1. General provisions
1.1. This Policy has been developed in accordance with the provisions of the Federal Law "On Personal Data" and other regulatory legal acts regulating the protection of personal data.
1.2. This Policy defines the main issues related to the processing of personal data in LLC "Angel" (hereinafter – the Organization) with the use of automation tools, including in information and telecommunications networks, or without the use of such tools. The Policy applies to personal data received both before and after signing this Policy.
1.3. Personal data is confidential, protected information and is subject to all the requirements established by the internal documents of the Organization for the protection of confidential information.
2. The concept and composition of personal data
2.1. Information constituting personal data is any information related directly or indirectly to a specific or identifiable individual (subject of personal data).
2.2. The Organization processes personal data of the following categories of personal data subjects:
- employees of the Organization – information required by the Organization in connection with employment relations;
- clients (potential clients), partners, counterparties (potential counterparties), as well as personal data of the head, participant (shareholder) or employee of a legal entity that is a client or counterparty (potential client, partner, counterparty) of the Organization – information necessary for the Organization to fulfill its obligations under civil law relations with the client (counterparty).
3. Purposes and cases of personal data processing
3.1. The purposes of personal data processing are:
- organization of personnel records, management of personnel records, assistance to employees in employment, training and promotion, implementation of tax and pension legislation of the Russian Federation, filling in primary statistical documentation;
- conclusion, execution and termination of civil law contracts, registration of other civil law relations (such as: compensation for damage, etc.).
3.2. Processing of personal data in the Organization is allowed in the following cases:
– if the processing of personal data is carried out with the consent of the personal data subject;
– if the processing of personal data is necessary for the performance of a contract to which the subject of personal data is a party or beneficiary, as well as for the conclusion of a contract on the initiative of the subject of personal data or a contract under which the subject of personal data will be a beneficiary;
– if the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
– if the processing of personal data is necessary for the exercise of the rights and legitimate interests of the Organization or third parties or for the achievement of socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;
– if the processing of personal data is necessary for the implementation of scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;
– if the processing of personal data is carried out for research, statistical or other purposes, subject to the mandatory depersonalization of personal data;
– if the personal data being processed has been made accessible to an unlimited number of persons by the subject of personal data or at his request;
– if personal data is processed that is subject to publication or mandatory disclosure in accordance with the law.
4. Basic principles of personal data processing
4.1. The processing of personal data is possible only in accordance with the purposes that determined their receipt.
4.2. It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.
4.3. Employees of the Organization have the right of access to the processing of personal data in accordance with their functional responsibilities.
4.4. When processing personal data, the accuracy of personal data, its sufficiency, and, if necessary, its relevance in relation to the stated purposes of its processing are ensured.
4.5. The storage of personal data is carried out in a form that allows the subject of personal data to be identified, no longer than the purposes of personal data processing require, unless the period of storage of personal data is established by federal law or by an agreement to which the subject of personal data is a party or beneficiary.
4.6. The processed personal data is destroyed or depersonalized upon the achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.
4.7. The terms of storage of personal data are determined in accordance with the term of validity of civil relations between the subject of personal data and the Organization, the statute of limitations, the terms of storage of documents on paper and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the term of validity of the subject's consent to the processing of his personal data.
5. Measures to ensure the security of personal data
5.1. When processing personal data, the Organization takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
5.2. Ensuring the security of personal data is achieved, in particular, by:
- the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the established requirements for the protection of personal data;
- detection of unauthorized access to personal data and taking the necessary measures;
- establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;
- control over the measures taken to ensure the security of personal data and the level of security of the personal data information system.
6. Rights of the personal data subject
The subject of personal data has the right to:
6.1. Receive information concerning the processing of his / her personal data, including information containing:
- confirmation of the fact of processing of personal data by the operator;
- legal grounds and purposes of personal data processing;
- the purposes and methods of personal data processing used by the Organization;
- the name and location of the Organization, information about persons (with the exception of employees of the Organization) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Organization or on the basis of a federal law;
- processed personal data related to the relevant subject of personal data, the source of their receipt, unless a different procedure for the submission of such data is provided for by federal law;
- terms of processing of personal data, including the terms of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by federal law;
- information about the cross-border data transfer that has been carried out or is expected to be carried out;
- the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Organization, if the processing is or will be entrusted to such a person;
- other information provided for by federal law.
6.2. Require the Organization to clarify his / her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his / her rights.
6.3. Have free access to his / her personal data, including the right to receive copies of any record containing personal data, except in cases provided for by the legislation of the Russian Federation.
6.4. Appeal to the court against any illegal actions or omissions of the Organization in the processing and protection of his / her personal data.
7. Responsibilities of the Organization
7.1. The Organization undertakes to take necessary and sufficient legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
8. Duties and responsibilities of the Organization's employees
8.1. Employees of the Organization who are allowed to process personal data are required to:
- know and strictly comply with the requirements of this Policy;
- process personal data only within the framework of the performance of their official duties;
- not disclose personal data obtained as a result of the performance of their official duties, as well as those that have become known to them by the nature of their activities;
- prevent the actions of third parties that may lead to the disclosure (destruction, distortion) of personal data;
- identify the facts of disclosure (destruction, distortion) of personal data and inform the direct manager about it;