1. GENERAL INFORMATION
1.1. General provisions
1.1.1. The personal data processing policy of AEMZ LLC (hereinafter referred to as the Policy) defines the basic principles, goals, functions, conditions, methods of processing, the rights of the subjects of the processed personal data, including the right to protect the rights to privacy, personal and family secrets.
1.1.2. This Policy shall be included in the list of local regulations of AEMZ LLC, which apply to their employees, which is developed when concluding agreements with counterparties.
1.1.3. In accordance with clause 2 of part 2 of article 1 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data", the handling of documents transferred for storage in accordance with archival legislation is not regulated by this Policy.
1.1.4. Basic concepts used in the Policy:
- Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);
- Operator of personal data (operator) - a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data;
- Personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing;
- Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
- Provision of personal data - actions aimed at disclosing personal data to a specific person or circle of persons;
- Processing of personal data - any action (operation) or a set of actions (operations) with personal data performed with the use of automation tools or without their use.
1.1.5. This Policy applies to all processes of AEMZ LLC related to the processing of personal data of subjects and is mandatory for use by all employees who process personal data due to their job duties.
1.1.6. All employees of AEMZ LLC who have gained access to PD are obliged not to disclose to third parties and not to distribute personal data without the consent of the PD subject, unless otherwise provided by federal law.
1.1.7. In all cases not regulated by this Policy, you must be guided by the current legislation of the Russian Federation.
1.2. Validity period and procedure for making changes
1.2.1. This policy is a permanent local regulation.
1.2.2. The policy is approved and put into effect at AEMZ LLC by order of the Director General of AEMZ LLC.
1.2.3. The policy is recognized as null and void in LLC AEMZ on the basis of the order of the General Director of PA AEMZ.
1.2.4. Changes in the policy are introduced by order of the General Director of AEMZ LLC.
2. ABBREVIATIONS AND DEFINITIONS, LINKS TO DOCUMENTS
2.1.1. Abbreviations
- PD - personal data;
- RF - Russian Federation.
2.2. Definitions
Information Asset - information and places of its processing, which are of value for "AEMZ" LLC;
Information security - the state of information security, characterized by the ability of technical means and information technology personnel to ensure the availability, confidentiality and integrity of information when it is processed by technical means.
2.3. Links to enterprise documents.
Table 1
Documents |
STP ISMS 6.1-2019 Standard of the ISMS enterprise. Information Security Risk Management |
STP SMIB P-50-07-2019 Standard of the enterprise SMIB. Information Security Policy |
2.4. Links to regulatory legal acts of the Russian Federation.
Table 2
Documents |
Constitution of the Russian Federation |
Labor Code of the Russian Federation. Chapter 14 |
Federal Law No. 152 "On Personal Data" |
Federal Law of 27.07.2006 No. 149-FZ "On Information, Information Technologies and Information Protection" |
Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems" |
Resolution of the Government of the Russian Federation of September 15, 2008 No. 687 "On approval of the regulation on the specifics of personal data processing carried out without the use of automation tools" |
3. Purpose of collecting personal data
3.1. LLC "AEMZ" processes personal data only on a legal basis.
3.2. The purposes of personal data processing at AEMZ LLC are:
- Ensuring labor processes and compliance with the legislation of the Russian Federation related to labor relations;
- Processing of personal data on the basis of an agreement with contractors;
- Accounting and registration of visitors of AEMZ LLC;
- Compliance with other requirements of the legislation of the Russian Federation;
- Fulfillment of contractual obligations to counterparties.
4. Volume and categories of processed personal data, categories of personal data subjects
4.1. The volume, content and terms of personal data processing are determined by the purposes of personal data processing.
4.2. The following categories of personal data subjects are processed at AEMZ LLC:
- Employees of contractors;
- Employees of AEMZ LLC;
- Individuals with whom the employment relationship has been terminated;
- Clients and contractors;
- Visitors and Applicants.
4.3. The following personal data are processed at AEMZ LLC:
- Primary credentials;
- Citizen information;
- Information about the place of residence and registration;
- Information about identity documents;
- Contact information;
- Position information;
- Information about working conditions;
- Professional Experience Details;
- Information about primary and secondary education;
- Business Skills Details;
- Information about wages, other payments;
- Information about insurance, tax and other mandatory contributions;
- Information on registration with the Federal Tax Service of the Russian Federation, Pension Fund of the Russian Federation;
- Information about seniority;
- Information about pension;
- Information about social and other benefits;
- Information about debt and other obligations;
- Information for deductions and professional contributions;
- Health insurance details;
- Information about foreign employees;
- Information about military registration;
- Family Information;
- Information on termination of employment;
- Medical restrictions on the performance of labor functions;
- Donation information;
- Information on the correspondence of the position held to the work performed;
- Details of incentives and awards;
- Information on violations and penalties;
- Information on accounting of working time, work performed;
- Information about temporary disability;
- Rest time tracking information;
- Information about contractors.
5. The procedure and conditions for the processing of personal data
5.1. LLC "AEMZ" carries out processing, including collection, systematization, accumulation, storage, clarification (update, change), use, distribution, depersonalization, blocking, destruction, recording on machine media and their storage, as well as the transfer of personal data.
5.2. Only PDs that meet the purposes of their processing are subject to processing. PD processing is limited to the achievement of specific, predetermined and legitimate goals.
5.3. LLC "AEMZ" reserves the right to check the completeness and accuracy of the personal data provided. In case of revealing erroneous or incomplete personal data, AEMZ LLC has the right to terminate all relations with the subject of personal data.
5.4. LLC "AEMZ" does not transfer personal data of subjects of personal data to third parties, without the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation.
5.5. The condition for the termination of the processing of personal data in AEMZ LLC is: achievement of the goals of processing personal data, expiration of the consent period or withdrawal of the consent of the subject of personal data to the processing of his personal data, identification of illegal processing of personal data.
5.6. When operating personal data information systems, AEMZ LLC takes legal, organizational and technical measures to ensure the security of personal data in order to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data during their processing in accordance with the established levels of personal data protection.
5.7. When processing personal data without using automation tools, LLC AEMZ fulfills the requirements established by the decree of the Government of the Russian Federation of September 15, 2008 No. 687 "On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools."
5.8. Non-automated processing of PD should be carried out in such a way that PD is separated from other information, in particular by fixing them on separate physical media of PD, in special sections or in the fields of forms (forms) and in another way.
5.9. Automated processing of PD is carried out in the ISPD of AEMZ LLC in strict accordance with this policy.
5.10. At AEMZ LLC, it is prohibited to make decisions on the basis of solely automated processing of PD that generate legal consequences in relation to the PD subject or otherwise affect his rights and legitimate interests, with the exception of cases provided for by the legislation of the Russian Federation.
5.11. Persons who process PD without using automation tools (employees of AEMZ LLC and other persons performing PD processing on behalf of AEMZ LLC) must be informed of the fact of their processing of PD that is processed by AEMZ LLC without using automation tools, of the categories of processed PD, and of the peculiarities and rules of such processing established by regulatory legal acts of federal executive authorities, executive authorities of the constituent entities of the Russian Federation, as well as local regulations of AEMZ LLC.
5.12. In case of manual processing of PD, which involves the use of standard forms of documents, the nature of the information in which suggests or allows the inclusion of PD (hereinafter referred to as the standard form), the following conditions must be met:
The standard form or related documents (instructions for filling it out, cards, registers and journals) should contain:
- Information about the purpose of PD processing carried out without the use of automation tools;
- Details of AEMZ LLC (name and address);
- Surname, name, patronymic and address of the PD subject;
- Source of PD receipt, terms of PD processing, a list of actions with PD that will be performed during their processing;
- General description of the methods of processing personal data used by the operator;
- The standard form should include a field in which the PD subject can put a mark on his consent to the processing of PD, carried out without the use of automation tools, if it is necessary to obtain written consent to the processing of PD;
- The standard form must be drawn up in such a way that each of the PD subjects contained in the document has the opportunity to get acquainted with their personal data contained in the document, without violating the rights and legitimate interests of other PD subjects;
- The standard form should exclude the combination of fields intended for entering PD, the processing purposes of which are obviously incompatible.
5.13. LLC AEMZ familiarizes its employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data (including requirements for the protection of personal data) and with local regulations on the processing of personal data and, if necessary, organizes training for the specified workers.
6. Receiving personal data
6.1. The receipt of personal data at AEMZ LLC is organized in such a way as not to violate the confidentiality, integrity and availability of the collected personal data.
6.2. The list of cases when it is necessary to obtain the written consent of the PD subject to the processing of his personal data, as well as the procedure and form for obtaining consent, are determined by the local regulations of AEMZ LLC in accordance with the provisions of the Federal Law of the Russian Federation “On Personal Data” No. 152-FZ dated July 27, 2006.
6.3. In case of incapacity of the PD subject, written consent to the processing of his PD is obtained from his legal representative.
6.4. PD can be obtained by AEMZ LLC from a person who is not a subject of personal data, provided the operator is provided with confirmation of the existence of the grounds specified in clauses 2 - 11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law of the Russian Federation "On Personal Data" No. 152-FZ dated July 27, 2006.
7. Clarification of personal data
7.1. Clarification of PD processed in AEMZ LLC is carried out at the request of PD subjects, their legal representatives, or in case of a request from the authorized body for the protection of the rights of PD subjects.
7.2. Clarification of PD when processing them without using automation tools should be done by updating or changing data on a material carrier, and if this is not allowed by the technical features of the material carrier, then by recording on the same material carrier information about the changes made to them or by making a new material carrier with updated personal data.
8. Submission and transfer of personal data
8.1. When providing PD to a third party, the following conditions must be met:
- The transfer (provision of access) of PD to a third party is carried out on the basis of an agreement, an essential condition of which is the third party ensuring the confidentiality of PD and the security of personal data during their processing;
- Transfer (provision of access) of PD to a third party is carried out on the basis of the current legislation of the Russian Federation;
- The written consent of the PD subject to transfer his PD to a third party, except as otherwise provided by law.
8.2. Cross-border transfer of personal data to the territory of foreign states may be carried out by AEMZ LLC in accordance with the provisions of Art. 12 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data". Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data may be carried out by AEMZ LLC in the following cases:
- The presence of written consent of the subject of personal data for the cross-border transfer of his personal data, provided for by international treaties of the Russian Federation;
- Execution of the contract to which the PD subject is a party;
- Protection of life, health, other vital interests of the PD subject or other persons if it is impossible to obtain written consent of the subject of personal data.
8.3. For the purpose of information support, AEMZ LLC may create specialized directories (telephone, address books, etc.) containing personal data, to which, with the written consent of the PD subject, access to an unlimited number of persons can be provided.
8.4. Information about the subject of personal data should at any time be excluded from publicly available sources of personal data at the request of the subject of personal data or at the request of his legal representative.
9. Blocking of personal data
9.1. The basis for blocking personal data by AEMZ LLC related to the relevant PD subject is:
- The appeal or request of the PD subject, provided that the fact of inaccuracy, obsolescence, incompleteness of personal data is confirmed, there is no need for them for the stated purpose of processing, illegal actions with them, illegal receipt;
- An appeal or request from the legal representative of the subject, subject to confirmation of the fact of inaccuracy, obsolescence, incompleteness of personal data, no need for them for the stated purpose of processing, illegal actions with them, illegal receipt;
- An appeal or request from the authorized body for the protection of the rights of subjects of personal data, provided that the fact of inaccuracy, obsolescence, incompleteness of personal data is confirmed, there is no need for them for the stated purpose of processing, illegal actions with them, illegal receipt.
10. Destruction of personal data
10.1. The basis for the destruction of PD processed by AEMZ LLC is:
- Achievement of the purpose of PD processing;
- Revocation by the PD subject of consent to the processing of his PD, except for cases when the processing of the said PD is mandatory in accordance with the law of the Russian Federation or an agreement;
- Identification of illegal actions with personal data and the impossibility of eliminating the violations committed within a period not exceeding three working days from the date of such identification;
- Expiration of the PD storage period established by the legislation of the Russian Federation and local regulations of AEMZ LLC;
- An order of the authorized body for the protection of the rights of personal data subjects, the Prosecutor's Office of Russia or a court decision.
10.2. In case of incompatibility of the purposes of PD processing recorded on one material medium, if the material medium does not allow processing of PD separately from other PD recorded on the same medium, and if it is necessary to destroy or block part of the PD, the material medium is destroyed or blocked after first copying the information that is not subject to destruction or blocking, in a way that excludes the simultaneous copying of personal data subject to destruction or blocking.
10.3. The destruction of a part of PD, if allowed by a material medium, can be carried out in a way that excludes further processing of these PD while preserving the possibility of processing other data recorded on a material medium.
11. Ensuring the security of personal data
11.1. When processing PD, AEMZ LLC takes legal, organizational and technical measures to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD.
11.2. PD security is ensured by:
- Identification of threats to the security of personal data during their processing in ISPD;
- The application of organizational and technical measures to ensure the security of PD during their processing in ISPD, necessary to meet the requirements for PD protection, the implementation of which is ensured by the levels of PD security established by the Government of the Russian Federation;
- Use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;
- Evaluation of the effectiveness of measures taken to ensure the security of PD prior to the commissioning of ISPD;
- Accounting for machine data carriers;
- Detection of facts of unauthorized access to personal data and taking measures to block unauthorized access channels;
- Recovery of PD, modified or destroyed due to unauthorized access to them;
- Establishing rules for accessing PD processed in ISPD, as well as ensuring registration and accounting of all actions performed with PD in ISPD;
- Control over the measures taken to ensure the security of PD and the level of protection of PD in ISPD.
11.3. The levels of PD security during their processing in the ISPD of AEMZ LLC, the requirements for PD protection that ensure the levels of PD security, the requirements for the material carriers of biometric PD and the technologies for their storage outside the ISPD are determined depending on the security threats to personal data, taking into account the possible harm to the PD subject, the volume and content of the processed PD, the type of activity in the implementation of which PD is processed, the relevance (level) of threats to the security of PD in accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", Resolutions of the Government of the Russian Federation, and other regulatory legal acts, as well as agreements between AEMZ LLC, PD operators and PD subjects.
11.4. Ensuring the security of PD during cross-border transfer of PD is carried out in accordance with the requirements and recommendations of international legal acts on ensuring the security of PD, international standards on information security and the legislation of the countries in which PD is processed.
12. Rights of the subject of personal data
12.1. The PD subject, whose personal data is processed by AEMZ LLC, has the right to receive information regarding the processing of his PD, including information containing:
- Confirmation of the fact of PD processing by the operator;
- Legal bases and purposes of personal data processing;
- Purposes and methods of PD processing;
- Terms of PD processing, including the terms of their storage;
- Information on the performed or expected cross-border transfer of PD;
- The name and address of the person who processes PD on behalf of the operator, if the processing is entrusted or will be entrusted to such a person;
- Other information provided for by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" or other federal laws.
12.2. The information specified in clause 12.1 is provided to the PD subject of AEMZ LLC in an accessible form, and it should not contain PD related to other PD subjects, unless there are legal grounds for disclosing such PD.
13. Responsibility for violation of the rules governing the processing of personal data
13.1. LLC "AEMZ" and / or employees of LLC "AEMZ", guilty of violating the requirements of the legislation of the Russian Federation on personal data, as well as the provisions of this Policy, are liable under the legislation of the Russian Federation.
13.2. Moral harm caused to the subject of personal data due to violation of his rights, violation of the rules for processing personal data, as well as requirements for the protection of personal data is subject to compensation in accordance with the legislation of the Russian Federation.