Purpose and scope
This document describes the policy of processing, accumulation and storage of documents containing information related to personal data.
The purpose of this Policy is to protect human and civil rights and freedoms during the processing of personal data, including the right to personal and family privacy, and to establish the responsibility of officials who have access to personal data for noncompliance with the regulations on personal data processing and protection.
Abbreviations, basic definitions and terms
Personal data — any information related to a directly or indirectly specified individual (personal data subject);
Operator — state authority, municipal authority, legal entity or individual, who independently or jointly with other persons arranges and/or performs personal data processing, as well as defines the purposes of personal data processing, the volume of personal data subject to processing and actions performed towards personal data;
Personal data processing — any action (operation) or a series of actions (operations) performed towards personal data with or without use of the software, including collection, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access), depersonalization, blocking, deleting and annihilation of personal data;
Automated personal data processing — personal data processing via PC software;
Personal data distribution — actions aimed at personal data disclosure to an indefinite group of persons;
Personal data presentation — actions aimed at personal data disclosure to a certain person or a certain group of persons;
Personal data blocking — temporary interruption of personal data processing (except where processing is required for personal data update or alteration);
Personal data annihilation — actions making it impossible to restore personal data volume in the personal data information system and/or resulting in the elimination of tangible media;
Personal data depersonalization — actions making it impossible to identify personal data as related to a certain data subject without involving additional information;
Personal data information system — a set of personal data included into personal data databases, as well as the software and tools used for their processing;
Trans-border transfer of personal data — transfer of personal data to a foreign territory, foreign government body, to a foreign individual or a foreign legal entity;
Information — messages, data independently of their particular representation.
Legal basis for personal data processing
The Policy is based on the following statutes and regulations of the Russian Federation:
JSC Tander performs personal data processing on a lawful and fair basis. The legal basis for personal data processing is a set of legal acts in compliance with which JSC Tander performs personal data processing:
Purposes for personal data collection and processing in JSC Tander
Purposes for personal data processing are the following:
Volume and categories of personal data processed, categories of personal data subjects
Content and volume of personal data processed fully meet the specified purposes.
JSC Tander carries out collection and further processing of personal data of the following categories of personal data subjects:
Procedure and terms of personal data processing
JSC Tander shall receive all personal data of subjects from these subjects or from their legal representatives.
Personal data processing shall be carried out in accordance with the current legislation of the Russian Federation on the basis of consent of the personal data subject, except as otherwise provided in the Federal Law No.
Personal data processing means actions (operations) with personal data including:
The personal data subject shall make a decision on provision of their personal data and give consent to their processing of their own free will and in their own interest.
Personal data of the subject may be obtained from third parties only upon prior notification of the subject and subject to their written approval.
Personal data of subjects of JSC Tander shall be processed in structural divisions in accordance with functions performed.
Access to personal data processed without the use of automation facilities shall be exercised in accordance with the approved list.
Access to personal data processed in personal data information systems shall be exercised in accordance with the list and procedure approved by JSC Tander.
Authorized persons allowed to receive personal data of subjects of JSC Tander shall have the right to obtain only those personal data of a subject that are necessary for the fulfillment of certain functions in compliance with the job description of the authorized persons.
Non-automated personal data processing shall be performed in compliance with “The provisions on details of non-automated personal data processing” approved by the Russian Federation Government Resolution No. 687 dated September 15, 2008.
Personal data processed in this way shall be separated from other information, in particular, by fixing it on separate material media bearing the personal data, in special sections or on forms (letterheads) margins.
Personal data shall be stored in a form that allows the personal data subject to be identified for no longer than is required by the purpose of their processing.
Personal data shall be annihilated or depersonalized in the following cases:
Material media bearing the personal data shall be stored in specially fitted cabinets and safe boxes. Storage places shall be determined by the order on approval of storage places for JSC Tander material media bearing the personal data.
Within 7 business days from the day of provision by the personal data subject or their legal representative of information confirming that the personal data are incomplete, inaccurate or outdated, JSC Tander shall make adjustments as required and notify the subject of the alterations.
Annihilation of personal data shall be fulfilled within 30 business days from the moment of achieving the purpose of personal data processing unless otherwise provided for by the federal laws of the Russian Federation.
Annihilation of personal data shall be fulfilled within 30 business days from the moment of withdrawal of consent of the personal data subject to personal data processing.
Annihilation of personal data shall be fulfilled within 7 business days from the moment of provision by the personal data subject or their representative of information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing.
In case of detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and if it is impossible to provide lawful personal data processing, annihilation of personal data shall be fulfilled within 10 business days from the moment of detection of unlawful processing of personal data. Decision on the unlawfulness of personal data processing and the necessity of their annihilation shall be made by the person responsible for organization of personal data processing who shall inform the management of it. JSC Tander shall inform a personal data subject or their legal representative of annihilation of personal data.
Annihilation of personal data shall be fulfilled by the committee consisting of employees of the structural division which processed personal data of the subject and established the necessity of annihilation of personal data under the control of a director of this structural division.
The method of annihilation of material media bearing the personal data shall be determined by the committee. The use of the following methods shall be admitted:
An act shall be drawn up and signed by a chairman of the committee that performed annihilation of material media bearing the personal data.
Special organizations may be involved if it is needed to annihilate a large number of material media or to apply special methods of annihilation. In this case the members of the committee responsible for personal data annihilation shall be present at annihilation of the material media bearing the personal data. The slip confirming transfer of material media bearing personal data, subject to annihilation, to a special organization, shall be attached to the act of annihilation.
Annihilation of JSC Tander data base fields containing personal data of the subject shall be fulfilled in the following cases:
Annihilation shall be fulfilled by the committee consisting of persons that are responsible for the technical maintenance of automated systems and that own the databases.
Annihilation shall be fulfilled by erasing information from data storage media (including backup copies). The act shall be drawn up and approved by the person who is responsible for the technical maintenance of automated systems and who owns the databases.
Annihilation of electronic records archives and electronic communications protocols may not be fulfilled if their maintenance and security within a certain period are stipulated in the corresponding regulatory and/or contractual documents.
In the absence of technical capability to annihilate personal data contained in databases, depersonalization by rerecording of database fields shall be acceptable. Rerecording shall be performed in such a way that the further identification of the personal data subject is impossible.
Monitoring of compliance with the procedures of annihilation of personal data shall be carried out by the person responsible for the organization of personal data processing.
Processing of biometric personal data (photograph used for identification, fingerprints, retinal pattern, etc.), according to article 11 of the Federal Law No.
A decision that produces legal effects concerning the personal data subject or otherwise involves their rights and legitimate interests may be made on the basis of entirely automated processing of their personal data with the express written agreement of the personal data subject.
Protection of personal data of the subjects from unlawful use or loss shall be provided by JSC Tander at its own expense in accordance with the procedure established by the legislation of the Russian Federation.
Necessary organizational and technical measures to ensure confidentiality of personal data shall be taken while processing.
Technical measures to protect personal data while processing with hardware shall be determined in accordance with:
Personal data protection shall provide for restriction of access to them.
Internal policies and procedures, including the following documents, have been approved and accepted for execution by the order of JSC Tander CEO:
JSC Tander shall reserve the right to check completeness and accuracy of personal data provided with the consent of the personal data subject. In case of detection of erroneous or incomplete personal data, JSC Tander shall have a right to end all relationships with the personal data subject.
Procedure of processing applications and inquiries of subjects.
When receiving an application or a written inquiry from the personal data subject or their legal representative for access to their personal data, JSC Tander shall follow the requirements of articles 14, 18 and 20 of the Federal Law No.
The access of the personal data subject or their legal representative to their personal data shall be provided by JSC Tander only under the control of the person responsible for the organization of personal data processing by JSC Tander.
Inquiries of the personal data subject or their legal representative shall be recorded in the registry of inquiries of citizens (personal data subjects) related to processing of personal data.
Written inquiries of the personal data subject or their legal representative shall be recorded in the registry of written inquiries of citizens for the access to their personal data.
The person responsible for the organization of personal data processing shall make a decision on providing access to personal data to the subject.
If the data provided by the subject are not sufficient to establish their identity, or if provision of personal data breaches constitutional rights and liberties of other persons, the person responsible for the organization of personal data processing shall prepare a substantive response containing a reference to the provision of part 8 of article 14 of the Federal Law No.
In order to provide access to personal data of the subject to this subject or their representative, the person responsible for the organization of personal data processing shall involve an employee (employees) of the structural division processing personal data of the subject upon the agreement with a director of this structural division.
Information on availability of personal data shall be provided by JSC Tander to the personal data subject in an intelligible form, and it shall not contain personal data related to other personal data subjects. Control over provision of information to the subject or their legal representative shall be carried out by the person responsible for the organization of personal data processing.
Information on availability of personal data shall be provided to the subject in the response to the inquiry within thirty days from the date of receipt of the inquiry of the personal data subject or their legal representative.
Procedures in case of receiving inquiries from regulatory authorities.
In accordance with the part 4 article 20 of the Federal Law No.
Collection of information for preparation of the substantive response to the inquiry of regulatory authorities shall be carried out by the person responsible for the organization of personal data processing, if necessary involving JSC Tander employees.
Within the period established by the legislation the person responsible for the organization of personal data processing shall prepare the substantive response and other necessary documents and send them to the authorized body.