Please note: This document is an English translation of the document found here. In the event of a conflict between the Russian version of this document and this translation, the Russian version shall prevail. Only the Russian version of this document found here is legally binding.
- General Provisions
- Personal Data Processing Policy of OKEY-TELECOM Ltd (hereinafter referred to as the “Policy”) has been developed to comply with the following: the Constitution of the Russian Federation, Federal Law dated 27.07.2006 No. 149-FZ “On Information, Information Technologies and Information Protection,” provisions of Chapter 14 of the Labor Code of the Russian Federation “Protection of Personal Data of Employees,” Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data", Resolution of the Government of the Russian Federation dated 15.09.2008 No. 687 "On Approval of the Regulation on the Specifics of Processing Personal Data, carried out without the use of automation tools", Regulation of the Government of the Russian Federation dated 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data during its processing in personal data information systems" and other statutory acts, guidelines, and regulations of the Russian Federation governing relations related to ensuring the security of personal data during its processing in personal data information systems.
- This Policy applies to data processing at the limited liability company OKEY-TELECOM Ltd, INN/KPP 7727571465/772701001, OGRN 1067746441465, address: 117186, Moscow region, Moscow, 15 Nagornaya street, building 8, (mailing address: 117463, Moscow, PO Box No. 34) (hereinafter referred to as the Operator) and is a publicly available document.
- The requirements of this Policy are mandatory for all employees of the Operator who have access to personal data.
- Decisions to change this Policy shall be made based on the following:
- Results of audits, reviews, and supervision of the security of personal data, carried out by authorized bodies;
- Amendments of statutory acts, guidelines, and regulations of the Russian Federation governing relations related to ensuring the security of personal data during its processing in personal data information systems (hereinafter - PDIS);
- Changes in the processing of personal data in the Operator's PDIS;
- The results of the analysis of information security incidents in PDIS.
- Terms and Definitions
- Personal data means any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);
- Processing of personal data means any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction of personal data;
- Automated processing of personal data means the processing of personal data using computer technology;
- Provision of personal data means actions aimed at disclosing personal data to a certain person or a certain circle of persons;
- Blocking of personal data means a temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
- Destruction of personal data means actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
- Depersonalization of personal data means actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without using additional information;
- A personal data information system means a set of personal data contained in databases and information technologies and technical means that ensure its processing;
- Cross-border transfer of personal data means the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity.
- General principles and conditions for the processing of personal data
- The operator processes the personal data of the employees and non-employees.
- The processing aims to perform the functions determined by the laws and other regulatory legal acts of the Russian Federation and in the framework of the activities specified in the internal documents of the Operator.
- The operator is guided by the following principles and conditions when processing personal data:
- The processing of personal data shall be carried out on a legal and fair basis;
- The processing of personal data shall be carried out with the consent of the subject of personal data to the processing of his personal data, except for the cases specified in sub-paragraphs 2-11 of part 1 of article 6 of the Federal Law of July 27, 2006, No. 152-FZ "On Personal Data";
- Processing of special categories of personal data shall be carried out in the cases provided for by subparagraphs 1-9 of part 2 of article 10 of the Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
- The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, based on the agreement concluded with this person, including a state or municipal contract, or by the adoption of an appropriate act by a state or municipal body (hereinafter - instruction of the Operator). A person who processes personal data on behalf of the Operator shall comply with the principles and rules for processing personal data provided for by the provisions of Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data.” The instruction of the Operator shall define the list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of the processing, shall establish the obligation of such a person to maintain the confidentiality of personal data and ensure the safety of personal data during its processing, and shall specify the requirements for the protection of processed personal data following Article 19 of the Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
- The processing of personal data shall be limited to the achievement of specific, predetermined, and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
- Combining databases containing personal data with different purposes, incompatible with each other, is not allowed;
- Only personal data that meet the purposes of its processing is subject to processing;
- The content and capacity of the processed personal data shall correspond to the stated purposes of the processing. The processed personal data should not be redundant concerning the stated purposes of its processing;
- The accuracy of personal data, its sufficiency, and, if necessary, relevance to the purposes of processing personal data shall be ensured when processing personal data. The operator shall take the required measures or ensure their adoption to remove or clarify incomplete or inaccurate data;
- The storage of personal data shall be carried out in a form that makes it possible to determine the subject of personal data, no longer than the purpose of processing personal data requires unless the storage period for personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data are subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these purposes unless otherwise provided by federal law;
- The operator shall independently determine the content, capacity, purposes of the processing, and storage periods for personal data.
- The documents adopted by the Operator defining the Operator's policy regarding the processing of personal data, local regulations on the processing of personal data, as well as local regulations establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating the consequences of such violations, shall be communicated to the Operator's employees in the parts concerning them.
- Legal basis for the processing of personal data
- The operator processes personal data guided by the following:
- Articles 23, 24 of the Constitution of the Russian Federation;
- Articles 86-90 of the Labor Code of the Russian Federation;
- Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
- This Personal Data Processing Policy;
- Consent to the processing of personal data expressed by the subject of personal data;
- Civil contracts concluded by the Operator with customers and annexes to these contracts;
- The Charter of the organization.
- Purposes of processing personal data
- The processing of personal data shall be carried out to:
- Fulfill the duties of the employer;
- Conclude and execute the contracts with the customers;
- Carry out activities following the constituent documents.
- Categories of processed personal data by subjects, sources, terms of processing and storage of personal data
- The Operator processes the following categories of personal data:
- Personal data of employees: first name, last name, patronymic; type, series, and number of the identity document, date of issue of the identity document and information about the issuing authority, date of birth (day, month, year), place of birth, address, contact phone number, e-mail address;
- Personal data of clients: first name, last name, patronymic; contact phone number; e-mail address; postal address (country, region, city, street, house number, apartment number); type, series, and number of the identity document, date of issue of the identity document and information about the issuing authority, date of birth (day, month, year), place of birth.
- Personal data shall be processed and stored until:
- Achievement of the purpose of personal data processing or loss of the need to achieve it;
- Liquidation or reorganization of the Operator.
- Information about third parties involved in the processing of personal data
- The Operator provides personal data to third parties to comply with the legislation of the Russian Federation, as well as with the consent of the subjects of personal data, to achieve the purposes of processing in the course of its activities.
- Personal data of employees: for submitting reports to regulatory authorities (Pension Fund of the Russian Federation, Federal Tax Service, Social Insurance Fund of the Russian Federation);
- Personal data of employees and non-employees: upon receipt of motivated requests to the prosecutor's office, law enforcement agencies, security agencies, state labor inspectors when they exercise state supervision and control over compliance with labor legislation and other bodies authorized to request information about employees under the competence provided for by the legislation of the Russian Federation within the established powers.
- Rights and obligations of the Operator of personal data
- At the request of the subject of personal data, the Operator shall immediately stop the processing of his personal data for the purpose of promoting goods, works, and services on the market by making direct contacts with a potential consumer using communication means.
- The operator shall explain to the subject of personal data the procedure for deciding based on exclusively automated processing of his personal data, and the possible legal consequences of such a decision, provide an opportunity to object to such a decision and explain the procedure for protecting the subject of personal data of his rights and legitimate interests.
- The operator shall consider an objection against a decision based on exclusively automated processing of personal data of the subject of personal data within thirty days from the date of its receipt and notify the subject of personal data of the results of considering such an objection.
- At the request of the subject of personal data, the Operator shall provide him with the information provided for in part 7 of article 14 of the Federal Law of 27.07.2006, No. 152-FZ "On personal data" when collecting personal data.
- If the provision of personal data is mandatory under federal law, the Operator shall explain the legal consequences of refusing to provide his personal data to the subject of personal data.
- The operator shall provide the subject of personal data or his representative with the information regarding the availability of personal data relating to the respective subject of personal data, and also provide an opportunity to familiarize himself with these personal data when the subject of personal data or his representative applies, or within thirty days from the date of receipt of the request of the subject of personal data or his representative in the manner prescribed by Article 14 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data".
- The operator shall provide the subject of personal data or his representative with the opportunity to familiarize himself with the personal data relating to this subject of personal data free of charge. The Operator shall amend the personal data within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that the personal data is incomplete, inaccurate, or irrelevant. The Operator shall destroy the personal data within a period not exceeding seven working days from the date the subject of personal data or his representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing. The Operator shall notify the subject of personal data or his representative about the changes made and the measures taken and take reasonable measures to notify third parties to whom the personal data of this subject was transferred.
- The operator is obliged to inform the competent authority for the protection of the rights of personal data subjects upon the request of that authority within thirty days from the date of receipt of such a request.
- If the unlawful processing of personal data is revealed when the subject of personal data or his representative contacts the Operator, or at the request of the subject of personal data or his representative or an authorized body for the protection of the rights of subjects of personal data, the Operator shall block the unlawfully processed personal data relating to this subject of personal data, or ensure its blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) from the moment of such an appeal or receipt of the specified request for the verification period. In case of revealing inaccurate personal data when the subject of personal data or his representative applies, or at their request or the request of the authorized body for the protection of the rights of personal data subjects, the Operator shall block personal data relating to this subject of personal data, or ensure its blocking (if processing personal data is carried out by another person acting on behalf of the Operator) from the moment of such an appeal or receipt of the specified request for the verification period, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
- In case of confirmation of the fact of the inaccuracy of personal data, the Operator based on information provided by the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data, or other necessary documents, shall clarify the personal data or ensure its clarification (if the processing of personal data is carried out by another person, acting on behalf of the Operator) within seven working days from the date of submission of such information and remove the blocking of personal data.
- In case of revealing illegal processing of personal data carried out by the Operator or a person acting on behalf of the Operator, the Operator, within a period not exceeding three working days from the date of this identification, shall stop the illegal processing of personal data or ensure that the illegal processing of personal data by the person acting on behalf of the Operator is stopped. If it is impossible to ensure the legality of the processing of personal data, the Operator shall destroy such personal data or ensure its destruction within a period not exceeding ten working days from the date of detection of the illegal processing of personal data. The Operator shall notify the subject of personal data or his representative about the elimination of violations or the destruction of personal data, and, if the appeal of the subject of personal data or his representative or the request of the authorized body for the protection of the rights of subjects of personal data was sent by the authorized body for the protection of the rights of subjects of personal data, shall also notify the specified body.
- If the purpose of processing personal data is achieved, the Operator shall stop processing personal data or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the Operator) and destroy personal data or ensure its destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" or other regulatory legal acts.
- If the subject of personal data withdraws his consent to the processing of his personal data, the Operator shall stop its processing or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and, if the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data or ensure its destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by this federal law or other federal laws.
- If it is impossible to destroy personal data within the period specified in clauses 7.11-7.13 of this provision, the Operator blocks such personal data or ensures its blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within a period not exceeding six months, unless another period is established by federal laws.
- Rights of subjects of personal data
- The subject of personal data has the right to receive information about the Operator’s processing of his personal data.
- The subject of personal data has the right to demand that the Operator clarify his personal data, or block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained, or cannot be deemed necessary for the stated purpose of processing, as well as to take the measures provided by law to protect his rights.
- If the information specified in part 7 of Article 14 of the Federal Law dated July 27, 2006, No. 152-FZ "On Personal Data", and the processed personal data were provided for familiarization to the subject of personal data at his request, the subject of personal data has the right to apply again to the Operator or send him a repeated request to obtain the information specified in part 7 of this article and familiarize himself with such personal data no earlier than thirty days after the initial application or sending the initial request, unless a shorter period is established by a federal law, a regulatory legal act adopted following it, or an agreement to which the subject of personal data is a party, or beneficiary, or guarantor.
- The subject of personal data has the right to re-contact the Operator or send him a repeated request to obtain the information specified in part 7 of article 14 of the Federal Law of July 27, 2006, No. 152-FZ "On personal data" and also to familiarize himself with the processed personal data before the expiration of the period specified in part 4 of article 14 of the Federal Law of July 27, 2006, No. 152-FZ "On personal data" if such information and (or) processed personal data were not provided to him for review in full following the results of consideration of the initial appeal.
- The right of the subject of personal data to access his personal data may be limited following Part 8 of Article 14 of the Federal Law of 27.07.2006, No. 152-FZ "On Personal Data" in the following cases:
- If the processing of personal data, including those obtained as a result of the operational search, counterintelligence, and intelligence activities, is carried out to strengthen the country's defense, ensure state security and protect law and order;
- If the processing of personal data is carried out by the bodies that detained the subject of personal data on suspicion of committing a crime, or charged the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data before filing charges, except for cases provided for by the criminal procedural legislation of the Russian Federation in which the suspect or the accused is allowed to familiarize himself with such personal data;
- If the processing of personal data is carried out following the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
- If the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties;
- If the processing of personal data is carried out in the cases provided for by the legislation of the Russian Federation on transport security, to ensure the stable and safe operation of the transport complex, to protect the interests of the individual, society, and the state in the field of the transport complex from acts of unlawful interference;
- If the subject of personal data believes that the Operator is processing his personal data in violation of the requirements of this Federal Law or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or inaction of the Operator to the authorized body for the protection of the rights of subjects of personal data or in court.
- The subject of personal data has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.
- Measures to ensure the security of personal data during its processing
- When processing personal data, the operator takes the necessary legal, organizational, and technical measures or provides their adoption to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, as well as from other illegal actions concerning personal data.
- Security shall be achieved by the following:
- Determination of threats to the security of personal data during its processing in personal data information systems;
- Application of organizational and technical measures to ensure the security of personal data during its processing in personal data information systems needed to meet the requirements for the protection of personal data, the implementation of which is ensured by the levels of personal data protection established by the Government of the Russian Federation;
- Application of information security tools that have passed the conformity assessment procedure following the established procedure;
- Detection of facts of unauthorized access to personal data and taking measures;
- Recovery of personal data modified or destroyed due to unauthorized access to them;
- Establishing rules for accessing personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
- Control over the measures taken to ensure the security of personal data and the level of protection of information systems of personal data.
- Responsibility for the disclosure of information related to personal data
- Persons guilty of violating the requirements of this Federal Law shall bear responsibility stipulated by the legislation of the Russian Federation.
- Moral harm caused to the subject of personal data as a result of the violation of his rights, violation of the rules for processing personal data established by this Federal Law, as well as the requirements for the protection of personal data established by this Federal Law, shall be compensated as stipulated by the legislation of the Russian Federation. Compensation for moral damage shall be carried out regardless of compensation for property damage and losses incurred by the subject of personal data.