PERSONAL DATA PROTECTION
1.1. These Regulations define the procedure for handling the personal data of employees of LLC “IceCor” (the Company).
1.2. The regulation of personal data handling is intended to ensure the observance of the legal rights and interests of the Company and its employees in connection with the need to obtain (collect), systematize (combine), store and transmit information that constitutes personal data.
1.3. Employee personal data means any information relating to a specific employee (personal data subject) and required by the Company in connection with labor relations.
1.4. Information about employee personal data is confidential (it constitutes a Company secret protected by law). Confidentiality restrictions for personal data shall be removed in the following cases:
in case of data depersonalization;
upon expiry of 75 years of storage;
in other cases stipulated by the federal laws.
2.1. For the purposes of these Regulations, the following key terms are used:
personal data means any information directly or indirectly relating to an identified or identifiable individual (personal data subject) (p. 1 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
processing employee personal data means any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, organization, accumulation, storage, refinement (updating, modifying), retrieval, use, transfer (distribution, submission, access), depersonalization, blocking, deletion and destruction of personal data (p. 3 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
dissemination of personal data means any actions aimed at disclosing employee personal data to an indefinite circle of persons (p. 5 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
submission of personal data means actions aimed at disclosing employee personal data to a specific person or a specific circle of persons (p. 6 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
blocking personal data means the temporary cessation of employee personal data processing (unless processing is necessary to refine personal data) (p. 7 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
destruction of personal data means any actions that make it impossible to restore the content of personal data in the employee personal data information system and (or) that result in the destruction of the material carriers of employee personal data (p. 8 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
personal data depersonalization means actions as a result of which it becomes impossible to identify a specific employee as the owner of personal data without using additional information (p. 9 Art. 3 of the Federal Law as of July 27, 2006 N 152-FZ);
information means any information (messages, data) regardless of the form of its presentation;
documented information means information recorded on a physical storage medium by documenting it with details that make it possible to identify such information or its physical storage medium.
2.2. The information submitted by the employee when applying for a job at the Company shall be documented. At the conclusion of a labor agreement, in accordance with Art. 65 of the Labor Code of the Russian Federation, newly hired individuals shall submit the following:
passport or other identity document;
labor book, except when the agreement is concluded for the first time, or the employee is hired on a part-time basis, or the employee’s labor book is unavailable due to loss or other reasons;
state pension insurance certificate;
military registration documents – for individuals subject to military registration;
education certificate, training certificates, certificates of completion – when being admitted for the work that requires special knowledge or special training;
certificate of assignment of TIN (if available);
certificate issued by the authorities of the Ministry of Internal Affairs of Russia on criminal record and/or criminal prosecution or on the termination of criminal prosecution on rehabilitating grounds (when being admitted to work to which persons who have a criminal record, who have been subjected to criminal prosecution are not admitted in accordance with the Labor Code of the Russian Federation).
2.3. In the course of employment formalities, a unified form Т-2 employee personal card is filled in by the HR division, in which the following employee background data is specified:
– general information (full name, date of birth, place of birth, citizenship, education, profession, work experience, marital status, passport details);
– information on military registration;
– data on admission to work;
– information about certification;
– information about advanced training;
– information about professional retraining;
– information about awards, honorary titles;
– information about the holidays;
– information about social guarantees;
– information about the place of residence and contact phone numbers.
2.4. The Company’s General Director shall create and keep the following groups of documents containing employee data in separate or consolidated form:
2.4.1. Documents containing employee personal data:
sets of documents accompanying the process of employment at admission to work, transfer, dismissal;
a set of materials on questioning, testing and interviewing a candidate for a certain position;
originals and copies of orders on personnel;
personal files and labor books;
files containing basis for issuing staff-related orders;
files containing materials on employee certification;
files containing materials on internal investigations;
reference data bank on personnel (card files, journals);
originals and copies of reporting, analytical and reference materials transmitted to Company management, heads of structural divisions;
copies of reports sent to state statistical bodies, tax inspectorates, higher management bodies and other institutions.
2.4.2. Documents on the organization of operations of structural units:
employee job descriptions;
orders, resolutions, instructions of Company management;
planning, accounting, analysis and reporting documents on personnel administration.
3.1. The source of information about all employee personal data is directly the employee. If personal data can only be obtained from a third party, the employee shall be notified in advance of this in writing and written consent shall be obtained from him. The employer shall inform the employee about the goals, intended sources and methods of obtaining personal data, as well as the consequences of the employee’s refusal to give written consent to receive them.
3.2. The employer is not entitled to receive and process employee personal data about his/her race, nationality, political views, religious and philosophical convictions, health status, and intimate life. In cases directly related to labor relationships, in accordance with Art. 24 of the Constitution of the Russian Federation, the employer is entitled to receive and process data on the employee’s private life only with his/her written consent.
3.3. The processing of employee personal data by the employer is allowed only with his/her consent, or without his/her consent in the following cases:
– personal data is publicly available;
– personal data refers to the state of health of the employee, and its processing is necessary to protect his/her life, health or other vital interests of other persons, and it is impossible to obtain the consent of the employee;
– at the request of authorized state bodies – in cases stipulated by the Federal Law.
3.4. The employer is entitled to process employee personal data only with his/her written consent.
3.5. The employee’s written consent to the processing of his/her personal data should include the following:
– surname, name, patronymic, address of the personal data subject, number of the main identity document, information about the date of issue of the specified document and the issuing authority;
– name (surname, name, patronymic name) and address of the operator receiving consent from the personal data subject;
– the purpose of personal data processing;
– a list of the personal data to the processing of which the personal data subject gives consent;
– a list of actions with personal data for which consent is given, a summary of personal data processing methods used by the operator;
– the period during which the consent is valid, as well as the procedure for its revocation.
3.6. Employee consent is not required in the following cases:
– personal data processing is carried out under another Federal Law establishing its purpose, the terms and conditions for obtaining personal data and the range of subjects whose personal data is subject to processing, as well as certain authority of the employer;
– personal data processing is carried out in order to perform the labor agreement;
– personal data processing is carried out for statistical or other scientific purposes, subject to the mandatory depersonalization of personal data;
– personal data processing is necessary to protect life, health or other vital interests of the employee, if obtaining his/her consent is impossible.
3.7. A company employee provides the General Director with reliable personal information. The General Director reserves the right to verify the accuracy of the information.
3.8. In accordance with Art. 86 of the Labor Code of the Russian Federation, to ensure the rights and freedoms of a person and citizen, the Chief Executive and his/her legal, authorized representatives shall fulfill the following general requirements when processing employee personal data:
3.8.1. Personal data processing may be carried out solely for the purpose of ensuring compliance with laws or other legal acts, assisting employees in getting employed, training and professional advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, and ensuring the safety of property.
3.8.2. In determining the scope and content of the personal data processed, the employer should be governed by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.
3.8.3. When making decisions that affect the interests of the employee, the employer is not entitled to rely on personal data obtained about him/her solely as a result of its automated processing or electronic receipt.
3.8.4. Protection of employee personal data against unlawful use and loss is provided by the employer at its own expense in the manner prescribed by the Federal Law.
3.8.5. Employees and their representatives should read and sign the Company’s documents establishing the procedure for personal data processing, as well as their rights and obligations in this area.
3.8.6. In all cases, the employee’s refusal of his/her rights to preserve and protect secrets is void.
4.1. When transferring employee personal data, the employer shall comply with the following requirements:
4.1.1. not communicate employee personal data to a third party without the written consent of the employee, unless necessary to prevent a threat to life and health of the employee, as well as in cases established by the Federal Law.
4.1.2. not disclose employee personal data for commercial purposes without respective written consent. Processing employee personal data in order to promote goods, works, and services on the market by making direct contacts with a potential consumer using means of communication is allowed only with his prior consent.
4.1.3. warn persons who have received employee personal data that the data can only be used for the purposes for which it is communicated, and require that these persons confirm the observance of this requirement. Persons who have received employee personal data are obliged to keep it confidential (secret). These Regulations do not apply to the exchange of employee personal data in the manner prescribed by the federal laws.
4.1.4. carry out the transfer in accordance with the Regulations.
4.1.5. allow access to employee personal data only to specially authorized persons, while these persons should be entitled to receive only those personal data that are necessary to perform a particular function.
4.1.6. not request information about employee’s state of health, except for those data that relate to the issue of employee’s being able to perform the labor function.
4.1.7. transfer employee personal data to his/her legal, authorized representatives in the manner established by the Labor Code of the Russian Federation, and limit this information to only such personal data as is necessary for the said representatives to perform their functions.
4.2. Employee personal data is processed and stored in the office of the General Director.
4.3. Employee personal data can be received, further processed and transferred for storage both on paper and in electronic form (via a local computer network).
4.4. When receiving personal data from a person other than the employee (unless personal data is publicly available), the employer shall provide the employee with the following information before processing such personal data:
– name (last name, first name, middle name) and address of the operator or its representative;
– the purpose of personal data processing and its legal basis;
– assumed users of personal data;
– the rights of personal data subject established by the federal laws.
5. Access to Employee Personal Data
5.1. The following persons are authorized to access personal data:
– Company’s Chief Executive Officer;
– Accounting staff;
– heads of structural divisions in the field of activity (access to personal data only of employees of their division).
5.2. Mass consumers of personal data outside the entity include state and non-state functional structures:
– tax inspections;
– law enforcement agencies;
– statistical bodies;
– insurance agencies;
– military registration and enlistment offices;
– social insurance authorities;
– pension funds;
– units of municipal governments.
5.3. Supervisory authorities have access to information only within their area of competence.
5.4. Entities to which the employee can transfer money (insurance companies, non-state pension funds, charitable organizations, credit institutions) can gain access to employee personal data only upon his/her written permission.
5.5. A Company employee is entitled to the following:
5.5.1. Access and share his/her personal data, including the right to receive, free of charge, a copy of any record containing personal data.
5.5.2. Require that the employer clarify, exclude or correct incomplete, incorrect, obsolete, inaccurate or illegally obtained personal data, or personal data that is unnecessary for the employer.
5.5.3. Receive the following from the employer:
– information about persons who have access to personal data or who may be granted such access;
– list of processed personal data and the source of its origin;
– processing time of personal data, including storage period;
– information on legal consequences for the personal data subject that the processing of his/her personal data may entail.
5.5.4. Require that the employer notifies all persons who were previously informed of incorrect or incomplete personal data about all exceptions, corrections or additions made.
5.5.5. Appeal against any unlawful actions or omissions of the employer in the processing and protection of his/her personal data to the authorized body for the protection of personal data subjects or in a court of law.
5.6. Making copies and excerpts from employee personal data is permitted only for official purposes with the written permission of the General Director.
5.7. Transfer of information to a third party is allowed only with the written consent of the employee.
5.8. Information about current or dismissed employees may be provided to another entity only upon a written request on the entity’s letterhead, with a copy of a notarized employee statement enclosed.
5.9. Employee personal data may be provided to relatives or members of his/her family only with the written permission of the employee.
6. Responsibility for Breaching the Rules Governing Personal Data Processing
6.1. Company employees who are guilty of breaching the procedure for handling personal data bear disciplinary, administrative, civil or criminal liability in accordance with the federal laws.
6.2. The Company’s Chief Executive is administratively liable according to Art. 5.27 and 5.39 of the Administrative Code for breaches of the procedure for handling personal data, and shall compensate the employee for any damage caused by the unlawful use of information containing personal data about the employee.
6.3. Persons guilty of breaching the rules governing the receipt, processing and protection of employee personal data are subject to disciplinary, administrative, civil or criminal liability in accordance with the federal laws.
6.4. For non-fulfillment or improper fulfillment by an employee, through his/her fault, of the obligations assigned to him/her with respect to the observance of the established procedure for handling confidential information, the employer may apply the disciplinary measures provided for by the Labor Code.
6.5. Officials whose responsibility is to maintain employee personal data shall provide everyone with the opportunity to familiarize themselves with documents and materials directly affecting their rights and freedoms, unless otherwise provided by law. Any unlawful refusal to provide documents collected in accordance with the established procedure, or late submission of such documents or other information in cases stipulated by law, or the provision of incomplete or deliberately false information shall result in the imposition of an administrative fine on the officials.
PERSONAL DATA PROCESSING
1. General Provisions.
1.1. This Personal Data Processing Policy (the PD Processing Policy) of LLC “IceCor” (the Operator), TIN 7810994762, located at: Moscow, Khodynsky Boulevard, 4, has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law as of July 27, 2006 No. 149-FZ On Information, Information Technologies and Information Protection, the Federal Law as of July 27, 2006 No. 152-FZ On Personal Data, Resolution of the Government of the Russian Federation as of November 1, 2012 No. 1119 On the approval of requirements for the protection of personal data when processed in personal data information systems, and other federal laws and regulations.
1.2. This Policy has been developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data.
1.3. The PD Processing Policy has been designed to ensure the protection of the rights and freedoms of personal data subjects when processing their personal data (the PD).
1.4. The provisions of this Policy serve as the basis for the development of local regulatory acts that regulate the processing at LLC “IceCor” of the personal data of LLC “IceCor” employees and other personal data subjects.
2. Purposes of Personal Data Processing.
Personal data is processed by the Operator for the following purposes:
1) the execution and implementation by the Operator of its functions, powers and obligations prescribed by the legislation of the Russian Federation, in particular:
– compliance with legal requirements in the field of labor and taxation;
– maintenance of current accounting and tax accounting, formation, production and timely submission of accounting, tax and statistical reports;
– meeting the requirements of the legislation on determining the procedure for processing and protecting PD of citizens who are customers or contractors of IceKor OJSC (personal data subjects).
2) exercise of rights and legitimate interests of LLC “IceCor” as part of the implementation of activities, stipulated by the Charter and other local regulations of IceKor OJSC, or of third parties, or the achievement of socially significant goals;
3) for other legitimate purposes.
3. Legal Basis for Personal Data Processing
PD processing is carried out based on the following federal laws and regulations:
1) the Constitution of the Russian Federation;
2) the Labor Code of the Russian Federation;
3) the Federal Law as of July 27, 2006 No. 152-FZ On Personal Data;
4) the Federal Law On Information, Information Technologies and on the Protection of Information of 07/27/2006 N 149-FZ.
5) The provisions on the specificities of personal data processing, carried out without the use of automation tools approved by Resolution of the Government of the Russian Federation as of September 15, 2008 No. 687.
6) Regulations as of November 11, 2012 No. 1119 on the approval of the requirements for the protection of personal data when processed in personal data information systems.
7) Order of the Federal Service for Technical and Export Control of Russia No. 55, the Federal Security Service of Russia No. 86, the Order of the Ministry of Information Technologies and Communications of Russia No. 20 as of February 13, 2008 on the approval of the Procedure for the classification of personal data information systems;
8) Order of the Federal Service for Technical and Export Control of Russia No. 21 as of February 18, 2013 On the approval of the composition and content of organizational and technical measures to ensure the security of personal data when processed in personal data information systems;
9) Order of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications of September 05, 2013 No. 996 On the approval of requirements and methods for the depersonalization of personal data;
10) Order of the Federal Tax Service as of November 17, 2010 No. MMV-7-3/611 On the approval of the form of income information of individuals and recommendations for its completion, the format of information on income of individuals in electronic form, directories.
11) Other regulations of the Russian Federation and normative documents of government authorities.
4. List of Personal Data-Related Actions
When processing PD, the Operator will perform the following actions with PD: collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
5. Composition of Personal Data Processed
5.1. The following PD of PD subjects shall be processed by the Operator:
– Operator’s staff;
– Operator’s customers;
– Operator’s counterparties;
– individuals who applied to the Operator in accordance with the procedure established by the Federal Law On the procedure for considering applications from citizens of the Russian Federation.
5.2. The composition of PD for each of the subject categories listed in p. 5.1 of these Regulations is defined according to the regulatory documents listed in Section 3 of these Regulations, as well as the regulatory documents of the Entity issued to ensure their execution.
5.3. In cases stipulated by applicable laws, the personal data subject makes the decision to provide his/her PD to the Operator and gives consent for its processing freely, at Operator’s full discretion.
5.4. The Operator ensures that the content and volume of PD processed is consistent with the stated processing purposes and, if necessary, takes actions to eliminate data redundancy in relation to the stated processing purposes.
5.5. LLC “IceCor” is not engaged in processing special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, and intimate life.
6. Personal Data Processing
6.1. Personal data processing in LLC “IceCor” is carried out in the following ways:
• non-automated personal data processing;
• automated personal data processing with transfer of the received information via information and telecommunication networks or without them;
• mixed personal data processing.
7. Ensuring Personal Data Protection during Processing by Operator
The Operator takes each and every action necessary and sufficient to secure the fulfillment of the obligations stipulated by the Federal Law as of July 27, 2006 No. 152-FZ On personal data and regulations adopted in accordance with it. The Operator independently determines the composition and list of actions necessary and sufficient to secure the fulfillment of the obligations stipulated by the Federal Law as of July 27, 2006 No. 152 On personal data, the Government Resolution as of September 15, 2008 No. 687 On the approval of the Regulations on the specificities of personal data processing, carried out without the use of automation tools, the Government Resolution as of November 01, 2012 No. 1119 On the approval of the requirements for the protection of personal data when processed in personal data information systems, the Order of the Federal Service for Technical and Export Control as of February 18, 2013 No. 21 On the approval of the composition and content of organizational and technical measures to ensure the security of personal data when it is processed in personal data information systems, and other regulatory legal acts, unless otherwise provided by the federal laws. These actions include the following:
– appointment by the Operator of a person responsible for the organization of personal data processing;
– publication by the Operator of documents determining the operator’s policy with respect to personal data processing, local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
– application of legal, organizational and technical measures to ensure the security of personal data;
– implementation of internal control and/or audit of the compliance of personal data processing with the Federal Law on Personal Data and the regulatory legal acts adopted in accordance with it, personal data protection requirements, the Operator’s policy regarding personal data processing, and local Operator acts;
– assessment of the harm that may be caused to the personal data subjects in the event of breaches of the Federal Personal Data Law, and of the ratio between the said harm and the actions taken by the Operator aimed at ensuring the fulfillment of the obligations stipulated by the Federal Law On personal data;
– familiarization of the Operator’s employees who directly process personal data with the provisions of the Russian legislation on personal data, including personal data protection requirements, with documents defining Operator’s policies regarding personal data processing, local acts on personal data processing, and (or) training of specified employees.
7.2. When processing personal data, the Operator takes the necessary legal, organizational and technical measures, or ensures their adoption, to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision and dissemination, as well as from other illegal actions in relation to personal data.
8. The Right of PD Subject to Access His/Her Personal Data
8.1. The PD subject is entitled to require the Operator to clarify his/her personal data, to block or destroy it if personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take legal measures to protect his/her rights.
8.2. Information is provided to the personal data subject or his/her representative by the Operator upon contact or upon receipt of a request from the personal data subject or his/her representative. The request shall contain the reference number of the main document certifying the identity of the personal data subject or his/her representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the Operator (agreement number, agreement conclusion date, conditional verbal mark and (or) other data), or information otherwise confirming the fact of personal data processing by the Operator, and the signature of the personal data subject or his/her representative. The request may be sent in the form of an electronic document and signed by an electronic signature in accordance with the legislation of the Russian Federation.
8.3. The Operator is entitled to refuse the personal data subject the execution of a second request. Such a refusal should be grounded. The responsibility for presenting evidence that the refusal to perform the second request is grounded is borne by the Operator.
8.4. The personal data subject is entitled to receive information relating to the processing of his/her personal data, including information containing the following:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds and goals of personal data processing;
– objectives and methods of personal data processing applied by the Operator;
– name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data can be disclosed under an agreement with the Operator or under the federal law;
– processed personal data related to the relevant personal data subject, the source of its receipt, unless otherwise provided by the Federal Law;
– timelines with respect to the personal data processing, including the terms and conditions of its storage;
– the procedure for the exercise by the personal data subject of the rights stipulated by the Federal Law on personal data;
– information on cross-border data transfer that has been or is expected to be carried out;
– name or surname, name, patronymic and address of the person performing personal data processing on behalf of the Operator, if processing is entrusted or shall be entrusted to such person.
8.5. If the personal data subject considers that the Operator is processing his/her personal data in violation of the requirements of the Federal Personal Data Act or otherwise violates his/her rights and freedoms, the personal data subject is entitled to appeal against the actions or omission of the Operator to a body authorized to protect the rights of personal data subjects, or in court.
8.6. The personal data subject is entitled to the protection of his/her rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in a court of law.