
Regulations on protection of personal data of Clients

Regulations on protection of personal data of Clients of www.avinida.ru

 

1. Terms and definitions.

1.1. Personal data is any information relating to an individual who is identified or can be identified from that information (personal data subject), including his/her surname, first name, patronymic, year, month, date and place of birth, address, email address, telephone number, family, social and property status, education, professional occupation, income and other information.

1.2. Personal data processing is actions (operations) using personal data, including capturing, systematization, accumulation, storage, update (refreshing, changing), use, disseminating (including transfer), depersonalization, locking.

1.3. Confidentiality of personal data is a statutory requirement, binding on the designated person in charge who has gained access to personal data, not to allow its distribution without consent of the subject or other reasonable ground.

1.4. Distribution of personal data is actions aimed at transfer of personal data to a certain circle of persons (disclosure of personal data) or at making personal data available to an unlimited range of persons, including publishing of personal data in mass media or information and telecommunications networks, or providing access to personal data in some other way.

1.5. Use of personal data is actions (operations) with personal data being taken for the purpose of making decisions or taking other actions, which produce legal effects concerning personal data subjects or in any other way affect their rights and freedoms or rights and freedoms of other persons.

1.6. Locking of personal data is interruption of capturing, systematization, accumulation, use, disseminating of personal data, including its transfer.

1.7. Destruction of personal data is actions following which it is impossible to restore the content of personal data in the personal data filing system or following which tangible media carrying personal data are eliminated.

1.8. Depersonalization of personal data is actions following which it is impossible to determine which particular subject the personal data belongs to without using additional information.

1.9. Publicly available personal data is personal data which is accessible to an unlimited range of persons with consent of the subject, or which is not subject to the confidentiality requirement under the federal legislation.

1.10. Information is data (reports, facts) irrespective of its presentation form.

1.11. Client (personal data subject) is an individual person who is a consumer of services of the Limited Liability Company “Avinida” on its website www.avinida.ru (the company is hereinafter referred to as the “Organization”).

1.12. Operator is a public authority, municipal authority, legal entity or individual person, organizing and/or implementing processing of personal data on a stand-alone basis or in affiliation with other persons as well as defining goals of processing of personal data, the scope of personal data to be processed, actions (operations) taken using personal data.

2. General provisions.

2.1. The current Regulations on processing of personal data (hereinafter referred to as the Regulations) have been drawn up in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law “On Information, Information Technologies, and Information Protection”, the Federal Law 152-FZ “On Personal Data” and other federal laws.

2.2. The Regulations are drawn up to establish the order of processing and protection of personal data of all Clients of the Organization whose data is subject to processing within the operator’s authority; to ensure protection of the rights and freedoms of the person and the citizen when his/her personal data is processed, including protection of the right to privacy; and to establish the responsibility of officials who have access to personal data for failing to comply with the requirements for processing and protection of personal data.

2.3. Order of the Regulations implementation and change.

2.3.1. The current Regulations come into force upon approval by the General Director of the Organization and remain in force without limit of time until replaced by new Regulations.

2.3.2. Changes to the Regulations are introduced by an Order of the General Director of the Organization.

3. Scope of personal data.

3.1. The scope of personal data of the Clients particularly includes:

3.1.1. Surname, first name, patronymic.

3.1.2. Year of birth.

3.1.3. Month of birth.

3.1.4. Date of birth.

3.1.5. Place of birth.

3.1.7. Family status.

3.1.8. Education.

3.1.9. Professional occupation.

3.1.10. Income.

3.1.11. Individual Taxpayer Number, Pension certificate number.

3.1.12. Place of employment.

3.1.13. Current position.

3.1.14. Email address.

3.1.15. Telephone number (home, mobile).

3.2. The Organization may create (creates, collects and maintains) the following documents and data, including in electronic format, containing information about the Clients:

3.2.1. Enquiry.

3.2.2. Registration request by an individual person.

3.2.3. Contract (public offer).

3.2.4. Accession agreement.

3.2.5. Copies of personal identity documents and other documents submitted by the Client and containing personal data.

3.2.6. Orders (goods/services) payments figures, containing wire transfer and other information of the Client.

3.2.7. Telephone conversation records and email correspondence.

4. Goal of personal data processing.

4.1. The goal of personal data processing is to implement a series of steps aimed at achieving the goal, including:

4.1.1. Rendering consulting and information services.

4.1.2. Other transactions not prohibited by the legislation as well as a series of steps using personal data required for execution of the above mentioned transactions.

4.1.3. Compliance with the legal requirements of the Russian Federation.

4.2. Dissolution of the Organization, as well as a corresponding request by the Client, is the condition for termination of the personal data processing.

5. Capturing, processing and protection of personal data.

5.1. The order of receiving (capturing) personal data:

5.1.1. All personal data of the Client should be received from him/her personally with his/her written consent, except as set out in Items 5.1.4 and 5.1.6 of the current Regulations and in other cases provided for by the legislation of the Russian Federation.

5.1.2. The consent of the Client for using his/her personal data is stored in the Organization in hard and/or soft copies.

5.1.3. The consent of the subject for personal data processing extends for the whole effective period of the contract as well as for 5 years from the date of termination of the contractual relations between the Client and the Organization. After expiry of the above mentioned period the effect of the consent is considered as extended for every following 5 years unless record of its withdrawal is provided.

5.1.4. If personal data of the Client can only be received from a third person, the Client should be informed about it in advance and should provide written consent. The third person providing personal data of the Client should hold the subject’s consent for transfer of the personal data to the Organization. The Organization is obliged to obtain acknowledgement from the third person transferring the personal data of the Client that the personal data is being transferred with his/her consent. When dealing with third persons the Organization is obliged to conclude a confidentiality agreement with them covering information related to personal data of the Clients.

5.1.5. The Organization is obliged to inform the Client about the goals, intended sources and ways of obtaining personal data, as well as about the nature of the personal data to be obtained and the consequences of the Client’s refusal to provide written consent.

5.1.6. Processing of personal data of the Clients without their consent is implemented on the occurrence of any of the following:

5.1.6.1. Personal data is publicly available.

5.1.6.2. Upon the request of competent public authorities in cases provided for by the federal law.

5.1.6.3. Processing of personal data is implemented under the federal law, which defines its goal, conditions of personal data acceptance and the scope of subjects whose personal data are being processed as well as the authorized operator.

5.1.6.4. Processing of personal data is implemented for the purpose of concluding and performing a contract to which the personal data subject (the Client) is a party.

5.1.6.5. Processing of personal data is implemented for strategic goals pursuant to obligatory depersonalization of personal data.

5.1.6.6. To the extent otherwise set forth by the law.

5.1.7. The Organization is not entitled to receive and process personal data of the Client concerning his/her race, nationality, political views, religious and philosophical convictions, state of health or intimate life.

5.2. Order of processing of personal data:

5.2.1. Personal data subject provides reliable information about him/her to the Organization.

5.2.2. Only corporate employees of the Organization admitted to work with personal data of the Client and having signed the Non-disclosure agreement can have access to processing personal data of the Clients.

5.2.3. The right of access to personal data of the Client in the Organization belongs to:

The name list of employees of the Organization, who have access to personal data of the Clients, is defined by a decree of the General Director of the Organization.

5.2.4. Processing of personal data of the Client may be implemented solely for the purposes set by the Regulations and in compliance with the law and other regulatory legal acts of the Russian Federation.

5.2.5. When defining the amount and content of personal data to be processed the Organization is governed by the Constitution of the Russian Federation, the law on personal data and other federal laws.

5.3. Protection of personal data:

5.3.1. Protection of personal data of the Client is a set of measures (organizational/management, technical, legal) aimed at prevention of unlawful and accidental access to it, destruction, changing, locking, copying, dissemination of personal data of the subjects and other unlawful actions.

5.3.2. Protection of personal data of the Client is implemented at the expense of the Organization in accordance with the procedures established by the federal law of the Russian Federation.  

5.3.3. In order to protect personal data of the Clients the Organization takes all necessary organizational/management, legal and technical measures, including:

5.3.4. The general organization of protection of personal data of the Clients is fulfilled by the General Director of the Organization.

5.3.5. Access to personal data of the Client is held by those employees of the Organization who need the personal data to fulfill their employment duties.

5.3.6. All employees involved with receiving, processing and protection of personal data of the Clients are obliged to sign the Non-disclosure agreement.

5.3.7. The procedure of formulation of access to personal data of the Client includes:

5.3.8. An employee of the Organization who has access to personal data of the Clients due to fulfillment of employment duties:

5.3.9. Personnel manager ensures:

5.3.10. Protection of personal data of the Clients stored in electronic database of the Organization, from unauthorized access, corruption and destruction as well as other unlawful actions is guaranteed by the System Administrator. 

5.4. Personal data storage:

5.4.1. Personal data of the Clients in hard copies is stored in safe deposit boxes.

5.4.2. Personal data of the Clients in soft copies is stored in the local area network of the Organization, in electronic folders and files in personal computers of the General Director and employees admitted to processing of personal data of the Clients. 

5.4.3. Documents containing personal data of the Clients are stored in lockers (safe deposit boxes), which provide protection from unauthorized access. At the end of workday all documents containing personal data of the Clients are placed in lockers (safe deposit boxes), which provide protection from unauthorized access.

5.4.4. Protection of access to electronic databases containing personal data of the Clients is provided by:

5.4.4.1. Unauthorized access to personal computers containing personal data of the Clients is blocked by a password, which is set by the System Administrator and is not to be disclosed.

5.4.4.2. All electronic folders and files containing personal data of the Clients are protected by a password, which is set by an employee of the Organization who is in charge of personal computers and is conveyed to the System Administrator.

5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.

5.4.5. Copying and abstracting personal data of the Client is allowed solely for work-related purposes subject to written approval of the General Director of the Organization.

5.4.6. Responses to written requests from other organizations and offices regarding personal data of the Clients are only given with the written consent of the Client himself/herself, unless otherwise provided by legislation. Responses are executed in writing on the letterhead of the Organization and only to the extent that avoids disclosing excessive personal data of the Client.

6. Locking, depersonalization, destruction of personal data.

6.1. Order of locking and unlocking of personal data.

6.1.1. Personal data of the Clients is only locked with the written application of the Client.

6.1.2. Locking of personal data implies:

6.1.2.1. Prohibition on editing personal data.

6.1.2.2. Prohibition on dissemination of personal data in every way possible (email, mobile communication, tangible media).

6.1.2.3. Prohibition on using personal data in bulk messaging (sms, email, post).

6.1.2.4. Withdrawal of paper records related to the Client and containing his/her personal data from the internal document flow of the Organization and prohibition on its further use.

6.1.3. Locking of personal data of the Client may be temporarily lifted if needed for compliance with the legislation of the Russian Federation.

6.1.4. Personal data of the Client is unlocked with the written application of the Client (if consent needs to be received) or with an application of the Client.

6.1.5. Repeated consent of the Client for processing of his/her personal data (if it needs to be received) involves unlocking of his/her personal data.

6.2. Order of depersonalization and destruction of personal data:

6.2.1. Personal data of the Client is depersonalized with the written application of the Client, provided that all contractual relations are finalized and at least 5 years have passed from the date of the last contract termination.

6.2.2. When personal data is depersonalized, it is substituted in the information systems with a set of symbols from which it is impossible to determine which particular Client the personal data belongs to.

6.2.3. When personal data is depersonalized, hard copies of documents are eliminated.

6.2.4. The Organization is obliged to ensure confidentiality of personal data when data systems need to be tested on the territory of the implementer, and to depersonalize personal data in information systems transferred to the implementer.

6.2.5. Destruction of personal data of the Client implies termination of any access to personal data of the Client.

6.2.6. Once personal data of the Client is destroyed, employees of the Organization cannot get access to personal data of the subject in information systems.

6.2.7. When personal data is destroyed, hard copies of documents are eliminated and personal data in information systems is depersonalized. Personal data cannot be corrected.

6.2.8. The operation of destruction of personal data is irreversible.

6.2.9. The date after which destruction of the Client’s personal data is possible is the end of the period mentioned in Item 7.3 of the current Regulations.

7. Transfer and storage of personal data.

7.1. Transfer of personal data:

7.1.1. Transfer of personal data of the subject is dissemination of information via communications network and on tangible media.

7.1.2. When transferring personal data employees of the Organization should comply with the following requirements:

7.1.2.1. Not to supply personal data of the Client for commercial purposes.

7.1.2.2. Not to supply personal data of the Client to a third person without written consent of the Client, unless otherwise provided by the federal law of the Russian Federation.

7.1.2.3. To inform persons who acquire personal data of the Client that the data may only be used for the purposes for which it was transferred, and to request from those persons confirmation of compliance with this rule.

7.1.2.4. To allow access to personal data of the Clients only to authorized persons, who should have the right to acquire only the personal data of the Clients needed for performing particular functions.

7.1.2.5. To transfer personal data of the Client within the Organization in accordance with the current Regulations, standard process documentation and job profile.

7.1.2.6. To provide access of the Client to his/her personal data at application or when receiving an application from the Client. The Organization is obliged to submit to the Client information on existence of personal data about him/her as well as provide a possibility of familiarization with it within 10 workdays from the moment of application.

7.1.2.7. To transfer personal data of the Client to representatives of the Client under the current statutory procedure and standard process documentation and provide only personal data of the subject, which are needed for performing the functions defined by representatives.

7.1.2.8. To keep a log of transfers of personal data of the Client, recording information about the person who acquired personal data of the Clients, the date of personal data transfer or the date of notice of refusal to provide personal data, as well as the kind of information transferred.

7.2. Storage and use of personal data:

7.2.1. Storage of personal data is existence of records in information systems and on tangible media.

7.2.2. Personal data of the Clients is processed and stored in information systems as well as in hard copies in the Organization. Personal data of the Clients is also stored in soft copies: in local computer network of the Organization, in electronic folders and files in personal computers of the General Director and employees admitted to process personal data of the Clients.  

7.2.3. Personal data of the Client may be stored for as long as, and no longer than, needed for processing unless otherwise provided for by the federal laws of the Russian Federation.

7.3. Period for retaining personal data:

7.3.1. The retention period for civil law contracts containing personal data of the Clients, as well as for documents accompanying their conclusion and execution, is 5 years from the moment of contract termination.

7.3.2. Within the retention period, personal data may not be depersonalized or eliminated.

7.3.3. After the retention period ends, personal data may be depersonalized in information systems and eliminated in hard copies pursuant to the procedure established by the Regulations and the acting legislation of the Russian Federation.

8. Rights of the personal data processor.

The Organization has the right to:

8.1. Assert its interests in court.

8.2. Provide personal data of the Clients to third persons in the event it’s provided for by the acting legislation (taxing authorities, law-enforcement authorities and others).

8.3. Deny provision of personal data in cases provided for by the law.  

8.4. Use personal data of the Client without his/her consent in cases provided for by the legislation of the Russian Federation.

9. Rights of the Client.

The Client has the right to:

9.1. Require refinement, locking and destruction of his/her personal data in the event the personal data is incomplete, outdated, invalid, illegally acquired or not needed for the announced goal of the processing, as well as take measures provided for by the law to protect his/her rights.

9.2. Require the list of his/her personal data processed by the Organization and the source from which it was obtained.

9.3. Receive information on periods for personal data processing, including retention periods.

9.4. Require notification of all persons earlier informed of his/her invalid or incomplete personal data about all deletions, corrections or supplements made to it.

9.5. Appeal to a competent authority for protection of the rights of personal data subjects, or through legal proceedings, against wrongful acts or omissions in the processing of his/her personal data.

10. Responsibility for violating norms regulating processing and protection of personal data.

10.1. Employees of the Organization guilty of violation of norms regulating capturing, processing and protection of personal data bear disciplinary, administrative, civil and criminal liability in accordance with the acting legislation of the Russian Federation and the internal local acts of the Organization.