(hereinafter: Policy)
1. General Provisions
1.1. This Policy applies to all information that «Grand Logistics» may legally obtain about the subject of personal data including during the use of the «Grand Logistics» website, programs and products of the website.
1.2. The following terms are used in this Policy:
- Personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data);
- Personal data operator (operator) is a state body, municipal body, legal or natural person that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data;
- Subject of personal data is a natural person identified or identifiable with the help of information relating to him/her directly or indirectly;
- Personal data processing is any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Personal data processing includes, among other things, collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
- Automated processing of personal data is the processing of personal data using computer technology;
- Dissemination of personal data is actions aimed at disclosing personal data to an indefinite number of persons;
- Provision of personal data is actions aimed at disclosing personal data to a specific person or a specific group of persons;
- Destruction of personal data is actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
- Depersonalization of personal data is actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without the use of additional information;
- Personal data information system is a set of personal data contained in databases and the information technologies and technical means that ensure their processing;
- Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a government body of a foreign state, a foreign individual or a foreign legal entity.
- Confidentiality of personal data is a mandatory requirement for the Operator or another person who has gained access to personal data to prevent their dissemination without the consent of the subject of the personal data or the presence of another legal basis.
1.2 Basic rights and obligations of the Operator and the subject of personal data.
1.2.1. Obligations of the Operator:
- when collecting personal data, provide information on the processing of personal data;
- in cases where personal data were not received from the subject of personal data, notify the subject;
- in case of refusal to provide personal data, the subject is explained the consequences of such refusal;
- publish or otherwise provide unlimited access to the document defining its policy regarding the processing of personal data, to information on the implemented requirements for the protection of personal data;
- take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
- respond to requests and appeals from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.
1.2.2. Rights of the subject of personal data:
The subject of personal data has the right to access his personal data and the following information:
- confirmation of the fact of processing of personal data by the operator;
- legal grounds and purposes of processing of personal data;
- purposes and methods of processing of personal data used by the operator;
- name and location of the operator, information about persons (except for the operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
- terms of processing of personal data including the terms of their storage;
- the procedure for the personal data subject to exercise the rights provided for by this Federal Law;
- the name or surname, first name, patronymic and address of the person processing the personal data on behalf of the operator, if the processing is or will be entrusted to such person;
- contacting the operator and sending him requests;
- appealing the actions or inactions of the operator;
- revocation of consent to the processing of personal data.
2. The purposes of collecting personal data
2.1. The Operator processes personal data for the following purposes:
- ensuring compliance with the Constitution, federal laws and other regulatory legal acts of the Russian Federation in the field of personal data;
- carrying out its activities in accordance with the charter of "Grand Logistics";
- maintaining personnel records;
- assisting employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;
- attracting and selecting candidates for work at the operator;
- organizing the registration of employees for individual (personalized) records in the mandatory pension insurance system;
- filling out and submitting required reporting forms to executive authorities and other authorized organizations;
- implementing civil law relations;
- accounting;
- implementing access control;
- posting information about employees on the official website gl-log.ru.
3. Legal grounds for processing personal data
3.3.1. The legal basis for the processing of personal data is the totality of legal acts, in pursuance of which and in accordance with which the operator processes personal data. Namely:
- Constitution of the Russian Federation;
- Labor Code of the Russian Federation;
- Civil Code of the Russian Federation;
- Federal Law of 27.07.2006 No. 149-FZ "On Information, Information Technologies and Information Protection";
- Federal Law of 29.11.2010 N 326-FZ "On Compulsory Medical Insurance in the Russian Federation";
- Federal Law "On Compulsory Pension Insurance in the Russian Federation" of 15.12.2001 N 167-FZ;
- Federal Law "On Compulsory Social Insurance from Labor Accidents and Occupational Diseases" of 24.07.1998 N 125-FZ;
- Operator Charter;
- Resolution of the Government of the Russian Federation of 15.09.2008 N 687 "On approval of the Regulation on the specifics of personal data processing without the use of automation tools";
- Agreements concluded between the operator and the subject of personal data;
- Consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation but corresponding to the powers of the operator);
- Consent to the distribution of personal data.
4. Volume and categories of personal data processed, categories of personal data subjects
4.1. The processing of personal data must be carried out in compliance with the principles and rules stipulated by the Federal Law. The processing of personal data is permitted in the following cases:
- the processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
- the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation;
- the processing of personal data is necessary for the exercise of powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local government bodies and the functions of organizations involved in the provision of state and municipal services, respectively, provided for by Federal Law No. 210-FZ of July 27, 2010 "On the Organization of the Provision of State and Municipal Services", including the registration of the subject of personal data on the unified portal of state and municipal services and (or) regional portals of state and municipal services;
- the processing of personal data is necessary for the performance of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;
- the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible.
4.2. The categories of personal data subjects include:
- employees of the operator, former employees, candidates for vacant positions, as well as relatives of employees;
- contractors of the operator (natural persons);
- representatives/employees of contractors of "Grand Logistics" (legal persons);
- persons not related to those listed above and entering the territory of the operator.
4.3. The operator processes the following personal data:
- general;
- biometric;
- special;
- other.
4.4. The list of data processed by the operator includes:
- last name, first name, patronymic;
- date and place of birth;
- citizenship;
- information about knowledge of foreign languages;
- education (name of educational institution, year of graduation, education document, qualification, specialty);
- profession;
- work experience;
- marital status;
- family composition (degree of kinship (closest relatives, full names of relatives, year of their birth);
- information on military registration;
- place of registration;
- information on place(s) of work;
- contact phone number;
- email address;
- information about certification, advanced training, professional retraining;
- passport details (number, date of issue, by whom issued);
- race or nationality;
- health status;
- photographs;
- blood type;
- genetic information;
- information on existing awards (incentives), honorary titles;
- information on the number and series of the state pension insurance certificate;
- information on the taxpayer identification number;
- current accounts;
- driver's license;
- SNILS.
5. Procedure, conditions of processing and storage of personal data
5.1. The processing of personal data is carried out by the operator in accordance with the requirements of the legislation of the Russian Federation.
5.2. Personal data is processed with the consent of the personal data subjects to the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
5.3. The operator carries out both automated and non-automated processing of personal data.
5.4. The operator's employees whose job responsibilities include the processing of personal data are allowed to process personal data.
5.5. Personal data is processed by:
- obtaining personal data in oral and written form directly with the consent of the subject of personal data to the processing of his personal data;
- entering personal data into the operator's logs, registers and information systems;
- using other methods of processing personal data.
5.6. Disclosure to third parties and distribution of personal data is prohibited without the consent of the subject of personal data, unless otherwise provided by federal law.
5.7. Transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
5.8. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including:
- identifies threats to the security of personal data during their processing;
- adopts local regulations and other documents governing relations in the field of processing and protecting personal data;
- appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the operator;
- creates the necessary conditions for working with personal data;
- organizes the registration of documents containing personal data;
- organizes work with information systems in which personal data is processed;
- stores personal data in conditions that ensure their safety and exclude unauthorized access to them;
- organizes training for the operator's employees who process personal data.
5.9. The operator stores personal data in a form that allows the subject of personal data to be identified, no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law or agreement.
5.10. When collecting personal data, including through the Internet information and telecommunications network, the operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases specified in the Federal Law.
5.11. Personal data of subjects may be received, further processed and transferred for storage both on paper and in electronic form.
5.12. Personal data recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.
5.12. Personal data of subjects processed using automation tools for different purposes are stored in different folders.
5.13. Storage and placement of documents containing personal data in open electronic catalogues is prohibited.
5.14. The storage of personal data in a form that allows the identification of the subject of the personal data is carried out no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in the event of loss of the need to achieve them.
5.15. Destruction of documents (media) containing personal data is carried out by burning, crushing (grinding), chemical decomposition, turning into a shapeless mass or powder. A shredder may be used to destroy paper documents.
5.16. Personal data on electronic media are destroyed by erasing or formatting the media.
5.17. The fact of destruction of personal data is confirmed by a documented act on the destruction of media.
6. Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data
6.1. In case of confirmation of the fact of inaccuracy of personal data or illegality of their processing, the personal data are subject to their updating by the operator, and the processing must be terminated.
6.2. Upon achievement of the purposes of processing personal data, as well as in case of withdrawal of consent to their processing by the subject of personal data, personal data are subject to destruction if:
- unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor;
- the operator has no right to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law or other federal laws;
- unless otherwise provided by another agreement between the operator and the personal data subject.
6.3. The operator is obliged to inform the subject of personal data or his representative about the processing of personal data of such subject carried out by him at the request of the latter within thirty days from the date of receipt of the request of the subject of personal data or his representative.
7. Protection of personal data
7.1. The operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by current legislation.
7.2. The main measures for the protection of personal data used by the operator are:
7.2.1. Appointment of a person responsible for the processing of personal data, who carries out the organization of the processing of personal data, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
7.2.2. The issuance by the operator of documents defining the operator's policy regarding the processing of personal data, local acts on issues of processing personal data, defining for each purpose of processing personal data the categories and list of personal data being processed, the categories of subjects whose personal data are being processed, the methods and terms of their processing and storage, the procedure for the destruction of personal data upon achieving the purposes of their processing or upon the occurrence of other legal grounds, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations.
7.2.3. Application of legal, organizational and technical measures to ensure the security of personal data.
7.2.4. Implementation of internal control and (or) audit of compliance of personal data processing with current legislation, requirements for the protection of personal data, the operator's policy regarding the processing of personal data, local acts of the operator.
7.2.5. Assessment of the harm that may be caused to personal data subjects in the event of a violation of current legislation, the ratio of the said harm and the measures taken by the operator aimed at ensuring the fulfillment of obligations under current legislation.
7.2.6. Familiarization of the operator's employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator's policy regarding the processing of personal data, local acts on issues of processing personal data, and (or) training of the said employees.
7.3. The operator has published on the website gl-log.ru a document defining its policy regarding the processing of personal data, with information on the implemented requirements for the protection of personal data.
7.4. At the request of the authorized body for the protection of the rights of personal data subjects, the operator is obliged to submit documents and local acts and (or) otherwise confirm the adoption of the said measures.
7.5. When processing personal data, the operator takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
7.6. The main measures to ensure the security of personal data used by the operator are:
7.6.1. Identification of threats to the security of personal data when processing them in personal data information systems.
7.6.2. Application of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems, necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of protection of personal data established by the Government of the Russian Federation.
7.6.3. Application of information security tools that have undergone the established procedure for assessing the conformity of information.
7.6.4. Evaluation of the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system.
7.6.5. Accounting for machine-readable media containing personal data.
7.6.6. Detection of facts of unauthorized access to personal data and taking measures, including measures to detect, prevent and eliminate the consequences of computer attacks on personal data information systems and to respond to computer incidents in them.
7.6.7. Restoration of personal data modified or destroyed as a result of unauthorized access to them.
7.6.8. Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
7.6.9. Monitoring the measures taken to ensure the security of personal data and the level of protection of personal data information systems.
7.7. The Operator interacts with the State System for Detecting, Preventing, and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation, including informing it of computer incidents that have resulted in the unauthorized transfer (provision, distribution, access) of personal data.