Personal Data Processing Policy
LLC PLP Polifas, 199178, St. Petersburg, 5th line V. O., 70A, room 11N, office 34
1. GENERAL PROVISIONS
This Personal Data Processing Policy (hereinafter referred to as the “Policy”) has been developed in accordance with the Federal Law No. 152 FZ ‘On Personal Data’ of 27.07.2006 (hereinafter referred to as “FZ No.152”).
This Policy describes the procedure for personal data processing and measures to ensure the security of personal data on the website belonging to PLP Polifas (hereinafter referred to as the “Operator”) to protect the rights of a person when processing his personal data. This includes the protection of the rights to privacy, personal and family secrets.
The Policy’s basic concepts:
automated processing of personal data – processing of personal data carried out by computers;
blocking of personal data – temporary termination of personal data processing (except in cases where the rectification of personal data is obligatory);
personal data information system – a set of personal data contained in databases, that uses information technologies and technical means to ensure personal data processing;
depersonalization of personal data – this step results in the impossibility to determine the owner of personal data without using additional methods;
personal data processing – any action or set of actions carried out either by automation tools or without them. This includes collection, recording, systematization, accumulation, storage, rectification (update, change), extraction, use, transfer (distribution, provision, and access), depersonalization, blocking, deletion, and destruction of personal data;
operator – a state body, a municipal body, a legal entity or an individual who independently or jointly with other persons organize and (or) carry out the processing of personal data, as well as determine the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
personal data – any information related directly or indirectly to a specific or identifiable individual (owner of personal data);
provision of personal data – actions aimed at disclosing personal data to a certain person or a certain number of persons;
distribution of personal data – actions aimed at disclosure of personal data to an indefinite number of persons (transfer of personal data) or at familiarization with personal data of an unlimited number of persons, including publication of personal data in the mass media, in information and telecommunications networks or providing access to personal data in any other way;
cross-border transfer of personal data – is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.
destruction of personal data – actions aimed to the impossibility to restore the content of personal data in the personal data information system and (or) as a result of which the physical carriers of personal data are destroyed;
The Company is obliged to publish or otherwise provide unrestricted access to this Personal Data Processing Policy in accordance with Part 2 of Article 18.1. FZ No.152. 5
2. PERSONAL DATA PROCESSING RULES AND CONDITIONS
2.1 Rules of personal data processing
The processing of personal data by the Operator is regulated by the following principles:
• rule of law and order;
• limitations of the processing of personal data by the achievement of specific, predetermined, and legitimate purposes;
• preventing the processing of personal data incompatible to collect personal data;
• avoid combining databases containing personal data, processing of which is carried out for purposes that are incompatible with each other;
• process only those personal data that meet the objectives of their processing;
• compliance of the content and volume of processed personal data with the stated processing purposes;
• preventing the processing of personal data that is redundant concerning the stated purposes of their processing;
• ensure accuracy, adequacy, and relevance of personal data concerning the stated purposes of their processing;
• destruction or depersonalization of personal data after reaching the goals of their processing or in case of loss of the need to achieve these goals, if it is impossible for the Operator to eliminate the violations of personal data, unless otherwise provided by federal law.
2.2 Conditions of personal data processing
The operator processes personal data in compliance with at least one of the following conditions:
• personal data shall be processed only with the consent of its owner;
• personal data processing is necessary to realize an objective stipulated by the international treaty of the Russian Federation or by any other federal law, and for implementation of the functions, powers, and duties assigned by the legislation of the Russian Federation to the operator;
• personal data processing is necessary for the administration of justice, execution of judicial or other acts (made by other institutions or officials) that are enforceable following the legislation of the Russian Federation on enforcement proceedings;
• the processing of personal data is necessary for the execution of an agreement to which the owner of personal data is a party or a beneficiary or guarantor, as well as for agreeing on the initiative of the owner of personal data or an agreement under which the owner of personal data will be the beneficiary or guarantor;
• processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially significant goals, provided that this does not violate the rights of the owner of personal data;
• personal data that is being processed is available to an unlimited number of persons who have been granted access or who have been asked by the owner of personal data (hereinafter — publicly available personal data);
• processing of personal data subject to publication or mandatory disclosure under federal law.
The operator and other persons who have obtained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data owner unless otherwise provided by federal law.
2.4 Publicly available sources of personal data
To provide information, the Operator may create publicly available sources of the owner’s personal data, including directories and address books. The publicly available sources of personal data may include, with the written consent of the owner, his last name, first name, patronymic, date and place of birth, contact phone numbers, email address, and other personal data provided by him.
Information about the personal data owner must be excluded from publicly available sources at any time at the request of the owner or by a court or other authorized state bodies.
2.5 Special categories of personal data
The processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is allowed in cases where:
• the data owner has consented in writing to the processing of his data;
• the personal data was made public by the data owner;
• processing of personal data is necessary to protect the life, health, or other vital interests of the data owner or the life, health or other vital interests of others when it is impossible to obtain the consent;
• the processing of personal data needed to establish or exercise the rights of data owners or third parties, as well as in connection with the administration of justice.
The processing of special categories of personal data should be immediately terminated if the reasons due to which they were processed are eliminated unless otherwise provided by federal law.
The processing of personal data on criminal records can be carried out by the Operator only in cases and in the manner that is determined under federal laws.
2.6 Personal data processing by another person
The operator has the right to entrust the processing of personal data to another person with the consent of the personal data owner, unless otherwise provided by federal law, based on a contract concluded with this person. A person who processes personal data on behalf of the Operator is obliged to comply with the regulations and rules for processing personal data provided for in FZ No.152.
3. RIGHTS OF THE PERSONAL DATA OWNER
3.1 Consent of the personal data owner to his personal data processing
The owner of personal data decides on the provision of his data and agrees to their processing freely, of his own free will, and in his interest. Consent to the processing of personal data can be given by the owner of personal data or his representative in any form that allows confirming the fact of its receipt unless otherwise provided by federal law.
The obligation to provide proof of obtaining the consent of the subject of personal data to the processing of his data or proof of the existence of the purposes specified in FZ No.152 rests with the Operator.
3.2 Rights of the personal data owner
The owner of personal data has the right to receive information from the Operator regarding the processing of his data if such a right is not limited under federal laws. The subject of personal data has the right to demand that the Operator clarify his data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as take measures provided for by law to protect their rights.
The processing of personal data to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means, as well as for political campaigning, is allowed only with the prior consent of the owner of personal data. The specified processing of personal data is recognized as carried out without the prior consent of the owner of personal data unless the Company proves that such consent has been obtained.
The operator is obliged to immediately stop, at the request of the owner of personal data, the processing of his data for the above purposes.
It is prohibited to make decisions based on solely automated processing of personal data that give rise to legal consequences about the owner of personal data or otherwise affect his rights and legitimate interests, except for cases provided for by federal laws, or with the consent in writing of the owner of personal data.
If the owner of personal data believes that the Operator is processing his data in violation of the requirements of FZ No.152 or otherwise violates his rights, the subject of personal data has the right to appeal against the actions or inaction of the Operator to the Authorized body for the protection of the rights of the owner of personal data or in court.
The owner of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for non-pecuniary damage in court.
4. SECURITY OF PERSONAL DATA
The security of personal data processed by the Operator is ensured by the implementation of legal, organizational, and technical measures necessary to meet the requirements of federal legislation on personal data protection.
To prevent unauthorized access to personal data, the Operator applies the following managerial and technical measures:
• limiting the number of persons with access to personal data;
• familiarizing subjects with the requirements of the Operator’s regulatory documents on the processing and protection of personal data;
• organizing accounting, storage, and circulation of information carriers; •
ensuring the protection of personal data;
• delimiting user access to information resources and software and hardware for information processing;
• registration and accounting of actions of users of information systems of personal data.
Other rights and obligations of the Operator as an operator of personal data are determined by the legislation of the Russian Federation on personal data.
Operator’s officials guilty of violating the rules governing the processing and protection of personal data carry material, disciplinary, administrative, civil, or criminal liability in the manner prescribed by federal laws.