives, unless otherwise established by the legislation of the Russian Federation;
- terminates processing and destroys personal data in cases stipulated by the legislation of the Russian Federation in the field of personal data;
- commits other acts provided for by the legislation of the Russian Federation in the field of personal data.
8. Rights of the subject of personal data
8.1. Consent of the subject of personal data to the processing of his personal data
8.1.1. The subject of personal data decides to provide his personal data and agrees to their processing freely, of his own will and in his own interest. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows the fact of its receipt to be confirmed, unless otherwise provided by federal law.
8.2. Rights of subjects of personal data
8.2.1. The subject of personal data has the right to:
- obtain from OJSC «Sasta» information regarding the processing of his personal data, if such right is not restricted in accordance with federal laws;
- require the list of his personal data processed at OJSC «Sasta» and the source of their receipt;
- access his personal data, including the right to receive a copy of any record containing his personal data, except as provided for by federal law;
- have his personal data clarified, blocked or destroyed in the event that the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;
- take measures provided by law for the protection of his rights;
- withdraw consent to the processing of personal data;
- appeal against the action or inaction of OJSC «Sasta», carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data, to the Authorized body for the protection of the rights of subjects of personal data or in court.
9. List of actions with personal data and ways of its processing
9.1. OJSC «Sasta» collects, records, systemizes, accumulates, stores, updates (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes and destroys personal data.
9.2. Processing of personal data in OJSC «Sasta» is carried out by a method of mixed processing of personal data.
10. Measures to ensure the protection of personal data taken by OJSC «Sasta»
10.1. Measures that are necessary and sufficient to ensure the performance by OJSC «Sasta» of the operator's duties, provided for by the legislation of the Russian Federation in the field of personal data, include:
- appointment of the person responsible for organizing the processing of personal data in OJSC «Sasta»;
- adoption of local regulations and other documents in the field of processing and protection of personal data;
- obtaining consent of the subjects of personal data for the processing of their personal data, except for cases stipulated by the legislation of the Russian Federation;
- isolation of personal data processed without the use of automation facilities, from other information, in particular by fixing them on separate physical media of personal data, in special sections;
- ensuring the separate storage of personal data and their physical media, processing of which is carried out for different purposes and which contain different categories of personal data;
- prohibiting the transfer of personal data through open communication channels, computer networks outside the controlled area, Internet networks without the use of measures established by «Sasta» to ensure the security of personal data (with the exception of public and (or) depersonalized personal data);
- storage of material carriers of personal data in compliance with the conditions ensuring the safety of personal data and excluding unauthorized access to them;
- implementation of internal control over the compliance of personal data processing with the Federal Law "On Personal Data" and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, this Policy, local regulatory acts of OJSC «Sasta»;
- other measures provided for by the legislation of the Russian Federation in the field of personal data.
11. Guarantee of confidentiality
11.1. Information related to personal data that has become known in connection with the implementation of labor relations, in connection with the implementation of the statutory activities of OJSC «Sasta», and in connection with cooperation with counterparties of OJSC «Sasta» is confidential information and is protected by law.
11.2. Employees of OJSC «Sasta» and other persons who have access to the processed personal data are warned about possible disciplinary, administrative, civil or criminal liability in case of violation of the norms and requirements of the current legislation regulating the rules for processing and protecting personal data.
11.3. Employees of OJSC «Sasta» through whose fault there was a violation of the confidentiality of personal data, and employees who created the prerequisites for the violation of the confidentiality of personal data, are liable under the current legislation of the Russian Federation, internal documents of OJSC «Sasta» and the terms of the employment contract.
11.4. Employees carrying out the processing of personal data and responsible for ensuring its safety must have the qualifications sufficient to maintain the required mode of personal data security.
12. Changes to this Policy
12.1. This Policy is an internal document of OJSC «Sasta».
12.2. This Policy is subject to amendment or addition in the event of the emergence of new legislation and special regulations for the processing and protection of personal data. If changes are introduced to this Policy, unlimited access to them will be provided to all interested subjects of personal data.