PERSONAL DATA PROCESSING AND PROTECTION POLICY
in the Joint Stock Company «Special Economic Zone of Industrial and Production Type „Alabuga“»
1. GENERAL PROVISIONS
1.1. This Policy of the Joint Stock Company «Special Economic Zone of Industrial Production Type „Alabuga“» (hereinafter referred to as the Company / Operator) with regard to personal data processing (hereinafter referred to as the Policy) is developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory acts of the Russian Federation and in compliance with the requirements of paragraph 2, part 1, article 18.1 of the Federal Law dated 27.07.2006 No. 152-FZ «On Personal Data» (hereinafter referred to as the Personal Data Law) in order to ensure the protection of human and civil rights and freedoms in the course of processing of personal data.
1.2. The Policy applies to all personal data (hereinafter referred to as «Personal Data») processed by the Operator, including, but not limited to, Personal Data received via the Operator's websites: https://alabuga.ru, https://sezalabuga.ru, https://alabuga-polytech.ru and all their subdomain names (https://hr.alabuga.ru, https://rs.alabuga.ru, etc.), as well as other websites administered by the Operator, the Operator's employees or third parties with whom the Operator has a civil law contract.
1.3. Pursuant to the requirements of part 2, article 18.1 of the Personal Data Law, this Policy is published in free access in the information and telecommunication network Internet on the Operator's websites.
1.4. The provisions of the Policy shall serve as a basis for the development of local normative acts regulating the following issues.
2. TERMINOLOGY AND ACCEPTED ABBREVIATIONS
2.1. Personal data (PD) is any information relating to a directly or indirectly identified natural person (subject of personal data).
2.2. Personal data authorised by the subject of personal data for disclosure means personal data to which the subject of personal data has granted access to an unlimited number of persons by giving consent to the processing of personal data authorised by the subject of personal data for disclosure.
2.3. The subject of personal data is a natural person who is directly or indirectly identified or identifiable through PD.
2.4. Personal data operator (operator) - a state authority, municipal authority, legal entity or individual, independently or jointly with other persons organising and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, content of personal data subject to processing, actions (operations) performed with personal data.
2.5. Processing of personal data — any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools.
2.6. Automated processing of personal data — processing of personal data by means of computer equipment.
2.7. Provision of personal data — actions aimed at disclosure of personal data to a certain person or a certain entity.
2.8. Blocking of personal data — temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data).
2.9. Destruction of personal data — actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
2.10. Personal data depersonalisation — actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular subject of personal data without using additional information.
2.11. Personal data information system — a set of personal data contained in databases and ensuring their processing, information technologies and technical means.
2.12. Trans-border transfer of personal data — transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign individual or a foreign legal entity.
3. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
3.1. Processing of Personal Data shall be carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. Processing of Personal Data shall be carried out by the Operator solely with the consent of the data subjects to the processing of their Personal Data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
3.3. The consent to the processing of Personal Data authorised by the data subject for disclosure shall be executed separately from other consents of the data subject to the processing of his/her Personal Data.
3.4. Consent to the processing of Personal Data authorised by the data subject for disclosure may be provided to the Operator directly or by confirming the data subject's intention to consent to the processing of Personal Data and the fact of familiarisation with this Policy on the Operator's websites specified in clause 1.2 of this Policy.
3.5. The Operator's employees are allowed to process Personal Data.
3.6. Processing of Personal Data shall be carried out by means of:
- non-automated processing of Personal Data;
- automated processing of Personal Data with or without transmission of this information via information and telecommunication networks;
- mixed processing of Personal Data.
3.7. The Operator shall not disclose or distribute Personal Data to third parties without the consent of the data subject, unless otherwise provided for by the federal law.
3.8. Transfer of Personal Data to enquiry and investigation authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorised executive authorities and organisations is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.9. The Operator shall take the necessary legal, organisational and technical measures to protect Personal Data from unlawful or accidental access, destruction, modification, blocking, disclosure and other unauthorised actions, including:
- determines threats to the security of PD during their processing;
- adopts local regulatory acts and other documents regulating relations in the area of processing and protection of Personal Data;
- appoints persons responsible for ensuring the security of Personal Data in the Operator's structural subdivisions and information systems;
- creates necessary conditions for work with Personal Data;
- organises accounting of documents containing Personal Data;
- organises work with information systems in which Personal Data are processed;
- stores Personal Data under conditions that ensure their safety and prevent unauthorised access to them.
3.10. The Operator shall store Personal Data in a form that allows identifying the subject of the Personal Data for no longer than required for the purposes of processing the Personal Data, unless the period of storage of the Personal Data is established by the Federal Law, contract or agreement.
3.11. When collecting Personal Data, including via the Internet, recording, systematisation, accumulation, storage, clarification (update, change), retrieval of Personal Data using databases located outside the territory of the Russian Federation is not permitted.
3.12. The purposes of processing of Personal Data:
3.12.1. Only the PD that meet the purposes of their processing shall be subject to processing.
3.12.2. The Operator shall process the Personal Data for the following purposes:
- ensuring compliance with the Constitution, federal laws and other regulatory legal acts of the Russian Federation;
- carrying out its activities in accordance with the Operator's charter;
- maintaining personnel records;
- assisting employees in employment, education and promotion, ensuring personal safety of employees, controlling the quantity and quality of work performed, ensuring safety of the Operator's property;
- attracting and selecting candidates for employment with the Operator;
- organising individual (personified) registration of employees in the compulsory pension insurance system;
- completing and submitting the required reporting forms to the executive authorities and other authorised organisations;
- carrying out civil-law relations;
- maintaining accounting records;
- implementing the access regime;
- concluding contracts with individuals and legal entities for the provision of services and (or) performance of work;
- identifying users of the websites specified in clause 1.2 of the Policy, providing access to the functions of the websites, personalisation of the provided services and services of the websites, promoting employment and providing opportunities for employment or other types of employment with the Operator or the Operator's subsidiaries, including provision of services / performance of work by the users of the websites to the Operator or the Operator's subsidiaries on the basis of a civil law contract, as well as conducting preliminary interviews for employment or other types of employment;
- carrying out educational, upbringing, enlightening activities.
3.12.3. Processing of employees' Personal Data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.
3.13. List of subjects of personal data, whose personal data are processed by the Operator:
- individuals who have labour relations with the Company;
- individuals who have resigned from the Company;
- individuals who are candidates for employment;
- individuals having civil law relations with the Company;
- individuals who are users of the websites specified in clause 1.2 of the Policy;
- individuals who have filled in the questionnaire data and sent it to the Operator on the websites specified in clause 1.2 of the Policy.
3.14. List of Personal Data processed by the Operator:
- data obtained in the course of labour relations;
- data obtained for the purpose of selecting candidates for employment;
- data obtained in the course of civil law relations;
- data obtained when visiting the websites specified in clause 1.2 of the Policy;
- data obtained as a result of filling in questionnaires on the websites specified in clause 1.2 of the Policy.
3.15. Categories of Personal Data that may be processed by the Operator:
- surname, first name, patronymic;
- gender;
- citizenship;
- date and place of birth;
- marital status, social status, property status, income;
- passport data, individual taxpayer number, medical policy, insurance number of individual personal account;
- contact details (phone number, email);
- information on education, work experience, qualifications;
- other Personal Data provided by candidates in their CVs and cover letters;
- biometric data (including photo);
- cookies containing technical data about the devices of the users of the websites specified in clause 1.2 of the Policy, including:
  - analytical cookies — data necessary for the analysis of the website traffic, user behaviour when using the website;
  - technical cookies — data necessary for the proper operation and functioning of the website.
3.16. The user of the website has the right to independently limit or completely disable the functioning of cookies through the settings of the web browser used. Disabling technical cookies may lead to incorrect operation of the Operator's websites, and some of their functionality may not be available. The Operator, using cookies, does not pursue the purpose of identifying a particular user of the website.
3.17. When entrusting the processing of Personal Data to a third party, the Operator shall enter into a relevant entrustment agreement with such third party. In this case, the Operator in such an assignment agreement shall oblige the person processing Personal Data to comply with the principles and rules of Personal Data processing stipulated by the current legislation of the Russian Federation.
3.18. In cases where the Operator entrusts the processing of Personal Data to a third party, the Operator shall be liable to the Personal Data subject for the actions of the said party. The person processing Personal Data on behalf of the Operator shall be liable to the Operator in accordance with the terms and conditions of the engagement agreement.
3.19. With the consent of the data subject, the Operator shall transfer the data subject's Personal Data to third parties with whom the Operator has a civil law contract.
3.20. Legal grounds for processing Personal Data:
3.20.1. Performance of functions, mandates and duties assigned to the Operator by the legislation of the Russian Federation (Labour Code of the Russian Federation, Civil Code of the Russian Federation, Federal Law-149 «On Information, Information Technologies and Information Protection»);
3.20.2. Agreements concluded by the Operator with the data subjects;
3.20.3. Consents for processing of Personal Data received by the Operator for the purposes specified in clause 3.13.2 of this Policy;
3.20.4. Exercise of the rights and legitimate interests of the Operator.
3.21. The Operator performs the following actions with Personal Data:
- collection;
- recording;
- systematisation;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- utilisation;
- transfer (provision, access);
- disclosure;
- depersonalisation;
- blocking;
- deletion;
- destruction.
4. STORAGE AND DESTRUCTION OF PERSONAL DATA
4.1. Personal Data of the subjects may be received, further processed and transferred for storage both on paper and in electronic form.
4.2. Personal Data recorded on paper shall be stored in lockable cabinets or in locked rooms with limited right of access to such rooms.
4.3. PD of subjects processed using automation tools for different purposes shall be stored in different folders.
4.4. PD stored in a form that allows identifying the PD subject shall be stored for no longer than required for the purposes of their processing and shall be destroyed upon achievement of the processing purposes or in the event that there is no longer a need to achieve them.
4.5. Destruction of PD.
4.6. Documents (carriers) containing Personal Data shall be destroyed by burning, crushing (shredding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.
4.7. PD on electronic carriers shall be destroyed by erasing or formatting the carrier.
4.8. The fact of the destruction of PD shall be confirmed by a documented act on the destruction of carriers. The act shall be drawn up and signed by the employee who actually destroyed the data. In addition, to further confirm the fact of deletion, the act shall also bear the signature of the employee's immediate supervisor.
5. PERSONAL DATA PROTECTION
5.1. In accordance with the requirements of regulatory documents, the Operator has established a Personal Data Protection System (hereinafter referred to as «PDPS») consisting of legal, organisational and technical protection subsystems.
5.2. The legal protection subsystem is a set of legal, organisational, administrative and regulatory documents ensuring the creation, operation and improvement of the PDPS.
5.3. The organisational protection subsystem includes the organisation of the management structure of the PDPS, the permit system, and information protection when working with employees, partners and third parties.
5.4. The technical protection subsystem includes a set of technical, hardware, and software tools that ensure the protection of PD.
5.5. The main measures of PD protection used by the Operator are:
5.5.1. Appointment of a person responsible for processing of Personal Data, who is responsible for organisation of processing of Personal Data, training and instruction, internal control over compliance of the Operator and its employees with the requirements for protection of Personal Data.
5.5.2. Identification of actual threats to the security of Personal Data during their processing in the Operator's information systems for Personal Data (hereinafter referred to as ISPD) and development of measures and activities to protect Personal Data.
5.5.3. Development of a policy on processing of PD by the Operator.
5.5.4. Establishment of rules of access to the PD processed in the Operator's ISPD, as well as ensuring registration and accounting of all actions performed with the PD in the ISPD.
5.5.5. Establishment of individual passwords for employees' access to the ISPD in accordance with their work duties.
5.5.6. The use of information protection equipment that has undergone the conformity assessment procedure in accordance with the established procedure.
5.5.7. Certified anti-virus software with regularly updated databases.
5.5.8. Observance of conditions ensuring the safety of Personal Data and excluding unauthorised access to them.
5.5.9. Detection of the facts of unauthorised access to Personal Data and taking necessary measures.
5.5.10. Restoration of PD modified or destroyed as a result of unauthorised access to them.
5.5.11. Training of the Operator's employees directly involved in the processing of Personal Data on the provisions of the Russian legislation on Personal Data, including the requirements for the protection of Personal Data, documents defining the Operator's policy with regard to the processing of Personal Data, and local acts on the processing of Personal Data.
5.5.12. Internal control and audit.
6. BASIC RIGHTS OF THE PERSONAL DATA SUBJECT AND THE RIGHTS AND OBLIGATIONS OF THE OPERATOR
6.1. The data subject has the right to:
- receive full information about his/her PD processed by the Operator;
- access his/her personal data, including the right to receive a copy of any record containing his/her Personal Data, except for cases provided for by the Federal Law;
- obtain information on the legal grounds and purposes of processing of Personal Data;
- obtain information about the purposes and methods of processing Personal Data used by the Operator;
- obtain information about the name and location of the Operator, information about persons (except for the Operator's employees) who have access to Personal Data or to whom Personal Data may be disclosed on the basis of a contract with the Operator or on the basis of Federal Law;
- obtain information on the timeframes for processing Personal Data, including the timeframes for their storage;
- obtain information on the procedure for exercising the rights provided for by the Federal Law;
- obtain information about the name or surname, first name, patronymic and address of a person who processes Personal Data on behalf of the Operator, if processing has been or will be entrusted to such a person;
- contact the Operator and send requests to the Operator;
- appeal against the Operator's actions or inaction to an authorised body for the protection of the rights of Personal Data subjects or to a court.
6.2. The Operator has the right to:
- independently determine the composition and the list of measures necessary and sufficient to ensure the fulfilment of obligations stipulated by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;
- entrust the processing of Personal Data to another person with the consent of the Personal Data subject, unless otherwise provided for by the Federal Law, on the basis of a contract concluded with this person. The person carrying out Personal Data processing on behalf of the Operator is obliged to comply with the principles and rules of Personal Data processing stipulated by the Personal Data Law;
- continue the processing of Personal Data without the consent of the Personal Data subject, if the Personal Data subject revokes his/her consent to the processing of Personal Data and there are grounds specified in the Personal Data Law.
6.3. The Operator shall:
- when collecting PD, provide information about the processing of PD;
- in cases where the Personal Data were not received from the data subject, notify the data subject;
- in case of refusal to provide the data to the subject, explain the legal consequences of such refusal;
- publish or otherwise provide unrestricted access to the document defining its policy with regard to processing of PD;
- take the necessary legal, organisational and technical measures or ensure that they are taken to protect Personal Data from unlawful or accidental access to it, destruction, alteration, blocking, copying, provision, distribution of Personal Data, as well as from other unlawful actions in relation to Personal Data;
- provide answers to requests and appeals from PD subjects, their representatives and the authorised body for the protection of PD subjects' rights.
7. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA
7.1. Confirmation of the fact of Personal Data processing by the Operator, legal grounds and purposes of Personal Data processing, as well as other information specified in part 7 of article 14 of the Federal Law on Personal Data shall be provided by the Operator to the data subject or his/her representative upon application or upon receipt of a request from the data subject or his/her representative. The information provided shall not include PD related to other PD subjects, except for cases when there are legal grounds for disclosure of such PD. The request must contain:
- the number of the main identity document of the PD subject or his/her representative, information on the date of issue of the said document and the issuing authority, as well as the original document confirming the authorisation of the PD subject's representative to make such a request and receive the requested information;
- information confirming the PD subject's involvement in relations with the Operator (contract number, date of contract conclusion, conventional verbal designation and (or) other information), or information otherwise confirming the fact of PD processing by the Operator;
- the signature of the data subject or his/her representative.
A request may be sent in writing to the Operator's legal address or in the form of an electronic document signed with a digital signature in accordance with the laws of the Russian Federation.
If the Personal Data subject's application (request) does not contain all the necessary information in accordance with the requirements of the Federal Law on Personal Data or the subject does not have access rights to the requested information, a reasoned refusal shall be sent to him/her.
The Personal Data subject's right to access his/her Personal Data may be restricted in accordance with part 8, article 14 of the Federal Law on Personal Data, including if the Personal Data subject's access to his/her Personal Data violates the rights and legitimate interests of third parties.
7.2. In the event that inaccurate PD are detected upon application of the PD subject or his/her representative or at their request or at the request of an authorised body for the protection of the rights of PD subjects, the Operator shall block the PD related to that PD subject from the moment of such application or receipt of the said request for the period of verification, provided that the blocking of the PD does not violate the rights and legitimate interests of the PD subject or third parties. If the fact of inaccuracy of PD is confirmed, the Operator shall, on the basis of the information submitted by the PD subject or his/her representative or by an authorised body for the protection of the rights of PD subjects, or other necessary documents, clarify the PD within seven working days from the date of submission of such information and lift the PD blocking.
7.3. In case of detection of unlawful processing of Personal Data upon application (request) of a Personal Data subject or his/her representative or an authorised body for the protection of the rights of Personal Data subjects, the Operator shall block the unlawfully processed Personal Data related to this Personal Data subject from the moment of such application or request.
7.4. Upon achievement of the goals of processing of Personal Data, as well as in case of withdrawal of consent to their processing by the subject of PD, the Personal Data shall be destroyed, unless:
- other is not stipulated by the contract to which the PD subject is a party, beneficiary or guarantor;
- the Operator is not allowed to carry out processing without the consent of the data subject on the grounds stipulated by the Personal Data Law or other federal laws;
- unless otherwise is provided for by another agreement between the Operator and the data subject.
7.5. Application for withdrawal of consent to processing of Personal Data shall be sent in writing to the legal address of the Operator or in the form of an electronic document signed with a digital signature in accordance with the legislation of the Russian Federation.
In case of withdrawal of consent to processing of Personal Data by the PD subject, the Operator shall be obliged to stop processing of PD or ensure termination of such processing (if processing of Personal Data is performed by another person acting on behalf of the Operator) and, if the preservation of PD is no longer required for the purposes of Personal Data processing, destroy Personal Data or ensure their destruction (if PD processing is performed by another person acting on behalf of the Operator) within a thirty-day period after receiving the above-mentioned withdrawal. If it is not possible to destroy Personal Data within the specified period, the Operator shall block such PD or ensure their blocking (if PD processing is carried out by another person acting on behalf of the Operator) and ensure destruction of personal data within a period not exceeding six months.
8. CONTROL AND RESPONSIBILITY
8.1. The person responsible for the organisation of processing of Personal Data shall organise a continuous process of control over the Operator's compliance with the requirements of the Federal Law in the field of Personal Data.
8.2. The Operator's officials guilty of violating the norms regulating processing and protection of Personal Data shall bear the responsibility stipulated by the legislation of the Russian Federation.
9. POLICY CHANGES. APPLICABLE LAW
9.1. The Operator has the right to make changes to this Policy without prior notification of the PD subjects. PD subjects who are users of the Operator's website may monitor changes in the Policy on their own. The new version of this Policy shall come into force from the moment of its posting, unless otherwise provided for by the new version of the Policy.
9.2. The law of the Russian Federation shall apply to this Policy and the relations between the data subjects and the Operator arising in connection with the application of this Policy.