REGULATION ON THE PROCESSING OF PERSONAL DATA
1. Terms and definitions
1.1. Personal data - any information related to a particular individual (subject of personal data) defined or determined on the basis of such information, including his surname, first name, patronymic, year, month, date and place of birth, address, e-mail address, telephone number, family, social, property status, education, profession, income, other information.
1.2. Personal data processing - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, modification), use, distribution (including transfer), depersonalization, blocking.
1.3. Confidentiality of personal data - a requirement, binding on a designated responsible person who has access to personal data, not to allow their dissemination without the consent of the subject or other legal basis.
1.4. Dissemination of personal data - actions aimed at the transfer of personal data to a certain range of persons (transfer of personal data) or for acquaintance with personal data of an unlimited number of persons, including the disclosure of personal data in the media, placement in information and telecommunications networks or provision of access to personal data in any other way.
1.5. Use of personal data - actions (operations) with personal data, made for the purpose of making decisions or performing other actions that give rise to legal consequences with respect to subjects of personal data or otherwise affecting their rights and freedoms or the rights and freedoms of others.
1.6. Blocking of personal data - temporary suspension of collection, systematization, accumulation, use, dissemination of personal data, including their transfer.
1.7. Destruction of personal data - actions, as a result of which it is impossible to restore the contents of personal data in the information system of personal data or as a result of which material carriers of personal data are destroyed.
1.8. The depersonalization of personal data is an action resulting in the impossibility of using additional information to determine the ownership of personal data by a specific subject.
1.9. Publicly available personal data are personal data, unrestricted access to which is granted with the consent of the entity or for which confidentiality requirements do not apply in accordance with federal laws.
1.10. Information - information (messages, data) regardless of the form of their presentation.
1.11. The client (the subject of personal data) is a natural person who uses the services of OOO Ortes-Finance, hereinafter referred to as the "Organization".
1.12. Operator - a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as defining the purposes of processing personal data, the composition of the personal data subject to processing, the actions (operations) performed with personal data. Within the framework of these Regulations, the Limited Liability Company Ortes-Finance is recognized as the Operator.
2. General provisions.
2.1. This Regulation on the processing of personal data (the "Regulations") has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, Information Technologies and Information Protection", Federal Law 152-FZ "On Personal Data" and other federal laws.
2.2. The purpose of the development of the Regulations is the definition of the procedure for processing and protecting the personal data of all Clients of the Organization whose data are subject to processing on the basis of the authority of the operator; ensuring the protection of human and civil rights and freedoms in the processing of his personal data, including the protection of privacy rights, personal and family secrets, as well as establishing the responsibility of officials who have access to personal data for non-compliance with the rules governing processing and protection of personal data.
2.3. Procedure for putting into operation and changing the Regulations.
2.3.1. This Regulation comes into force from the moment of its approval by the Director General of the Organization and is valid for an indefinite period, until replaced by a new Regulation.
2.3.2. Changes to the Regulations are made on the basis of Orders of the Director General of the Organization.
3. Composition of personal data.
3.1. The personal data of the Clients, including:
3.1.1. Full Name.
3.1.2. Year of birth.
3.1.3. Month of birth.
3.1.4. Date of Birth.
3.1.5. Place of Birth.
3.1.6. Passport data
3.1.7. E-mail address.
3.1.8. Phone number (home, cellular).
3.2. The following documents and information containing data about the Customers may be created (are created, collected) in the Organization and stored, including in electronic form:
3.2.1. Application for a survey on the possibility of connection of an individual.
3.2.2. Contract (public offer).
3.2.3. Confirmation of accession to the contract.
3.2.5. Copies of identity documents, as well as other documents provided by the Client, and containing personal data.
3.2.6. Data on payment of orders (goods / services) containing payment and other details of the Customer.
4. The purpose of processing personal data.
4.1. The purpose of processing personal data is the implementation of a set of actions aimed at achieving the goal, including:
4.1.1. Rendering of consulting and information services.
4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.
4.1.3. In order to fulfill the requirements of the legislation of the Russian Federation.
4.2. The condition for the termination of the processing of personal data is the liquidation of the Organization, as well as the corresponding request of the Customer.
5. Collection, processing and protection of personal data.
5.1. The procedure for obtaining (collecting) personal data:
5.1.1. All personal data of the Client should be obtained from him personally with his written consent, except for the cases specified in clauses 5.1.4 and 5.1.6 of this Regulation and in other cases provided for by the laws of the Russian Federation.
5.1.2. The Client's consent to the use of his personal data is stored in the Organization in paper and / or electronic form.
5.1.3. The consent of the subject to the processing of personal data is valid for the entire duration of the contract, as well as for 5 years from the date of termination of the contractual relations of the Client with the Organization. After the expiration of this period, the consent is deemed extended for every five years thereafter in the absence of information on its withdrawal.
5.1.4. If the Customer's personal data can only be obtained from a third party, the Client must be notified of this in advance and a written consent must be obtained from him. The third party providing the personal data of the Client must have the consent of the subject to transfer the personal data to the Organization. The Organization is obliged to receive confirmation from a third party transferring personal data of the Customer that the personal data is transmitted with his consent. When cooperating with third parties, the Organization is obliged to enter into an agreement with them regarding the confidentiality of information concerning the personal data of the Clients.
5.1.5. The Organization is obliged to inform the Client about the purposes, prospective sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the Customer's refusal to provide personal data or to give written consent to receive them.
5.1.6. Processing of personal data of clients without their consent is carried out in the following cases:
5.1.6.1. Personal data is publicly available.
5.1.6.2. At the request of authorized state bodies in cases provided for by federal law.
5.1.6.3. Processing of personal data is carried out on the basis of the federal law establishing its purpose, the conditions for obtaining personal data and the circle of subjects whose personal data are subject to processing, as well as determining the powers of the operator.
5.1.6.4. Processing of personal data is carried out with a view to concluding and executing a contract, one of the parties to which is the subject of personal data - the Customer.
5.1.6.5. Processing of personal data is carried out for statistical purposes subject to obligatory depersonalization of personal data.
5.1.6.6. In other cases provided for by law.
5.1.7. The Organization has no right to receive and process the personal data of the Client concerning his racial or national affiliation, political views, religious or philosophical beliefs, health status or intimate life.
5.2. Procedure for processing personal data:
5.2.1. The subject of personal data provides the Organization with reliable information about himself.
5.2.2. Only employees of the Organization who are authorized to work with the Client's personal data and who have signed the Agreement on the non-disclosure of the Customer's personal data may have access to the processing of the personal data of the Clients.
5.2.3. The following have the right of access to personal data of the Customer in the Organization:
- Director-General of the Organization;
- Employees responsible for financial accounting (manager, accountant).
- Employees of the Department for work with clients (head of sales department, manager).
- IT employees (technical director, system administrator).
- The client, as a subject of personal data.
5.2.3.1. The list of employees of the Organization with access to personal data of the Clients is determined by the order of the Director General of the Organization.
5.2.4. Processing of the Customer's personal data may be carried out solely for the purposes of the Regulations and compliance with laws and other normative legal acts of the Russian Federation.
5.2.5. In determining the scope and content of the personal data to be processed, the Organization is guided by the Constitution of the Russian Federation, the law on personal data, and other federal laws.
5.3. Protection of personal information:
5.3.1. Protection of the Client's personal data means a set of measures (organizational, administrative, technical, legal) aimed at preventing unauthorized or accidental access to them, destruction, modification, blocking, copying or dissemination of personal data of subjects, and other illegal actions.
5.3.2. Protection of personal data of the Client is carried out at the expense of the Organization in the manner established by the federal law of the Russian Federation.
5.3.3. In protecting the personal data of the Customer, the Organization takes all necessary organizational, administrative, legal and technical measures, including:
- Antivirus protection.
- Security analysis.
- Intrusion Detection and Prevention.
- Access management.
- Registration and accounting.
- Ensuring integrity.
- Organization of regulatory and methodological local acts regulating the protection of personal data.
5.3.4. The general organization of protection of personal data of Clients is carried out by the General Director of the Organization.
5.3.5. Access to the personal data of the Client is available to employees of the Organization who need personal data in connection with the performance of their work duties.
5.3.6. All employees associated with the receipt, processing and protection of personal data of Clients are required to sign an Agreement on the non-disclosure of personal data of Clients.
5.3.7. The procedure for obtaining access to the personal data of the Client includes:
- Familiarization of the employee, against signature, with this Regulation. Where there are other regulations (orders, directives, instructions, etc.) governing the processing and protection of personal data of the Client, these acts are also made available for signature.
- Obtaining from the employee (with the exception of the Director General) a written obligation to respect the confidentiality of the personal data of the Clients and to comply with the rules for processing them in accordance with the internal local acts of the Organization governing the security of confidential information.
5.3.8. Employee of the Organization who has access to the personal data of the Clients in connection with the performance of labor duties:
- Provides storage of information containing personal data of the Customer, excluding access to them by third parties.
- In the absence of an employee, there should be no documents containing personal data of the Clients at his workplace.
- When leaving for vacation, during a business trip and in other cases of prolonged absence from his workplace, the employee is obliged to transfer documents and other media containing personal data of the Clients to the person to whom a local act of the Company (order, directive) entrusts the performance of his labor duties.
- In the event that such person is not appointed, the documents and other carriers containing the personal data of the Clients are transferred to another employee who has access to the personal data of the Clients as directed by the Director General of the Organization.
- Upon dismissal of an employee who has access to personal data of the Client, documents and other media containing personal data of the Customers are transferred to another employee who has access to the personal data of the Clients as directed by the Director General.
- In order to carry out the assigned task and on the basis of a memo with a positive resolution of the Director General, access to the personal data of the Client may be granted to another employee. The admission to personal data of the Client of other employees of the Organization that do not have a properly issued access is prohibited.
5.3.9. The manager for personnel work provides:
- Familiarization of employees against signature with this Regulation.
- Requesting from employees a written obligation to respect the confidentiality of the Customer's personal data (Non-disclosure agreement) and compliance with the rules for their processing.
- General control over the observance by employees of measures to protect the personal data of the Client.
5.3.10. Protection of personal data of the Clients stored in electronic databases of the Organization from unauthorized access, distortion and destruction of information, as well as from other illegal actions, is provided by the System Administrator.
5.4. Storage of personal data:
5.4.1. Personal data of clients on paper carriers are stored in safes.
5.4.2. Personal data of Clients in electronic form is stored in the local computer network of the Organization, in electronic folders and files in the personal computers of the General Director and employees admitted to processing personal data of the Customers.
5.4.3. Documents containing personal data of customers are stored in lockable cabinets (safes), providing protection from unauthorized access. At the end of the working day, all documents containing personal data of the Customers are placed in cabinets (safes) providing protection against unauthorized access.
5.4.4. Protection of access to electronic databases containing personal data of customers is provided by:
- Using licensed anti-virus and anti-hacker programs that do not allow unauthorized entry into the local network of the Organization.
- Differentiation of access rights using an account.
- Two-step password system: at the level of the local computer network and at the database level. Passwords are set by the System Administrator of the Organization and are communicated individually to employees who have access to personal data of the Customers.
5.4.4.1. Unauthorized entry to the PC, which contains personal data of the Customers, is blocked by a password that is set by the System Administrator and is not subject to disclosure.
5.4.4.2. All electronic folders and files containing personal data of the Customers are protected with a password that is set by the employee responsible for the PC and is communicated to the System Administrator.
5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.
5.4.5. Copying and making extracts of the personal data of the Client is permitted only for official purposes with the written permission of the Director General of the Organization.
5.4.6. Answers to written inquiries of other organizations and institutions on the personal data of the Customers are given only with the written consent of the Customer himself, unless otherwise provided by law. Responses are drawn up in writing, on the Organization's letterhead, and in a volume that avoids disclosing an excessive amount of the Customer's personal data.
6. Blocking, depersonalization, destruction of personal data
6.1. The procedure for blocking and unlocking personal data:
6.1.1. Blocking of personal data of Clients is carried out upon a written application of the Client.
6.1.2. Blocking of personal data implies:
6.1.2.1. Prohibition of editing personal data.
6.1.2.2. Prohibition of distribution of personal data by any means (e-mail, cellular communication, material carriers).
6.1.2.3. The prohibition of the use of personal data in mass mailings (SMS, e-mail, mail).
6.1.2.4. The withdrawal of paper documents relating to the Client and containing his personal data from the internal workflow of the Organization and the prohibition of their use.
6.1.3. The blocking of the personal data of the Client can be temporarily withdrawn, if this is required for compliance with the legislation of the Russian Federation.
6.1.4. Unblocking of personal data of the Client is carried out with his written consent (if there is a need to obtain consent) or the Customer's application.
6.1.5. The Customer's consent to the processing of his personal data (if it is necessary to receive it) entails the unblocking of his personal data.
6.2. The order of depersonalization and destruction of personal data:
6.2.1. Anonymization of the Customer's personal data takes place upon a written application of the Client, provided that all contractual relations are completed and not less than 5 years have elapsed from the date of termination of the last contract.
6.2.2. In the case of depersonalization, personal data in information systems are replaced by a set of symbols, in which it is impossible to determine whether personal data belongs to a specific Customer.
6.2.3. When personal data are depersonalized, paper document carriers are destroyed.
6.2.4. The organization is obliged to ensure confidentiality with respect to personal data when it is necessary to conduct testing of information systems in the developer's territory and to make personal data in the information systems transferred to the developer.
6.2.5. Destruction of the Customer's personal data implies the termination of any access to the Customer's personal data.
6.2.6. When the personal data of the Customer are destroyed, the employees of the Organization cannot access the personal data of the subject in the information systems.
6.2.7. When personal data are destroyed, paper document carriers are destroyed and personal data in the information systems are depersonalized. Personal data cannot be restored.
6.2.8. The operation of destroying personal data is irreversible.
6.2.9. The period after which the operation of destruction of the Customer's personal data is possible is determined by the end of the period specified in clause 7.3 of this Regulation.
7. Transmission and storage of personal data
7.1. Transfer of personal data:
7.1.1. The transfer of personal data of the subject means the dissemination of information through communication channels and on tangible media.
7.1.2. When transferring personal data, employees of the Organization must comply with the following requirements:
7.1.2.1. Not to disclose personal data of the Client for commercial purposes.
7.1.2.2. Not to disclose personal data of the Client to a third party without the written consent of the Client, except for the cases established by the federal law of the Russian Federation.
7.1.2.3. To warn the persons receiving the personal data of the Customer that these data can be used only for the purposes for which they are communicated and to require these persons to confirm that this rule is observed.
7.1.2.4. To permit access to personal data of Clients only to specially authorized persons, and these persons should have the right to receive only those personal data of the Clients that are necessary for performing specific functions.
7.1.2.5. To transfer personal data of the Customer within the Organization in accordance with this Regulation, regulatory and technological documentation and job descriptions.
7.1.2.6. To provide the Client with access to his personal data when he applies or upon receipt of the Customer's request. The Organization is obliged to inform the Client about the availability of personal data about him, and also to provide an opportunity to get acquainted with them within ten working days from the date of application.
7.1.2.7. To transfer personal data of the Client to the representatives of the Client in the order established by the legislation and normative and technological documentation and to limit this information to only those personal data of the subject that are necessary for these representatives to perform their functions.
7.2. Storage and use of personal data:
7.2.1. The storage of personal data means the existence of records in information systems and on tangible media.
7.2.2. Personal data of the Customers are processed and stored in information systems, as well as on hard copies in the Organization. Personal data of Clients is also stored electronically: on the Organization's local computer network, in electronic folders and files on the PCs of the General Director and of employees authorized to process personal data of the Clients.
7.2.3. The storage of personal data of the Client can be carried out no longer than the purpose of processing requires, unless otherwise stipulated by federal laws of the Russian Federation.
7.3. Terms of storage of personal data:
7.3.1. The term of storage of civil contracts containing personal data of the Clients, as well as of documents accompanying their conclusion and execution, is 5 years from the date of the termination of the contracts.
7.3.2. During the period of storage, personal data cannot be depersonalized or destroyed.
7.3.3. After the expiry of the period of storage, personal data may be depersonalized in information systems and destroyed on paper in the manner prescribed in the Regulations and current legislation of the Russian Federation. (Appendix to the Act on the destruction of personal data)
8. Rights of the operator of personal data
The Organization has the right:
8.1. Defend its interests in court.
8.2. Provide personal data of Clients to third parties, if it is provided by the current legislation (tax, law enforcement agencies, etc.).
8.3. Refuse to provide personal data in cases stipulated by law.
8.4. Use the personal data of the Client without his consent, in cases stipulated by the legislation of the Russian Federation.
9. Rights of the Client
The Client has the right:
9.1. To require the clarification of his personal data, their blocking or destruction in the event that personal data are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated purpose of processing, and also to take legal measures to protect his rights.
9.2. Require a list of processed personal data available in the Organization and the source of their receipt.
9.3. To receive information on the terms of processing of personal data, including the time of their storage.
9.4. To require the notification of all persons who were previously informed of incorrect or incomplete personal data about all exceptions, corrections or additions made in them.
9.5. To appeal wrongful acts or omissions in the processing of his personal data to the authorized body for the protection of the rights of subjects of personal data or in court.
10. Liability for violation of the rules governing the processing and protection of personal data
10.1. Employees of the Organization who are guilty of violating the rules governing the receipt, processing and protection of personal data bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and the internal local acts of the Organization.