Organization policy in the field of personal data protection

Apply for SearchInform DLP TRY NOW

The organization's policy is designed to protect the personal data (PD) of the employee. Its development is carried out in accordance with Federal Law No. 152 "On Personal Data", which came into force on July 27, 2006. This document defines the procedure for performing the PD processing procedure, and provides measures to improve the security of this information in the company. These measures allow you to create a holistic protection of the rights, as well as the freedoms provided for by law, of each employee, any person during the performance of all actions with his personal data, together with the protection of rights that create conditions for privacy.

Basic concepts

The company's PD processing policy provides for the use of the following concepts:

  • automated systems for processing personal data - processing tools, computers;
  • blocking of personal data - suspension of work with PD (except when processing is carried out to clarify this information);
  • information systems PD - a complex of information stored in databases that process this information with the use of information technologies and technical means;
  • depersonalization of personal data - actions during which it is impossible to establish the ownership of the information to their subject without the use of additional information;
  • processing of personal data - any operations performed with the use of automated means or without them, with personal data , including the collection, recording, accumulation, saving, clarification, extraction, use, transfer, depersonalization, deletion, blocking, liquidation;
  • operator - bodies of state, municipal significance, an individual or a legal entity, independently organizing or together with other persons processing personal data, establishing the purposes of processing personal data, data content, actions performed with this information;
  • personal data - any type of information related directly or indirectly to a specific or established individual, the subject of PD;
  • provision of personal data - operations performed for the purpose of demonstrating PD to someone;
  • distribution of PD - disclosure of PD (transmission) for familiarization to an unlimited number of persons, including the publication of PD in the media, organization of access to this information in any other way;
  • destruction of personal data - actions after which it is not possible to restore PD in the information system, or as a result of these actions, the PD is destroyed.

The operator must publish or otherwise provide unrestricted access to this Policy.

PD processing conditions

The operator must adhere to the following principles when processing PD:

  • Comply with legal requirements and be based on the fairness of the implementation of any transactions related to PD.
  • Prevent the processing of PD in the case when the goals of such actions do not coincide with the goals that were pursued when they were collected.
  • Do not combine databases containing PD, provided that the processing was performed for incompatible tasks.
  • The volume and composition of the data to be processed must correspond to the declared purposes.
  • Do not allow work with PD if they are redundant for the specified tasks.
  • Ensure collection of accurate, sufficient, up-to-date PDs required for work.
  • Eliminate, depersonalize PD, when the goals that were pursued during their collection and processing were achieved, or when the need to achieve them is lost.

Processing conditions

The operator is entitled to work with PD if at least one of the following criteria is met.

PD processing:

  • performed with the consent of the subject for these actions;
  • is designed to achieve the tasks specified in international agreements of the Russian Federation or the law, and is necessary for the performance of various powers and duties assigned to the operator by the laws of the Russian Federation
  • is needed for the implementation of the tasks of law enforcement agencies, the implementation of court decisions, within the framework of executive proceedings;
  • is required in order to enforce the contractual terms;
  • is necessary for the implementation of the legitimate interests and rights of the operator, third parties, for the performance of socially significant tasks, if there is no violation of legal requirements in relation to the PD subject;
  • performed with the provision of access to PD to persons on behalf or request of the PD subject;
  • needed for publication, mandatory disclosure as required by law.

The operator, other persons who have gained the opportunity to access the PD, are prohibited from providing information to unauthorized citizens, to distribute it, if there is no consent of the PD subject.

Publicly available sources of PD

For information support, the operator has the right to form publicly available sources of personal data of subjects, including reference information, address books. Such PD blocks may consist of information obtained with the consent of the subject, which he will provide in writing. This category includes:

  • birth information;
  • profession;
  • phone numbers;
  • e-mail and other PD provided by the subject.

This information should be permanently excluded from the block of public domains if a request is made by their subject or if a decision is issued by a court or other government agencies that have the right to do so.

Special PD

The possibility of processing PD is allowed if they relate to special (political preferences, racial characteristics, nationality, views, information about health, personal life), subject to the requirements:

  • the citizen agrees to these actions, has provided written permission;
  • he independently made his PD publicly available;
  • their processing is carried out on a legal basis;
  • work with PD is needed to protect the interests of the PD subject or other persons who are considered vital to him, and there is no way to get a positive decision from the subject;
  • processing is carried out for medical purposes, when making diagnoses, for the provision of medical services, if the condition is met: a person engaged in medical activities observes medical confidentiality;
  • work with PD is needed to exercise the rights of their owner, other citizens to perform judicial and other legal actions;
  • such actions with PD are necessary under the terms of compliance with the legislation relating to compulsory insurance, subject to the norms of this area in the legislation.

Work with PD related to special should be urgently terminated if the reasons for which it was performed have been eliminated, unless otherwise specified in the law.

Biometric PD

Information that represents the characteristics of biological, physiological information about a person that can become the basis for his identification, the operator has the right to process with the written consent of this citizen for the possibility of performing these operations.

Transfer of PD processing to other persons

The operator can transfer the ability to work with PD to another operator, if the owner of this data has agreed to perform these actions, unless otherwise provided in the legal requirements. The basis is the contractual obligations with the party performing any actions with the PD, if there is an order from the party that transferred such powers. Such a person must adhere to all established legal principles, standards and rules for processing PD.

The rights of the PD subject

Subject's consent to PD processing

Each citizen independently decides the issue of transferring their own PD, agrees that they will be processed. He provides such consent without coercion, pursuing personal interests. The format of such permission can be any and must be confirmed by the facts of its grant, unless otherwise contained in the Federal Law.

The operator must provide evidence that the required approval has been received, and is obliged to prove on what grounds he receives it, based on the requirements of Law 152-FZ.

The rights of the PD subject

A citizen is entitled to receive information from the operator about the types of processing of his personal data (in the absence of legal restrictions on such a right) prescribed in the Federal Law. He has the right to demand from the operator to clarify personal information, as well as to demand that it be destroyed if it is incomplete, irrelevant, inaccurate, obtained illegally, and is not needed to achieve the assigned tasks related to information processing actions.

A citizen has the right to use all possible legal means to protect his own rights.

Working with PD to promote various services, any goods, perform any work using direct contacts with a potential partner, buyer using communication means, for political reasons, can be carried out if there is a prior approval of such actions by the PD subject.

Such processing of PD will be recognized as executable without the prior consent of the PD subject, if the organization can provide evidence that this approval has been granted.

The operator must urgently stop working with the PD, if required by the subject.

Ensuring PD security

Ensuring the security of personal data processed by the operator should be carried out by implementing all possible legal measures to fulfill all the requirements of the Federal Law on the protection of personal data.

The operator must prevent unauthorized access to PD using the following measures:

  • by order to appoint persons responsible for the correct organization of work on the processing and protection of PD;
  • limit the circle of persons who can be provided with access to this information;
  • to acquaint subjects with the provisions of the Federal Law, other regulatory documents used by the operator to process and protect such information;
  • organize strict accounting, storage, use of data carriers;
  • to determine the list of threats affecting the security of PD during processing, to model threats on this basis;
  • to develop a system for effective protection of personal data on this model;
  • check the effectiveness of the means to protect information;
  • to delimit the ability of users to access information resources, to software and hardware for data processing;
  • register and take into account the actions of users of such systems;
  • use antivirus tools and tools to restore the protective systems of PD;
  • organize firewalling, analysis, intrusion detection and cryptographic data protection;
  • organize access control to the enterprise, ensure the protection of the premises in which the means for processing PD are concentrated.

Other rights of the operator and his obligations not set forth in this Regulation are established by the norms of the legislation of the Russian Federation on the protection and processing of personal data.

Officials who have committed violations of the legislation governing the processing, protection of personal data, bear all types of responsibility provided by law.