Personal data processing policy

Moscow, version dated 05/25/2023

1. GENERAL PROVISIONS
1.1. This Policy of Sole Proprietor Ovsyankina Anna Aleksandrovna regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in pursuance of the requirements of paragraph 2 of part 1 of Art. 18.1 of the Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data, including the protection of the rights to inviolability of privacy, personal and family secrets.

1.2. The Policy applies to all personal data processed by Sole Proprietor Ovsyankina Anna Aleksandrovna (hereinafter referred to as the Operator, Sole Proprietor Ovsyankina Anna Aleksandrovna).

1.3. The Policy applies to relations in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.

1.4. In pursuance of the requirements of part 2 of Art. 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Internet information and telecommunication network on the Operator’s website.

1.5. Basic concepts used in the Policy:
a) personal data – any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data);
b) personal data operator (operator) – a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
c) processing of personal data – any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use. The processing of personal data includes, among other things:

– collection;

– recording;

– systematization;

– accumulation;

– storage;

– clarification (update, change);

– extraction;

– use;

– transfer (distribution, provision, access);

– depersonalization;

– blocking;

– deletion;

– destruction;
d) automated processing of personal data – processing of personal data using computer technology;
e) dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
f) provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
g) blocking personal data – temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
h) destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
i) depersonalization of personal data – actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information;
j) personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing;
k) cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

1.6. Basic rights and obligations of the Operator.

1.6.1. The operator has the right:

– to independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

– to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Law on Personal Data;

– in the event that the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data.

1.6.2. The operator is obliged:

– to organize the processing of personal data in accordance with the requirements of the Personal Data Law;

– to respond to appeals and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;

– to provide to the authority responsible for protecting the rights of subjects of personal data (the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)), at the request of that authority, the necessary information within 10 business days of receipt of such a request.

1.7. Basic rights of the subject of personal data.
1.7.1. The subject of personal data has the right:

– to receive information regarding the processing of his personal data, except as otherwise provided by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data related to other subjects of personal data, unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Personal Data Law;

– to require the Operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his rights;

– to put forward a condition for prior consent when processing personal data in order to promote goods, works and services on the market;

– to appeal to Roskomnadzor or in court against illegal actions or inaction of the Operator when processing his personal data.

1.8. Control over the fulfillment of the requirements of this Policy is carried out by an authorized person responsible for organizing the processing of personal data by the Operator.

1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and the regulations of Sole Proprietor Ovsyankina Anna Aleksandrovna in the field of processing and protecting personal data is determined in accordance with the legislation of the Russian Federation.

2. PURPOSE OF PROCESSING PERSONAL DATA
2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

2.2. Only personal data that meet the purposes of their processing are subject to processing.

2.3. The processing of personal data by the Operator is carried out for the following purposes:

– ensuring compliance with the Constitution of the Russian Federation, federal laws and other normative legal acts of the Russian Federation;

– carrying out its activities in accordance with the Charter of IE Ovsyankina Anna Aleksandrovna;

– maintaining personnel record-keeping;

– assisting employees in finding employment, education and career advancement, ensuring the personal safety of employees, controlling the quantity and quality of work performed, and ensuring the safety of property;

– attracting and selecting candidates to work for the Operator;

– arrangement of individual (personified) registration of employees in the mandatory pension insurance system;

– filling in and submitting to the executive authorities and other authorized organizations the required reporting forms;

– conclusion and execution of civil law contracts;

– maintaining accounting records;

– implementation of access control.

2.4. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

 

3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, pursuant to which and in accordance with which the Operator processes personal data, including:

– the Constitution of the Russian Federation;

– the Civil Code of the Russian Federation;

– the Labor Code of the Russian Federation;

– the Tax Code of the Russian Federation;

– the Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”;

– Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”;

– Federal Law No. 14-FZ of February 8, 1998 “On Limited Liability Companies”;

– Federal Law No. 402-FZ of December 6, 2011 “On Accounting”;

– Federal Law No. 167-FZ of December 15, 2001 “On Compulsory Pension Insurance in the Russian Federation”;

– “Requirements for the protection of personal data during their processing in information systems of personal data”, approved by Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012;

– other regulatory legal acts regulating the activities of the Operator;

– agreements concluded between the Operator and personal data subjects;

– consent of personal data subjects to the processing of their personal data.

 

4. COMPOSITION, VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA
4.1. The content and scope of the processed personal data must comply with the stated purposes of processing, provided for in Section 2 of this Policy. The processed personal data should not be excessive in relation to the stated purposes of their processing. It is prohibited to refuse to process data (provide a service) if the subject of personal data refuses to provide biometric personal data and (or) consent to the processing of personal data, if, in accordance with federal law, obtaining consent to the processing of personal data by the operator is not mandatory.

4.2. The Operator may process personal data of the following categories of personal data subjects.

4.2.1. Candidates for employment with the Operator:

– last name, first name, patronymic;

– gender;

– citizenship;

– date and place of birth;

– contact details;

– information about education, work experience, qualifications;

– other personal data reported by candidates in resumes and cover letters.

4.2.2. Employees (including former) of the Operator:

– surname, first name, patronymic;

– gender;

– nationality;

– image (photograph);

– passport data;

– address of registration at the place of residence and address of actual residence;

– contact information (telephone numbers, e-mail);

– individual taxpayer number;

– insurance number of an individual personal account (SNILS);

– information on education, qualification, professional training and advanced training;

– marital status, presence of children, family ties;

– information on labor activity, including existence of encouragements, awards and (or) disciplinary punishments;

– data on marriage registration;

– information on military registration;

– information on disability;

– information on maintenance payments;

– information on income from previous jobs;

– other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.3. Family members of the Operator’s employees:

– surname, first name, patronymic;

– degree of kinship;

– date of birth;

– other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.4. Clients and counterparties of the Operator (individuals), as well as representatives (employees) of clients and counterparties of the Operator (legal entities), including persons providing various types of services to the Operator, in particular, under civil law contracts:

– last name, first name, patronymic;

– passport data;

– address of registration at the place of residence;

– contact details (phone numbers, e-mail);

– position held;

– individual taxpayer number;

– current account number;

– other personal data provided by customers and contractors and their employees (individuals), necessary for the conclusion and execution of contracts.

4.3. The processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is carried out in accordance with the legislation of the Russian Federation.

4.4. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Russian Federation.

5. PROCESSING OF PERSONAL DATA
5.1. The operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of personal data is carried out with the consent of the subjects of personal data for their processing, as well as without consent in cases provided for by the legislation of the Russian Federation.

5.3. The operator conducts both automated and non-automated processing of personal data.

5.4. Employees of the Operator whose duties include the processing of personal data are allowed to process personal data.

5.5. Personal data is processed by:

– receiving them orally and in writing directly from the subjects of personal data;

– receiving them from publicly available sources;

– entering them into the journals, registers and information systems of the Operator;

– using other methods of processing personal data.

5.6. It is not allowed to disclose to third parties and distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

5.7. The transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the FSS of the Russian Federation and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, distribution and other unauthorized actions, including:

– determines threats to security of personal data during its processing;

– adopts local regulations and other documents regulating relations in the field of processing and protection of personal data. Local acts of the operator may not include provisions restricting the rights of the subject of personal data;

– appoints persons responsible for the organization of personal data processing;

– creates the necessary conditions for working with personal data;

– organizes the accounting of documents containing personal data;

– organizes work with information systems in which personal data is processed;

– keeps personal data in conditions which ensure its safety and exclude unauthorized access to it;

– organizes internal control and/or audit activities in relation to compliance of personal data processing with the Personal Data Law and applicable regulations, personal data protection requirements, Operator’s policy in relation to personal data processing, Operator’s local regulations;

– assesses the damage that may be caused to subjects of personal data in the event of a violation of the rules for working with personal data, and the correlation of that damage with the measures taken by the operator to ensure fulfillment of the obligations provided for by the Law on Personal Data;

– organizes familiarization of employees, directly involved in the processing of personal data, with the provisions of the legislation of the Russian Federation on personal data, including requirements to protection of personal data, documents which define the policy of the Operator in respect of processing personal data, local acts on processing of personal data, and (or) training of these employees;

– notifies Roskomnadzor of unlawful leaks of personal data resulting in a breach of the rights of personal data subjects, the alleged causes, damages, results of their investigation, and remedial measures;

– provides interaction with the state system of detection, prevention and elimination of consequences of computer attacks on information resources of the Russian Federation, including informing Roskomnadzor about computer incidents that resulted in unlawful transfer (provision, distribution, access) of personal data.

 

6. OTHER ACTIONS WITH PERSONAL DATA. ACCESS TO PERSONAL DATA
6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Art. 14 of the Law on Personal Data, are provided by the Operator to the subject of personal data or his representative within ten working days from the date of application or receipt by the Operator of a request from the subject of personal data or his representative. This period may be extended, but by no more than five working days, if the Operator sends a reasoned notice to the subject of personal data indicating the reasons for extending the period for providing the requested information. The response to the request is given in the form in which the request (appeal) was sent, or in the form specified in the request (appeal) itself. The information provided does not include personal data related to other subjects of personal data, unless there are legal grounds for disclosure of such personal data.

The request must contain:

– number of the main document certifying identity of the subject of personal data or his/her representative, information about the date of issue of the said document and the authority that issued it;

– information confirming participation of the subject of personal data in relations with the Operator (contract number, contract conclusion date, conventional word mark and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;

– signature of the subject of personal data or his/her representative.
The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation. If the application (request) of the subject of personal data does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him. The right of the subject of personal data to access his personal data may be limited in accordance with Part 8 of Art. 14 of the Law on Personal Data, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.

6.2. In the event that unlawful processing of personal data is detected upon an application (request) from a personal data subject or his representative or Roskomnadzor, the Operator blocks the unlawfully processed personal data related to this subject from the moment of such application or receipt of the request.

6.3. If unlawful processing of personal data is detected when the subject of personal data or his/her representative or Roskomnadzor contacts (requests), the Operator shall block unlawfully processed personal data relating to that subject from the moment of such contact or request.

6.4. Upon achieving the objectives of personal data processing, as well as in case of withdrawal of the personal data subject’s consent to its processing, personal data shall be destroyed if:

– not otherwise provided by the contract to which the personal data subject is a party, beneficiary or guarantor;

– the operator is not entitled to carry out processing without the consent of the subject of personal data on the grounds provided by the Personal Data Law or other federal laws;

– not otherwise stipulated by another agreement between the operator and the subject of personal data.

7. FINAL PROVISIONS
7.1. This Policy and changes to it are approved by Sole Proprietor Ovsyankina Anna Aleksandrovna and introduced by order.

7.2. All employees must be familiarized with the text of this Policy and changes to it against signature.

7.3. I reserve control over the implementation of this Policy.