Policy regarding the processing of personal data at MTL-Hotel LLC
1. BASIC PROVISIONS
1.1. This Policy regarding the processing of personal data at MTL-Hotel LLC (hereinafter referred to as the Policy) was developed in accordance with the Federal law of July 27, 2006 No. 152-FZ “On Personal Data”.
1.2. The policy comes into force from the moment it is approved by the General director of MTL-Hotel LLC (hereinafter referred to as the Establishment).
1.3. The policy is subject to revision during periodic analysis by the management of the Establishment, as well as in cases of changes in the legislation of the Russian Federation in the field of personal data.
1.4. The policy is subject to publication on the official website of the Establishment.
2. GOALS
2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of personal data subjects when processing their personal data by the Establishment.
3. BASIC CONCEPTS
3.1. For the purposes of the Policy, the following concepts are used:
- personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);
- subject of personal data – an individual who is directly or indirectly identified or determined using personal data;
- operator – a public body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
- processing of personal data – any action (operation) or set of actions (operations) performed by using automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- automated processing of personal data – processing of personal data using computer technology;
- dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;
- provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
- blocking of personal data – temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);
- destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media of personal data are destroyed;
- depersonalization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data to a specific subject of personal data;
- personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing;
- cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity;
- threats to the security of personal data – a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision, distribution of personal data, as well as other unlawful actions during the processing of personal data in the information system;
- level of security of personal data – a complex indicator characterizing the requirements, the implementation of which ensures the neutralization of certain threats to the security of personal data during their processing in personal data information systems.
4. SCOPE
4.1. The provisions of the Policy apply to all relations related to the processing of personal data carried out by the Establishment:
- using automation tools, including in information and telecommunication networks, or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools, that is, it allows, in accordance with a given algorithm, searching for personal data recorded on a tangible medium and contained in file cabinets or other systematized collections of personal data, and (or) access to such personal data;
- without the use of automation tools.
4.2. The Policy applies to all employees of the Establishment.
5. PURPOSES OF PROCESSING PERSONAL DATA
5.1. The processing of personal data is carried out by the Establishment for the following purposes:
- preparation of personalized accounting documents;
- automation of hotel management;
- automated accounting, payroll;
- submission of information to the Ministry of Internal Affairs about arriving guests.
6. LEGAL BASIS FOR PROCESSING PERSONAL DATA
6.1. The basis for the processing of personal data at MTL-Hotel LLC are the following regulations and documents:
- Labor Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Charter of the limited liability company "MTL-Hotel";
- Constitution of the Russian Federation;
- Agreements concluded between the operator and the subject of personal data;
- Consent of personal data subjects to the processing of personal data;
- Federal law of December 6, 2011 No. 402-FZ “On Accounting”;
- Federal law of July 27, 2006 No. 152-FZ “On Personal Data”;
- Federal law of July 18, 2006 No. 109-FZ (as amended on December 27, 2018) “On migration registration of foreign citizens and stateless persons in the Russian Federation”.
6.2. In cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the Establishment, the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
6.3. The processing of personal data is terminated upon reorganization or liquidation of MTL-Hotel LLC.
7. CATEGORIES OF SUBJECTS WHOSE PERSONAL DATA IS PROCESSED
7.1. In accordance with the purposes of processing personal data specified in clause 5 of this Policy, the Establishment processes the following categories of personal data subjects:
- employees;
- clients;
- visitors.
7.2. The list and storage period of processed personal data is approved by the regulatory act of the Establishment.
8. PROCEDURE AND CONDITIONS FOR PROCESSING PERSONAL DATA
8.1. Principles for processing personal data
The processing of personal data is carried out by the Establishment in accordance with the following principles:
- processing of personal data is carried out on a legal and fair basis;
- the processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes; processing of personal data that is incompatible with the purposes of collecting personal data is not permitted;
- it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other;
- only personal data that meets the purposes of their processing are subject to processing;
- the content and volume of personal data processed correspond to the stated purposes of processing; the personal data processed is not redundant in relation to the stated purposes of their processing;
- when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data are ensured; the Establishment takes the necessary measures or ensures that they are taken to delete or clarify incomplete or inaccurate data;
- storage of personal data is carried out in a form that makes it possible to identify the subject of personal data, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by Federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor; processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise provided by Federal law.
8.2. Conditions for processing personal data
Conditions for processing personal data other than obtaining the consent of the subject of personal data to process his personal data are alternative.
8.2.1. Conditions for processing special categories of personal data
The Establishment does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life.
8.2.2. Conditions for processing biometric personal data
Information that characterizes the physiological and biological characteristics of a person, on the basis of which their identity can be established (biometric personal data) and which is used by the Establishment to establish the identity of the subject of personal data, is not processed by the Establishment.
8.2.3. Conditions for processing other categories of personal data
The processing of other categories of personal data is carried out by the Establishment in compliance with the following conditions:
- processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Russian Federation to MTL-Hotel LLC;
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
8.2.4. Conditions for processing publicly available personal data
The Establishment does not process publicly available personal data.
8.2.5. Entrustment of personal data processing
8.2.5.1. The Establishment has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adoption of a corresponding act by a state or municipal body (hereinafter referred to as the assignment).
8.2.5.2. The person processing personal data on behalf of the Establishment complies with the principles and rules for processing personal data provided for in this Policy. The Establishment’s instruction defines a list of actions (operations) with personal data that will be performed by the person processing personal data, the methods and purposes of processing, establishes the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and also specifies requirements for protection of processed personal data.
8.2.5.3. When entrusting the processing of personal data to another person, the Establishment bears responsibility to the subject of personal data for the actions of the specified person. The person processing personal data on behalf of the Establishment is responsible to the Establishment.
8.2.6. Transfer of personal data
8.2.6.1. MTL-Hotel LLC has the right to transfer personal data to the bodies of inquiry and investigation, and other authorized bodies on the grounds provided for by the current legislation of the Russian Federation.
8.3. Confidentiality of personal data
8.3.1. Employees of the Establishment who have access to personal data do not disclose or distribute personal data to third parties without the consent of the subject of personal data, unless otherwise provided by Federal law.
8.4. Public sources of personal data
8.4.1. The Establishment does not create publicly available sources of personal data.
8.5. Consent of the subject of personal data to the processing of his personal data
8.5.1. If it is necessary to ensure the conditions for processing the subject’s personal data, the consent of the subject of personal data to the processing of his personal data may be provided.
8.5.2. The subject of personal data decides to provide their personal data and consents to their processing freely, of their own free will and in their own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data can be given by the subject of personal data or their representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by Federal law. If consent to the processing of personal data is received from a representative of the subject of personal data, the authority of this representative to give consent on behalf of the subject of personal data is verified by the Establishment.
8.5.3. Consent to the processing of personal data may be withdrawn by the subject of personal data. If the subject of personal data withdraws consent to the processing of personal data, the Establishment has the right to continue processing personal data without the consent of the subject of personal data if alternative conditions for processing personal data are met.
8.5.4. The obligation to provide evidence of obtaining the consent of the personal data subject to the processing of his personal data or proof of compliance with alternative conditions for the processing of personal data rests with the Establishment.
8.5.5. In cases provided for by Federal law, the processing of personal data is carried out only with the written consent of the subject of personal data. Consent in the form of an electronic document signed in accordance with Federal law with an electronic signature is recognized as equivalent to consent containing the personal data subject’s handwritten signature in writing on paper. The written consent of the personal data subject to the processing of his personal data must include, in particular:
- last name, first name, patronymic, address of the subject of personal data, number of the main document proving their identity, information about the date of issue of the specified document and the issuing authority;
- last name, first name, patronymic, address of the representative of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority, details of the power of attorney or other document confirming the powers of this representative (upon obtaining consent from the representative of the subject of personal data);
- name or surname, first name, patronymic and address of the Establishment receiving the consent of the subject of personal data;
- purpose of processing personal data;
- list of personal data for the processing of which the consent of the subject of personal data is given;
- name or surname, first name, patronymic and address of the person processing personal data on behalf of the Establishment, if processing will be entrusted to such a person;
- a list of actions with personal data for which consent is given, a general description of the methods of processing personal data used by the Establishment;
- the period during which the consent of the subject of personal data is valid, as well as the method of its withdrawal, unless otherwise established by Federal law;
- signature of the subject of personal data.
8.5.6. In case of incapacity of the subject of personal data, consent to the processing of their personal data is given by the legal representative of the subject of personal data.
8.5.7. In the event of the death of the subject of personal data, consent to the processing of their personal data is given by the heirs of the subject of personal data, if such consent was not given by the subject of personal data during his lifetime.
8.5.8. Personal data may be received by the Establishment from a person who is not the subject of personal data, provided that the Establishment is provided with confirmation of the availability of alternative conditions for processing the information.
8.6. Cross-border transfer of personal data
8.6.1. The Establishment does not carry out cross-border transfer of personal data.
8.7. Rights of personal data subjects
8.7.1. The right of the subject of personal data to access their personal data
8.7.1.1. The subject of personal data has the right to receive information (hereinafter referred to as the information requested by the subject) regarding the processing of his personal data, including:
- confirmation of the fact of processing of personal data by the Establishment;
- legal grounds and purposes of processing personal data;
- the purposes and methods of processing personal data used by the Establishment;
- name and location of the Establishment, information about persons (except for employees of the Establishment) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Establishment or on the basis of Federal law;
- processed personal data related to the relevant subject of personal data, the source of their receipt, unless a different procedure for the presentation of such data is provided for by Federal law;
- terms of processing of personal data, including periods of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by the Federal law “On Personal Data”;
- information about completed or intended cross-border data transfers;
- name or surname, first name, patronymic and address of the person processing personal data on behalf of the Establishment, if the processing has been or will be assigned to such a person;
- other information provided for by the Federal law “On Personal Data” or other Federal laws.
8.7.1.2. The subject of personal data has the right to receive the information requested by the subject, except for the following cases:
- processing of personal data, including personal data obtained as a result of operational search, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;
- processing of personal data is carried out by authorities that detained the subject of personal data on suspicion of committing a crime, or brought charges against the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data before bringing charges, with the exception of cases provided for by the criminal procedure legislation of the Russian Federation if the suspect or accused is allowed to become familiar with such personal data;
- processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
- access of the personal data subject to his personal data violates the rights and legitimate interests of third parties;
- processing of personal data is carried out in cases provided for by the legislation of the Russian Federation on transport security, in order to ensure the sustainable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of the transport complex from acts of illegal interference.
8.7.1.3. The subject of personal data has the right to demand that the Establishment clarify their personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided by law to protect his rights.
8.7.1.4. The information requested by the subject must be provided to the subject of personal data by the Establishment in an accessible form, and it should not contain personal data relating to other subjects of personal data, unless there are legal grounds for the disclosure of such personal data.
8.7.1.5. The requested information is provided to the subject of personal data or their representative by the Establishment upon application or upon receipt of a request from the subject of personal data or his representative. The request must contain the number of the main document identifying the subject of personal data or their representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the subject of personal data in relations with the Establishment (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Establishment, the signature of the subject of personal data or their representative (hereinafter referred to as the information necessary for the request). The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
8.7.1.6. If the information requested by the subject, as well as the personal data being processed, was provided for familiarization to the subject of personal data at their request, the subject of personal data has the right to contact the Establishment again or send a repeated request in order to obtain the information requested by the subject, and familiarize themselves with such personal data no earlier than thirty days (hereinafter referred to as the standard request period) after the initial application or sending of the initial request, unless a shorter period is established by Federal law, a regulatory legal act adopted in accordance with it, or an agreement to which the subject of personal data is a party or beneficiary or guarantor.
8.7.1.7. The subject of personal data has the right to contact the Establishment again or send a repeated request in order to obtain the information requested by the subject, as well as in order to familiarize himself with the processed personal data before the expiration of the standard request period, if such information and (or) the processed personal data were not provided to them for review in full based on the results of consideration of the initial appeal. A repeated request, along with the information necessary for the request, must contain a justification for sending a repeated request.
8.7.1.8. The Establishment has the right to refuse the subject of personal data to fulfill a repeated request that does not comply with the conditions of the repeated request. Such refusal must be motivated. The obligation to provide evidence of the validity of the refusal to fulfill a repeated request lies with the Establishment.
8.7.2. Rights of personal data subjects when processing their personal data for the purpose of promoting goods, works, services on the market, as well as for the purposes of political propaganda.
8.7.2.1. The Establishment does not process personal data for the purpose of promoting goods, works, services on the market by making direct contacts with potential consumers using means of communication, as well as for the purposes of political campaigning.
8.7.3. Rights of personal data subjects when making decisions based solely on automated processing of their personal data.
8.7.3.1. The Establishment does not make decisions based solely on automated processing of personal data that give rise to legal consequences in relation to the subject of personal data or otherwise affect their rights and legitimate interests.
8.7.4. The right to appeal against actions or inactions of the Establishment
8.7.4.1. If the subject of personal data believes that the Establishment is processing their personal data in violation of the requirements of the Federal law “On Personal Data” or otherwise violates their rights and freedoms, the subject of personal data has the right to appeal the actions or inaction of the Establishment to the authorized body for the protection of the rights of personal data subjects or in court.
8.7.4.2. The subject of personal data has the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
8.8. Responsibilities of the Establishment
8.8.1. Responsibilities of the Establishment when collecting personal data
8.8.1.1. When collecting personal data, the Establishment provides the subject of personal data, at their request, with the information requested by the subject.
8.8.1.2. If the provision of personal data is mandatory in accordance with Federal law, the Establishment explains to the subject of personal data the legal consequences of refusal to provide their personal data.
8.8.1.3. If personal data is not received from the subject of personal data, the Establishment, before processing such personal data, provides the subject of personal data with the following information (hereinafter referred to as information provided when receiving personal data not from the subject of personal data):
- name or surname, first name, patronymic and address of the Establishment or representative of the Establishment;
- the purpose of processing personal data and its legal basis;
- intended users of personal data;
- the rights of the subject of personal data established by the Federal law “On Personal Data”;
- source of obtaining personal data.
8.8.1.4. The Establishment does not provide the subject with information provided when receiving personal data not from the subject of personal data in cases where:
- the subject of personal data is notified of the processing of their personal data by the Establishment;
- personal data was received by the Establishment on the basis of Federal law or in connection with the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor;
- personal data is made publicly available by the subject of personal data or obtained from a publicly available source;
- the Establishment processes personal data for statistical or other research purposes, for the professional activities of a journalist or scientific, literary or other creative activity, unless the rights and legitimate interests of the subject of personal data are violated;
- providing the subject of personal data with information provided when receiving personal data not from the subject of personal data violates the rights and legitimate interests of third parties.
8.8.1.5. When collecting personal data, including through the Internet information and telecommunications network, the Establishment ensures recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation processed in the following information systems:
8.8.1.5.1. Microsoft Office software using databases located in the following countries:
8.8.1.5.1.1. Russia.
8.8.1.5.2. Hotel management system Opera Enterprise Solution using databases located in the following countries:
8.8.1.5.2.1. Russia.
8.8.1.5.3. 1C: Enterprise using databases located in the following countries:
8.8.1.5.3.1. Russia.
8.8.1.5.4. The FMS circuit using databases located in the following countries:
8.8.1.5.4.1. Russia.
8.8.1.5.5. A unified platform for online sales and management of the TravelLine hotel using databases located in the following countries:
8.8.1.5.5.1. Russia.
8.8.1.6. The location of the data processing center(s) and information about the organization responsible for storing the data are determined by the internal documents of the Establishment.
8.8.2. Measures aimed at ensuring that the Establishment fulfills its responsibilities
8.8.2.1. The Establishment takes measures necessary and sufficient to ensure the fulfillment of its duties. The Establishment independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of its duties, unless otherwise provided by Federal laws. Such measures, in particular, include:
- appointment of a person responsible for organizing the processing of personal data;
- publication of the Policy, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
- application of legal, organizational and technical measures to ensure the security of personal data;
- implementation of internal control and (or) audit of compliance of the processing of personal data with the requirements for the protection of personal data, Policy, local acts of the Establishment;
- assessment of the harm that may be caused to subjects of personal data in the event of a violation of the Federal law “On Personal Data”, the relationship between this harm and the measures taken by the Establishment aimed at ensuring the fulfillment of the obligations provided for by the Federal law “On Personal Data”;
- familiarization of the employees of the Establishment directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents, Policies, local regulations on the processing of personal data, and (or) training of these employees.
8.8.3. Measures to ensure the security of personal data during its processing
8.8.3.1. When processing personal data, the Establishment takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.
8.8.3.2. Ensuring the security of personal data is achieved, in particular:
- identifying threats to the security of personal data during their processing in personal data information systems;
- application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
- the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;
- assessment of the effectiveness of measures taken to ensure the security of personal data before the commissioning of the personal data information system;
- accounting for computer storage media of personal data;
- detecting facts of unauthorized access to personal data and taking measures;
- restoration of personal data modified or destroyed due to unauthorized access to it;
- establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
- control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.
8.8.3.3. The use and storage of biometric personal data outside personal data information systems can only be carried out on such tangible media and using such storage technology that ensure the protection of this data from unauthorized or accidental access to it, its destruction, modification, blocking, copying, provision, distribution.
8.8.4. Responsibilities of the Establishment when a personal data subject contacts it or upon receiving a request from a personal data subject or their representative, as well as an authorized body for the protection of the rights of personal data subjects
8.8.4.1. The Establishment provides, in the prescribed manner, the subject of personal data or their representative with information about the availability of personal data relating to that subject, and also provides the opportunity to review these personal data when the subject of personal data or their representative applies, or within thirty days from the date of receipt of the request from the subject of personal data or their representative.
8.8.4.2. In case of refusal to provide information about the availability of personal data about the relevant subject of personal data or personal data to the subject of personal data or their representative upon their request or upon receipt of a request from the subject of personal data or his representative, the Establishment gives a reasoned response in writing within a period not exceeding thirty days from the date of application by the subject of personal data or his representative or from the date of receipt of the request of the subject of personal data or his representative.
8.8.4.3. The Establishment provides free of charge to the subject of personal data or their representative the opportunity to familiarize himself with personal data relating to this subject of personal data. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant, the Establishment makes the necessary changes to them. Within a period not exceeding seven working days from the date the subject of personal data or their representative provides information confirming that such personal data was illegally obtained or is not necessary for the stated purpose of processing, the Establishment destroys such personal data. The Establishment notifies the subject of personal data or their representative about the changes made and the measures taken and takes reasonable measures to notify third parties to whom the personal data of this subject have been transferred.
8.8.4.4. The Establishment reports to the authorized body for the protection of the rights of personal data subjects, at the request of this body, the necessary information within thirty days from the date of receipt of such a request.
8.8.5. Responsibilities of the Establishment to eliminate violations of the law committed during the processing of personal data, to clarify, block and destroy personal data
8.8.5.1. In case of detection of unlawful processing of personal data upon application of the subject of personal data or his representative or at the request of the subject of personal data or his representative or the authorized body for the protection of the rights of personal data subjects, the Establishment shall block unlawfully processed personal data relating to this subject of personal data or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Establishment) from the moment of such application or receipt of the specified request for the period of verification. If inaccurate personal data is identified when contacting a subject of personal data or their representative or at their request or at the request of an authorized body for the protection of the rights of subjects of personal data, the Establishment blocks personal data related to this subject of personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Establishment) from the moment of such application or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
8.8.5.2. If the fact of inaccuracy of personal data is confirmed, the Establishment, on the basis of information provided by the subject of personal data or his representative or an authorized body for the protection of the rights of personal data subjects, or other necessary documents, clarifies the personal data or ensures their clarification (if the processing of personal data is carried out by another person acting on behalf of the Establishment) within seven working days from the date of submission of such information and removes the blocking of personal data.
8.8.5.3. In case of detection of unlawful processing of personal data carried out by the Establishment or a person acting on behalf of the Establishment, the Establishment, within a period not exceeding three working days from the date of this detection, stops the unlawful processing of personal data or ensures the cessation of unlawful processing of personal data by a person acting on behalf of the Establishment. If it is impossible to ensure the legality of the processing of personal data, the Establishment, within a period not exceeding ten working days from the date of detection of unlawful processing of personal data, destroys such personal data or ensures its destruction. The Establishment notifies the subject of personal data or its representative about the elimination of violations or the destruction of personal data, and in the event that the appeal of the subject of personal data or their representative or the request of the authorized body for the protection of the rights of personal data subjects was sent by the authorized body for the protection of the rights of personal data subjects, also the specified authority.
8.8.5.4. If the purpose of processing personal data is achieved, the Establishment stops processing personal data or ensures its termination (if the processing of personal data is carried out by another person acting on behalf of the Establishment) and destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Establishment) within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Establishment and the subject of personal data, or if the Establishment does not have the right to carry out processing of personal data without the consent of the subject of personal data on the grounds provided for by the Federal law “On Personal Data” or other federal laws.
8.8.5.5. If the subject of personal data withdraws consent to the processing of his personal data, the Establishment stops their processing or ensures the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Establishment) and, in the event that the preservation of personal data is no longer required for the purposes of processing personal data, destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Establishment) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Establishment and the subject of personal data, or if the Establishment does not have the right to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal law “On Personal Data” or other federal laws.
8.8.5.6. If it is not possible to destroy personal data within the specified period, the Establishment blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Establishment) and ensures the destruction of personal data within a period of no more than six months, unless a different period is established by federal laws.
8.8.6. Notice about the processing of personal data
8.8.6.1. The Establishment, with the exception of cases provided for by the Federal law “On Personal Data,” before the start of processing personal data, notifies the authorized body for the protection of the rights of personal data subjects of its intention to process personal data.
8.8.6.2. The notification is sent in the form of a document on paper or in the form of an electronic document and signed by an authorized person. The notice contains the following information:
- name (last name, first name, patronymic), address of the Establishment;
- purpose of processing personal data;
- categories of personal data;
- categories of subjects whose personal data is processed;
- legal basis for processing personal data;
- list of actions with personal data, general description of the methods of processing personal data used by the Establishment;
- description of measures, including information about the availability of encryption (cryptographic) means and the names of these means;
- last name, first name, patronymic of the individual or name of the legal entity responsible for organizing the processing of personal data, and their contact telephone numbers, postal addresses and email addresses;
- date of commencement of processing of personal data;
- term or condition for termination of the processing of personal data;
- information about the presence or absence of cross-border transfer of personal data in the process of their processing;
- information about the location of the information database containing personal data of citizens of the Russian Federation;
- information about ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation.
8.8.6.3. In the event of a change in the specified information, as well as in the event of termination of the processing of personal data, the Establishment notifies the authorized body for the protection of the rights of personal data subjects within ten working days from the date of such changes or from the date of termination of the processing of personal data.
8.9. Processing of personal data carried out without the use of automation tools
8.9.1. General provisions
8.9.1.1. Processing of personal data contained in the personal data information system or extracted from such a system is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data, are carried out with the direct participation of humans.
8.9.2. Features of organizing the processing of personal data carried out without the use of automation tools
8.9.2.1. Personal data, when processed without the use of automation tools, is separated from other information, in particular by recording it on separate tangible personal data media (hereinafter referred to as tangible media), in special sections or in the fields of forms.
8.9.2.2. When recording personal data on tangible media, it is not permitted to record on one material medium personal data whose processing purposes are obviously incompatible. To process various categories of personal data, carried out without the use of automation tools, a separate material medium is used for each category of personal data.
8.9.2.3. Persons processing personal data without the use of automation tools (including employees of the Establishment or persons carrying out such processing under an agreement with the Establishment) are informed about the fact of their processing of personal data, the processing of which is carried out by the Establishment without the use of automation tools, the categories of personal data processed, as well as about the features and rules for carrying out such processing established by regulatory legal acts of federal executive authorities, executive authorities of constituent entities of the Russian Federation, as well as local legal acts of the Establishment.
8.9.2.4. When using standard forms of documents, the nature of the information in which suggests or allows the inclusion of personal data (hereinafter referred to as the standard form), the following conditions are met:
a) the standard form or related documents (instructions for filling it out, cards, registers and journals) contain information about the purpose of processing personal data carried out without the use of automation tools, the name and address of the Establishment, the surname, first name, patronymic and address of the subject of personal data, the source of obtaining personal data, terms of processing of personal data, list of actions with personal data that will be performed during their processing, general description of the methods of processing personal data used by the Establishment;
b) the standard form provides a field in which the subject of personal data can mark their consent to the processing of personal data carried out without the use of automation tools - if it is necessary to obtain written consent to the processing of personal data;
c) the standard form is drawn up in such a way that each of the subjects of personal data contained in the document has the opportunity to familiarize themselves with their personal data contained in the document without violating the rights and legitimate interests of other subjects of personal data;
d) the standard form excludes the combination of fields intended for entering personal data, the purposes of processing of which are obviously incompatible.
8.9.2.5. If the purposes of processing personal data recorded on one material medium are incompatible, if the material medium does not allow the processing of personal data separately from other personal data recorded on the same medium, measures are taken to ensure separate processing of personal data, in particular:
a) if it is necessary to use or distribute certain personal data separately from other personal data located on the same material medium, the personal data that is subject to distribution or use is copied in a manner that precludes the simultaneous copying of personal data that is not subject to distribution and use, and the copy of the personal data is used (distributed);
b) if it is necessary to destroy or block part of the personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a manner that precludes simultaneous copying of personal data subject to destruction or blocking.
8.9.2.6. Destruction or depersonalization of part of personal data, if permitted by a tangible medium, can be carried out in a way that precludes further processing of this personal data while maintaining the possibility of processing other data recorded on a tangible medium (deletion, erasure). These rules also apply if it is necessary to ensure separate processing of personal data recorded on one material medium and information that is not personal data.
8.9.2.7. Clarification of personal data when processing them without the use of automation means is carried out by updating or changing the data on a material medium, and if this is not allowed by the technical features of the material medium, by recording on the same material medium information about changes made to them or by producing a new material carrier with updated personal data.
8.9.3. Measures to ensure the security of personal data during processing carried out without the use of automation tools
8.9.3.1. The processing of personal data, carried out without the use of automation tools, is carried out in such a way that for each category of personal data it is possible to determine the storage locations of personal data (tangible media) and establish a list of persons processing personal data or having access to it.
8.9.3.2. Separate storage is ensured for personal data (tangible media) that is processed for different purposes.
8.9.3.3. When storing material media, conditions are observed that ensure the safety of personal data and exclude unauthorized access to it. The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures are established by the Establishment.
9. AREAS OF RESPONSIBILITY
9.1. Persons responsible for organizing the processing of personal data in organizations
9.1.1. The Establishment appoints a person responsible for organizing the processing of personal data.
9.1.2. The person responsible for organizing the processing of personal data receives instructions directly from the executive body of the organization that is the operator and is accountable to it.
9.1.3. The Establishment provides the person responsible for organizing the processing of personal data with the necessary information.
9.1.4. The person responsible for organizing the processing of personal data, in particular, performs the following functions:
- carries out internal control over compliance by the Establishment and the employees of the Establishment with the legislation of the Russian Federation on personal data, including requirements for the protection of personal data;
- brings to the attention of the employees of the Establishment the provisions of the legislation of the Russian Federation on personal data, local acts on the processing of personal data, requirements for the protection of personal data;
- organizes the reception and processing of appeals and requests from subjects of personal data or their representatives and (or) exercises control over the reception and processing of such appeals and requests.
9.2. Responsibility
9.2.1. Persons guilty of violating the requirements of the Federal law “On Personal Data” bear responsibility as provided for by the legislation of the Russian Federation.
9.2.2. Moral damage caused to the subject of personal data as a result of violation of his rights, violation of the rules for processing personal data established by the Federal law "On Personal Data", as well as requirements for the protection of personal data established in accordance with the Federal law "On Personal Data", is subject to compensation in accordance with the legislation of the Russian Federation. Compensation for moral damage is carried out regardless of compensation for property damage and losses incurred by the subject of personal data.
10. KEY RESULTS
Upon achieving the goals, the following results are expected:
- ensuring the protection of the rights and freedoms of personal data subjects when processing their personal data by the Establishment;
- increasing the overall level of information security of the Establishment;
- minimizing the legal risks of the Establishment.
11. RELATED POLICIES
There are no associated policies.