Personal Data | Faberlic
POLICY of JSC Faberlic as to the Processing of Personal Data and Information about Requirements to P

1. General Terms

1.1. This Policy (hereinafter referred to as the Policy) lays out the general principles and procedures for processing personal data, as well as measures to ensure security of said data, within the Joint Stock Company Faberlic (hereinafter referred to as the Company).

1.2. The Policy has been developed in accordance with the provisions of Federal law 152-FZ of 27.07.2006 On personal data, and other legislative and normative legal acts that govern the procedures surrounding the use of personal data and requirements to ensure their safety.

1.3. The Policy uses the following terms and definitions:

Automated processing of personal data – the processing of personal data using computer technology
Biometric personal data – data that characterize a person's physiological and biological features, on the basis of which identity can be established and which are used by the operator to establish the identity of the data subject
Personal data blocking – the temporary cessation of personal data processing (except where processing is necessary for rectification of personal data)
Access to personal data – the disclosure of a subject's personal data that are processed by the Company to certain parties (including employees), while maintaining the privacy of this information
Contractor – the counterparty in a contract with the Company, not an employee of the Company
Personal data confidentiality – the responsibility of parties with access to personal data not to disclose said data to third parties and not to distribute personal data without the consent of the data subject, unless otherwise required by law
Depersonalization of personal data – action taken by which it becomes impossible to determine the particular subject of personal data without additional information
Processing of personal data – any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, rectification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data
Public personal data – personal data available to the public, access to which is provided according to legislation or at the subject's request, as well as data that are subject to mandatory disclosure or publication
Operator – state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the purposes, scope and subject of data processing and actions (operations) related to personal data (in the Policy, the Operator refers to the Company unless otherwise specified)
Personal data – any information referring directly or indirectly to a particular or identified individual (personal data subject)
Provision of personal data – actions intended to disclose personal data to a certain person or a certain group of persons
Distribution of personal data – actions intended to disclose personal data to the public at large
Personal data subject – the individual to whom the personal data refers
Cross-border transfer of personal data – the transfer of personal data to a foreign territory, foreign government body, foreign individual or foreign legal entity
Destruction of personal data – actions performed on personal data contained in the database that prevent such data from being restored and/or actions aimed at the physical destruction of the tangible medium of personal data


2. The List of Processed Personal Data

2.1. The Company processes personal data under the following terms:

No. 1
Purpose of Processing: Execution of employment contracts in accordance with laws and support of the Company’s work processes, compliance with the requirements of labor, tax laws, and accounting laws; providing employees with benefits and guarantees provided for by law for persons who have (adopted) children and persons with family responsibilities; compliance with the requirements of the Labor Code of the Russian Federation on informing relatives about accidents; provision of additional services to employees (pension insurance, accident insurance), transfer of income to payment cards of employees.
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; income; gender; email address; residence address; registration address; telephone number; SNILS (Personal insurance policy number); INN (taxpayer identification number); citizenship; disability; ID details; bank card details; job title; information about employment activity (including work experience, data on employment as at the current time specifying company's name and settlement account); relation to military service, information about military registration; information about education, disability.

No. 2
Purpose of Processing: Ensuring the personal safety of employees and their relatives, ensuring the safety of property, calculation and payment of remunerations, calculation and transfer of taxes and insurance contributions; provision of additional services to Employees at the expense of the employer (pension insurance, transfer of income to payment cards of employees); compliance with the requirements of regulatory legal acts of state statistical accounting bodies; providing Employees with benefits and guarantees provided for by law for persons that have (adopted) kids, persons with family responsibilities; compliance with the requirements of the Labor Code of the Russian Federation on informing relatives about accidents; compliance with the requirements of regulatory legal acts of bodies of state statistical accounting.
Categories of Personal Data Subjects: Relatives of employees
The List and Categories of Personal Data: Last name, first name, patronymic; year of birth; degree of relationship, place of employment.

No. 3
Purpose of Processing: Ensuring the safety of their property, calculation and payment of remunerations, calculation and transfer of taxes and insurance contributions; fulfillment of requirements of regulatory legal acts of state statistical accounting bodies; provision of benefits and guarantees, provided for by law for persons who have (adopted) children, persons with family responsibilities; providing information at the request of government authorities; compliance with the requirements of the Labor Code of the Russian Federation.
Categories of Personal Data Subjects: Dismissed employees
The List and Categories of Personal Data: Last name, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; income; gender; email address; residence address; registration address; telephone number; SNILS; INN; citizenship; identification document details; personality; bank card details; job title; information about work activity (including length of work at the current time, indicating the name and current account of the organization); attitude towards military duty, information about military registration; information about education, disability.

No. 4
Purpose of Processing: Conclusion and execution of a civil contract.
Categories of Personal Data Subjects, each with its List and Categories of Personal Data:
– Buyers: Last name, first name, patronymic; year of birth; month of birth; date of birth; gender; email address; phone number.
– Performers: Last name, first name, patronymic; year of birth; month of birth; date of birth; place of birth; email address; residence address; registration address; telephone number; INN; identification document details; settlement account.
– Agents: Last name, first name, patronymic; year of birth; month of birth; date of birth; place of birth; email address; residence address; registration address; telephone number; INN; identification document details; settlement account.
– Contractors: Last name, first name, patronymic; email address; telephone number; job title.

No. 5
Purpose of Processing: Employment in the Company
Categories of Personal Data Subjects: Candidates for filling vacant positions of the Company
The List and Categories of Personal Data: Last name, first name, patronymic; gender; information about the main identification document (name, series, number, date of issue, name of authority issuing document, code of subdivision issuing document); date and place of birth; address of registration at the place of residence and address of actual residence; INN; SNILS; affiliated structures; the receiving of credit reports from credit bureau; telephone number; information about places of work, information about education.

No. 6
Purpose of Processing: Making it easier for site visitors to navigate the site, obtaining analytical data on visits and improving performance of the website.
Categories of Personal Data Subjects: Website visitors
The List and Categories of Personal Data: Information collected through metric programs (cookies).

No. 7
Purpose of Processing: Selection of Individuals to enter into a service agreement
Categories of Personal Data Subjects: Contractors Individuals
The List and Categories of Personal Data: Last name, first name, patronymic; gender; information about the main identification document (name, series, number, date of issue, name of authority issuing document, code of subdivision issuing document); date and place of birth; address of registration at the place of residence and address of actual residence; INN; SNILS; affiliated structures; the receiving of credit reports from credit bureau; telephone number; information about places of work, position.

No. 8
Purpose of Processing: Business trip arrangements
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; information about the main identity document (name, series, number); telephone number; email address.

No. 9
Purpose of Processing: Improvement of qualifications of Employees
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; information about the main identity document (name, series, number, date of issue, name of the authority that issued the document); registration address.

No. 10
Purpose of Processing: Placing information at the website
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Image (photography); surname, first name; job title.

No. 11
Purpose of Processing: Using corporate taxi
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; telephone number; corporate email address.

No. 12
Purpose of Processing: Registration of corporate cellular communications
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; citizenship; date of birth; information about the main identification document (name, series and number of the document, date of issue of the document, name of the issuing authority and subdivision code (if available)); information (address) about registration at the place of residence and actual place of residence (place of stay); Taxpayer identification number (if available).

No. 13
Purpose of Processing: Registration of voluntary health insurance
Categories of Personal Data Subjects: Employees
The List and Categories of Personal Data: Last name, first name, patronymic; information about the main identity document (name, series, number, date of issue, name of the authority that issued the document); registration address.


2.2. The Company is an entity that provides personal data to other operators in accordance with the requirements of laws, which include, without limitation:

– Government authorities and extra-budgetary funds to which tax reports are sent with regard to the Company's employees as a tax agent, and employee funds or funds to be credited to employees' accounts are transferred (Federal Tax Service inspectorates, offices of the Pension Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, the Social Insurance Fund of the Russian Federation, etc.)

– Telecommunications operators which are given information about users of corporate communications services (landline and mobile telephones, Internet access) in accordance with the requirements of legislation

– Military commissioners and trade union bodies to which personal data is provided (transferred) in cases stipulated by law

In addition to the above, personal data is provided (transferred) to government authorities and extra-budgetary funds, telecommunications operators, military commissioners, and trade union bodies by the relevant government authorities and extra-budgetary funds within the limits of their mandates under the law. Consent of the subjects for such transfer of personal data is not required.

2.3. The Company does not process personal data related to special categories and related to race and nationality, political views, religious or philosophical beliefs, health status (except for information related to the issue of the Employee’s ability to perform a labor function and necessary for the purposes determined by pension laws), intimate life, the Employees’ membership in public associations or their trade union activities, except in cases expressly provided for by law.

2.4. The Company does not process biometric personal data.

2.5. List of actions on personal data: collection; recording; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction; distribution (for Employees only).

2.6. Methods of processing personal data: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.


3. Principles of personal data processing

The Company processes personal data according to the following principles:

3.1. Legality and equitable basis of personal data processing. The Company takes all necessary measures to comply with the requirements of the Law and does not process personal data in cases where it is not permitted by law or where it is not required for any specific purpose by the Company, and does not use personal data to harm the subject of such data.

3.2. Processing only personal data that correspond to the pre-declared purposes of their processing; compliance of the content and volume of the processed personal data with the stated purposes of processing; prevention of processing personal data that is not compatible with the purposes of personal data collection or unnecessary in relation to the stated purposes of personal data processing. The Company does not collect or process personal data that is not required to achieve the goals specified in clause 2.1 of this Policy, and does not use personal data of subjects for any purposes other than those specified.

3.3. Prevention of combining databases containing personal data processed for purposes that are not compatible with each other.

3.4. Ensuring the accuracy, completeness, and relevance of personal data in relation to the purposes of personal data processing. The Company takes all reasonable measures to maintain the relevance of the processed personal data, including (without limitation) exercising the right of each subject to receive their personal data for review and to require the Company to clarify, block, or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the purposes of processing stated above.

3.5. Storage of personal data in a form that allows identification of the data subject for no longer than required for the purpose of processing the personal data, if the retention period of personal data is not established by legislation, by an agreement where one of the parties is the personal data subject, or the consent of the personal data subject to data processing.

3.6. Destruction or depersonalization of personal data upon fulfillment of the declared purposes of their processing or in the event it is no longer necessary to fulfill these purposes, or it becomes impossible for the Company to prevent violations of the procedure for processing personal data established by law, or withdrawal of the subject's consent to personal data processing, or the end of the period for personal data processing established by the consent to personal data processing, unless otherwise provided for by law or by agreement with the personal data subjects.

 

4. Terms of personal data processing

4.1. The Company's personal data processing is allowed in the following situations:

4.1.1. With the personal data subject's consent to personal data processing.

4.1.2. Personal data processing that is necessary for implementation and fulfillment of the functions, powers and duties assigned to the Company by law. Such cases imply processing of Employee personal data in order to fulfill purposes stipulated by labor and pension laws.

4.1.3. To conclude a contract at the initiative of the personal data subject and to execute the contract to which the personal data subject is a party. Such contracts are employment contracts with Employees, civil contracts with Individual Contractors, legal entities and individuals, individual entrepreneurs.

4.1.4. Prior to the conclusion of these contracts, the Company processes personal data at the stage of pre-contractual work with Individual Contractors and Representatives, as well as when conducting recruitment work when the subject's consent to processing is confirmed by the Applicant's own completed form or a form (resume) submitted by them to the Company or to a specialized recruitment organization, or posted by the Applicant, Contractor, or Representative on specialized websites on the Internet, or sent by them to the Company via e-mail.

4.1.5. Processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject, if it is not possible to obtain the subject's consent.

4.1.6. Processing of personal data by the Company is necessary to exercise the rights and legitimate interests of the Company and/or third parties, including in cases provided for by Federal law 320-FZ On protection of the rights and legitimate interests of individuals when performing activities to repay overdue debts..., or to achieve socially significant goals, provided that the rights and freedoms of personal data subjects are not violated.

4.1.7. Personal data is processed by the Company for statistical or other research purposes, subject to mandatory depersonalization of personal data.

4.1.8. Personal data is subject to publication or mandatory disclosure in accordance with laws.

4.2. The Company does not disclose or distribute personal data to third parties without the subject's consent, unless otherwise required by law, by contract with the personal data subject, or not specified in the subject's consent to process their personal data.

4.3. The Company may process personal data on criminal records only in cases and in accordance with the procedure established by law.

4.4. The processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts; for example, challenging the performance of the contract in court.

4.5. The processing of personal data is necessary for the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings. For example, the processing of personal data when paying alimony by court decision.

4.6. The Company shall not carry out cross-border personal data processing.

4.7. The Company does not make decisions that give rise to legal consequences for Employees or otherwise affect the rights and legitimate interests of Employees based solely on automated processing of personal data. Data that has legal consequences or affects the rights and legitimate interests of the Employee, such as the amount of accrued income, taxes and other deductions, are subject to verification by an authorized employee of the Company before use.

5. Confidentiality of personal data

5.1. Employees of the Company who have access to personal data must ensure the confidentiality of said data. Confidentiality is not required with respect to:

– Personal data after its depersonalization;

– Public personal data;

– Personal data allowed for distribution by a personal data subject.

5.2. The Company may, with the consent of the subject, entrust the processing of personal data to another party, unless otherwise required by law, on the basis of a contract related to personal data processing on behalf of the Company entered into with said party, following the principles and rules of personal data processing as required by law. The amount of personal data transferred to another party for personal data processing and the number of processing methods used by said party must be the minimum necessary to fulfill their responsibilities to the Company. The Company's instructions must include a defined list of actions (operations) to be taken with personal data that will be performed by the party carrying out the personal data processing and purposes of the processing; said instructions must define the aforementioned party's responsibility to maintain the confidentiality of personal data and ensure the security of personal data during their processing as well as indicate the requirements for the protection of processed personal data in accordance with part 5 of articles 18, 18.1, and 19, including requirement on notification of operator in cases stipulated by part 3.1. of article 21 of Federal law 152-FZ of 27.07.2006 On personal data.

When fulfilling the Company's instructions with regard to personal data processing, the party to whom the processing is entrusted shall be entitled to use their information systems located on the territory of the Russian Federation and conforming to safety measures required by law as instructed by the Company in the agreed-upon personal data processing contract.


5.3. In the event that the Company entrusts the processing of personal data to another party, the Company is responsible to the personal data subject for the actions of the specified party. The party processing personal data on behalf of the Company is liable to the Company.

6. Rights of personal data subjects

6.1. The personal data subject has the right to receive information regarding the processing of their personal data. The personal data subject is entitled to request that the Company rectify, block, or destroy their personal data in the event that the personal data is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the declared purpose of processing; and also to take legal measures to protect their rights. The personal data subject may make requests in writing, by e-mail, or via the feedback form on the Company's website.

6.2. The subject's request concerning the Company's processing of their personal data in writing or by e-mail must contain:

- Surname, first name, and patronymic/middle name of the personal data subject or their representative;
- The number of a basic document proving the identity of the personal data subject as well as their representative (if the inquiry is made by a representative), the date the aforementioned document(s) was issued, and the issuing authority (authorities);
- Information that confirms the personal data subject's relationship with the Company (number and date of contract with the Company, a copy (scan or photograph) of written communication or an SMS from the Company, etc.), or information that otherwise confirms personal data processing by the Company;
- The signature of the personal data subject or their representative.

6.3. The subject has the right to revoke their consent to the Company's processing of their personal data at any time by written declaration in any form containing basic document information that proves the subject's identity or the personal data that was specified when providing it to the Company, or by sending a request via the feedback form on the Company's website (in this case, identity-proving document information is not required).

6.4. If the personal data subject believes that the Company is processing their personal data in violation of the law, or otherwise violating their rights and liberties, the personal data subject has the right to appeal the Company's actions or inaction to the authorized body on protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Media) or through legal action.

6.5. At the request of the authorized body on protection of the rights of personal data subjects, the Company is obliged to provide the requested information within ten days from the date of receipt of such request.

6.6. The procedure for interaction with regulatory authorities is regulated by the current legislation of the Russian Federation.

7. Information concerning implemented requirements for personal data protection

7.1. The security of personal data processed by the Company is supported by the implementation of legal, organizational, and technical measures necessary and sufficient to meet the requirements of legislation concerning personal data.

7.2. Legal measures taken by the Company include:

– developing Company by-laws that implement the requirements of legislation, including this Policy and the Regulations on the organization of personal data processing and protection within JSC Faberlic;
– refusing to use any personal data processing methods that do not fulfill the purposes and legal requirements set out in the Policy.

7.3. Organizational measures taken by the Company include:

– appointing individuals responsible for organizing personal data processing and for ensuring the security of personal data in personal data information systems;
– restricting the number of Company employees who have access to personal data, and organizing a permit system for access to them;
– familiarizing the Company's employees who directly process personal data with the provisions of the legislation on personal data, including requirements for personal data protection, the Company's Policy, and other by-laws on personal data processing;
– training all categories of Company employees directly engaged in processing personal data, on the rules of working with personal data and ensuring the security of the processed data;
– defining the responsibilities for ensuring the security of personal data processing and responsibility for violation of the established procedure in the job descriptions of Company employees;
– regulating the personal data processing procedures;
– organizing an accounting system for material carriers of personal data and their storage, ensuring the prevention of theft, substitution, unauthorized copying and destruction;
– identifying current threats to the security of personal data, and determining the level of security and requirements for the protection of personal data when processing them in information systems that ensure the established levels of personal data security;
– making technical resources for processing personal data available within a secure area;
– restricting access to the Company's premises by unauthorized individuals, prevention of their presence on the premises where personal data is processed and technical resources for processing them are located, without supervision by the Company's employees;

– control over the implementation of these requirements (independently or with the involvement of legal entities and individual entrepreneurs on a contractual basis, licensed to carry out activities for the technical protection of confidential information) at least once every 3 years.

7.4. Technical measures taken by the Company include:

– developing a personal data protection system based on current threats for the levels of personal data protection established by the Government of the Russian Federation during processing in information systems;
– using information security tools that have passed compliance assessment to neutralize current threats;
– assessing the effectiveness of measures taken to ensure the security of personal data;
– implementing an employee permission system for access to personal data processed in information systems, as well as to hardware and software tools for information protection;
– registering and recording the actions taken with personal data by users of information systems where personal data is processed;
– detecting malicious software (using anti-virus programs) on all nodes of the Company's information network with the respective technical capabilities;
– secure inter-network interactions (using inter-network shielding);
– detecting intrusions into the Company's information system that violate or create prerequisites for violating the established requirements for ensuring the security of personal data;
– recovering personal data that was modified or destroyed due to unauthorized access (creating a backup and recovery system for personal data);
– periodically monitoring user actions, and investigating violations of personal data security requirements.

8. Final provisions

8.1. Other responsibilities and rights of the Company as a personal data operator and as a party that processes data on behalf of other operators are regulated by the laws of the Russian Federation in the sphere of personal data.

8.2. Officials and Employees of the Company responsible for the violation of terms regulating personal data processing and protection shall bear material, disciplinary, administrative, civil and criminal liability in accordance with the laws of the Russian Federation.

8.3. The terms of this Policy shall be revised as necessary. Mandatory Policy review shall be conducted in the event of significant changes in international or Russian Federation law in the sphere of personal data.

The following are considered when introducing changes to the terms of the Policy:

– changes in the information infrastructure and/or technologies used by the Company;
– established practice of enforcement of law in the sphere of personal data in the Russian Federation;
– changes to the conditions and nature of the Company's personal data processing in connection with the introduction of new information systems, processes and technologies into the Company's operation.
