1. General Provisions
1.1. The purpose of this Policy on the processing and protection of personal data (hereinafter referred to as the Policy) is to ensure that Anastasia Stepanovna Alekseenko (hereinafter referred to as the "Company") processes personal data (hereinafter also "PD") in accordance with the norms and principles of applicable federal legislation.
1.2. This Policy applies to all business processes of the Company and is binding on all employees of the Company.
1.3. The General Director of the Company is the person responsible for organizing the processing of personal data.
2.1. Personal data - any information relating directly or indirectly to a specific or determinable individual (subject of personal data);
2.2. Operator - a state body, municipal body, legal or natural person, independently or jointly with other persons, organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
2.3. Personal data processing - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
2.4. Automated processing of personal data - processing of personal data using computer technology;
2.5. Distribution of personal data - actions aimed at the disclosure of personal data to an indefinite number of persons;
2.6. Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons;
2.7. Blocking of personal data - temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data);
2.8. Destruction of personal data - actions, as a result of which it becomes impossible to restore the data content in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
2.9. Anonymization of personal data - actions, as a result of which it becomes impossible, without the use of additional information, to determine which specific subject the personal data belongs to;
2.10. Personal data information system - a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;
2.11. Machine media - magnetic disk, magnetic tape, laser disk and other material media used to record and store information using electronic computer technology.
3. Principles and conditions for processing PD
3.1. PD processing at the Company is carried out strictly in accordance with the following principles:
PD processing is carried out on a legal and fair basis.
PD processing is limited to achieving specific, predetermined and legitimate goals.
The content and volume of processed PD correspond to the declared processing goals; the Company does not process redundant personal data.
During processing, the accuracy and sufficiency of PD and, if necessary, their relevance to the purposes of processing are ensured.
Processed PD are destroyed upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
3.2. The Company may include PD of subjects in public sources of PD, in which case the Company obtains the written consent of the subject to the processing of his PD.
3.3. The Company does not process PD related to race, ethnicity, political views, religious, philosophical and other beliefs, intimate life, or membership in public associations, including trade unions.
3.4. Biometric PDs (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the operator to establish the identity of the subject of PD) are not processed in the Company.
3.5. The company does not carry out cross-border transfer of personal data.
3.6. In cases established by the legislation of the Russian Federation, the Company has the right to transfer PD to third parties (the federal tax service, the state pension fund and other state bodies).
3.7. The Company has the right to entrust the processing of personal data to third parties on the basis of an agreement concluded with these persons.
3.8. Persons who process PD on the basis of an agreement concluded with the Company (operator’s order) are obligated to comply with the principles and rules of PD processing and protection provided for by the Law.
3.9. In order to fulfill the requirements of the current legislation of the Russian Federation and its contractual obligations, PD processing in the Company is carried out both with and without the use of automation means, i.e. mixed PD processing.
3.10. The adoption of decisions giving rise to legal consequences on the basis of automated processing of personal data in the Company is not carried out. Otherwise, the appropriate consent of the subjects of PD is necessary.
3.11. The processing of personal data in the Company should be carried out with the consent of the subject of personal data, except in cases where such consent is not required, or, in cases where the Company is not the operator of the subjects' personal data, on behalf of the operator.
3.12. Consent to the processing of PD should satisfy the following requirements:
- the consent of the subject must be obtained freely, according to the will of the subject and in his interests;
- consent must be given by the PD subject in any form that allows confirming the fact of its receipt.
3.13. The terms for processing (storing) personal data are determined on the basis of the purpose of processing personal data, in accordance with the term of the contract with the subject of personal data, the requirements of federal laws, the requirements of personal data operators, on behalf of which the Company processes personal data, the basic rules of operation of archives of organizations, and the limitation period.
3.14. PD, the term of processing (storage) of which has expired, must be destroyed, unless otherwise provided by federal law. Storage of PD after the termination of their processing is allowed only after their depersonalization.
4. Legal grounds and purposes of processing PD
4.1. Processing and ensuring the safety of personal data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, other federal laws of the Russian Federation that define the cases and features of processing personal data, by-laws, and the guidelines and methodological documents of the FSTEC of Russia and the Federal Security Service of Russia.
4.2. PD subjects processed by the Company are:
- candidates for vacant positions;
- employees of the Company, relatives of employees of the Company, to the extent determined by the legislation of the Russian Federation, if information about them is provided by the employee;
- persons who are members of the management bodies of the Company and are not employees;
- individuals with whom the Company enters into civil law contracts;
- representatives of legal entities - contractors of the Company;
- members of bonus loyalty programs;
- customers - consumers, incl. visitors to sites owned by the Company: modest-story.com (hereinafter referred to as the “Sites”), including for the purpose of placing an order with subsequent delivery to the client;
- customers - newsletter subscribers.
the implementation of the functions, powers and obligations assigned to the Company by the legislation of the Russian Federation in accordance with federal laws, including, but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law of 01.04.1996 No. 27-FZ “On individual (personified) accounting in the mandatory pension insurance system”, Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, Federal Law of March 28, 1998 No. 53-FZ “On military duty and military service”, Federal Law of February 26, 1997 No. 31-FZ “On mobilization training and mobilization in the Russian Federation”, Federal Law of February 8, 1998 No. 14-FZ “On limited liability companies”, Federal Law of 02.07.1992 No. 2300-1 “On Protection of Consumer Rights”, Federal Law of 21.11.1996 No. 129-FZ “On Accounting”, Federal Law of November 29, 2010 No. 326-FZ “On Compulsory Health Insurance in the Russian Federation”, as well as PD operators, the charter and local acts of the Company.
Employees in order to:
- compliance with labor, tax and pension laws of the Russian Federation, namely:
- assistance to employees in employment, training and promotion;
- calculation and payroll;
- organization of business trips of employees;
- registration of powers of attorney (including to represent the interests of the Company to third parties);
- ensuring personal safety of employees;
- control of the quantity and quality of work performed;
- ensuring the safety of property;
- adherence to access control at the premises of the Company;
- time tracking;
Candidates for vacant positions in order to:
- making decisions on the possibility of concluding an employment contract with persons applying for available vacancies;
Persons included in the management bodies of the Company, who are not employees, in order to:
- fulfillment of requirements stipulated by law, including mandatory disclosure of information, audit, verification of the possibility of transactions, including related-party transactions and / or major transactions.
Counterparties-individuals in order to:
- conclusion and execution of an agreement, one of the parties of which is an individual;
- consideration of opportunities for further cooperation.
Representatives of legal entities - contractors of the Company in order to:
- negotiating, concluding and executing contracts for which PD is granted to employees of such a legal entity for the purpose of executing the contract in various areas of the Company's business.
Participants of loyalty bonus programs in order to:
- providing information on goods, ongoing promotions and personal account status;
- identification of the participant in the loyalty program; providing procedures for accounting for the accumulation and use of bonuses;
- performance by the Company of loyalty program obligations.
Customers - consumers in order to:
- providing information on goods / services, ongoing promotions and special offers;
- analysis of the quality of the service provided by the Company and improving the quality of customer service of the Company;
- informing about the status of the order;
- performance of a contract, including a sales contract and including one concluded remotely on the Sites, and the provision of services;
- delivery of the ordered goods to the customer who made the order on the Sites, return of goods.
5. Rights and obligations of PD subjects
5.1. A subject whose PD is processed by the Company has the following rights:
- to receive information from the Company regarding the processing of his personal data (including confirmation of the fact of processing personal data, legal grounds, goals, processing, processing time, storage periods, name and address of the person processing the personal data on behalf of the Company, if processing is or will be entrusted to such a person, and other information provided for by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data");
- to require the Company to clarify his PD, block them or destroy them if the PD are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures prescribed by law to protect his rights;
- to withdraw his consent to the processing of personal data at any time.
5.3. The request can be sent to the address of the company: RF, 127051, Moscow, ul. Petrovka, d.16, room 45, in the form of an electronic document and signed by electronic signature in accordance with the legislation of the Russian Federation.
6. Rights and Obligations of the Company
6.1. When processing personal data, the Company must:
- provide the subject of personal data, at his request, with information regarding the processing of his personal data, or provide a lawful refusal, within thirty days from the date of receipt of the request of the subject of personal data or his representative;
- take the necessary legal, organizational and technical measures, or ensure their adoption, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision and distribution, as well as from other illegal actions in relation to personal data;
- publish on the Internet and provide unrestricted access using the Internet to a document defining its policy regarding the processing of personal data, to information on the ongoing requirements for the protection of personal data;
- provide PD subjects and / or their representatives, free of charge, with the opportunity to familiarize themselves with the Data within 30 days from the date of receipt of a corresponding request;
- block illegally processed PD related to the PD subject, or ensure their blocking (if PD processing is carried out by another person acting on behalf of the Company), from the moment of the request or receipt of the request and for the period of verification, if illegal PD processing is detected upon a request from the PD subject or his representative, or from the authorized body for the protection of the rights of PD subjects;
- clarify PD or ensure its clarification (if PD processing is carried out by another person acting on behalf of the Company) within 7 business days from the date of submission of information and remove the blocking of PD, if it is confirmed that PD is inaccurate on the basis of information provided by the PD subject or his representative;
- stop the illegal processing of personal data, or ensure that a person acting on behalf of the Company stops it, if illegal processing of personal data by the Company or by a person acting on the basis of an agreement with the Company is detected, within a period not exceeding 3 working days from the date of this detection;
- stop processing PD or ensure its termination (if PD processing is carried out by another person acting under an agreement with the Company) and destroy PD or ensure their destruction (if PD processing is carried out by another person acting under an agreement with the Company) once the purpose of processing PD is achieved, unless otherwise provided by the contract under which the subject of personal data is the beneficiary or guarantor;
- terminate the processing of personal data or ensure its termination, and destroy personal data or ensure their destruction, if the subject revokes consent to the processing of personal data and the Company is not entitled to process personal data without the consent of the personal data subject;
- keep a journal of records of applications of PD subjects, in which requests of PD subjects for receiving PDs, as well as facts of providing PDs for these requests should be recorded.
7. Security of PD during their processing
7.1. When processing personal data, the Company takes the necessary legal, organizational and technical measures to protect personal data from unauthorized and / or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
7.2. Such measures in accordance with the Law, in particular, include:
- the appointment of a person responsible for organizing the processing of personal data and a person responsible for ensuring the security of personal data;
- development and approval of local acts on the processing and protection of PD;
- application of legal, organizational and technical measures to ensure the safety of PD:
- identification of security risks for personal data during their processing in personal data information systems;
- the application of organizational and technical measures to ensure the safety of personal data during their processing in information systems of personal data necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the security levels of personal data established by the Government of the Russian Federation;
- the use of information protection tools that have passed the conformity assessment procedure in the established manner;
- assessment of the effectiveness of measures taken to ensure the safety of PD before the commissioning of the information system of PD;
- accounting of machine carriers of personal data, if storage of personal data is carried out on machine media;
- detecting facts of unauthorized access to the Data and taking measures to prevent similar incidents in the future;
- restoration of personal data, modified or destroyed due to unauthorized access to them;
- establishing rules for access to Data processed in the personal information system, as well as ensuring the registration and recording of all actions performed with data in the personal information system;
- control over the measures taken to ensure the safety of personal data and the level of security of personal information systems;
- assessment of the harm that may be caused to PD subjects in case of violation of the requirements of the Law, the ratio of the specified harm to the measures taken by the Company aimed at ensuring the fulfillment of obligations stipulated by the Law;
- compliance with conditions that exclude unauthorized access to tangible personal data carriers and ensuring the safety of personal data;
- familiarization of the Company's employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, local acts on the processing and protection of personal data, and the training of employees of the Company.
7.3. Requirements for processing PD on material carriers:
Workers who process personal data on tangible media should be informed about the categories of personal data, about the features and rules of processing personal data, before processing begins.
An employee of the Company is responsible for the storage and destruction of tangible media with personal data with which he works.
PD processed on material carriers should be stored separately from other information.
Storage of material carriers of personal data is carried out only if there is a valid consent of the personal data subject to the processing of personal data or a valid contract to which the personal data subject is a party.
The Company stores the resumes and questionnaires of candidates for vacant positions, whether or not a candidate is accepted as a staff member. Resumes and questionnaires can be stored only with the consent of the candidate to the processing of his PD, indicating the validity of the consent. When the period for processing personal data expires, or when the subject of personal data requires the destruction of personal data, resumes and questionnaires are destroyed using a shredder.
Storage of PD material carriers in open access in the working rooms of the Company’s divisions and on employee desks is allowed only during the working day, under the personal responsibility of the employee. Upon completion of work with the material carrier, the employee must put the material carrier away in a lockable cabinet assigned to the employee, or in the cabinet of the immediate supervisor. Access to cabinets should be limited to the list of persons having access to personal data.
When the PD processing period expires, the employee shall destroy the PD paper media using a shredder without drawing up an act of destruction.
7.4. The audit is carried out independently by each employee in relation to the material carriers of personal data with which he works. The audit should identify paper PD media that employees no longer need to fulfill their job duties.
7.5. Employees of the Company gain access to personal data only to the extent necessary for the performance of their duties.
8. Responsibility for violations of the rules governing the processing of personal data
8.1. Ensuring confidentiality of personal data processed by the Company is a mandatory requirement for all employees to whom personal data has become known, whether in connection with work activities or by chance or error.
8.2. Workers are personally responsible for compliance with the processing and safety requirements for personal data set by the Company.
8.3. In cases of violation of the established procedure for processing and ensuring the safety of personal data, unauthorized access to personal data, disclosing personal data and causing the company, its employees, customers and counterparties material or other damage, the perpetrators are liable under the current legislation of the Russian Federation.
9. Final Provisions
9.1. This Policy is a local regulatory act of the Company. This Policy is publicly available. The general accessibility of this Policy is ensured by its publication on the Sites, by posting in stores (boutiques) and on a network drive accessible to all employees of the Company.
9.2. This Policy may be revised due to a change in the norms of the current legislation or by decision of the Company.