Policy on processing of personal data of Electroizolit, PJSC
1.1. The present Policy on processing of personal data (hereafter the "Policy") has been elaborated in accordance with Clause 2, Part 1, Art. 18.1 of Federal Law No.152-FZ of the Russian Federation "On Personal Data", dated July 27, 2006 (hereafter the "Law"). It specifies the position of Electroizolit PJSC (hereafter the "Company") related to processing and protection of personal data (hereafter the "Data"), respect for the right and freedom of each individual and, especially, protection of the right to privacy, personal and family confidentiality.
2. Scope of Application
2.1. The Policy applies to the Data received both prior to and after the effective date of the present Policy.
2.2. Understanding importance and value of Data, as well as taking care about respect for the rights of the citizens of the Russian Federation and citizens of other states, the Company ensures strong security of the Data.
3.1. Data shall mean any information directly or indirectly related to an identified or identifiable individual (citizen) including, in particular, such information as: the first name, last name and patronymic, year, month, date and place of birth, address, data on the marital, social, financial status, data on education, profession, income, telephone number, e-mail address for communication, information on candidates for vacant positions in their application forms and CVs, as well as other information.
3.2. Data processing shall mean any activity (operation) or a combination of actions (operations) with the Data carried out with/without application of automation means. Such actions (operations) shall include the following: collection, record, classification, accumulation, storage, specification (updating, change), extraction, use, transfer (distribution, provision, access), anonymization, locking, deletion, and destruction of the Data.
3.3. Data security shall mean Data protection from illegal and/or unauthorized access thereto, destruction, change, locking, copying, provision, distribution of the Data, as well as other illegal actions regarding the Data.
4. Legal basis and purposes of the Data processing
4.1. Data processing and security assurance are carried out by the Company pursuant to the requirements of the Constitution of the Russian Federation, the Law, Labor Code of the Russian Federation, by-laws, other federal laws of the Russian Federation and guidelines of FSTEK (Russian Federal Service for Technical and Export Control) and FSS (Federal Security Service) which specify application and peculiarities of data processing.
4.2. Subjects of the Data processed by the Company shall include:
· candidates for vacant positions including candidates filling out a recruitment form at the Company's website;
· employees of the Company, relatives of the Company's employees to the extent stipulated by the legislation of the Russian Federation, if data thereon are provided by the employee;
· members of the Company Administration who are not its employees;
· individuals, with whom the Company enters into civil agreements;
· representatives of legal entities - Company's contractors;
· participants of the loyalty bonus programs;
· clients - consumers including visitors of the website owned by the Company: Electroizolit PJSC, www.electroizolit.com (hereafter the "Website") including for the purposes of placing an order with further delivery to the client, recipients of services on delivery, set up and installation of household appliances;
· individuals, whose Data are processed in the interests of third parties being operators of the Data under an agreement (Data operator orders).
4.3. The Company shall process Data of subjects for the following purposes:
· carrying out functions, authorities and obligations imposed on or vested with the Company under the legislation of the Russian Federation in accordance with federal laws including, but not limited to: the Civil Code of the Russian Federation, Tax Code of the Russian Federation, Family Code of the Russian Federation, Federal Law No.27-FZ "On Individual (Personalized) Registration with the Compulsory Pension Insurance System" dated 01.04.1996, Federal Law No.152-FZ "On Personal Data" dated 27.07.2006, Federal Law No.53-FZ "On Military Obligation and Military Service" dated 28.03.1998, Federal Law No.31-FZ "On Mobilization Preparation and Mobilization in the Russian Federation" dated 26.02.1997, Federal Law No.14-FZ "On Limited Liability Companies", dated 08.02.1998, Federal Law No.2300-1 "On Protection of Consumers' Rights" dated 07.02.1992, Federal Law No.129-FZ "On Accounting" dated 21.11.1996, Federal Law No.326-FZ "On Compulsory Medical Insurance in the Russian Federation" dated 29.11.2010, as well as Data operators, the Charter and local by-laws of the Company.
Personal data of employees are processed for the purposes of:
· compliance with the labor, tax and pension legislation of the Russian Federation, namely,
o assistance in finding employment, training and promotion;
o salary calculation and payroll;
o organization of employees' business trips;
o drawing up of powers of attorney (including to represent Company's interests before third parties);
o employees personal safety assurance;
o control over the scope and quality of the works performed;
o property safety assurance;
o adherence to the access control requirements in the Company's facilities;
o recording of working time;
o using various benefits according to the Labor Code of the Russian Federation, Tax Code of the Russian Federation, Federal laws, as well as the Charter and regulations of the Company;
o voluntary life, health and/or accident insurance maintenance.
Personal data of Candidates for vacant positions are processed for the purposes of:
· making a decision whether the employment contract can be entered into with persons applying for open vacant positions;
Personal data of the Company Administration who are not its employees are processed for the purposes of:
· compliance with the requirements envisaged by the legislation including mandatory disclosure of information, audit, check of a possibility to settle transactions including an interested transaction and/or large transactions.
Personal data of the Contractors – individuals are processed for the purposes of:
· entering into and execution of a contract, one of which parties is an individual person;
· review of further cooperation possibilities.
Representatives of legal entities, which are contractors of the Company for the purposes of:
· negotiating, entering into and execution of contracts, under which Data of employees of such legal entity are provided for the purposes of execution of the contract in various areas of the Company's business activity.
Individuals whose Data are processed in the interests of third parties - Data operators under an agreement (Data operators' orders) for the purposes of:
· execution of contracts, Data operators' orders;
Relatives of the Company's employees for the purposes of:
· compliance with the requirements of the legislation of the Russian Federation;
· provision of additional benefits;
· taking part in corporate events.
Participants of the loyalty bonus programs for the purposes of:
· provision of information on the goods, sales promotions, personal account status;
· identification of a participant in the loyalty program; assurance of the bonus accumulation and use accounting procedure;
· execution by the Company of obligations under the loyalty program.
Customers, who/which are consumers, for the purposes of:
· provision of information on goods/services, sales promotions and special offers;
· analysis of quality of the services provided by the Company and improvement of the Company's customers service quality;
· informing of the order status;
· execution of the contract including the sales contract, incl. those concluded remotely at the Website, fee-based services;
· provision of services for installation and connection of household appliances, as well as accounting of services rendered to consumers to carry out settlements;
· delivery of the ordered goods to the customer, who placed an order at the Website, goods return.
5. Data processing rules and conditions
5.1. In the course of Data processing, the Company shall adhere to the following rules:
· Data processing shall be carried out legally and fairly;
· Data shall not be disclosed to third parties or distributed without the consent of the Data subject, except for cases, when such disclosure is required by request of authorized state bodies, court authorities;
· determination of specific legal objectives before beginning of Data processing (including collection);
· only those Data, which are necessary and sufficient for the stated purpose, shall be collected;
· combination of databases containing Data which are processed for conflicting purposes is not allowed;
· Data processing is limited to achievement of specific, predetermined and legal objectives;
· the processed Data shall be destroyed or anonymized after achievement of the processing objectives or if the need to achieve such objectives has ceased to exist, unless otherwise stipulated by the federal law.
5.2. The Company may include subject Data in publicly available Data sources, where the Company obtains the subject's consent to his/her/its Data processing.
5.3. The Company shall not process the Data concerning racial, national origin, political views, religious, philosophy and other beliefs, sexual life, membership in public associations, including trade unions.
5.4. The Company may process data about Data subject's health in the following cases:
· pursuant to the legislation on state social aid, labor legislation, legislation of the Russian Federation on pensions under the state pension system, labor pensions;
· to protect life, health or other vital interests of an employee or to protect life, health or other vital interests of other persons, and it is impossible to obtain the Data subject's consent;
· to establish or exercise rights of an employee or third parties, as well as in the course of administration of justice;
· pursuant to the legislation on compulsory insurance, insurance legislation.
5.5. Biometric Data (data which characterize physiological and biological peculiarities of a person, on which basis it is possible to establish his/her identity and used by the operator to identify the Data subject) shall not be processed by the Company.
5.6. The Company shall not perform trans-border transfer of Data.
5.7. In cases established by the legislation of the Russian Federation, the Company has the right to transfer Data to third parties (federal tax service, state pension fund and other state authorities).
5.8. The Company shall have the right to subcontract processing of the subjects Data to third parties with the Data subject's consent based on the contract concluded with such persons.
5.9. Persons processing Data as per the contract concluded with the Company (operator's order) shall adhere to the Data processing and protection rules and regulations provided for by the Law. The contract shall stipulate for each third party the list of activities (operations) with the Data to be carried out by a third party which performs Data processing, processing objectives, the confidentiality obligation of such person and obligation to ensure Data safety in the course of processing thereof, as well as requirements to protection of the Data to be processed pursuant to the Law.
5.10. For the purposes to meet the requirements of the applicable legislation of the Russian Federation and its contractual obligations, Data processing in the Company shall be carried out both with and without the use of automation means. A combination of processing operations includes collection, record, classification, accumulation, storage, specification (update, change), extraction, use, transfer (provision, access), anonymization, locking, deletion, and destroying of Data.
5.11. The Company is not allowed to make decisions based on Data automated processing only, which entail legal consequences regarding the Data subject or otherwise concerning his/her/its rights and legal interests, except when it is stipulated by the legislation of the Russian Federation.
6. Rights and obligations of the Data subjects and Company regarding Data processing
6.1. The subject, whose/which Data are being processed, shall have the right to:
· receive from the Company:
o confirmation of the Data processing fact and data on availability of Data related to the corresponding Data subject;
o information about legal grounds and purposes of Data processing;
o information about Data processing methods used by the Company;
o information about the Company's name and location;
o information about persons (except for Company's employees) having access to the Data or whom/which the Data can be disclosed to under the contract with the Company or the federal law;
o the list of processed Data related to the Data subject and information about the source of obtaining thereof, unless other procedure of such Data provision is stipulated by the federal law;
o information about Data processing terms including their storage period;
o information about procedure of exercising rights stipulated in the Law by the Data subject;
o name (first name, last name, patronymic) and address of a person, who/which carries out Data processing by the Company's instruction;
o other information provided for by the Law or other regulations of the Russian Federation;
· demand from the Company to clarify his/her/its Data, lock or destroy them if the Data are incomplete, outdated, incorrect, illegally obtained or are not required for the stated processing objective;
· revoke his/her/its consent to Data processing at any moment;
· demand for elimination of illegal activities regarding his/her/its Data;
· appeal against Company's actions or failure to act in the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications (Roskomnadzor) or through the courts if the Data subject believes that the Company processes his/her/its Data in violation of the requirements of the Law or infringes his/her/its rights and freedoms in any other way whatsoever;
· protect his/her/its rights and interests, including to indemnify losses and/or moral damage through the courts.
6.2. When processing Data, the Company shall:
· provide the Data subject, at the request thereof, with information related to processing his/her/its PD, or provide a refusal on a legal basis, within thirty days after the receipt of the request of the Data subject or a representative thereof;
· explain to the Data subject legal consequences of the refusal from submission of Data if Data submission is required by the federal law;
· prior to processing of Data (if the Data have been obtained from a person other than the Data subject) provide the Data subject with the following information, except for cases stipulated by Part 4 Art. 18 of the law: name or last name, first name, patronymic and address of the Company or its representative;
· name of the Company or the last name, first name, and patronymic of its representative;
· Data processing objective and its legal ground;
· intended Data users;
· Data subjects' rights established by the law;
· Data source.
· to take necessary legal, organizational and technical measures or provide taking thereof for Data protection from unauthorized or accidental access thereto, destruction, modification, locking, copying, provision, distribution of Data, as well as other illegal activities with respect thereto;
· publish in the Internet and ensure unrestricted access with the use of the Internet to the document stipulating its policy regarding data processing, information about requirements to the Data protection;
· provide the Data subjects and/or their representatives on a free basis the possibility of studying the Data, subject to a corresponding request to be filed within 30 days after the receipt of such request;
· lock illegally processed Data related to the Data subject or provide their blocking (if the Data are processed by other person acting by the Company's order) after application or receipt of the request during the check period, in case any illegal Data processing has been revealed upon Data subject's application or a representative thereof or at the request of the Data subject or a representative thereof, or of the authorized body for personal data subjects' rights protection;
· clarify the Data or provide their clarification (if the Data are processed by other person acting by the Company's order) during 7 business days after the day of provision of information and unlock the Data if the Data incorrectness has been confirmed based on the information provided by the Data subject or his/her/its representative;
· stop illegal Data processing or provide termination of illegal Data processing by a person acting by the Company's order in case of any illegal Data processing by the Company or a person acting as per the contract with the Company has been revealed, within 3 business days after the reveal thereof;
· stop Data processing or provide termination of Data processing (if the Data are processed by other person acting as per the contract with the Company) and destroy Data or provide destruction thereof (if the Data are processed by other person acting as per the contract with the Company) after the Data processing objective has been achieved, unless otherwise is stipulated by the contract, to which the Data subject is a party, beneficiary or a guarantor, when the Data processing objective has been achieved;
· stop Data processing or provide termination of its processing and destroy Data or provide destruction thereof if the Data subject revokes his/her/its consent to Data processing, where the Company is unable to process the Data without the Data subject's consent;
· keep PD subjects' request registration log, in which Data subjects' requests for Data receipt shall be registered, as well as facts of Data provision under such requests.
7. Requirements to Data protection
7.1. The Company in the course of the Data processing shall take necessary legal, organizational and technical measures to protect Data from illegal and/or unauthorized access thereto, destruction, modification, locking, copying, provision, distribution of Data, as well as other illegal actions regarding the Data.
7.2. According to the Law, such measures shall include:
· appointment of a person responsible for organization of Data processing and a person responsible for Data security;
· elaboration and approval of local by-laws related to Data processing and protection issues;
· application of legal, organizational and technical measures for assurance of Data safety;
o determination of Data safety threats in the course of processing thereof in personal data information systems;
o application of organizational and technical measures for assurance of Data safety in the course of processing thereof in personal data information systems, necessary to meet requirements to Data protection, which satisfaction is ensured with the Data protection levels established by the Government of the Russian Federation;
o application of information protection means, which have duly passed the compliance verification procedure;
o assessment of efficiency of Data security assurance measures taken prior to putting into operation of the personal data informational system;
o accounting of Data media, if the Data are stored on data media;
o identification of cases of unauthorized access to the Data and taking measures to prevent from such incidents in the future;
o restoration of Data modified or destroyed as a result of unauthorized access thereto;
o establishment of rules of access to Data processed in the personal data information system and arrangement of registration and accounting of all activities carried out with the Data in the personal data information system.
· control over the measures taken to ensure Data protection and the personal data information systems security level;
· assessment of damage which can be inflicted on the Data subjects in case of violation of the Law provisions, adequacy of the measures taken by the Company aimed at assurance of execution of obligations stipulated by the Law, to such damage;
· compliance with the terms and conditions which exclude unauthorized access to Data physical media and ensure Data safety;
· study by the Company's employees directly involved in Data processing of provisions of the legislation of the Russian Federation on Data including requirements to Data protection, local by-laws on Data processing and protection issues, as well as training of the Company's employees.
8. Data processing (storage) time periods
8.1. Data processing (storage) terms shall be determined based on Data processing purposes, the effective term of the contract concluded with the Data subject, requirements of federal laws, requirements of Data operators, by which order the Company processes Data, main corporate archive work regulations, and periods of limitation of actions.
8.2. Data which processing (storage) term has expired, shall be destroyed, unless otherwise is stipulated by the federal law. Storage of Data after termination of their processing is allowed after their anonymization only.
9. Procedure for obtaining clarifications on Data processing issues
9.1. Persons, whose Data are processed by the Company may obtain clarifications on their Data processing issues by applying to the Company in person or by sending a written request at the Company's location address: Zavodskaya St., 1, Khotkovo, Moscow Region 141371.
9.2. When a formal request is sent to the Company it shall contain the following information:
· last name, first name, patronymic of the Data subject or a representative thereof;
· number of the main Data subject's or its representative's identification document, data on issue of such document and the issuing authority;
· information certifying that the Data subject has relationships with the Company;
· feedback information for the Company to be able to send a response to the request;
· Data subject's (its representative's) signature.
If the request is sent via electronic means, it shall be made as an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
10. Specific features of processing and protection of Data collected by the Company via the Internet
10.1. The Company shall process and protect Data received from Website users including Data of candidates for vacant positions.
10.2. Data collection
10.3. There are two main methods the Company uses to obtain Data via the Internet.
10.3.1. Data provision
Provision of Data (including last name, first name, position, place of work, position, contact number, e-mail address, address, etc.) by Data subjects by filling-out corresponding forms at the Website and sending electronic letters at Company's corporate addresses.
10.3.2. Automatically collected information
The Company may collect and process information not referred to personal data:
· information on the interests of the users at the Website based on Website users' search requests for the products sold and offered for sale by the Company in order to provide the Company's customers with updated information when using the Website, as well as to sum up and analyze information about what Website sections and goods are in the greatest demand of the Company's customers;
· processing and creation of the customer statistics about the use of the Website sections.
The Company shall automatically receive certain types of information obtained in the course of interaction with the Website users, e-mail correspondence, etc. It is referred to technologies and services, such as web-protocols, cookies, web-marks, as well as applications and tools of such third party.
· Cookies. Cookies form the part of data which are automatically placed on the PC hard drive at each Website visit. Therefore, a cookie is a unique Website browser identifier. Cookies enable storing information on the server and orienting easier in the web-space, as well as analyzing the site and evaluating the results. Most web-browsers allow using cookies; however, settings can be changed in a way to avoid cookies or to track ways of distribution thereof. Here, prohibition of cookies in the browser may lead to incorrect operation of certain resources.
· Web-marks. The Company may use on certain web-pages or in e-mails popular web-marking technology (also known as tags or precise GIF technology). Web-marks enable analysis of Websites efficiency, e.g., via measuring the number of site visitors or the number of clicks made on key positions of the site page.
Here, web-marks, cookies and other monitoring technologies prevent automated obtaining of the Data. If the Website user provides his/her/its Data at his/her/its own discretion, e.g., when filling out the feedback form or when sending an e-mail letter, then such automated information collection processes are launched for convenient use of Websites and/or better interaction with the users.
10.4. Data use.
The Company shall have the right to use the Data provided pursuant to the stated objectives of collection thereof, subject to the Data subject's consent, if such consent is required under the provisions of the legislation of the Russian Federation regarding Data.
The Data obtained in a generalized or anonymized form may be used to understand better the needs of users of the goods and services sold by the Company and improve the service quality.
10.5. Data transfer
The Company may assign Data processing to third parties only with the Data subject's consent. Also, Data may be transferred to third parties in the following cases:
a) In response to legal requests of authorized state bodies pursuant to the laws, court awards, etc.
b) Data may not be transferred to third parties for marketing, commercial and other similar purposes, except when the preliminary consent of the Data subject has been obtained.
o The Website contains links to other web-resources, where information useful and interesting for Website users can be posted. Herewith, this Policy shall not apply to such other sites. Users following links to other sites are recommended to study Data processing policies posted on such sites.
o The Website user shall at any time have the right to revoke his/her/its consent to Data processing by forwarding an electronic letter at the following email address: firstname.lastname@example.org, or forwarding a written letter at the Company's address: Zavodskaya St., 1, Khotkovo, Moscow Region 141371.
After the receipt of such message, the user's Data processing will stop, and his/her/its Data will be deleted, except when processing can be continued in accordance with the legislation.
This Policy is a local regulation of the Company. This Policy is publicly available. The public access hereto is provided with posting at the Company's Website.
This Policy may be reviewed in any of the following cases:
· In case of changes to the legislation of the Russian Federation regarding personal data processing and protection;
· in case of resolutions issued by competent state authorities for elimination of inconsistencies related to the Policy scope of application;
· in case of changes to the purpose and terms of Data processing;
· changes to the company's structure, structure of information and/or telecommunications systems (or introduction of new ones);
· application of new Data processing and protection technologies (including transfer and storage thereof);
· the need in changing the Data processing procedure related to the Company's activity.
Failure to adhere to the provisions of this Policy by the Company and its employees shall result in the liability imposed thereon pursuant to the applicable legislation of the Russian Federation.
Persons responsible for Data processing arrangement in the Company and personal data safety shall carry out control over execution of this Policy provisions.