Personal data processing policy
Annex to order No. 280
by EKRA RPE Ltd.
dated December 23, 2022
PERSONAL DATA PROCESSING POLICY
1. General provisions
1.1. This Policy of EKRA RPE Ltd., Cheboksary (hereinafter referred to as the Operator) regarding the processing of personal data of individuals (hereinafter referred to as the Policy) has been developed on the basis of Article 18.1 of the Federal Law No. 152-FZ “Concerning Personal Data” dated July 27, 2006 (as amended by Federal Law No. 266-FZ of July 14, 2022). It defines the purposes of personal data processing, the categories and list of personal data processed for each purpose, the categories of subjects whose personal data are processed by the Operator, the methods and terms of their processing and storage, the procedure for destroying personal data once the purposes of its processing have been achieved or other legal grounds have arisen, and other measures necessary and sufficient to ensure fulfillment of the obligations stipulated by the legislation of the Russian Federation, regulatory legal acts and other documents concerning personal data processing and security.
1.2. The Policy contains information about the Operator, the list and categories of personal data being processed, the purposes, methods, terms, principles of personal data processing, the categories of subjects, whose personal data is processed by the Operator, the measures taken to ensure the security of personal data during its processing, the rights of personal data subjects, as well as information necessary for personal data subjects and other persons to appeal to the Operator.
1.3. The Policy is a public document, subject to publication on the Operator’s website https://ekra.ru, where it can be accessed via the data telecommunications network (Internet), as well as by other means as per the legislation of the Russian Federation.
2. Terms and definitions
2.1. This Policy uses the terms and definitions generally accepted in the field of protection of information constituting personal data, as used in the legislation of the Russian Federation, namely Federal Law No. 149-FZ “Concerning Information, Information Technologies and Information Protection” dated July 27, 2006, Federal Law No. 152-FZ “Concerning Personal Data” dated July 27, 2006, and regulatory legal acts in the field of personal data processing and information protection:
Personal data (hereinafter referred to as PD): any information related directly or indirectly to an identified or identifiable individual (personal data subject);
Personal data authorized by the personal data subject for distribution is personal data to which the personal data subject has provided access to an unlimited number of persons by giving consent to the processing of personal data permitted by the personal data subject for distribution, as prescribed by the Federal Law “Concerning Personal Data”;
The Operator is a state body, municipal body, legal entity or individual, independently or in cooperation with other individuals arranging and (or) processing personal data, as well as determining the purposes for personal data processing, the composition of personal data to be processed, the actions (operations) performed with personal data;
Personal data processing is any action (operation) or a set of actions (operations) performed with personal data with or without the use of automation tools, including acquisition, recording, systematization, accumulation, storage, clarification (updating, altering), extraction, use, transfer (distribution, submission, access), depersonalization, blocking, deletion and destruction of personal data;
Personal data confidentiality is a binding requirement for the Operator (and the Operator’s employees permitted to process personal data) not to disclose personal data to third parties and not to distribute it without the consent of the personal data subject, unless otherwise stipulated by federal law;
Automated personal data processing is processing of personal data using computer aids;
Personal data processing without using automation tools (non-automated personal data processing): the processing of personal data contained in a personal data information system or extracted from such a system is considered to be carried out without using automation tools (non-automated) if actions with personal data, such as use, clarification, distribution or destruction, are carried out with the direct participation of a person in relation to each personal data subject;
Personal data distribution – actions aimed at disclosing personal data to an indefinite range of persons;
Personal data submission – actions aimed at disclosing personal data to a certain person or a certain group of persons;
Personal data blocking – temporary suspension of personal data processing (unless the processing is necessary to update personal data);
Personal data destruction: actions making it impossible to restore the content of personal data in a personal data information system and (or) resulting in the destruction of personal data storage media;
Personal data depersonalization: actions making it impossible to determine the ownership of personal data by a specific personal data subject without additional information;
Personal data information system (hereinafter referred to as PDIS) is a set of personal data contained in databases, as well as information technologies and technical means used to process it;
Cross-border personal data transfer is the transfer of personal data to the territory of a foreign country, to an authority of a foreign country, a foreign individual or a foreign legal entity.
3. Information about the Operator
Name: EKRA Research And Production Enterprise Ltd.
Address: STE 541, 3 Yakovlev prospect, Cheboksary, Chuvashia, Chuvash Republic, 428020, Russia
Telephone: +7 (8352) 220-110, +7 (8352) 220-130
E-mail: ekra@ekra.ru
4. Legal grounds for personal data processing
4.1. Legal grounds for personal data processing:
- Operator’s Articles;
- employment contracts and civil law contracts concluded between the Operator and the personal data subject;
- contracts concluded with legal entities and individuals for the main activities of the Operator;
- consent to personal data processing given to the Operator by the personal data subject or his/her legal representative in any form that allows confirmation of its receipt, including in writing.
4.2. The Operator’s personal data processing policy is formed based on the legislation of the Russian Federation, regulatory legal acts, including:
- the Constitution of the Russian Federation;
- the Labor Code of the Russian Federation;
- the Civil Code of the Russian Federation;
- the Tax Code of the Russian Federation;
- Federal Law No. 14-FZ “Concerning the Limited Liability Companies” dated February 8, 1998;
- Federal Law No. 149-FZ “Concerning Information, Information Technologies and Information Protection” dated July 27, 2006;
- Federal Law No. 152-FZ “Concerning Personal Data” dated July 27, 2006 (hereinafter referred to as the Federal Law “Concerning Personal Data”);
- Federal Law No. 59-FZ “Concerning the Procedure for Reviewing the Applications from Citizens of the Russian Federation” dated May 2, 2006;
- Decree of the Government of the Russian Federation No. 687 “Concerning the Approval of the Regulation for the Aspects of Personal Data Processing Carried Out Without Using Automation Tools” dated September 15, 2008;
- Decree of the Government of the Russian Federation No. 1119 “Concerning the Approval of Requirements for Protection of Personal Data When Processed in Personal Data Information Systems” dated November 1, 2012;
- Order of the Federal Service for Technical and Export Control No. 21 “Concerning the Approval of the Composition and Content of Arrangements and Technical Measures Ensuring the Safety of Personal Data When Processed in Personal Data Information Systems” dated February 18, 2013;
- other regulatory legal acts and recommended practices of supervisory authorities (Roskomnadzor, Russian Federal Security Service and the Russian Federal Service for Technical and Export Control) in the field of information protection and personal data security.
4.3. Pursuant to this Policy, the following local regulatory, administrative and other documents are approved by the orders of the Operator, including:
- Order for appointment of a person responsible for organizing personal data processing;
- Order for formation (creation) of an expert commission (to classify PDIS and develop PD security threat models);
- Order for appointment of an information security administrator;
- Order for appointment of persons responsible for personal data security in PDIS;
- Order for appointment of persons responsible for the use of PDIS and information protection tools used in it;
- Order for approval of the list of persons having access to personal data processing;
- Order for approval of the list of premises used to process personal data;
- Order for approval of the regulation concerning the compliance with the requirements of the Russian Federation legislation and local regulatory and administrative documents concerning personal data processing;
- Order for taking actions necessary to ensure PD security, including the following annexes:
  - Regulations for actions to be taken to ensure the security of PD;
  - Regulations to ensure security in premises used to process PD;
  - Standard log books;
- Order concerning PD processing, including the following:
  - Regulation concerning PD processing;
  - Standard instructions for filling out standard forms;
  - PD non-disclosure form;
  - PD processing consent form;
  - Consent form for processing of personal data permitted by the personal data subject for distribution;
- Order for approval of the list of personal data to be processed;
- Order for approval of the list of personal data information systems;
- Classification acts for personal data information systems;
- Personal data security threat models.
4.4. Local regulatory, administrative and other documents of the Operator are updated following changes in the legislation of the Russian Federation in the field of personal data processing and information protection, organizational and staffing changes in the structure of the Operator, other changes in the Operator’s activities, and changes in the conditions and rules for personal data processing.
5. Purposes of personal data processing
The Operator processes personal data for the following purposes:
- human resourcing for Operator’s work, incl. to ensure the enforcement of laws and other regulatory legal acts governing labor relations, calculating and issuing wages and other payments, taxes and pension contributions, assistance to subjects in obtaining education, internal and external transfers, monitoring the observance of internal local acts of the Operator by the subject, ensuring the safety of the property owned by the Operator and subjects;
- pursuit of statutory activities according to the declared types of activities (rendering services, etc.) of the Operator, including the discharge of obligations under civil law contracts;
- guarding the rights and freedoms of a person and a citizen when processing his/her personal data, including the protection of the rights to privacy, personal and family secrets.
For purposes, categories and a list of personal data of subjects processed by EKRA RPE Ltd., see Appendix No. 2 to this Policy.
For legal grounds, terms of personal data processing and storage, see Appendix No. 3 to this Policy.
6. Personal data processing principles
In its activities the Operator refers to and processes personal data in compliance with the principles specified in Article 5 of the Federal Law “Concerning Personal Data”, including:
- Personal data shall be processed on a legitimate and fair basis.
- Personal data processing shall be limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of its collection is not permitted.
- Databases containing personal data processed for purposes that are incompatible with each other shall not be combined.
- Only personal data meeting the purposes of their processing are subject to processing.
- The content and scope of the processed personal data shall match the declared processing purposes. The processed personal data shall not be excessive as related to the declared processing purposes.
- When processing personal data, the accuracy of the personal data, its sufficiency and, where necessary, its relevance to the purposes of processing shall be ensured. The Operator shall take the necessary measures, or ensure that they are taken, to delete or update incomplete or inaccurate data.
- Personal data shall be stored in a form that makes it possible to identify the personal data subject for no longer than required by the purposes of processing, unless the personal data storage period is established by federal law or by an agreement to which the personal data subject is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization once the purposes of processing have been achieved or the need to achieve them no longer exists, unless otherwise stated by federal law.
7. Personal data processing
7.1. The Operator processes personal data for the following subject categories:
- candidates for employment;
- Operator’s employees;
- members of the employee’s family (children, spouse, etc., whose personal data is processed when issuing the “Employee Data Card” as per form No. T-2);
- individuals the Operator terminated employment relationship with;
- individuals and legal entity representatives the Operator concluded agreements on its core and non-core activities with;
- individuals, whose personal data are transferred by companies and institutions as per agreements concluded with the Operator;
- visitors, who have been granted temporary access to the territory of the Operator;
- individuals, whose personal data are indicated in the applications received by the Operator.
The Operator processes personal data of the subjects belonging to the categories specified in clause 7.1 of this Policy using automation tools of personal data information systems and on paper media.
7.2. The content and scope of the processed personal data correspond to and are not excessive as related to the declared purposes of personal data processing (see section 4 of this Policy) according to the requirements of the Federal Law “Concerning Personal Data” and consent to personal data processing.
7.3. The Operator does not make any decisions based solely on automated personal data processing that give rise to legal consequences for personal data subjects.
7.4. The Operator processes biometric personal data of subjects in the form of video recordings and photographs, without reading out or using anthropometric parameters, in the following cases:
- taking photos of subjects holding personal or visitor electronic access cards during access control at the Operator’s checkpoints;
- video recording indoors and on the adjacent territory of the Operator in order to ensure a safe environment for the Operator’s statutory activities, as well as the safety of the Operator’s and subjects’ property;
- photographing (photos, snapshots) of subjects when uploading photos and snapshots to the Operator’s website and the Operator’s groups in social networks, as well as displaying them on the wall of honor.
7.5. The Operator processes personal data of a specific category.
7.6. The Operator transfers personal data to third parties in accordance with the requirements of the legislation of the Russian Federation, the regulatory and administrative documents of the Operator in the field of personal data processing and protection, the terms of agreements concluded by the Operator that do not contradict the requirements of the legislation of the Russian Federation, and the consent of the subjects to personal data processing.
7.7. The Operator transfers personal data across the border (to the territory of a foreign country, to an authority of a foreign country, a foreign individual or a foreign legal entity).
8. Personal data security arrangements
8.1. In accordance with the legislation of the Russian Federation concerning information protection, when processing personal data the Operator shall take the necessary legal, organizational and technical measures to protect it from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions with regard to it. Among other things, the security of personal data is achieved by taking the following actions:
8.1.1. In accordance with the local regulatory and administrative documents of the Operator (clause 3.2. of this Policy):
the following persons are appointed:
- person responsible for organizing personal data processing;
- information security administrator;
- persons responsible for personal data processing;
- persons responsible for the security of personal data in personal data information systems;
- persons responsible for the use of personal data information systems;
the following is defined:
- persons having access to personal data processing;
- premises used for personal data processing;
- the list of information systems used for personal data processing;
- the list of personal data processed using automation tools or without such tools;
- the obligations of persons responsible for processing and protecting personal data during its processing;
- subject personal data processing consent form;
- subject consent form for processing of personal data permitted by the personal data subject for distribution;
- employee personal data non-disclosure form.
8.1.2. Personal data information systems were classified, the threats to personal data security during its processing in personal data information systems were identified based on a survey concerning personal data processing procedures. Classification acts for personal data information systems and particular personal data security threat models were developed and approved.
8.1.3. Regulatory and technical measures have been taken to ensure personal data security during its processing in personal data information systems necessary to fulfill personal data protection requirements, as well as to perform internal control over personal data processing and storage on data storage media.
8.1.4. The Operator’s employees who process personal data are familiar with the requirements of the legislation of the Russian Federation, regulatory legal acts and local regulatory and administrative documents of the Operator (regulations, rules, guidelines, etc.) related to personal data protection during its processing. They are also aware of the penalties for violating legal requirements in this area.
8.1.5. The Operator holds training in order to increase the skills and awareness of employees related to personal data processing and information protection according to the requirements of the legislation of the Russian Federation.
8.2. The responsibilities of officials and employees of the Operator who process and protect personal data are specified in the Regulations Concerning Personal Data Security, the Regulations Concerning Personal Data Processing and other documents.
9. Rights of personal data subject
9.1. Personal data subject has the right to receive information regarding his/her personal data processing, as per Part 7 of Article 14 of the Federal Law “Concerning Personal Data”, including the following:
9.1.1. Confirming the fact of personal data processing by the Operator.
9.1.2. Legal grounds and purposes for personal data processing.
9.1.3. Purposes and personal data processing methods used by the Operator.
9.1.4. Name and location of the Operator, information about persons (excluding employees of the Operator) having access to personal data or whom personal data may be disclosed to based on the agreement with the Operator or the federal law.
9.1.5. Processed personal data relating to the relevant personal data subject, the source of such data, unless a different procedure for submitting such data is stated in the federal law.
9.1.6. Terms of personal data processing, including its storage terms.
9.1.7. Procedure for personal data subject to exercise the rights stated in the Federal Law “Concerning Personal Data”.
9.1.8. Information about the executed or planned cross-border data transfer.
9.1.9. Name or full name and address of the person who processes personal data on behalf of the Operator, if the processing is or will be entrusted to such a person.
9.1.10. Information on methods used by the Operator to fulfill the obligations stated in Article 18.1 of Federal Law No. 152-FZ “Concerning Personal Data” dated July 27, 2006 (No. 266-FZ as amended of July 14, 2022).
9.1.11. Other information stated in the Federal Law “Concerning Personal Data” and (or) other federal laws.
9.2. The subject has the right to demand that the Operator update his/her personal data, block or destroy it if such personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of personal data processing, as well as to take legal action to protect his/her rights.
9.3. The personal data subject may contact the Operator concerning all the above stated issues of interest, for contact data, see section 3 of this Policy. For the recommended request form for personal data subjects to receive information regarding the personal data processing, see Appendix No. 1 to this Policy.
Information is provided to the personal data subject or his/her representative by the Operator within ten working days from the date of the request or the date the Operator received the request from the personal data subject or his/her representative. This period may be extended by no more than five working days if the Operator sends a motivated notice to the personal data subject indicating the reasons for extending the period necessary to provide the requested information. The request shall contain the number of the main document certifying the identity of the personal data subject or his/her representative, the issue date of that document and the authority that issued it, information confirming the relationship between the personal data subject and the Operator (contract number, contract conclusion date, conditional verbal agreement and (or) other data) or information otherwise confirming the fact of personal data processing by the Operator, and the signature of the personal data subject or his/her representative.
The request may be sent as an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation. The Operator provides information to the personal data subject or his/her representative in the same form in which the relevant application or request was sent, unless otherwise specified in the application or request.
9.4. The Operator reviews requests for personal data processing within the terms and as directed by the requirements of the Federal Law “Concerning Personal Data”.
10. Final provisions
The Operator reserves the right to make amendments to this Policy that do not contradict the legislation of the Russian Federation or regulatory legal acts regarding personal data processing and information protection.
Annex No. 1
to the Policy of EKRA RPE Ltd.
regarding personal data processing
To Director General
of EKRA RPE Ltd.
K. N. Doni
_______________________
(Full name of the applicant)
_______________________
(Address of the applicant)
_______________________
(Document certifying the identity,
series, number, issue date and authority)
Request
According to Article 14 of the Federal Law No. 152-FZ “Concerning Personal Data” dated July 27, 2006 (hereinafter referred to as Federal Law No. 152-FZ), I hereby request for information regarding my personal data processing (personal data of the applicant), namely:
1) confirming the fact of personal data processing by EKRA RPE Ltd.;
2) legal grounds and purposes for personal data processing;
3) purposes and personal data processing methods used by EKRA RPE Ltd.;
4) name and location of EKRA RPE Ltd., information about persons (excluding employees of EKRA RPE Ltd.) having access to personal data or whom personal data may be disclosed to based on the agreement with EKRA RPE Ltd. or the federal law;
5) processed personal data relating to the relevant personal data subject, source of such data, unless a different procedure for submitting such data is stated in the federal law;
6) terms of personal data processing, including its storage terms;
7) procedure for personal data subject to exercise the rights stated in the Federal Law No. 152-FZ;
8) information about the executed or planned cross-border data transfer;
9) name or full name and address of the person who processes personal data on behalf of EKRA RPE Ltd., if the processing is or will be entrusted to such a person;
10) other information stated in the Federal Law No. 152-FZ or other federal laws.
If you do not have such information, please let me know.
Please send the response to this request in writing to the above address within the legally stated time period.
(Signature)
(Full name)
“__” ______________ 20__
Annex No. 2
to the Policy of EKRA RPE Ltd.
regarding personal data processing
Purposes, categories and list of personal data of subjects processed by EKRA RPE Ltd.
Purpose of personal data processing | Categories of personal data subjects | Categories and list of personal data
to personal data subjects employed by the Operator | Candidates for employment |
Operator’s staff management, including for enforcement of laws and other regulatory legal acts, formalizing employment relations, payroll calculation and payment of wages or other income, tax and pension contributions, sending personal data subjects on business trips, offering assistance in employment, education and promotion, protecting the property of personal data subjects, ensuring their personal safety and the safety of their family members, controlling the scope and quality of the work performed, ensuring the safety of their property and the property of the Operator | Operator’s employees |
Operator’s staff management, including for enforcement of laws and other regulatory legal acts, including in terms of accounting and tax registration, archival storage of documents, providing them with guarantees and compensations under the current legislation and local regulations of the Operator | Dismissed Operator’s employees |
Operator’s staff management, including for enforcement of laws and other regulatory legal acts, providing them with guarantees and compensations under the current legislation and local regulations of the Operator | Members of the employee’s family (children, spouse, etc., whose personal data is processed when issuing the “Employee Data Card” as per form No. T-2) |
Performance of duties and functions according to the declared types of activities (rendering services, etc.) as stated in the Articles | Individuals, officials and legal entity representatives the Operator concluded agreements with on its core and non-core activities |
Fulfillment of obligations under civil law contracts | Individuals whose personal data are transferred by companies and institutions as per agreements concluded with the Operator |
Access control and site security regulations of the Operator | Visitors who have been granted temporary access to the territory of the Operator |
Ensuring the protection of the rights and freedoms of personal data subjects (including employees of the Operator and other persons) who have submitted a request to the Operator’s archive in order to receive information containing personal data of these subjects | Individuals whose personal data are indicated in the applications received by the Operator |
Annex No. 3
to the Policy of EKRA RPE Ltd.
regarding personal data processing
Legal grounds, personal data processing and storage terms
Legal grounds for personal data processing | Personal data processing and storage terms
With the consent of the personal data subject to the processing of his/her personal data | During the validity period of the consent to personal data processing
To achieve the goals stipulated by an international treaty of the Russian Federation or the law, to introduce and discharge the functions, obligations and duties assigned by the legislation of the Russian Federation to the Operator | Within the period stated in the relevant international treaties or laws
If necessary to process personal data subject to publication or mandatory disclosure as per federal law | Within the period stated in the relevant laws
For the execution of a court order, an order of another body or official subject to execution under the legislation of the Russian Federation concerning enforcement procedures | Within the period necessary to execute the relevant order
Due to participation of a person in constitutional, civil, administrative or criminal proceedings, or proceedings in arbitration courts | During the period of participation in the relevant legal proceedings, including the terms for appealing (challenging) court orders, except for cases where a longer period of personal data processing is stated by the current legislation of the Russian Federation
To execute a contract to which the personal data subject is a party, beneficiary or guarantor, as well as to conclude a contract on the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor | During the validity term of such a contract, except for cases when a longer period for personal data processing is stated in the current legislation of the Russian Federation
To protect the life, health or other vital interests of the personal data subject, if obtaining the consent of the personal data subject is impossible | Until obtaining the consent of the personal data subject becomes possible or the relevant threat to life, health or other vital interests ceases to exist (whichever comes first)
To exercise the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the personal data subject are not violated | During the period necessary to exercise the rights and serve the legitimate interests. The specific period is determined by the Company in light of the provisions of this Policy, internal documents and local regulations of the Company, as well as the principles of personal data processing and the requirements of the current legislation of the Russian Federation, including in terms of stopping personal data processing upon reaching the specific, predetermined and legitimate goals of such processing