Processing of personal data

REGULATION
ON PERSONAL DATA PROCESSING
Saint Petersburg
 

This Regulation on the processing of personal data (hereinafter referred to as the "Regulations") has been published and is being used by OOO "Atribeaute Clinique" (hereinafter referred to as the "Operator") in accordance with cl. 18.1 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" and defines the main provisions implemented when processing personal data by the Operator. The purpose of this Regulation is to comply with the requirements of the legislation in the field of personal data protection based on the Constitution of the Russian Federation and international treaties of the Russian Federation and consisting of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" and other federal laws and by-laws defining cases and peculiarities of processing personal data.
 

1. Terms and definitions
Personal data - any information relating to a directly or indirectly defined or determined individual (subject of personal data);
Operator - Limited Liability Company "Consulting Center "Atribeaute Clinique"", OGRN 1137847407906, INN 7806512448, address of location: 195112, St. Petersburg, Novocherkassk Ave., d.33, building 2 litas A, p. 12-N, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as defining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data;
Personal data processing - any action (operation) or a set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
Automated processing of personal data - processing of personal data by means of computer facilities;
Dissemination of personal data - actions aimed at disclosing personal data to an undetermined number of persons;
Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons;
Blocking of personal data - temporary termination of processing of personal data (except for cases when processing is necessary for clarification of personal data);
Destruction of personal data - actions, as a result of which it becomes impossible to restore the contents of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;
Depersonalization of personal data - actions, as a result of which it becomes impossible, without using additional information, to determine whether personal data belong to a specific subject of personal data;
Information system of personal data - a set of personal data contained in databases, together with the information technologies and technical means that provide for their processing;
Cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state, to an authority of a foreign state, to a foreign individual or to a foreign legal entity.

 

2. Principles of processing personal data
2.1. The processing of personal data must be carried out in a legal and fair manner.
2.2. The processing of personal data must be limited to the achievement of specific, predefined and legitimate purposes. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
2.3. It is not allowed to combine databases containing personal data, processing of which is carried out for purposes incompatible with each other.
2.4. Only personal data that meet the purposes of their processing are subject to processing.
2.5. The content and volume of processed personal data must comply with the stated processing objectives. Processed personal data should not be excessive in relation to the stated purposes of their processing.
2.6. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance to the purposes of processing personal data should be ensured. The Operator must take the necessary measures, or ensure that they are taken, to remove or update incomplete or inaccurate data.
2.7. Personal data must be stored in a form that allows the subject of personal data to be identified for no longer than the purposes of processing personal data require, unless the period of personal data storage is established by a federal law or by a contract to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data shall be destroyed or depersonalized upon the achievement of the processing objectives or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.

 

3. Conditions for processing personal data
3.1. Processing of personal data must be carried out in compliance with the principles and rules provided for by Federal laws.
3.2. Processing of personal data is allowed in the following cases:
3.2.1. processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
3.2.2. the processing of personal data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or the law for the implementation and performance of the functions, powers and duties imposed by the legislation of the Russian Federation on the Operator;
3.2.3. the processing of personal data is necessary for the administration of justice, the enforcement of a judicial act, an act of another body or official subject to enforcement in accordance with the law of the Russian Federation on enforcement proceedings;
3.2.4. the processing of personal data is necessary for the performance of a contract to which the subject of personal data or a beneficiary or guarantor is a party, as well as for the conclusion of a contract on the initiative of a personal data subject or a contract whereby the personal data subject will be a beneficiary or guarantor;
3.2.5. the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data if obtaining the consent of the personal data subject is impossible;
3.2.6. the processing of personal data is necessary for the exercise of the rights and legitimate interests of the Operator or third parties or for the achievement of socially significant purposes, provided that the rights and freedoms of the subject of personal data are not thereby violated;
3.2.7. processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of the Federal Law "On Personal Data", subject to obligatory depersonalization of personal data;
3.2.8. processing of personal data to which access by an unlimited circle of persons has been provided by the subject of personal data or at his request;
3.2.9. processing of personal data subject to publication or mandatory disclosure in accordance with federal law.
3.3. The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise stipulated by federal law, on the basis of a contract concluded with that person, including a state or municipal contract, or by adoption of a relevant act by the state or municipal body. A person carrying out the processing of personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Federal Law "On Personal Data".

 

4. Measures for the proper organization of processing and ensuring the security of personal data
4.1. The Operator ensures the security of personal data, in particular, in the following ways:
4.1.1. appointment of the person responsible for organizing the processing of personal data, whose rights and obligations are determined by the Operator's local acts;
4.1.2. implementation of internal control and / or audit of the compliance of personal data processing with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, and the local acts of the Operator;
4.1.3. familiarization of the Operator's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, and with local acts regarding the processing of personal data, and / or training of these employees;
4.1.4. identification of threats to the security of personal data when processing them in personal data information systems;
4.1.5. application of the organizational and technical measures to ensure the security of personal data during their processing in personal data information systems that are necessary to meet the requirements for the protection of personal data;
4.1.6. evaluation of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of an information system for personal data;
4.1.7. keeping records of the machine (material) carriers of personal data;
4.1.8. detection of unauthorized access to personal data and the adoption of appropriate measures;
restoration of personal data, modified or destroyed due to unauthorized access to them;
4.1.9. establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system;
4.1.10. control over compliance with the requirements in the field of ensuring the security of personal data and with the levels of security of information systems of personal data.
4.2. The duties of the Operator's employees who directly handle the processing of personal data, as well as their liability, are determined in the Operator's local acts. Employees of the Operator who are guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by federal laws.

 

5. Restrictions on the operation of this Regulation
This Regulation does not apply to relations arising from:
5.1. the processing of personal data by individuals solely for personal and family needs, unless the rights of subjects of personal data are violated;
5.2. the organization of storage, acquisition, registration and use of documents of the Archives of the Russian Federation and other archival documents containing personal data, in accordance with the legislation on archival business in the Russian Federation;
5.3. the processing of personal data classified, in accordance with the established procedure, as information constituting a state secret;
5.4. the provision by authorized bodies of information on the activities of the courts in the Russian Federation in accordance with Federal Law No. 262-FZ of 22 December 2008 "On providing access to information on the activities of the courts in the Russian Federation".

 

6. Normative-legal acts
This Regulation has been developed in accordance with the provisions of the following regulatory legal acts:
• The Code of the Russian Federation on Administrative Offenses of 30.12.2001 No. 195-FZ;
• Federal Law No. 149-FZ of 27.07.2006 "On Information, Information Technologies and Information Protection";
• Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
• Federal Law No. 242-FZ of July 21, 2014 "On Amending Certain Legislative Acts of the Russian Federation Regarding Specification of the Procedure for Processing Personal Data in Information and Telecommunication Networks";
• Requirements for the protection of personal data when processing them in personal data information systems (approved by Resolution of the Government of the Russian Federation No. 1119 of 01.11.2012);
• Regulations on the specifics of processing personal data, carried out without the use of automation tools (approved by Resolution of the Government of the Russian Federation of September 15, 2008 No. 687);
• The composition and content of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems (approved by Order No. 21 of the Federal Service for Technical and Export Control of the Russian Federation of February 18, 2013);
• The composition and content of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems using cryptographic information security tools necessary to meet the requirements set by the Government of the Russian Federation for the protection of personal data for each level of security (approved by the order of the Federal Security Service of the Russian Federation of July 10, 2014 No. 378).

 

7. Final Provisions
7.1. This Regulation is approved by the sole executive body of the Operator.
7.2. The Operator has the right to amend this Regulation.
7.3. When changes are made, the date of the latest revision is indicated in the heading of the Regulation. The new edition of the Regulation comes into force from the moment of its approval and posting on the Operator's website, unless otherwise provided by the new edition of the Regulation.
7.4. All employees of the Operator must familiarize themselves with this Regulation and comply with it.
7.5. Other rights and duties of OOO "Atribeaute Clinique", as an operator of personal data, are determined by the legislation of the Russian Federation in the field of personal data.