Personal Data Processing Policy
1. General provisions
1.1. Personal Data Policy (hereinafter - the PD Policy) of Kodep LLC (hereinafter the Operator), personal tax reference number 1326209842, located at: 430005, the Russian Federation, the Republic of Mordovia, Saransk, was developed in accordance with the Constitution of the Russian Federation, the Russian federation labour code, the Civil Code of the Russian Federation, the Federal Law of 27.07.2006 №149-FZ "On Information, Information Technologies and the Protection of Information", the Federal Law of 27.07.2006. №152-FZ "On Personal Data", The Regulation No. 1119 of November 1, 2012, of the Government of the Russian Federation “On Approval of the Requirements to Personal Data Protection in the course of Its Processing in Personal Data Information Systems” and other federal laws and regulations.”
1.2. The policy was developed to meet the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal instruments of the Russian Federation in the sphere of personal data;
1.3. The policy of PD processing is designed to protect the rights and liberties of the subject of personal data when processing his/her personal data (hereinafter - PD).
1.4. The Policy forms the basis for the development of local regulations governing the processing of personal data of employees of Kodep LLC and other subjects of personal data in Kodep LLC .
2. Purposes of personal data processing
The Operator performs personal data processing for the following purposes:
1) implementation and enforcement of functions, powers and duties assigned to the Operator by the legislation of the Russian Federation, in particular:
- compliance with the requirements of legislation in the sphere of labor and taxation;
- maintenance of current accounting and taxation, preparation, processing and timely supply of accounting, tax and statistical reports;
- compliance with the requirements of legislation to determine the procedure for processing and protecting PD of citizens who are customers or counterparties of Kodep LLC (hereinafter referred to as subjects of personal data).
2) exercitation of rights and legitimate interests of Kodep LLC for the purpose of implementation of the activities provided by the Charter, other local regulatory acts of Kodep LLC and third parties or the achievement of socially significant goals;
3) other legitimate purposes.
3. Legal basis for processing personal data
PD processing is carried out on the basis of the following federal laws and regulations:
1. the Constitution of the Russian Federation;
2. the Russian federation labour code;
3. the Federal Law of 27.07.2006. №152-FZ "On Personal Data";
4. the Federal Law of 27.07.2006 №149-FZ "On Information, Information Technologies and the Protection of Information".
5. Order of the Government of the Russian Federation of September 15, 2008 No. 687 "About approval of the Regulations on features of the personal data processing performed without use of the automation equipment"
6. The Regulation No. 1119 of November 1, 2012, of the Government of the Russian Federation “On Approval of the Requirements to Personal Data Protection in the course of Its Processing in Personal Data Information Systems”
7. Order of FSTEC of Russia No. 55, Federal Security Service of Russia No. 86, Ministry of Information and Communications of Russia No. 20 dated February 13, 2008 “On Approval of the Procedure for the Classification of Information Systems for Personal Data”;
8. Order FSTEC of Russia of February 18, 2013 No. 21 "On the approval of the composition and content of organizational and technical measures to ensure the safety of personal data when processing them in information systems of personal data";
9. Order of Roskomnadzor from September 5, 2013 No. 996 “On approval of requirements and methods for the depersonalization of personal data”;
10. Order of the Federal Tax Service of November 17, 2010 No MMV-7-3/611 "On Approval of the information on the income of individuals and recommendations for its completion, the format of data on incomes of individuals in electronic form, manuals.
11. Other normative legal acts of the Russian Federation and regulations of the authorized bodies of the state power.
4. A list of actions with personal data
In the treatment of PD Operator performs the following actions to PD: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
5. The composition of the processed personal data
5.1. The Operator performs processing of PD of the following PD subjects:
- Operator’s staff;
- Operator’s customers;
- Operator’s counterparties;
- Individuals addressed to the Operator in accordance with the Federal Law “On the Order of consideration of applications of citizens of the Russian Federation”.
5.2. The composition of PD of each category of subjects listed in Sec. 5.1 hereof defined by normative documents listed in Sec. 3 hereof as well as regulatory documents of the Company issued to ensure their execution.
5.3. In cases, stipulated by the current legislation, the personal data subject decides to provide his\her PD to the Operator and freely gives his/her consent to its processing, by his/her own will and in his/her interest.
5.4. The operator ensures that the content and the volume of the processed PD are in accordance with the stated purposes of processing and, if necessary, takes measures to eliminate their redundancy in relation to the stated purposes of processing.
5.5. Kodep LLC doesn’t carry out the processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs and intimate life.
6. Personal data processing
6.1. Kodep LLC performs the personal data processing in the following ways:
- non-automated processing of personal data;
- automated processing of personal data with or without received information transmission via information and telecommunication networks;
- mixed personal data processing.
7. Ensuring the protection of personal data when they are processed by the Operator.
7.1. The operator shall take measures that are necessary and sufficient to ensure the fulfillment of the duties stipulated by the Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and regulatory legal acts adopted in accordance with it. The operator independently determines the composition and the list of measures that are necessary and sufficient to ensure the fulfillment of duties stipulated by the Federal Law No. 152 "On Personal Data" of July 27, 2006, Government Resolution No. 687 of September 15, 2008 "On Approval of the Statute on Special Aspects of Personal Data Processing Without the Use of Automation Technology" Government Decree No. 1119 of November 1, 2012 “On Approval of the Requirements to Personal Data Protection in the course of Its Processing in Personal Data Information Systems” Order No. 21 of February 18, 2013 "On the approval of the composition and content of organizational and technical measures to ensure the safety of personal data when processing them in information systems of personal data" and other normative legal acts, unless otherwise provided by federal laws. These measures include:
- the Operator designates the person responsible for organizing the processing of personal data;
- the Operator issues documents defining the operator's policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed to prevent and detect violations of the legislation of the Russian Federation and to eliminate the consequences of such violations;
- implementation of legal, organizational and technical measures to ensure the safety of personal data;
- implementation of internal control and (or) audit of compliance of personal data processing with the Federal Law "On Personal Data" and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, the Operator's policy regarding the processing of personal data, local acts of the Operator;
- definition of assessment of harm that may be caused to personal data subjects in case of violation of the Federal Law "On Personal Data", the ratio of this harm to measures taken by the operator aimed to ensure the fulfillment of obligations stipulated by the Federal Law "On Personal Data";
- familiarization of the Operator's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the Operator's policy regarding personal data processing, local acts on personal data processing, and training of these employees.
7.2. While processing personal data, the Operator takes all the necessary legal, organizational and technical measures or ensures their assumption to protect personal data from illegal or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions regarding personal data.
8. The right of the subject of personal data to access his/her personal data
8.1. The PD subject has the right to demand from the Operator the specification of his personal data, their blocking or destruction in case personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, and also take measures provided by law to protect their rights.
8.2. The information is provided by the operator to the subject of personal data or his representative after the application or at the request of the subject of personal data or his representative. The request must contain the number of the main document certifying the identity of the personal data subject or its representative, information on the date of issue of the specified document and the issuing body, information confirming the engagement of the personal data subject in relations with the Operator (contract number, contract date, convectional verbal labels and (or) other information), or other information confirming the fact of processing of personal data by the Operator, the signature of the subject of personal data or his representative. The request can be sent in the form of an electronic document and signed by an electronic signature in accordance with the legislation of the Russian Federation
8.3. The operator has the right to refuse the subject of personal data in making a renewed request. Such refusal should be motivated. The Operator should provide evidence of the reasonableness of refusal to perform a renewed request.
8.4. The subject of personal data has the right to receive information concerning the processing of his personal data, including:
- confirmation of personal data processing by the Operator;
- legal grounds and objectives for personal data processing;
- purposes and methods of personal data processing used by the Operator;
- the name and location of the Operator, information about people (except for the operator's employees) who have access to personal data or who personal data can be disclosed to on the basis of a contract with the operator or on the basis of a federal law;
- processed personal data relating to the personal data subject, their source, if another procedure for the collection of such data is not provided for by federal law;
- the terms of personal data processing, including the terms of their storage;
- the order of exercising the rights granted to subject of personal data provided by the Federal Law "On Personal Data";
- information on the completed or expected transboundary data transfer;
- name, surname, patronymic name and address of the person carrying out the processing of personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person.
8.5. If the subject of personal data believes that the processing his personal data by the Operator involves violation of the requirements of the Federal Law "On Personal Data" or violates his rights and freedoms, the subject of personal data has the right to to challenge acts and omissions of the Operator to the body authorized to protect the rights of the subjects of personal data, or in the courts.
8.6. The subject of personal data has the right to protect his/her rights and legitimate interests in the courts, including compensation for damages and (or) compensation for moral harm.
9.1. Cookies are small text files that are stored on a personal computer or mobile device while using various sites designed to assist in customizing the user interface according to the user's preferences.
9.3. Most browsers allow you to refuse receiving cookies and remove them from the hard disk of the device.
10 . Final provisions
10.1. This Policy is subject to change and addition, incl. cases of creation of a new legislation and special regulations for the processing and protection of personal data.
10.2. This Policy is an internal document of Kodep LLC, and is subject to posting on the official website of Kodep LLC. In the case of changes, the Policy, containing these changes is placed on the official website of Kodep LLC.