1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) LLC "Ipotekcentr" (hereinafter referred to as the Operator) has been developed in accordance with the following legal acts:
- The Constitution of the Russian Federation;
- The Labor Code of the Russian Federation;
- The Civil Code of the Russian Federation;
- Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";
- Federal Law No. 152-FZ of July 27, 2006 'About personal data';
- Decree of the Government of the Russian Federation dated 01.11.2012 No. 1119 'On approval of requirements for the protection of personal data during their Processing in personal Data Information Systems';
- Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 'On Approval of requirements for the protection of personal data during their Processing in personal Data Information Systems';
- Order of FSTEC of Russia No. 55, FSB of Russia No. 86, Ministry of Communications of Russia No. 20 dated February 13, 2008 'On Approval of the Procedure for Classification of Personal Data Information Systems';
- Order of the FSTEC of Russia dated February 18, 2013 No. 21 'On Approval of the composition and Content of organizational and technical measures to ensure the security of personal data during their Processing in personal Data Information Systems';
- other federal laws and regulations.
1.2. This Policy in the field of processing and protection of personal data in LLC "Ipotekcentr" (hereinafter - the Policy):
- designed to ensure the protection of the rights and freedoms of the personal data subject during the processing of his personal data, as well as to ensure the implementation of the requirements of the legislation of the Russian Federation in the field of personal data processing of personal data subjects;
- discloses the main categories of personal data processed by the Operator, the purposes, methods and principles of personal data processing, the rights and obligations of the Operator in the processing of personal data, the rights of personal data subjects, as well as a list of measures applied by the Operator to ensure the security of personal data during their processing;
- serves as the basis for the development of local regulations governing the processing of personal data of employees, customers and counterparties of LLC "Mortgagecenter", as well as other subjects of personal data in LLC "Mortgagecenter".
1.3. Basic concepts
- personal data - any information related directly or indirectly to a specific or identifiable individual (subject of personal data);
- personal data operator (operator) - Limited Liability Company "Mortgagecenter" independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
- personal data processing - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use. The processing of personal data includes, inter alia:
~ Collection
~ Recording
~ Systematization
~ Accumulation
~ Storage
~ Clarification(update, change)
~ Extraction
~ Usage
~ Transmission (distribution, provision, access)
~ Depersonalization
~ Blocking
~ Deleting
~ Destruction
~ Automated processing of personal data - processing of personal data using computer technology
dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons
~ Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons
~ Blocking of personal data - temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data)
~ Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed
~ Depersonalization of personal data - actions as a result of which it becomes impossible to determine the identity of personal data to a specific personal data subject without using additional information
~ Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
~ Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity
2. PURPOSES OF PERSONAL DATA COLLECTION
Personal data is processed by the Operator for the following purposes:
2.1 Implementation and fulfillment of the functions, powers and duties assigned to the Operator by the legislation of the Russian Federation, in particular:
- compliance with the requirements of legislation in the field of labor and taxation; maintenance of current accounting and tax accounting, formation, production and timely submission of accounting, tax and statistical reports;
to carry out the functions, powers and duties assigned by the legislation of the Russian Federation to the Operator, including the provision of personal data to public authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as other government agencies
2.2 Recruitment of applicants for vacant Operator positions
2.3 Formation of a personnel reserve of specialists in maritime professions within the scope of the Operator's activity as an employment agency.
2.4 Employment of maritime professionals on ships of shipping and fleet management companies
2.5. Preparation, conclusion and execution of civil contracts
3. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
The legal basis for the processing of personal data is:
The Labor Code of the Russian Federation;
The Tax Code of the Russian Federation;
Federal Law No. 27-FZ dated 04/01/1996 'On Individual (Personalized) Accounting in the Compulsory Pension Insurance System';
Federal Law No. 167-FZ dated 12/15/2001 'On Compulsory Pension Insurance';
Federal Law No. 125-FZ of 07/24/1998 'On Compulsory Social Insurance against Industrial Accidents and occupational diseases';
Federal Law No. 400-FZ of 12/28/2013 'On Insurance Pensions';
Federal Law No. 165-FZ of 07/16/1999 'On the basics of compulsory social insurance';
Federal Law No. 255-FZ of 12/29/2006 'On Compulsory social insurance in case of temporary disability and in connection with maternity';
Federal Law No. 402-FZ dated 06.12.2011 'About accounting';
Federal Law No. 63-FZ dated 04/06/2011 'On Electronic Signature';
Federal Law No. 323-FZ of 11/21/2011 'On the basics of public health protection in the Russian Federation';
Federal Law No. 54-FZ of 05/22/2003 'On the use of cash register equipment in making payments in the Russian Federation';
Federal Law No. 53-FZ of 03/28/1998 'About military duty and military service';
Federal Law No. 31-FZ of 02/26/1997 'On Mobilization Training and Mobilization in the Russian Federation';
The regulation on military registration, approved by the Decree of the Government of the Russian Federation dated 11/27/2006 No. 719;
Other federal laws and regulations;
Contracts concluded between the operator and the PD subject;
Consent of the personal data subject to the processing of his personal data.
4. THE COMPOSITION OF THE PROCESSED PERSONAL DATA AND THE METHODS OF PROCESSING.
4.1. PD of the following PD subjects are subject to processing by the Operator:
- employees of the operator, former employees, as well as relatives of employees;
- candidates for vacant Operator positions.
- specialists in maritime professions (applicants, within the framework of the Operator's activities as an employment agency), as well as their relatives;
- contractors of the operator and representatives of contractors (legal entities and individuals).
4.2. The composition of the PD of each of the categories of subjects listed in clause 4.1. of this Regulation is determined in accordance with regulatory documents and local acts of the Operator.
4.3. The subject of personal data decides to provide his personal data to the Operator and agrees to their processing freely, of his own free will and in his own interest.
4.4. When processing PD, the Operator will perform the following actions with PD: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access - including cross-border), depersonalization, blocking, deletion, destruction of personal data.
4.5. The Operator processes the following personal data:
- Last name, first name, patronymic;
- Date of birth;
- Place of birth;
- Profession;
- Position;
- Address of the place of residence;
- Registration address
- Contact phone numbers;
- E-mail;
- Marital status;
- Gender;
- Type, series and number of the Civil Passport and the issuing authority;
- Tourist passport (foreign passport);
- Availability and validity period of the Schengen visa;
- Seafarer's identity card;
- Navigation book;
- Qualification documents and certificates;
- Work record and work experience;
- Work experience;
- A copy of the diploma of education;
- INN;
- SNILS
- A document on military registration;
- State of health;
- The conclusion of the medical commission;
- Vaccination certificates;
- Bank details;
- Marine qualification documents and certificates;
- Periods and work experience on ships;
- Data on the availability of a Schengen visa and/or other visas and their validity periods.
4.6. The operator ensures that the content and volume of processed PD correspond to the declared processing goals and, if necessary, takes measures to eliminate their redundancy in relation to the declared processing goals.
4.7. The Operator does not process special categories of personal data related to race, political views, religious or philosophical beliefs, or intimate life.
4.8. The Operator does not process biometric personal data.
4.9. The processing of personal data by the Operator is carried out in the following ways:
- non-automated processing of personal data;
- automated processing of personal data;
- mixed processing of personal data.
4.10. PD processing takes place with and without transmission of the received information over information and telecommunication networks.
4.11. The Operator may make a cross-border transfer of PD in order to:
- organization of business trips.
- employment and job search on ships of foreign shipping and fleet management companies (for specialists in maritime professions).
5. ENSURING THE PROTECTION OF PERSONAL DATA DURING THEIR PROCESSING BY THE OPERATOR, THE RIGHTS AND OBLIGATIONS OF THE OPERATOR.
5.1. The Operator shall take measures necessary and sufficient to ensure the fulfillment of obligations provided for by Federal Law No. 152-FZ of July 27, 2006 'On Personal data' and regulatory legal acts adopted in accordance with it.
5.2. The Operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations provided for by Federal Law No. 152 of July 27, 2006 'On Personal Data', Government Decree No. 687 of September 15, 2008 'On Approval of the Regulation on the Specifics of Personal Data Processing carried out without the Use of Automation Tools', Government Decree dated November 01, 2012 No. 1119 'On Approval of requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems', FSTEC Order No. 21 dated February 18, 2013 'On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during their Processing in Personal Data Information Systems' and other regulatory legal acts, unless otherwise provided by federal laws. Such measures include:
- appointment by the Operator of the person responsible for the organization of personal data processing;
- the issuance by the Operator of local acts on the processing of personal data, defining the Operator's policy regarding the processing of personal data, as well as establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
- application of legal, organizational and technical measures to ensure the security of personal data;
- implementation of internal control and (or) audit of compliance of personal data processing with Federal Law No. 152 dated July 27, 2006 'On Personal Data' and regulatory legal acts adopted in accordance with it, other legal requirements for personal data protection, Operator's policy regarding personal data processing, other local acts of the Operator;
- determination of the assessment of harm that may be caused to personal data subjects in case of violation of the Federal Law On Personal Data, the ratio of this harm and the measures taken by the operator aimed at ensuring the fulfillment of obligations provided for by the Federal Law On Personal Data;
- familiarization of the Operator's employees directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, local acts on the processing of personal data, and (or) training of these employees.
5.3. When processing personal data, the Operator takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions with respect to personal data.
5.4. The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person.
6. DEADLINES FOR PROCESSING PD.
6.1. Terms of PD processing The processing of PD by the Operator, including their storage, is carried out within the time limits established by current legislation, as well as local regulations.
7. EXERCISING THE RIGHT TO ACCESS PERSONAL DATA
7.1. The subject of personal data has the right to receive information concerning the processing of his personal data, including information containing:
- confirmation of the fact of personal data processing by the Operator;
- legal grounds and purposes of personal data processing;
- the purposes and methods of processing personal data used by the Operator;
- the name and location of the Operator, information about persons (except for employees of the operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
- processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
- terms of processing of personal data, including the terms of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law On Personal Data;
- information about the implemented or proposed cross-border data transfer;
- the name or full name and address of the person who processes personal data on behalf of the Operator, if processing is or will be entrusted to such a person.
7.2. The PD subject has the right to require the Operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.
7.3. The operator is obliged to provide, free of charge, the subject of personal data or his representative with the opportunity to familiarize himself with personal data related to this subject of personal data. Within a period not exceeding seven working days from the date of submission by the personal data subject or his representative of information confirming that the personal data is incomplete, inaccurate or irrelevant, the operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the personal data subject or his representative of information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing, the operator is obliged to destroy such personal data. The operator is obliged to notify the personal data subject or his representative of the changes made and the measures taken and to take reasonable measures to notify third parties to whom the personal data of this subject has been transferred.
7.4. Information is provided to the personal data subject or his representative by the Operator when contacting or receiving a request from the personal data subject or his representative. The request must contain the number of the main document certifying the identity of the personal data subject or his representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information, otherwise confirming the processing of personal data by the Operator, the signature of the personal data subject or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
7.5. The Operator has the right to refuse a repeated request to the subject of personal data. Such a refusal must be motivated. The obligation to provide evidence of the validity of the refusal to fulfill a repeated request lies with the Operator.
7.6. If the personal data subject believes that the operator is processing his personal data in violation of the requirements of the Federal Law or otherwise violates his rights and freedoms, the personal data subject has the right to appeal the actions or omissions of the operator to the body authorized to protect the rights of personal data subjects, or in court.
7.7. The right of a personal data subject to access his/her personal data may be restricted in accordance with federal laws.
8. CROSS-BORDER TRANSFER OF PERSONAL DATA
8.1. The Operator is obliged to ensure that the foreign state to whose territory the transfer of personal data is supposed to be carried out ensures adequate protection of the rights of personal data subjects before such transfer begins.
8.2. Cross-border transfer of personal data on the territory of foreign states that do not adequately protect the rights of personal data subjects may be carried out in the following cases:
- the consent of the personal data subject to the transfer of his personal data;
- execution of the contract to which the subject of personal data is a party.