Appendix No. 1 to Order No. 01 — PD dated December 1, 2020 

GRANATUM LLC POLICY REGARDING THE PROCESSING OF PERSONAL DATA 

Version 1.0 dated December 1, 2020 

Saratov region, 2020

Terms and definitions 

Automated processing of personal data is processing of personal data with the help of computer equipment. 

Blocking of personal data is temporary termination of processing of personal data (except in cases where processing is necessary to specify personal data). 

Personal data information system is a set of personal data contained in databases and information technologies and technical means ensuring their processing. 

Depersonalization of personal data is actions which result in impossibility to determine the affiliation of personal data to a specific subject of personal data without using additional information. 

Personal data processing is any action (transaction) or a set of actions (transactions) performed with personal data both using automation means, and without the use of such means, including collection, recording, systematization, accumulation, storage, specification (update, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data. 

The Operator is a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and/or processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (transactions) performed with personal data. 

Personal data is any information directly or indirectly related to a specific or determined natural person (personal data subject). 

Provision of personal data is actions aimed at disclosure of personal data to a certain person or a certain circle of persons. 

Distribution of personal data is actions aimed at disclosure of personal data to an indefinite circle of persons (transfer of personal data), familiarization of an indefinite circle of persons with personal data, including the publication of personal data in the mass media, placement in information and telecommunication networks or providing access to personal data in any other way. 

Destruction of personal data is actions which result in impossibility to restore the content of personal data in the personal data information system and/or destruction of the material carriers of personal data.

  1. GENERAL PROVISIONS 

This document defines the policy of GRANATUM LLC (hereinafter referred to as the Operator) in relation to the processing of personal data and discloses information on the implemented measures to ensure security of personal data processed by the Operator in order to protect the rights and freedoms of a person and a citizen during processing of their personal data, including protection of the rights to privacy, personal and family confidentiality. 

This document, Granatum LLC’s “Policy regarding the processing of personal data” (hereinafter referred to as the Policy), is drafted in accordance with the Constitution of the Russian Federation, Federal Law No. 160-FZ “On the ratification of the Council of Europe Convention on the protection of individuals with regard to automatic processing of personal data”, the Labour Code of the Russian Federation No. 197-FZ, Federal Law No. 152-FZ “On Personal Data” (hereinafter referred to as FZ-152), other federal laws and bylaws of the Russian Federation defining cases and peculiarities of personal data processing and ensuring the security and confidentiality of such information. 

The provisions of this Policy shall be mandatory for execution by all employees of the Operator who process personal data, including those working in branches and standalone Operator’s divisions. 

The provisions of this Policy are the basis for the organization of work on the personal data processing by the Operator, including for the development of internal regulatory documents regulating the processing and protection of personal data by the Operator. 

In the event that certain provisions of this Policy are in conflict with the current legislation on personal data, the provisions of the current legislation shall prevail.

Requests of personal data subjects regarding the processing of their personal data by the Operator are accepted at the address: 410012, Saratov region, Saratov city, V.G. Rakhov street, 61/71 litera 1, room 3. 

Personal data subjects can also send their request signed by an enhanced qualified electronic signature to the e-mail address info@granatum.solutions. 

The term of consideration of applications shall not exceed 30 (thirty) days from the date of appeal. 

This Policy is a document to which unrestricted access is ensured. To ensure unrestricted access, the Policy, in particular, is published on the official websites of the Operator at: granatum.solutions; next.granatum.solutions. 

  2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING 

2.1. Principles of personal data processing 

Personal data processing by the Operator shall be based on the following principles:

– legality and fairness; 

– limiting the processing of personal data to the achievement of specific, predetermined and legitimate goals; 

– preventing the processing of personal data incompatible with the purposes of collecting personal data; 

– preventing the integration of databases containing personal data, which are processed for purposes incompatible with each other; 

– processing only those personal data that meet the purposes of their processing;

– compliance with the content and volume of processed personal data to the stated purposes of processing; 

– preventing the processing of personal data redundant in relation to the stated purposes of their processing; 

– ensuring the accuracy, sufficiency and update of personal data in relation to the purposes of personal data processing; 

– destruction or depersonalization of personal data upon achievement of the purposes of their processing or in case of loss of need to achieve these purposes, if the Operator fails to eliminate the violations on personal data, unless otherwise provided by federal law. 

2.2. Terms of personal data processing 

The Operator processes personal data in the presence of at least one of the following conditions: 

– processing of personal data is carried out with the consent of the personal data subject to the processing of their personal data; 

– processing of personal data is necessary in order to achieve the objectives provided for by the international agreement of the Russian Federation or law for the implementation and fulfillment of the functions, powers and duties imposed by the legislation of the Russian Federation on the Operator; 

– processing of personal data is necessary for the implementation of justice, execution of a court act, an act of another body or official, to be executed in accordance with the legislation of the Russian Federation on enforcement proceedings; 

– processing of personal data is necessary for execution of a contract to which the personal data subject is a party as a beneficiary or a guarantor, as well as for conclusion of a contract on the initiative of the personal data subject or a contract according to which the personal data subject will be a beneficiary or a guarantor; 

– processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant purposes provided that the rights and freedoms of the personal data subject are not violated; 

– the processing of personal data, access to which has been provided by the subject or at their request for an indefinite circle of persons (hereinafter referred to as publicly available personal data); 

– processing of personal data subject to publication or mandatory disclosure in accordance with federal law. 

2.3. Confidentiality of personal data 

The Operator and other persons who have access to personal data shall not disclose to third parties and shall not distribute personal data without the consent of the personal data subject unless otherwise provided by federal law. 

2.4. Public sources of personal data 

For the purposes of information support, the Operator may create publicly available sources of personal data on personal data subjects, including directories and address books. With the written consent of the personal data subject, public sources of personal data may include their surname, first name, patronymic, date and place of birth, position, contact phone numbers, e-mail address and other personal data reported by the personal data subject.

Information about the personal data subject shall at any time be excluded from publicly available sources of personal data at the request of the personal data subject, the authorized body for the protection of the rights of personal data subjects or by court decision. 

2.5. Special categories of personal data 

The Operator may process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health, intimate life, in cases where:

– the personal data subject has given their written consent to the processing of their personal data; 

– the personal data subject has made their personal data publicly available;

– processing of personal data shall be carried out in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions: state pension provision, on labor pensions; 

– processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject or the life, health or other vital interests of others and it is impossible to obtain the consent of the personal data subject; 

– processing of personal data is carried out for healthcare and prevention purposes, in order to establish a medical diagnosis, provide healthcare and social services given that the processing of personal data is carried out by a person professionally engaged in healthcare activity and is obliged to keep health-related information confidential in accordance with the legislation of the Russian Federation; 

– processing of personal data is necessary for establishing or exercising the rights of the personal data subject or third parties, as well as in connection with the implementation of justice; 

– processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, and in accordance with insurance legislation.

Processing of special categories of personal data, carried out in the cases provided for in paragraph 4 of Art. 10 FZ-152, must be immediately terminated if the reasons for which the data was processed have been eliminated unless otherwise established by federal laws.

Processing of personal data on criminal records may be carried out by the Operator only in cases and in the manner determined in accordance with federal laws. 

2.6. Biometric personal data 

Information that characterizes the physiological and biological characteristics of an individual, on the basis of which it is possible to establish his/her identity — biometric personal data — can only be processed by the Operator with the written consent of the personal data subject. 

2.7. Entrusting processing of personal data to another person 

The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of the contract concluded with that person. The person who processes personal data on behalf of the Operator shall comply with the principles and rules of personal data processing provided for by FZ-152 and this Policy.

2.8. Personal data processing of citizens of the Russian Federation 

The Operator provides collection, recording, systematization, accumulation, storage, specification (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 part 1 of Art. 6 FZ-152. 

  3. RIGHTS AND OBLIGATIONS 

As part of processing personal data, the following rights are defined for the Operator and personal data subjects. 

The personal data subject has the right to: 

– receive information concerning processing of their personal data in the manner, form and terms established by the legislation on personal data; 

– require specification of their personal data, their blocking or destruction in the event that personal data is incomplete, obsolete, unreliable, illegally obtained, are not necessary for the stated purpose of processing or used for purposes not previously stated when the personal data subject granted their consent to the processing of personal data; 

– take measures provided for by law to protect their rights; 

– withdraw their consent to the processing of personal data; 

– other rights provided by the legislation on personal data. 

The Operator has the right to: 

– process personal data of the personal data subject in accordance with the stated purpose;

– require from the personal data subject to provide reliable personal data necessary for the execution of a contract, identification of the personal data subject, and in other cases, provided by the legislation on personal data; 

– limit the access of the personal data subject to his/her personal data in the event that the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties, as well as in other cases provided for by the legislation of the Russian Federation; 

– process publicly available personal data of individuals; 

– process personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation; 

– entrust processing of personal data to another person with the consent of the personal data subject; 

– other rights provided by the legislation on personal data. 

  4. ENSURING FULFILLMENT OF THE OPERATOR’S RESPONSIBILITIES AND MEASURES TO PROTECT PERSONAL DATA 

The security of personal data processed by the Operator is ensured by the implementation of legal, organizational and technical measures necessary to ensure the requirements of federal legislation in the sphere of personal data protection.

To prevent unauthorized access to personal data, the Operator shall apply the following organizational and technical measures: 

– appointment of a person responsible for organization of processing of personal data;

– appointment of persons responsible for ensuring measures to protect personal data and exclude unauthorized access to them; 

– appointment of a person responsible for ensuring the security of personal data in information systems; 

– limiting the number of persons admitted to the processing of personal data;

– familiarization of subjects with the requirements of federal legislation and regulatory documents of the Operator for the processing and protection of personal data;

– organization of accounting, storage and circulation of media containing information with personal data; 

– identification of threats to the security of personal data during their processing, building threat models based on them; 

– development of personal data protection system based on the threat model;

– verification of readiness and effectiveness of the use of information security tools;

– isolation of users’ access to information resources and software-hardware tools for information processing; 

– registration and track record of actions of users of personal data information systems;

– use of antivirus software and means of restoring the personal data protection system;

– use of firewall, intrusion detection, security analysis and cryptographic information protection tools, where necessary; 

– organization of access control to the territory of the Operator, protection of the premises with technical means of processing personal data. 

  5. FINAL PROVISIONS 

Other rights and obligations of the Operator in connection with the processing of personal data are determined by the legislation of the Russian Federation in the sphere of personal data. Employees of the Operator guilty of violating the rules governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal laws.