Approved by the writ № 4 of July 24, 2018
The CEO of “Detali mashin” Plc
“Detali mashin” Plc
1. General information about data processing
1.1. This Policy concerning data processing (hereinafter – Policy) is drawn up in accordance with clause 2 of Article 18.1 of Federal Law №152-FZ “On Personal Data” of July 27, 2006, and in accordance with other legal acts of the Russian Federation concerning the protection and processing of all personal data (hereinafter – Data) which the Organization (hereinafter – Operator, Company) may obtain from a person who is a party to a civil-law contract, from an Internet user (hereinafter – User) while he or she is using any of the websites, services, programs or products provided by “Detali mashin” Plc, or from a person whose relationship with the Operator is regulated by labour law (hereinafter – Employee).
1.2. The Operator protects personal data from unauthorized access and disclosure, illegal use or loss in accordance with the requirements of Federal Law №152-FZ “On Personal Data” of July 27, 2006.
1.3. The Operator is allowed to make changes to this Policy. When changes are made to the Policy, its title carries the date of the latest revision. The new edition of the Policy comes into effect from the moment it is posted on the website, unless the new edition of the Policy provides otherwise.
2. Terms and Abbreviations
Personal data is any kind of information related, directly or indirectly, to a certain person (the subject of the personal data).
Personal data processing includes any action (transaction) or set of actions (transactions) completed with or without the help of automated means when collecting, recording, systematizing, detailing, storing, restoring, editing, retrieving, using, conveying (spreading, providing, giving access), depersonalizing, blocking, deleting or destroying the personal data.
Automated processing of personal data refers to the processing of personal data with the help of computers.
The information system of the personal data (ISPD) is the personal data stored in the databases as well as the technical means and the information technologies which enable their processing.
Personal data made accessible by the subject of the personal data refers to personal data to which access is given to an unlimited number of people by the subject of the personal data or at his or her request.
Blocking of the personal data is the temporary cessation of the processing of the personal data (except the cases when the processing is necessary for the detailing of the personal data).
The deleting of the personal data refers to the actions as a result of which it becomes impossible to restore the content of the personal data in the information system of the personal data and (or) as a result of which the personal data storage devices are eliminated.
The Operator is an organization which, individually or together with other parties, organizes the processing of personal data and determines the aims of the processing of the personal data which are to be processed and the actions (transactions) concerning the personal data. The Operator is “Detali mashin” Plc, located at: postal code 111024, Moscow, 2nd Cable passage, 1, block 2, 1 floor, office 101/6.
3. Personal data processing
3.1. Collecting of the personal data
3.1.1. All personal data should be collected from the subject himself/herself. If the personal data of the subject can only be obtained from a third party, the subject must be notified about it or must give official consent.
3.1.2. The Operator must inform the subject about the aims, the intended sources and the methods of obtaining the personal data, about the character of the personal data, about the set of actions performed with the personal data, about the period during which the agreement is valid and the terms of its withdrawal, and about the consequences of refusing to give written consent to obtain them.
3.1.3. The documents which contain the data are compiled by:
– making a copy of the original documents (passport, diplomas/certificates of education, TIN, pension testimony etc.);
– filling in the forms;
– collecting the necessary original documents (record of service, medical report, other reports etc.).
3.2. Personal data processing.
3.2.1. Personal data processing is exercised:
– with the consent of the subject of the personal data to the processing of his or her personal data;
– in cases when personal data processing is necessary to fulfill and exercise the functions, rights and duties entrusted by the legislation of the Russian Federation;
– in cases when access to the personal data being processed is made public by the subject of the personal data or at his or her request (hereinafter – personal data made public by the subject of the personal data).
3.2.2. The aims of the personal data processing:
– exercise of the relationship regulated by the labour law;
– exercise of the relationship regulated by the civil law;
– interaction with the user in connection with filling in the feedback form on the website, including sending notifications, requests and information concerning the use of the information from the website of the store, processing and coordinating the orders being placed and the delivery/shipment, and the fulfillment of agreements and contracts;
– depersonalization of personal data in order to obtain impersonal statistics, which are given to a third party for research purposes or for conducting research, any kind of work or providing services at the request of the shop.
3.2.3. Categories of the subjects of personal data
Personal data of the following subjects can be processed:
– the individuals in a relationship with the Company regulated by the labour law;
– the individuals dismissed from the Company;
– the individuals who are prospective employees;
– the individuals in a relationship with the Company regulated by the civil law;
– the individuals who are the users of the shop’s website.
3.2.4. Personal data processed by the Operator:
– the data collected in a relationship regulated by the labour law;
– the data collected while recruiting the candidates;
– the data collected in a relationship regulated by the civil law;
– the data collected from the users of the shop’s website.
3.2.5. Personal data processing can be exercised:
– with the help of automated means;
– without automated means.
3.3. Personal data storage.
3.3.1. Personal data of the subjects can be collected, processed and archived both on paper and in the digital format.
3.3.2. Personal data in paper format is archived in lockable drawers or cabinets, or in lockable places with limited access.
3.3.3. Personal data of the subjects processed with the help of automated means for different aims is stored in separate folders.
3.3.4. It is forbidden to store and archive documents containing personal data in digital format with open access in the ISPD.
3.3.5. Personal data may be stored in a form that allows the subject of the personal data to be identified only for the period necessary for the processing, and these data are to be deleted when the aims of the processing are achieved or when these aims are no longer important.
3.4. Personal data destruction
3.4.1. Documents (storage drives) containing personal data are destroyed by burning, shredding, chemical decomposition, or reducing them to a shapeless mass or powder. For destroying paper documents, a shredder can be used.
3.4.2. Personal data stored in a digital format is destroyed through erasing or formatting the storage drive.
3.4.3. The fact of destruction of the personal data is officially confirmed with the act of destruction of the carrier.
3.5. Sharing of the personal data
3.5.1. The Operator can share personal data with a third party in the following cases:
– the subject has agreed to these actions;
– the sharing of the data is provided for by Russian or other applicable legislation within the limits of the procedure regulated by law.
3.5.2. The list of subjects entitled to receive the personal data:
– the Pension Fund of the Russian Federation (entitled by law);
– the tax authorities of the Russian Federation (entitled by law);
– the social insurance fund of the Russian Federation (entitled by law);
– the territorial fund of the compulsory medical insurance (entitled by law);
– the insurance companies specializing in compulsory or voluntary medical insurance (entitled by law);
– banks, for crediting salaries and wages (according to the agreement);
– Ministry of Internal Affairs of the Russian Federation (entitled by law);
– depersonalized personal data of the Users of the Internet shop’s website are transferred to the Shop’s contractors.
4. Personal data protection
4.1. In accordance with the requirements of the legal documents, the Operator creates a system of personal data protection (SPDP), which consists of the sub-systems of legal, organizational and technical protection.
4.2. The sub-system of legal protection is a set of legal, organizational-administrative and legal documents ensuring the creation, functioning and improvement of the SPDP.
4.3. The sub-system of organizational protection includes the structural organization of the administration of the SPDP, the system of permits, and the protection of information when cooperating with employees, partners and other individuals.
4.4. The sub-system of technical protection includes technical, software and hardware means which enable personal data protection.
4.5. The key means of personal data protection used by the Operator are:
4.5.1. Appointing the individual responsible for personal data processing, for the training and lecturing of the employees, and for ensuring that the company and all employees meet all the requirements concerning personal data protection.
4.5.2. Defining the possible risks to the safety of personal data during their processing in the SPDP and developing the course of action on personal data protection.
4.5.3. Development of the policy concerning personal data protection.
4.5.4. Establishing access regulations for personal data processed in the SPDP and ensuring that all actions taken with regard to personal data in the SPDP are recorded.
4.5.5. Setting unique personal passwords for employees' access to the information system in accordance with their professional duties.
4.5.6. The use of information protection means which have passed the necessary assessment procedures.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with the conditions which ensure personal data safety and exclude the possibility of illegal access.
4.5.9. Detecting cases of unauthorized access to personal data and taking the necessary measures.
4.5.10. Restoring personal data modified or destroyed as a result of unauthorized access to them.
4.5.11. Familiarizing the employees of the Operator directly involved in personal data protection with the acts of the legislation of the Russian Federation on personal data protection. This includes the requirements for personal data protection, the documents defining the Operator’s policy concerning personal data protection, and local acts concerning the questions of personal data protection.
4.5.12. In-company monitoring and audit.
5. Key rights of the subject of personal data and key responsibilities of the Operator
5.1. Key rights of the subject of personal data.
The subject has the right to get access to his or her personal data and the following information:
– confirmation of the fact of personal data processing by the Operator;
– legal foundation and aims of personal data processing;
– Operator's aims and ways of personal data processing;
– Operator’s name and location, information about the individuals (excluding the employees of the Operator) who have access to personal data and who can get access to personal data in accordance with the agreement with the Operator or in accordance with the federal law;
– the terms of personal data processing, including the expiry date;
– the Subject’s rights presupposed by Federal law;
– the naming or name, surname and patronymic as well as the address of the individual exercising personal data processing by the request of the Operator in case the processing is requested or will be requested from such an individual;
– contacting the Operator and sending any requests to him;
– appealing the actions or lack of action of the Operator.
5.2. Operator's responsibilities.
Operator is responsible for:
– providing the information concerning personal data processing when the personal data is being collected;
– notifying the subject in cases when personal data was collected from a source other than the subject of the personal data;
– explaining the consequences of the refusal of giving the personal data to the subject by his request;
– publishing the document on the website or in another way providing public access to the document defining the Operator’s policy concerning personal data processing and to the information on the demands for personal data protection;
– taking necessary legal, organizational and technical measures or ensuring that these measures are taken in order to protect personal data from illegal or accidental access to them, destruction, modification, blocking, copying, providing, sharing of personal data, as well as from other illegal actions with personal data;
– replying to questions and requests from the subjects of personal data and their representatives, as well as from the authorized body for the protection of the rights of personal data subjects.