PERSONAL DATA PROCESSING POLICY
1. GENERAL PROVISIONS
1.1. The Personal Data Processing Policy of “BURINTEKH”, Ltd (hereinafter referred to as the “Policy”) sets out the basic principles, purposes, conditions and methods of personal data processing, the lists of data subjects and personal data processed at “BURINTEKH”, Ltd, the functions of “BURINTEKH”, Ltd in the processing of personal data, the rights of data subjects, and the requirements of “BURINTEKH”, Ltd for personal data protection.
1.2. The Policy has been developed in accordance with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation regarding personal data.
1.3. The purpose of this Policy is to inform the subjects of personal data and persons involved in the processing of personal data about the observance by the Enterprise and Enterprise group of companies as an operator of the fundamental principles of legality, fairness, compliance of the content and volume of personal data being processed with the stated purposes of processing.
1.4. The Policy must be posted on the official website of “BURINTEKH”, Ltd https://burintekh.com/ in order to provide unlimited access to this Policy to subjects of personal data.
1.5. This Policy applies to all personal data processed by the Enterprise.
2. LEGISLATIVE REGULATION AND OTHER STATUTORY LEGAL ACTS OF THE RUSSIAN FEDERATION, IN ACCORDANCE WITH WHICH DATA PROCESSING POLICY IN THE ENTERPRISE IS DETERMINED
2.1. Enterprise Personal Data Processing Policy is based on the following statutory acts, including:
- Labor Code of the Russian Federation;
- Federal Law No. 152-FZ dated July 27, 2006, on Personal Data;
- Russian Government Directive No. 687 dated September 15, 2008, on Approving the Provision Regarding the Specifics of Personal Data Processing without Automated Means;
- Russian Government Directive No. 1119 dated November 1, 2012, on Approving the Requirements to the Protection of Personal Data Undergoing Processing in Personal Data Information Systems;
- Order of the FSTEC of Russia No. 21 dated February 18, 2013, on Approving the List and Scope of Organizational and Technical Measures for Protection of Personal Data Undergoing Processing in Personal Data Information Systems;
- GOST R ISO 9001-2015 (ISO 9001:2015) Quality management systems. Requirements;
- GOST R ISO 14001-2016 (ISO 14001:2015) Environmental management systems. Requirements and instructions for use;
- GOST R ISO 45001-2020 (ISO 45001:2018) Occupational health and safety management systems. Requirements and instructions for use;
- INTI S.QS.1-2020 Quality management system. Requirements.
3. BASIC TERMS AND DEFINITIONS USED IN LOCAL REGULATIONS OF ENTERPRISE GOVERNING PERSONAL DATA PROCESSING
Personal data means any information related to a directly or indirectly identified or identifiable natural person (data subject).
Operator means a government authority, a municipal authority, a legal or private person, which severally or jointly arranges and/or performs the processing of personal data, as well as defines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.
Personal data processing means any action (operation) or a series of actions (operations) with personal data performed with or without automated means, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.
Automated personal data processing means the processing of personal data with the use of computers.
Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.
Dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons.
Blocking of personal data means a temporary interruption of personal data processing (except where processing is required for personal data refinement).
Destruction of personal data means actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media on which personal data are stored.
Depersonalization of personal data means actions making it impossible to establish a connection between personal data and a specific data subject without using additional information.
Personal data information system means a set of personal data contained in personal data databases, as well as information technologies and tools used for their processing.
Trans-border transfer of personal data means a transfer of personal data to a foreign country, specifically to a foreign government body or a foreign natural or legal person.
Employee means an individual who has created an employer-employee relationship with an employer.
Personal data subject means a natural person who is directly or indirectly identified or determined using personal data.
Counterparty means any Russian or foreign legal entity or individual with whom the Enterprise or Enterprise group of companies enters into contractual relations, with the exception of labor relations.
Confidentiality of personal data means the observance by the Operator or other persons who have gained access to personal data of the requirement not to disclose to third parties and not to provide personal data without the consent of the personal data subject or other legal grounds.
4. PRINCIPLES FOR PERSONAL DATA PROCESSING
4.1. The Enterprise processes personal data of employees, representatives of the counterparty and other subjects of personal data for the purposes provided for in this policy.
4.2. The processing of personal data at Enterprise is performed on the following principles:
- Personal data processing at Enterprise is performed on a legal and equitable basis;
- Personal data processing is limited to specific, predetermined and legitimate purposes;
- Personal data processing is not allowed if such processing is incompatible with the purposes of personal data collection;
- It is not allowed to combine databases containing personal data which are processed for incompatible purposes;
- Personal data are not subject to processing unless they meet the purposes of their processing;
- Scope and amount of personal data comply with the stated purposes of processing. Data redundancy in relation to the stated purposes is not allowed;
- Personal data undergoing processing must be accurate, sufficient and, if necessary, relevant to the purposes of personal data processing;
- Enterprise takes the required measures or makes efforts to delete or refine incomplete or inaccurate personal data;
- Personal data are stored in the form that makes it possible to identify the data subject for no longer than required for the purposes of personal data processing unless the personal data retention period is set by federal law or an agreement under which the data subject acts as a party, beneficiary or guarantor;
- Personal data undergoing processing are destroyed or depersonalized as soon as the purposes of processing are achieved or if the achievement thereof is no longer required, unless otherwise provided by federal law.
5. PURPOSES AND SCOPE OF PERSONAL DATA PROCESSING
5.1. The processing of personal data in the Enterprise is carried out for the following purposes and scope:
5.1.1. Ensuring compliance with the legislation of the Russian Federation, including labor, pension, insurance, tax legislation, maintaining personnel, military registration and accounting records maintenance.
Categories of personal data.
Personal data: Last name, first name, patronymic, year, month, date of birth, place of birth, marital status, gender, residence address, registration address, telephone number, Insurance individual account number, TIN, citizenship, identity document details, driver’s license details, document data contained in the birth certificate, profession, position, information about work activity (including work experience, data on employment at the current time indicating the name and current account of the organization), information about education, attitude to military service, information about military registration, photo, other personal data, information about the fitness of the subject of personal data to perform official duties.
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: employees, relatives of employees, dismissed employees.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
- processing of personal data is necessary for the implementation and fulfillment of the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.2. Enforcement of local regulations (including Internal Labor Regulations, Collective Agreement).
Categories of personal data.
Personal data: last name, first name, patronymic, year, month, date of birth, place of birth, marital status, property status, social status, gender, residence address, registration address, telephone number, citizenship, identity document details, information about children, document data contained in the birth certificate, position, information about work activity (including length of service, information about current employment), information about education, profession, attitude to military service, other personal data necessary to fulfill local regulations with the consent of the subject of personal data (information about social benefits, biographical data).
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: employees, relatives of employees, dismissed employees.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
- processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary;
- processing of personal data is necessary for the implementation and fulfillment of the functions, powers and responsibilities assigned by the legislation of the Russian Federation to the operator.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.3. Recruitment for vacant positions.
Categories of personal data.
Personal data: last name, first name, patronymic, date of birth, citizenship, data confirming the qualifications and work experience of the subject of personal data, email address, telephone number.
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: job seekers.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.4. Ensuring access control to the enterprise territory.
Categories of personal data.
Personal data: last name, first name, patronymic.
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: employees, representatives of contractors, other third-party organizations, job seekers.
Legal basis for processing personal data:
- processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.5. Administration of the Operator’s official website (including posting news on the operator’s website, processing requests received through the site, posting contact information of the operator’s representatives, assessing the effectiveness of the site).
Categories of personal data.
Personal data: Last name, first name, patronymic, position, email address, contact phone number, photograph, information about awards, information about participation in events, information about place of work/study, other personal data with the consent of the subject of personal data.
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: employees, representatives of contractors, other third-party organizations, representatives of government agencies, site visitors, visitors to events organized by the operator.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.6. Conclusion and execution of civil contracts with individuals and legal entities, and the preliminary stages preceding the conclusion of a contract: search and selection of counterparties, negotiations, correspondence with third parties.
Categories of personal data.
Personal data: Last name, first name, patronymic, data of the parties, their representatives and executors, beneficiaries, necessary for the conclusion and execution of contracts.
Special categories of personal data are not processed.
Categories of subjects whose personal data is processed: Operator employees, representatives of counterparties, counterparties, beneficiaries under contracts.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
- processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. An agreement concluded with a personal data subject cannot contain provisions limiting the rights and freedoms of the personal data subject.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
5.1.7. Keeping minutes of general meetings of company participants.
Categories of personal data.
Personal data: last name, first name, patronymic, ownership interest.
Categories of subjects whose personal data is processed: participants.
Legal basis for processing personal data:
- processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data.
List of actions: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (provision, access); blocking; deletion; destruction.
Ways of processing: mixed; with transmission via the internal network of a legal entity; with transmission over the Internet.
6. CONDITIONS FOR PERSONAL DATA PROCESSING IN ENTERPRISE
6.1. The processing of personal data in the Enterprise is carried out with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.
6.2. Processing of personal data without obtaining consent is permitted in the following cases:
- the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or law, to implement and fulfill the functions, powers and responsibilities assigned to the Enterprise by the legislation of the Russian Federation;
- the processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings, proceedings in arbitration courts;
- the processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
- processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;
- the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
- processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties;
- processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.
6.3. The Enterprise does not process special categories of personal data.
6.4. The Enterprise has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, on the basis of an agreement concluded with this person. The agreement must contain a list of actions (operations) with personal data that will be performed by the person processing personal data, the purposes of processing, the obligation of such person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as requirements for the protection of processed personal data in compliance with the Federal Law “On Personal Data”.
6.5. The Enterprise does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
6.6. The transfer of personal data of personal data subjects within the Enterprise is carried out in accordance with this Policy.
6.7. For the purpose of information support, the Enterprise may create internal reference materials which may include the necessary personal data.
6.8. When collecting personal data (including through the information and telecommunications network “Internet”), the Enterprise records, systematizes, accumulates, stores, clarifies (updates, changes), and retrieves personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except as provided by law.
6.9. The Enterprise may carry out cross-border transfer of personal data to the territory of foreign states, in compliance with legal requirements.
6.10. The processing of cookies by the Enterprise is carried out in a generalized form and is never correlated with the personal information of Users.
7. OBLIGATIONS OF THE ENTERPRISE AS AN OPERATOR WHEN PROCESSING PERSONAL DATA
7.1. While processing personal data, Enterprise:
- takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
- issues local regulations defining the policy and issues of processing and protection of personal data in the Enterprise;
- familiarizes the Enterprise employees and the Enterprise group of companies directly processing personal data with the provisions of the legislation of the Russian Federation and local regulations of the Enterprise in the field of personal data, including requirements for the protection of personal data, and trains these employees;
- provides unlimited access to this Policy by posting it on the official website of the Enterprise;
- provides, in the prescribed manner, the subjects of personal data or their representatives with information about the availability of personal data relating to the relevant subjects, and provides the opportunity to familiarize themselves with this personal data upon contact by and (or) receipt of requests from the specified subjects of personal data or their representatives, unless otherwise provided by the legislation of the Russian Federation;
- stops processing and destroys or ensures the destruction of personal data in cases provided for by the legislation of the Russian Federation in the field of personal data;
- performs other actions provided for by the legislation of the Russian Federation in the field of personal data.
8. RIGHTS OF PERSONAL DATA SUBJECTS
8.1. Data subjects have the right to:
- obtain complete information about their personal data undergoing processing at Enterprise;
- access their personal data, including the right to obtain a copy of any record containing their personal data, unless otherwise provided by federal law, as well as access to related medical data with the help of a medical expert of their choosing;
- refine, block or destroy their personal data if such personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for the stated purpose of processing;
- revoke their consent to personal data processing;
- take action to protect their rights as provided by law;
- appeal against Enterprise action or inaction violating the laws of the Russian Federation with regard to personal data to a body authorized to protect the rights of data subjects or to a court;
- exercise other rights provided by legislation of the Russian Federation.
9. INFORMATION ABOUT THE IMPLEMENTED REQUIREMENTS FOR THE PROTECTION OF PERSONAL DATA ACCEPTED BY THE ENTERPRISE WHEN PROCESSING PERSONAL DATA
9.1. Enterprise takes measures necessary to fulfill operator duties set forth by Russian legislation in the field of personal data including:
- issuance of local regulations on the processing and protection of personal data aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
- taking legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
- arranging training and guidance support, and familiarizing, against signature, the employees of the Enterprise and the Enterprise group of companies engaged in the processing of personal data with the fact of their participation in the processing of personal data, as well as with the rules for processing and protecting personal data established by regulatory legal acts of executive authorities and local regulatory acts of the Enterprise;
- obtaining consent from data subjects to process their personal data, unless otherwise provided by the laws of the Russian Federation;
- familiarization of the Enterprise employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the Enterprise policy regarding the processing of personal data, local acts on the processing of personal data, and (or) training of said employees;
- ensuring the security of premises in which material carriers of personal data are located, in accordance with the requirements of regulatory legal acts;
- detecting facts of unauthorized access to personal data and taking appropriate measures;
- compiling standard forms for the collection of personal data in such a way that each of the subjects of personal data has the possibility to get acquainted with their personal data without violating the rights and legitimate interests of other subjects of personal data;
- other actions provided by the laws of the Russian Federation.
9.2. The measures for the protection of personal data undergoing processing in personal data information systems are established in accordance with “BURINTEKH”, Ltd local regulations, which govern issues related to personal data protection in the course of processing by means of personal data information systems of “BURINTEKH”, Ltd.
10. RESPONSIBILITY FOR VIOLATION OF THE RULES FOR PROCESSING PERSONAL DATA AND REQUIREMENTS FOR THE PROTECTION OF PERSONAL DATA
10.1. Enterprise employees responsible for organizing the processing of personal data and ensuring the security of personal data, as well as those involved in the processing of personal data, bear disciplinary, civil, administrative or criminal liability in accordance with the current legislation of the Russian Federation for violation of Personal Data Protection Guidelines and requirements for the protection of personal data.