Policy regarding the processing of personal data jsc "r-garnet"
1. General Provisions
1.1. This document defines the policy (hereinafter referred to as the Policy) of R-Garnet Closed Joint Stock Company (hereinafter referred to as the Operator, the Company) regarding the processing of personal data.
1.2. The Policy has been developed and approved in accordance with the requirements of Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Federal Law “On Personal Data”), as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data and applies to all personal data processed by the Operator.
1.3. The purpose of the Policy is to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data, as well as the interests of the Operator.
1.4. The Policy defines the purposes, principles, procedure and conditions for processing personal data of individuals whose personal data is processed by the Operator, and also includes a list of measures used to ensure the security of personal data during their processing.
1.5. The Policy is a public document and posted on the Operator's website on the Internet at: https://r-garnet.ru/ .
1.6. The Operator has the right to make changes to the Policy. When making changes in the current version, the date of the last update is indicated.
1.7. The Policy applies to the processing of personal data received both before and after the approval of this Policy.
2. Basic concepts used in this Policy
Personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data).
The subject of personal data is a natural person who is directly or indirectly identified or determined using personal data.
Operator - an organization that independently or jointly with other persons organizes the processing of personal data, as well as determines the purposes of processing personal data to be processed, actions (operations) performed with personal data. The operator is Closed Joint Stock Company R-Garnet, OGRN 1057810298798, located at the address: Russia, 193230, St. Petersburg, per. Chelieva, 13, lit. T, k. 3.
Website of the Internet store - the website of the Operator's Internet store on the Internet at: https://r-garnet.ru/ .
Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data - processing of personal data using computer technology.
Personal data information system (PDIS) - a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Publicly available personal data - personal data, access to which is granted to an unlimited number of persons with the consent of the subject of personal data or to which, in accordance with Federal law, the confidentiality requirement does not apply.
Blocking of personal data is a temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data).
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.
Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.
Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons.
Depersonalization of personal data - actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
Confidentiality of personal data is a mandatory requirement for the operator and other persons who have gained access to personal data not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.
Unauthorized access (unauthorized actions) - access to information or actions with information that violate the rules of access control, including using standard tools provided by personal data information systems.
3. Rights and obligations of the subject of personal data and the Operator
3.1. The subject of personal data has the right:
3.1.1. For gratuitous familiarization with their personal data, with the exception of cases provided for by the Federal Law "On Personal Data";
3.1.2. To receive information regarding the processing of his personal data, including containing:
1) confirmation of the fact of processing personal data by the Company;
2) legal grounds and purposes for processing personal data;
3) the purposes and methods used by the Company for processing personal data;
4) the name and location of the Company, information about persons (excluding employees of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company or on the basis of the Federal Law "On Personal Data";
5) processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for the submission of such data is provided by the Federal Law "On Personal Data";
6) terms of personal data processing, including terms of their storage;
7) the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law "On Personal Data";
8) information about the performed or proposed cross-border data transfer;
9) the name or surname, name, patronymic and address of the person who processes personal data on behalf of the Company, if the processing is or will be entrusted to such a person;
10) other information provided for by the legislation of the Russian Federation.
3.1.3. Require clarification of their personal data, their blocking or destruction if personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights;
3.1.4. Require the Operator to notify all persons who, under the current legislation of the Russian Federation, were previously informed of incorrect or incomplete personal data of all exceptions, corrections or additions made to them;
3.1.5. Withdraw your consent to the processing of your personal data;
3.1.6. Require the elimination of unlawful actions of the Operator in relation to his personal data;
3.1.7. Appeal to the authorized body for the protection of the rights of subjects of personal data or in court against illegal actions or inaction of the Operator when processing his personal data;
3.1.8. To protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
3.2. The subjects whose personal data are processed by the Operator are obliged to:
3.2.1. Provide reliable information about yourself and provide documents containing personal data, the composition of which is established by the legislation of the Russian Federation and local regulatory documents of the Company to the extent necessary for the purpose of processing;
3.2.2. notify the Operator about the clarification (update, change) of their personal data.
3.3. The operator is obliged:
3.3.1. Provide the subject of personal data (the legal representative of the subject of personal data) with the possibility of free access to their personal data processed by the Operator;
3.3.2. Take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
3.3.3. Consider the appeals of the subject of personal data (the legal representative of the subject of personal data, the authorized body for the protection of the rights of subjects of personal data) on the processing of his personal data and give reasoned answers within a period not exceeding 7 (seven) business days from the date of receipt of the appeal (request);
3.3.4. Take measures to clarify, destroy the personal data of the subject of personal data in connection with his (legal representative) treatment with legal and reasonable requirements;
3.3.5. Organize operational and archival storage of documents containing personal data of personal data subjects, in accordance with the requirements of the legislation of the Russian Federation.
3.3.6. Maintain a register of requests from subjects of personal data, which should record the requests of subjects for obtaining personal data, as well as the facts of providing data on these requests.
4. Purposes of collecting personal data
4.1. The operator processes personal data for the following purposes:
4.1.1. for the preparation, conclusion and execution of a civil law contract, a party to which is either a beneficiary or a guarantor, under which the subject of personal data is;
4.1.2. to contact the user, in connection with filling out the feedback form on the website, including sending notifications, requests and information regarding the use of the website of the online store, processing, coordinating orders and their delivery, execution of agreements and contracts;
4.1.3. regulation of labor relations and other relations directly related to them, fulfillment of the requirements of the labor legislation of the Russian Federation, search for applicants, maintenance of accounting, personnel and military records.
5. Legal grounds for the processing of personal data
5.1. The legal basis for the processing of personal data is a set of legal acts, in pursuance of which and in accordance with which the Operator processes personal data, namely:
- The Constitution of the Russian Federation of 12.12.1993;
- Labor Code of the Russian Federation;
- Civil Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Federal Law No. 208-FZ dated December 26, 1995 “On Joint Stock Companies”;
- Decree of the Government of the Russian Federation of September 15, 2008 No. 687 "On Approval of the Regulations on the Specifics of Personal Data Processing without the Use of Automation Tools";
- Decree of the Government of the Russian Federation of November 01, 2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems";
- other regulatory legal acts of the Russian Federation and regulatory documents of authorized state authorities;
- Charter of the Company;
- Regulations on the processing and protection of personal data of the Company's employees;
- local regulations of the Company;
- consent to the processing of personal data, the terms of which are confirmed by the subject of personal data when working with the feedback form on the Operator's website;
- agreements concluded between the Operator and the subject of personal data.
6. Scope and categories of processed personal data, categories of personal data subjects
6.1. Categories of personal data subjects.
The personal data of the following personal data subjects are processed:
– individuals who are in civil law relations with the Company, including individuals who are buyers and clients of the Company;
- individuals who are Users of the website of the online store;
– individuals who are employees of the Operator, former employees, candidates for filling vacancies, as well as relatives of employees.
6.2. The scope of personal data processed by the Operator:
6.2.1. The Operator processes personal data of individuals who are in civil law relations with the Company, including individuals who are buyers and clients of the Company in the following scope:
- Full Name;
- floor;
- passport data;
- address of registration at the place of residence;
- phone number (home, mobile);
- E-mail address.
6.2.2. The operator processes the personal data of individuals who are Users of the website of the online store in the following scope:
- Full Name;
- floor;
- phone number (home, mobile).
- E-mail address.
6.2.3. The Operator processes personal data of individuals who are employees of the Operator, former employees, as well as relatives of employees in the following scope:
- Full Name;
- floor;
- Date and place of birth;
- passport data;
- address of registration at the place of residence and address of actual residence;
- phone number (home, mobile);
- information on education, qualifications, availability of special knowledge and training, on advanced training;
- information about labor and general experience;
- information about the previous place of work, income from previous places of work;
- information about the composition of the family;
- marital status,
- information about military registration;
- information about wages;
- information about social benefits;
- speciality;
- position held;
- the amount of wages;
- having a criminal record;
- the content of the employment contract;
- information on admission, transfer, dismissal and other events related to labor activity
- the results of a medical examination for fitness for work duties;
- Photo;
- information about business and other personal qualities of an evaluative nature;
- SNILS;
- TIN;
- E-mail address.
6.2.4. The operator processes the personal data of individuals who are candidates for filling vacant positions in the following scope:
- Full Name;
- floor;
- Date and place of birth;
- passport data;
- address of registration at the place of residence and address of actual residence;
- phone number (home, mobile);
- information on education, qualifications, availability of special knowledge and training, on advanced training;
- information about labor and general experience;
- information about the composition of the family;
- marital status,
- information about military registration;
- information about social benefits;
- having a criminal record;
- Photo;
- information about business and other personal qualities of an evaluative nature;
- E-mail address.
6.3. The operator does not process biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity).
6.4. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life.
7. Procedure and conditions for processing personal data
7.1. The processing of personal data is carried out with the consent of the subjects of personal data, unless otherwise provided by the legislation of the Russian Federation.
7.2. The operator must inform the subject of the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid and the procedure for its withdrawal, as well as the consequences of the subject's refusal to give written consent to receiving them.
7.3. The processing of personal data can be carried out using computer technology (automated processing) or with the direct participation of a person without the use of computer technology (manual processing).
7.4. Only those employees of the Operator whose job duties include the processing of personal data are allowed to process personal data. These employees have the right to receive only those personal data that they need to perform their job duties.
7.5. The transfer of personal data to third parties is allowed with the written consent of the subjects of personal data, except when it is necessary in order to prevent a threat to the life and health of subjects of personal data, as well as in other cases established by the legislation of the Russian Federation.
7.6. When transferring personal data to third parties in accordance with the concluded agreements, the Operator ensures mandatory compliance with the requirements of the legislation of the Russian Federation in the field of personal data.
The transfer of personal data to authorized bodies and organizations (bodies of the Ministry of Internal Affairs of the Russian Federation, the Federal Tax Service, the Pension Fund of the Russian Federation, the territorial fund of compulsory medical insurance of the Russian Federation, insurance medical organizations for compulsory and voluntary medical insurance, banks and others) is carried out in accordance with the requirements of the legislation of the Russian Federation.
7.7. The operator has the right to entrust the processing of personal data to another legal entity or individual entrepreneur with the consent of the subjects of personal data on the basis of a contract. A legal entity or an individual entrepreneur processing personal data on behalf of the Operator is required to comply with the principles and rules for the processing of personal data provided for by the legislation of the Russian Federation in the field of personal data.
In the event that the Operator, on the basis of an agreement, transfers or entrusts the processing of personal data to another legal entity or individual entrepreneur, an essential condition of the agreement should be the obligation to provide the specified person with confidentiality conditions and ensure the security of personal data during their transfer or processing.
7.8. The processing of personal data is terminated when the goals of such processing are achieved, after the expiration of the period provided for by law, the contract, or the consent of the subject of personal data to the processing of his personal data, as well as when unlawful processing of personal data is detected.
7.9. The processing of personal data is carried out in compliance with confidentiality, which means the obligation not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation.
7.10. The Operator ensures the confidentiality of the personal data of the Subject of personal data on its part, on the part of its employees who have access to the personal data of individuals, and also ensures the use of personal data by the above persons solely for the purposes consistent with the law, contract or other agreement concluded with the subject of personal data .
7.11. Storage of personal data:
7.11.1 The storage of personal data is carried out by the Operator in a form that allows determining the subject of personal data no longer than the purpose of their processing requires.
7.11.2. Personal data of subjects can be obtained, further processed and transferred to storage both on paper and in electronic form.
7.11.3. The storage of documents containing the personal data of the subjects is carried out within the terms of storage of these documents established by the current regulatory enactments. Upon the expiration of the established storage periods, the documents shall be destroyed.
7.11.4. Personal data recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.
7.11.5. Personal data of subjects processed using automation tools for different purposes are stored in different folders.
It is not allowed to store and place documents containing personal data in open electronic catalogs (file hosting) in ISPD.
7.11.6. Personal computers containing personal data must be protected with access passwords.
8. Information about the implemented requirements for the protection of personal data
8.1. Ensuring the security of personal data during their processing by the Operator is carried out in accordance with the legislation of the Russian Federation.
8.2. The Operator takes the necessary organizational and technical measures to protect personal data from accidental or unauthorized access, destruction, modification, blocking access and other unauthorized actions.
8.3. The protection measures implemented by the Operator when processing personal data include:
- adoption of local regulations and other documents in the field of processing and protection of personal data;
- appointment of officials responsible for ensuring the security of personal data in the divisions and information systems of the Operator;
- organizing training and conducting methodological work with employees who process personal data;
- creation of the necessary conditions for working with material carriers and information systems in which personal data is processed;
- organization of accounting of material carriers of personal data and information systems in which personal data are processed;
- storage of material carriers of personal data in compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them;
- isolation of personal data processed without the use of automation tools from other information;
- ensuring separate storage of physical media of personal data, which contain personal data of different categories or contain personal data, the processing of which is carried out for different purposes;
- establishing a ban on the transfer of personal data through open communication channels, computer networks and the Internet without applying the measures established by the Operator to ensure the security of personal data;
- ensuring the protection of documents containing personal data on paper and other tangible media when they are transferred to third parties using postal services;
- implementation of internal control over compliance with the legislation of the Russian Federation and local regulations in the processing of personal data.
8.4. Responsibility for violation of the requirements of the legislation of the Russian Federation in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.
9. Update, correction, deletion and destruction of personal data, responses to requests from subjects for access to personal data
9.1. In case of confirmation of the fact of inaccuracy of personal data or illegality of their processing, personal data shall be updated by the Operator, and the processing shall be terminated, respectively.
9.2. Upon reaching the goals of processing personal data, as well as in the event that the subject of personal data withdraws consent to their processing, personal data shall be destroyed if:
- otherwise is not provided by the agreement to which the subject of personal data is a party, beneficiary or guarantor;
- The operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws;
- otherwise is not provided by another agreement between the Operator and the subject of personal data.
9.3. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that personal data is incomplete, inaccurate or out of date, the Operator makes the necessary changes to them.
9.4. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the Operator destroys such personal data.
9.5. The operator notifies the subject of personal data or his representative about the changes made and the measures taken and takes reasonable measures to notify third parties to whom the personal data of this subject were transferred.
9.6. The operator is obliged to inform the authorized body for the protection of the rights of subjects of personal data, at the request of this body, the necessary information within thirty days from the date of receipt of such a request.
9.7. Consent to the processing of personal data may be withdrawn by the subject of personal data.
In the event that the subject of personal data withdraws consent to the processing of his personal data, the Operator terminates their processing or ensures the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if the storage of personal data is no longer required for the purposes of processing personal data, destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by the agreement, the party to which, the beneficiary or the guarantor under which is the subject of personal data,another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
If it is not possible to destroy personal data within the above period, the Operator blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within a period of not more than six months, unless otherwise no deadline set by federal law.
If the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in Part 2 of Article 9 of the Federal Law "On Personal Data"
9.8. The information specified in Part 7 of Article 14 of the Federal Law "On Personal Data" is provided to the subject of personal data or his representative by the Operator when applying or upon receiving a request from the subject of personal data or his representative.
Information is provided in an accessible form, it does not include personal data relating to other subjects of personal data, unless there are legal grounds for disclosing such personal data.
If in the appeal (request) of the personal data subject, in accordance with the requirements of the Federal Law "On Personal Data", all the necessary information is not reflected or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him.
The request must contain the data of the main document proving the identity of the subject of personal data or his representative, information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator, signature (including electronic) of the subject of personal data or his representative.
The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
The right of the subject of personal data to access his personal data may be limited in accordance with Part 8 of Article 14 of the Federal Law "On Personal Data", including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.