The policy of personal data processing

The policy of personal data processing (hereinafter the Policy) is developed to fulfill the requirements of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the Directive) and of Article 18.1 of Federal Law 152-FZ, dated 27 Jul. 2006 “On personal data ” (hereinafter the Federal Law).

This Policy establishes the method of personal data processing and the measures of guaranteeing security of personal data in order to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

Terminology and definitions are used in the Policy according to their meaning established in the Directive.

  1. 1. CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE

1.1. Personal data may be processed by the processor only if:

I. the data subject has unambiguously given his consent; or

II. processing is necessary for the performance of a contract to which the data subject is party (or grantor, beneficiary) or in order to take steps at the request of the data subject prior to entering into a contract; or

III. processing is necessary for compliance with a legal obligation to which the processor is subject; or

IV. processing is necessary in order to protect the vital interests of the data subject; or

V. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the processor or in a third party to whom the data are disclosed; or

VI. processing is necessary for the purposes of the legitimate interests pursued by the processor or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under the Directive; or

VII. the data were manifestly made public by the data subject.

  1. THE WAYS OF PERSONAL DATA PROCESSING

2.1. The processor processes personal data by any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.2. The processor is entitled to authorize a third party to process personal data with the consent of the data subject. In so doing, the processor is responsible for the third party`s actions. Personal data processing may be authorized to any individual who has a civil or an employment contract with the processor on provision of legal services for the data subject. The third party should follow the requirements of the Directive. The assignment for the third party should contain all the list of actions, the purposes of the processing, confidentiality and safety requirements.

2.3. Signing a legal services contract with the processor, filling a feedback form out on the processor`s official website or asking for legal advice (www.msablina.en) the data subject agrees the processing of personal data relating to him to be authorized to a third party.

  1. THE PURPOSES OF PERSONAL DATA PROCESSING

3.1. The content and the volume of the data processed are determined according to the purposes of the processing.

3.2. The data cannot be processed if it is excessive or incompatible with the following fundamental purposes:

– formalization of employment relations with individuals;
– performance of a contract by the processor;
– fulfilling the requirements of the topical labour, accounting and pension legislation of the Russian Federation.

3.3. There are three feedback forms on the official website of the processor. While filling them out, a person indicates the following personal data for the following purposes:

The form The kind of personal data The purpose of the processing
Ask a question – name
– e-mail
– any kind of personal data from the electronic images of the documents attached Taking legal advice or/and making a contract on the data subject`s initiative/making a contract under which the data subject is a guarantor or a beneficiary.
Taking legal advice or/and making a contract on the data subject`s initiative/making a contract under which the data subject is a guarantor or a beneficiary.
Give a feedback – name
– post
Informing the general public about your opinion on the services provided by the processor.
Get a service – name
– e-mail and/or phone number
– any kind of personal data from the electronic images of the documents attached
Making a contract on the data subject`s initiative or making a contract under which the data subject is a guarantor or a beneficiary, performance of this contract.

3.4. The data cannot be disclosed to a third party or spread by the processor (or other persons who have access to the personal data) without the consent of the data subjects unless otherwise provided by the Directive or by the federal legislation of the Russian Federation.

3.5. The data are stored by the processor for 5 years from the date of receipt except data received in feedback form. Such data are stored with no time limitations.

  1. RIGHTS OF THE DATA SUBJECT

4.1. The data subject makes a decision to provide personal data and agrees them to be processed by any freely given specific and informed indication of his wishes. The consent can be made by the data subject or his representative in any form which can affirm the fact that the personal data was got.

4.2 Every data subject has the right to obtain the following information from the processor:

(a) without constraint at reasonable intervals and without excessive delay or expense:

– confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned,

and the recipients or categories of recipients to whom the data are disclosed, the terms of data processing and storing, the method of data processing, the name and the location of the processor, information on the trans-border data transfer carried out or expected, the method of exercising the data subject`s rights by him, the other information according to the Directive or to the federal legislation of the Russian Federation,

– communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

– knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1) of the Directive;

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of the Directive, in particular because of the incomplete or inaccurate nature of the data, or because the data is outdated, illegally obtained or doesn`t comply with the declared purposes of the processing;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

4.3. The subject has a right to object, on request and free of charge, to the processing of personal data relating to him which the controller anticipates being processed for the purposes of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of charge to such disclosures or uses.

4.4. Every person has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. unless otherwise provided by the Directive and by the federal legislation of the Russian Federation.

4.5. In case the data subject considers the processor to process the personal data in violation of the Directive or of the federal legislation of the Russian Federation, he is entitled to refer to the supervisory authority (Article 28 of the Directive) prior to referral to the judicial authority. The right of every person to a judicial remedy is provided for any breach of the rights guaranteed him by the national law applicable to the processing in question.

4.6. The data subject also has other rights provided by the Directive or by the federal legislation of the Russian Federation.

  1. GUARANTEEING OF PERSONAL DATA PROTECTION

5.1. Security of personal data processed by the processor by taking legal, organizational and technical measures which are necessary to fulfill the requirements of the Directive and of the federal legislation.

5.2. To protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing the processor takes the following organizational and technical measures:

I. Designates persons as responsible for organization of data processing and protection.

II. Guarantees that only persons responsible for personal data are provided with the access to such data.

III. Places this Policy on the official website of the processor.

IV. Organizes registration, storage and circulation of the data carriers.

V. Identifies the personal data security risks while operating them and creates risk models on that basis.

VI. Checks the readiness and efficiency of the data protection facilities usage.

VII. Uses antivirus facilities and facilities of the personal data protection system recovery.

VIII. Uses a firewall, intrusion detection, security analysis and cryptographic information protection facilities when necessary.



Share: