Approved by Order No. 01 of 01.12.2012
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1.1. This Policy regarding the processing of personal data (hereinafter – the Policy) has been prepared in accordance with paragraph 2 of Article 18.1 of Federal Law No. 152-FZ of 27 July 2006 "On Personal Data", as well as other normative legal acts of the Russian Federation in the field of protection and processing of personal data. It applies to all personal data (hereinafter – data) that the Organization (hereinafter – the Operator, the Company) may obtain from a data subject who has a civil law contract, from an Internet user (hereinafter – the User) while using any of the sites, services, programs or products, as well as from a personal data subject who is in a relationship with the Operator regulated by labor law (hereinafter – the Employee).
1.2. The Operator protects the processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law No. 152-FZ of 27 July 2006 "On Personal Data".
1.3. The Operator has the right to make changes to this Policy. When changes are made, the date of the last update is indicated in the Policy header. The new version of the Policy takes effect from the moment it is posted on the site, unless otherwise provided for in the new version of the Policy.
2. Terms and accepted abbreviations
Personal data – any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).
Personal data processing – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data – processing of personal data using computer technology.
Personal data information system (ISPD) – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing.
Personal data made publicly available by the subject of personal data – personal data to which access by an unlimited number of persons has been granted by the subject of personal data or at his request.
Blocking of personal data – temporary termination of processing of personal data (except for cases when processing is necessary to clarify personal data).
Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
Operator – an organization that independently or jointly with other persons organizes the processing of personal data, and determines the purposes of processing, the personal data to be processed, and the actions (operations) performed with personal data. The Operator is an online store located at: http://sukonka.com
3. The processing of personal data
3.1. Receiving personal data.
3.1.1. All personal data should be obtained from the subject. If the subject's personal data can only be obtained from a third party, the subject must be notified of this or consent must be obtained from the subject.
3.1.2. The Operator must inform the subject of the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, and the procedure for its withdrawal, as well as the consequences of the subject's refusal to give written consent to their receipt.
3.1.3. Documents containing personal data are created by:
- copying of original documents (passport, education document, TIN certificate, pension certificate, etc.);
- entering information in accounting forms;
- obtaining the originals of the necessary documents (employment record, medical report, characteristics, etc.).
3.2. Processing of personal data.
3.2.1. Personal data is processed:
– with the consent of the personal data subject to the processing of their personal data;
– in cases when the processing of personal data is necessary for the implementation and performance of the functions, powers and duties assigned by the legislation of the Russian Federation;
– in cases when the personal data being processed has been made accessible to an unlimited number of persons by the subject of personal data or at his request (hereinafter – personal data made publicly available by the subject of personal data).
3.2.2. Purposes of personal data processing:
– implementation of labor relations;
– implementation of civil law relations;
– contacting the User in connection with filling out the feedback form on the site, including sending notifications, requests and information related to the use of the store's site, processing and approving orders and their delivery, and executing agreements and contracts;
- depersonalization of personal data in order to obtain depersonalized statistical data that is transmitted to a third party for conducting research, performing work or providing services on behalf of the store.
3.2.3. Categories of personal data subjects.
Personal data of the following personal data subjects is processed:
- individuals who have an employment relationship with the Company;
- individuals who have left the Company;
- individuals who are candidates for employment;
- individuals who have civil relations with the Company;
- individuals who are Users of the Store's Website.
3.2.4. Personal data processed by the Operator:
- data obtained during the implementation of labor relations;
– data obtained for the selection of candidates for employment;
- data obtained in the course of civil law relations;
– data received from Users of the Store's Site.
3.2.5. Personal data is processed:
– using automation tools;
– without using automation tools.
3.3. Storage of personal data.
3.3.1. Subjects' personal data can be obtained, further processed and transferred to storage both on paper and in electronic form.
3.3.2. Personal data recorded on paper is stored in locked cabinets or in locked rooms with limited access rights.
3.3.3. Personal data of subjects that is processed using automation tools for different purposes is stored in different folders.
3.3.4. It is not allowed to store or place documents containing personal data in open electronic directories (file-sharing sites) in the ISPD.
3.3.5. Storage of personal data in a form that allows the subject of personal data to be identified is carried out for no longer than the purposes of processing require; the data is subject to destruction once the processing purposes are achieved or when there is no longer a need to achieve them.
3.4. Destruction of personal data.
3.4.1. Destruction of documents (media) containing personal data is performed by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. To destroy paper documents, you can use a shredder.
3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.
3.4.3. The fact of destruction of personal data is documented by an act of destruction of media.
3.5. Transfer of personal data.
3.5.1. The operator transmits personal data to third parties in the following cases:
– the subject has expressed its consent to such actions;
- the transfer is provided for by Russian or other applicable law within the procedure established by law.
3.5.2. List of persons to whom personal data is transferred.
- the Pension Fund of the Russian Federation for accounting (on legal grounds);
– tax authorities of the Russian Federation (on legal grounds);
– the Social Insurance Fund of the Russian Federation (on legal grounds);
- the territorial compulsory medical insurance fund (on legal grounds);
– medical insurance organizations for compulsory and voluntary medical insurance (on legal grounds);
- banks for payroll (based on a contract);
- bodies of the Ministry of Internal Affairs of Russia in cases established by law;
– depersonalized personal data of Users of the online store's site is transmitted to the store's contractors.
4. Protection of personal data
4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDS) consisting of subsystems of legal, organizational and technical protection.
4.2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the PDS.
4.3. The organizational protection subsystem includes the organization of the PDS management structure, the licensing system, and the protection of information when working with employees, partners and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and combined hardware and software tools that ensure the protection of personal data.
4.5. The main personal data protection measures used by the Operator are:
4.5.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, and internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
4.5.2. Identification of current threats to the security of personal data during their processing in the ISPD and development of measures to protect personal data.
4.5.3. Development of a policy regarding the processing of personal data.
4.5.4. Establishing rules for access to personal data processed in the ISPD, as well as ensuring registration and accounting of all actions performed with personal data in the ISPD.
4.5.5. Setting individual passwords for employees' access to the information system in accordance with their work responsibilities.
4.5.6. Use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure.
4.5.7. Use of certified antivirus software with regularly updated databases.
4.5.8. Compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them.
4.5.9. Detection of unauthorized access to personal data and taking measures.
4.5.10. Recovery of personal data that has been modified or destroyed due to unauthorized access to it.
4.5.11. Training of the Operator's employees who directly process personal data on the provisions of the legislation of the Russian Federation on personal data, including requirements for personal data protection, documents defining the Operator's policy on personal data processing, and local acts on personal data processing.
4.5.12. Implementation of internal control and audit.
5. Basic rights of the personal data subject and obligations of the Operator
5.1. Basic rights of the personal data subject.
The subject has the right to access his personal data and the following information:
- confirmation of personal data processing by the Operator;
– legal grounds and purposes of personal data processing;
– goals and methods of personal data processing used by the Operator;
– the name and location of the Operator, information about persons (except for employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of Federal law;
– terms of processing of personal data, including the terms of their storage;
– the procedure for the personal data subject to exercise the rights provided for by Federal law;
– the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
- contacting the Operator and sending them requests;
- appeal against actions or omissions of the Operator.
5.2. Operator's Responsibilities.
The Operator must:
- when collecting personal data, provide information about the processing of personal data;
– if the personal data was not received from the personal data subject, notify the subject;
– if the subject refuses to provide personal data, explain to the subject the consequences of such refusal;
- publish or otherwise provide unrestricted access to the document defining its policy on personal data processing, to information about the implemented requirements for personal data protection;
- take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
- provide answers to requests and inquiries of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.