Personal Data Processing Policy
GENERAL PROVISIONS
This Personal Data Processing Policy (the «Policy») is drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law «On Personal Data» No. 152-FZ of July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data, and applies to all personal data (hereinafter referred to as the data) that the Organization (hereinafter referred to as the Operator, the Company) may receive from a personal data subject who is a party to a civil contract, from an Internet user (hereinafter referred to as the User) when using any of the sites, services, programs or products of Maria Evgenievna Ozhiganova, as well as from a personal data subject who is in relations with the Operator regulated by labor legislation (hereinafter referred to as the Employee).
The Operator may amend this Policy. When changes are made, the date of the last revision update is indicated in the Policy title. The new version of the Policy comes into force from the moment of its publication on the website, unless otherwise provided by the new version of the Policy.
Terms and abbreviations
Personal data processing — any action (operation) or a set of actions (operations) performed using automation means or without using such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data — processing of personal data using computer equipment.
Personal data made publicly available by the personal data subject — personal data to which access by an unlimited number of persons is provided by the personal data subject or at his request.
Blocking of personal data — temporary termination of the processing of personal data (except if processing is necessary to clarify personal data).
Operator — an organization that independently or jointly with other persons organizes the processing of personal data, as well as determines the purpose of processing personal data to be processed, actions (operations) performed with personal data. The operator is IE Ozhiganova Maria Evgenievna, TIN: 667357427772, OGRNIP: 316965800008196. The office is located at the address Russia, Sverdlovsk region, Yekaterinburg, st. Roses Luxembourg 69/2, entrance «OFFICE 4.»
Personal data processing
Obtaining personal data.
All personal data should be obtained from the subject himself. If the personal data of the subject can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.
The operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, and the procedure for revoking it, as well as the consequences of the subject’s refusal to give written consent to their receipt.
Documents containing personal data are created by:
copying original documents (passport, education document, TIN certificate, pension certificate, etc.);
entering information into accounting forms;
receipt of originals of necessary documents (employment record, medical report, characteristics, etc.).
Processing of personal data.
Personal data are processed:
with the consent of the personal data subject to the processing of his personal data;
in cases where the processing of personal data is necessary for the implementation and fulfillment of the functions, powers and obligations assigned by the legislation of the Russian Federation;
in cases where the personal data being processed are data to which access by an unlimited number of persons is granted by the personal data subject or at his request (hereinafter referred to as personal data made publicly available by the personal data subject).
Purposes of personal data processing:
implementation of civil law relations;
for communication with the user, in connection with filling out the feedback form on the https://en.formabim.net website, including sending notifications, requests and information regarding the use of the www.sidingmarket.ru website, processing, approval of orders and their delivery, execution of agreements and contracts;
depersonalization of personal data to obtain depersonalized statistical data that are transferred to a third party for research, work or services on behalf of the site https://en.formabim.net.
Categories of personal data subjects.
Personal data of the following personal data subjects are processed:
individuals in employment with the Company;
individuals who left the Company;
individuals who are job candidates;
individuals in civil relations with the Company;
individuals who are Users of the site https://en.formabim.net.
Personal data processed by the Operator:
data obtained in the implementation of labor relations;
data obtained for selection of job candidates;
data obtained in the implementation of civil law relations;
data received from Users of the site https://en.formabim.net.
Personal data are processed:
using automation tools;
without automation.
Storage of personal data.
Personal data of subjects can be obtained, further processed and transferred for storage both on paper and in electronic form.
Personal data recorded on paper are stored in locked cabinets or locked rooms with limited access rights.
Personal data of subjects processed using automation tools for different purposes are stored in different folders.
It is not allowed to store and place documents containing personal data in open electronic directories (file sharing) in PDIS.
The storage of personal data in a form that allows identifying the subject of personal data is carried out no longer than the goals of their processing require, and they are subject to destruction upon achieving the goals of processing or in case of loss of the need to achieve them.
Destruction of personal data.
Destruction of documents (media) containing personal data is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.
Personal data on electronic media are destroyed by erasing or formatting the media.
The fact of destruction of personal data is confirmed by a documentary act on the destruction of media.
Transfer of personal data.
The operator transfers personal data to third parties in the following cases:
the subject has expressed his consent to such actions;
the transfer is provided for by Russian or other applicable law within the framework of the procedure established by law.
List of persons to whom personal data is transferred.
Pension Fund of the Russian Federation for accounting (legally);
tax authorities of the Russian Federation (legally);
Social Insurance Fund of the Russian Federation (legally);
health insurance organizations for compulsory and voluntary health insurance (legally);
banks for payroll (based on a contract);
bodies of the Ministry of Internal Affairs of Russia in cases established by law;
if the site https://en.formabim.net has an online store, anonymized personal data of Users of the online store’s website are transferred to the Store’s counterparties.
Personal data protection
The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that ensure the creation, functioning and improvement of the EMA.
The organizational protection subsystem includes the organization of the HIPPS management structure, permit system, information protection when working with employees, partners and third parties.
The technical protection subsystem includes a set of technical, software, and combined software and hardware tools that ensure the protection of personal data.
The main measures of personal data protection used by the Operator are:
Appointment of a person responsible for personal data processing, who organizes personal data processing, training and briefing, internal control over compliance by the institution and its employees with personal data protection requirements.
Identification of current threats to the security of personal data during their processing in the PDIS and the development of measures to protect personal data.
Establishing rules for access to personal data processed in the PDIS, as well as ensuring registration and accounting of all actions performed with personal data in the PDIS.
Establishing individual passwords for employees’ access to the information system in accordance with their production duties.
The use of information protection tools that have passed the compliance assessment procedure in accordance with the established procedure.
Certified antivirus software with regularly updated databases.
Compliance with conditions ensuring the safety of personal data and excluding unauthorized access to them.
Recovery of personal data modified or destroyed due to unauthorized access to it.
Training of the Operator’s employees directly involved in personal data processing on the provisions of the legislation of the Russian Federation on personal data, including requirements for personal data protection, documents defining the Operator’s policy on personal data processing, and local acts on personal data processing.
Internal control and audit.
Basic rights of the personal data subject and obligations of the Operator
Basic rights of the personal data subject.
The subject has the right to access his personal data and the following information:
confirmation of personal data processing by the Operator;
legal grounds and purposes of personal data processing;
purposes and methods of personal data processing used by the Operator;
name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
terms of personal data processing, including terms of their storage;
procedure for the personal data subject to exercise the rights stipulated by the Federal Law;
name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
contacting and sending requests to the Operator;
appeal against actions or inaction of the Operator.
Operator’s responsibilities:
in cases where personal data were not obtained from the personal data subject, notify the subject;
in case of refusal to provide personal data to the subject, the consequences of such refusal are explained;
publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information on the requirements for the protection of personal data being implemented;
take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from illegal or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;