Privacy

The Policy of CJSC «KONTI-RUS» regarding the processing and protection of personal data

1. General Terms

1.1. This Policy on personal data processing (hereinafter referred to as the «Policy») is prepared in accordance with the Federal Law of July 27, 2006 No. 152-FL «On Personal Data» and applies to all personal data that AO «KONTI-RUS» (hereinafter referred to as the «Company») may obtain from personal data subjects.

1.2. The Policy applies to personal data obtained both before and after the signing of this Policy.

1.3. The Policy is developed in order to meet the requirements of legislation in the field of personal data processing and protection, and aims to ensure the protection of the rights and freedoms of individuals when their personal data is processed by the Company, including the protection of the right to privacy and personal and family secrets.

1.4. The Company carries out the processing of personal data in accordance with: the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law of July 27, 2006 No. 152-FL «On Personal Data», and other current federal laws and regulations of the Russian Federation that establish the rules and specifics of personal data processing and the security of such processing.

1.5. The processing of personal data in the Company is carried out for the following purposes:

  • Ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, and the Company's local regulations;
  • Conclusion and execution of any contracts and agreements with the personal data subject;
  • Organization and maintenance of personnel records in the Company;
  • Attracting candidates for employment in the Company;
  • Carrying out administrative and economic activities by the Company;
  • Preparation of statistical reports, including for submission to the supervisory authorities of the Russian Federation;
  • And also for other purposes in accordance with federal laws.

2. Processing of Personal Data

2.1. The information that constitutes personal data in the Company includes any information related to directly or indirectly identified or identifiable natural person (data subject).

2.2. The Company processes personal data of the following categories of data subjects:

2.2.1. Individuals applying for vacant positions in the Company; employees of the Company who are currently employed or have been employed by AO «KONTI-RUS»;

2.2.2. Individuals performing work or providing services under civil law contracts concluded with the Company;

2.2.3. Managers, members of collegial executive bodies, and representatives of legal entities, as well as other individuals represented by participants in the procurement of goods (services, works);

2.2.4. Individuals, whose personal data has been made publicly available by them, and whose processing does not violate their rights and complies with the requirements of the legislation of the Russian Federation;

2.2.5. Other individuals who have given their consent to the processing of personal data and have approached the Company, or whose personal data processing is necessary for the Company to carry out its functions as provided by the laws of the Russian Federation or an international treaty.

3. Rights and Obligations

3.1. Rights of the Company

  • Process the personal data of the data subject in accordance with the stated purpose;
  • Require the data subject to provide accurate personal data necessary for the performance of a contract, service provision, identification of the data subject, as well as in other cases provided for by the legislation on personal data;
  • Restrict the data subject's access to their personal data if the processing of personal data is carried out in accordance with the legislation on countering the legalization (money laundering) of proceeds of crime and financing of terrorism, and the data subject's access to their personal data violates the rights and legitimate interests of third parties, as well as in other cases provided for by the legislation of the Russian Federation;
  • Process publicly available personal data of individuals;
  • Clarify the processed personal data, block or delete if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated processing purpose;
  • Delegate the processing of personal data to another party with the consent of the data subject;
  • Provide personal data of individuals to third parties as required by applicable legislation (tax authorities, law enforcement agencies, etc.);
  • Refuse to provide personal data in cases provided for by legislation.

3.2. Duties of the Company:

  • Provide the data subject with information regarding the processing of their personal data upon request, or provide a legitimate refusal;
  • Clarify the processed personal data, block or delete them upon the request of the data subject if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
  • Keep records of inquiries from data subjects;
  • Notify the data subject about the processing of their personal data in cases where the personal data was not obtained directly from the data subject, except for cases provided by the laws of the Russian Federation;
  • Immediately cease the processing of personal data and destroy the corresponding personal data upon achieving the purpose of processing, unless otherwise specified in the agreement;
  • If the data subject withdraws their consent for the processing of their personal data, the data controller must cease processing the personal data and destroy it within a period not exceeding thirty days from the date of receipt of the withdrawal, unless otherwise specified in the agreement between the company and the data subject. The company is obligated to notify the data subject of the destruction of their personal data.

The company undertakes and obligates other individuals who have access to the personal data not to disclose them to third parties and not to disseminate the personal data without the consent of the data subject, unless otherwise provided by federal law.

3.3. Rights of the personal data subject:

  • The right to request clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated processing purpose, as well as to take measures provided by law to protect their rights;
  • The right to request a list of their personal data processed by the Company and the source of their acquisition;
  • The right to receive information about the timeframes for processing their personal data, including the durations of their storage;
  • The right to take measures provided by law to protect their rights;
  • The right to withdraw their consent to the processing of personal data.

3.4. Duties of the personal data subject:

  • Timely provide complete, accurate, and truthful information about their personal data.

4. Principles of personal data processing

4.1. The processing of personal data is carried out by the Company based on the following principles:

  • Legality of the purposes and methods of personal data processing;
  • Consistency of the purposes of personal data processing with the goals that were predetermined and stated during the collection of personal data;
  • Correspondence of the scope and composition of the processed personal data, as well as the methods of processing personal data, with the purposes of processing;
  • Verification of the accuracy of personal data, its sufficiency for processing purposes, inadmissibility of processing personal data that is excessive in relation to the purposes stated during the collection of personal data;
  • Prohibition of combining databases created for incompatible purposes that contain personal data;
  • Incompatibility of processing personal data with the purposes of collecting personal data;
  • Storage of personal data in a form that allows the identification of the data subject for no longer than necessary for the purposes of processing, unless the storage period of personal data is established by federal law or a contract;
  • Destruction or anonymization of personal data upon achieving the purposes of processing personal data or when there is no longer a need to achieve these purposes, unless otherwise provided by the legislation of the Russian Federation or a contract;
  • Ensuring the confidentiality and security of processed personal data.

5. Data Processing Organization

5.1. Personal data processing is carried out in compliance with the principles and rules established by Federal Law No. 152-FZ «On Personal Data» dated July 27, 2006.

5.2. The company processes personal data both with the use of automation tools and without using automation tools.

5.3. Biometric personal data is not processed in the company.

5.4. If there is no need for written consent from the data subject for the processing of their personal data, the consent of the data subject can be given by the data subject themselves or their representative in any form that allows the fact of its receipt to be obtained.

5.5. The company may entrust the processing of personal data to another party with the consent of the data subject, unless otherwise provided by federal law, based on a contract concluded with that party (hereinafter referred to as the operator's assignment). In this case, the company obliges the party processing personal data on behalf of the company to comply with the principles and rules of personal data processing provided for by this Federal Law in the contract.

5.6. The provision of access to state authorities (including supervisory, monitoring, law enforcement, and other authorities) to personal data processed by the company is carried out in the scope and manner established by the relevant legislation of the Russian Federation.

6. Ensuring the Security of Personal Data

6.1. When processing personal data, the Company takes the necessary legal, organizational, and technical measures and ensures their implementation to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other unauthorized actions with regard to personal data.

6.2. Ensuring the security of personal data is achieved through, in particular:

  • Identifying threats to the security of personal data during their processing in personal data information systems;
  • Applying organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary for meeting the requirements for personal data protection, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
  • Applying the properly conducted procedures for assessing the compliance of information security measures;
  • Evaluation of the effectiveness of measures taken to ensure the security of personal data before the implementation of the personal data information system;
  • Consideration of machine media carrying personal data;
  • Detection of unauthorized access to personal data and taking appropriate measures;
  • Restoration of personal data that has been modified or destroyed due to unauthorized access;
  • Establishment of rules for accessing personal data processed in the personal data information system, as well as ensuring registration and tracking of all actions performed with personal data in the personal data information system;
  • Training of the Society's personnel involved in personal data processing on issues related to ensuring the security of personal data;
  • Monitoring the measures taken to ensure the security of personal data and the level of protection of personal data information systems.

6.3. Responsible individuals are designated in the Society for the purpose of coordinating actions related to the organization of personal data processing, including their security.

7. Concluding Provisions

7.1. This Policy is an internal document of the Society and is publicly available. It shall be posted on the official website of AO «KONTI-RUS».

7.2. Compliance with the requirements of this Policy is monitored by the person responsible for organizing the processing of personal data in the Society.

7.3. The liability of the Society's employees who process personal data and have access rights to them, for non-compliance with the norms and regulations governing the processing and protection of personal data, shall be determined in accordance with the legislation of the Russian Federation and the internal documents of AO «KONTI-RUS». It includes criminal, civil, administrative, and disciplinary liability.