1.1. The present Policy of "BIOCARD LOGISTICS" LLC on personal data processing and fulfillment of requirements for personal data protection is aimed at compliance with the requirements of the Federal Law of the Russian Federation No. 152-FZ effective July 27, 2006 “On Personal Data” and Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems”, and establishes a unified procedure for processing personal data in “BIOCARD LOGISTICS” LLC (hereinafter – the Company).
1.2. Further measures regarding personal data processing are introduced into the Company's quality management system by correcting and updating the database of internal regulatory documents on safe processing of personal data, by the active participation of the personnel in maintaining the conditions for processing personnel data, and by keeping the personal data information system itself in working order.
1.3. Improving the professional competence of employees and administrative discipline, improving the regulatory framework for personal data processing, and optimizing the operating conditions of the personal data (PD) information system are the most important factors for successful fulfillment of the task of personal data processing in the Company.
1.4. The present Policy of the Company on the processing of personal data, under Federal Law No. 152-FZ effective 27.07.2006 “On personal data”, is a publicly available document declaring the basis of the Company's activities, is mandatory for compliance, and is subject to publication on the official website.
Basic terms and definitions used in local regulations regulating personal data processing
Personal data means any information related to a directly or indirectly identified or identifiable individual (personal data owner).
Operator means a government authority, a municipal authority, a legal entity or individual that independently or jointly organizes and/or performs the processing of personal data, as well as defines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.
Personal data processing means any action (operation) or a series of actions (operations) with personal data performed with or without automated means, including collection, recording, systematization, accumulation, storage, rectification (updating, amendment), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion and destruction of personal data.
Automated personal data processing means the processing of personal data with the use of computers.
Dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons.
Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.
Blocking of personal data means a temporary termination of personal data processing (except in the cases when processing is required for personal data rectification).
Destruction of personal data means actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media on which personal data are stored.
Anonymisation of personal data means actions making it impossible to establish a connection between personal data and a specific personal data owner without using additional information.
A personal data information system means a set of personal data contained in personal data databases, as well as information technologies and tools used for their processing.
Principles and purposes of personal data processing
3.1. The processing of personal data in the Company is carried out on a legal and equitable basis. At the same time, the goals for processing shall be specific and pre-defined, and data processing shall be limited to achieving these goals:
– exercising the functions, powers, and duties that are imposed on the Company by the Government of the Russian Federation, including those regarding the provision of personal data to Government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund of the Russian Federation, and other state authorities;
– regulating labor relations with the Company’s employees (personal safety, control over the scope and quality of the works performed, safekeeping of property);
– considering the applications of owners of personal data;
– arranging access and in-house security procedures;
– promotion and sale of goods to consumers;
– providing services to consumers;
– other legitimate purposes.
Basic principles of processing, transfer, and storage of personal data.
4.1. In its activities, the Company ensures compliance with the principles of personal data processing specified in Federal Law No. 152-FZ effective 27.07.2006 “On personal data”:
– PD processing is carried out on a legal and equitable basis;
– processing should be limited to achieving specific, legitimate goals;
– it is not allowed to process personal data in a manner incompatible with the purposes of collecting personal data;
– it is not allowed to combine databases containing PD, the processing of which is carried out for purposes incompatible with each other;
– the content and volume of the processed PD correspond to the defined processing goals. The processed PD is not redundant concerning the stated processing goals;
– when processing PD, the accuracy and sufficiency of PD are ensured, and, if necessary, the relevance of PD concerning the stated goals of their processing;
– The Company does not process biometric personal data (information that describes the physiological and biological characteristics of a person, based on which it is possible to establish his or her identity);
– The Company does not process special categories of personal data related to race, nationality, political opinions, religious or philosophical beliefs, health status, intimate life;
– The Company does not transfer personal data cross-border (to the territory of a foreign state, to an authority of a foreign state, a foreign individual, or a foreign legal entity);
– The Company transfers personal data to third parties based on the relevant agreement and only with the consent of the personal data owners;
– PD storage is carried out in a form that allows determining the owner of PD no longer than the purposes of PD processing require unless the period of PD storage is established by federal law, an agreement to which the owner of PD is a party, beneficiary, or guarantor;
– the processed PD is subject to destruction or anonymization upon achievement of the processing goals or in case of no further need to achieve these goals unless otherwise provided by federal law.
List of personal data owners whose personal data are processed at the Company.
5.1. The personal data of the following categories of personal data owners are processed at the Company:
– employees of the Company and persons considered to fill vacant positions;
– persons performing supplies, works, services under contracts;
– consumers of goods, works, services;
– other owners of personal data.
5.2. The sources of obtaining PD are the owners of personal data.
Processing of personal data.
6.1. The processing of personal data is carried out by the Company using automation tools, as well as without them (in paper form).
6.2. The Company does not provide or disclose information containing personal data of owners of personal data to a third party without the written consent of the owner of personal data, except when it is necessary to prevent threats to life and health, as well as in cases established by federal laws.
6.3. Upon a reasoned request, only for performing the functions and powers defined by the legislation, the personal data of the owner of personal data may be transferred without his or her consent:
– to the judicial authorities in connection with the administration of justice;
– to the bodies of the federal security service;
– to the prosecutor's office;
– to the police authorities;
– to other bodies and organizations in cases established by regulatory legal acts that are mandatory for execution.
6.4. The storage of personal data may be carried out no longer than the purposes of processing require unless otherwise provided for by federal laws of the Russian Federation. When storing material media, the conditions for ensuring the safety of personal data and excluding unauthorized access to them shall be observed.
6.5. To comply with the legislation of the Russian Federation, to achieve the purposes of the processing, as well as on behalf of and with the consent of owners of personal data, the Company provides personal data to the following organizations in the course of its activities:
– The Federal Tax Service;
– The Pension Fund;
– Non-state pension funds;
– Medical insurance organizations that render insurance services.
The Company does not entrust the processing of personal data to other parties based on a contract.
Actions taken to ensure the security of personal data during their processing
7.1. When processing PD, all required legal, organizational, and technical measures are taken, and conditions are established that exclude unauthorized access to the material media of personal data and ensure their safety and protection from unlawful or accidental destruction, modification, blocking, copying, provision, dissemination, as well as from other illegal actions with them.
Ensuring the safety of PD is achieved in the following ways:
– a responsible person has been appointed for organizing the processing of PD;
– internal documents have been created regulating the processing and ensuring the security of personal data, including the present Policy, aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
– keeping records of employees who have permits to work with PD;
– legal, organizational, and technical measures are taken to ensure the security of personal data, taking into account the level of their security;
– employees who directly process PD know the requirements of the legislation of the Russian Federation on PD, documents defining the policy regarding the processing of personal data, local acts regarding the processing of PD and have signed an obligation not to disclose information containing personal data;
– access to the premises and in-house security procedures are carried out and the procedure of access to them is determined;
– restriction of access to the premises where technical tools and equipment intended for processing personal data are located and personal data media are stored, restriction of access to information resources, software tools for processing and protecting information is implemented;
– data backup is being performed;
– internal control of compliance of PD processing with the Federal Law No. 152-FZ effective 27.07.2006 “On personal data” is carried out;
– certified protection software is used to protect personal data during their processing;
– the access rules to the processed PD are established in the Company;
– monitoring of the measures taken to ensure the safety of PD and the level of protection of PD.
The rights of owners of PD.
8.1. The PD owner has the right to receive information related to the processing of his or her PD, including information containing:
– confirmation of the fact of processing of personal data by the Company;
– information about the legal grounds and purposes of personal data processing;
– information about the used methods of processing personal data;
– a list of processed personal data related to the owner from whom the request was received and information about the sources of their receipt, unless another procedure for providing such data is established by federal law;
– information about the terms of processing of personal data, including the terms of their storage;
– information about the proposed cross-border transfer of personal data;
– other information defined by Federal Law No. 152-FZ effective July 27, 2006 “On personal data” or other federal laws.
The PD owner also has the right to:
– ask for clarification of his or her personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained, or is not required for the stated purpose of the processing;
– withdraw his or her consent to the processing of personal data;
– demand the termination of illegal actions of the Company concerning his or her personal data.
8.2. The owner of personal data (the user of the Company's website, the buyer at a retail store or an online store) expresses his or her unconditional Consent (refusal of processing) to the processing of personal data by agreeing to the Offer published on the Company's website, or by filling out the Consent (refusal) form on the website and specifying his or her personal data independently in the appropriate form in the "Personal Account" section of the Company's website, or by filling out the Consent (refusal) form in the Company's retail store.
Requirements for personnel to ensure the protection of information
9.1. All employees who are users of PD shall know and strictly comply with the established rules and obligations for access to protected objects and with the accepted PD security procedure.
9.2. When a new employee whose work duties are related to access to personal data assumes a position, it is necessary to train him or her on the required documents regulating the requirements for information protection, including the information of the current Policy, as well as to arrange training for performing the procedures necessary for the authorized use of PD.
9.3. Employees shall follow the established procedures for maintaining information security when choosing and using passwords (if technical means of authentication are not used), and shall ensure proper protection of equipment left unattended.
9.4. Employees should be informed about the threats of information security violations and the responsibility for such violations.
Methods of processing personal data
10.1. In order to comply with the requirements of the current legislation of the Russian Federation and its contractual obligations, the Company uses both automated processing of personal data and non-automated processing of personal data (in paper form). Overall processing operations include collection, recording, systematization, accumulation, storage, rectification (updating, amendment), use, anonymization, blocking, deletion, and destruction of personal data.
10.2. The processing of personal data is carried out:
– after obtaining the consent of the personal data owner, except for the cases provided for in part 2, Article 6 of Federal Law No. 152-FZ effective July 27, 2006;
– after taking the required measures to protect personal data.
Responsibility of officers
11.1. The responsibility of the Company's officers who have access to personal data for non-compliance with the requirements of the norms regulating the processing and protection of personal data is determined in accordance with the current legislation of the Russian Federation on personal data and local acts of the Company.