PERSONAL DATA PROCESSING PROVISION
Moscow, 2023
Content
Terms and abbreviations
- General Provisions
- The Regulation on the processing of personal data “BEAUTY GLOBAL” LIMITED LIABILITY COMPANY (hereinafter - the Regulation) was developed based on the requirements of the Federal Law of the Russian Federation of July 27, 2006 No. 152-Federal Law “Personal Data”.
- These Regulations determine the procedure for the processing of personal data of employees and customers, as well as the rights, duties and responsibilities of officials of “BEAUTY GLOBAL” LIMITED LIABILITY COMPANY (hereinafter the Company).
- The Regulation is an internal regulatory document governing the Company's activities in the field of PD processing. The requirements of the Regulation are mandatory for all employees of the Company who are allowed to work with PD.
- This Regulation has been developed in order to comply with the legislation in the field of personal data, preserve the inviolability of private, personal and family secrets, and protect personal data processed by the Company against unauthorized access and disclosure.
- This Regulation is subject to change or addition when new legislative acts and special regulatory documents on the processing of personal data appear, or when the processing of personal data in the Company changes significantly.
- All employees of the Company processing PD must be familiarized with this Regulation under the signature.
- These Regulations are approved and enforced by order of the General Director of the Company.
- Scope
- This Regulation is binding upon all employees of the Company with access to personal data processed at the Company.
- Normative references
- These Regulations are developed based on the following legislative acts of the Russian Federation and regulatory documents in the field of PD:
- Constitution of the Russian Federation.
- Federal Law of the Russian Federation of July 27, 2006 No. 152-Federal Law “Personal Data”.
- Federal Law of the Russian Federation of July 27, 2006 No. 149-Federal Law “Information, Information Technologies and Information Protection”.
- Labor Code of the Russian Federation.
- Decree of the President of the Russian Federation of March 6, 1997 No. 188 “Approving the List of Confidential Information”.
- Government Decree of November 1, 2012 N 1119 "Approval of the requirements for the protection of personal data during their processing in personal data information systems".
- Decree of the Government of the Russian Federation of September 15, 2008 N 687 "Approval of the Regulation on the features of the processing of personal data carried out without the use of automation".
- The concept of PD and the purpose of processing
- PD is any information relating to a specific person (subject of PD) defined or determined on the basis of such information, including his or her last name, first name, middle name, year, month, day and place of birth, address, marital, social and property status, education, profession, income and other information.
- The PD subjects whose personal data is processed by the Company are:
- Candidates for filling vacant positions in the Company;
- Company employees who entered into an employment contract with the Company;
- Clients of the Company (applicants) who have signed an agency agreement with the Company on the submission of documents necessary for obtaining visas for tourist and other trips to the Consulate of a foreign state. Clients may be individuals who are in a contractual relationship with the Company, or individuals who are representatives of legal entities that are in a contractual relationship with the Company;
- Counterparties (individuals, including individual entrepreneurs, individuals - representatives of legal entities that are counterparties, subcontracting organizations, other third parties engaged by contractors);
- Visitors.
- The purpose of processing PD of candidates for vacant positions is to consider the issue of hiring and signing an employment contract.
- The purposes of obtaining and processing PD of employees are maintaining personnel records, payroll, calculating tax and pension deductions, providing mandatory reporting to tax authorities and social insurance funds in accordance with the requirements of the legislation of the Russian Federation, organizing accounting of the Company's personnel, ensuring compliance with laws and other regulatory legal acts, assisting an employee in finding a job, training, promotion, receiving various types of benefits in accordance with the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws, in particular: “Individual (personified) training in the system of compulsory pension insurance”.
- The purpose of receiving and processing PD of clients is to fulfill the instructions of individuals based on the signed agency contract with the Company applying for an entry visa to foreign countries to transfer packages of documents and data of such persons to the Diplomatic missions of foreign states for obtaining visas by these persons.
- The purpose of processing PD of counterparties (individuals, including individual entrepreneurs, representatives of legal entities) is the organization and conduct of procurement of goods, works, services, the implementation of the procedure for selecting a counterparty, the conclusion and execution of civil contracts in accordance with the Civil Code of the Russian Federation, other regulatory legal acts and local regulatory acts of the Company.
- The purpose of processing visitors' PD is to comply with the access regime in order to ensure the safety of business meetings and negotiations on the territory of the Company.
- In determining the volume and content of the PD of subjects to be processed, the Company should be guided by the objectives of obtaining and processing PD.
- Resources containing PD of subjects are created by:
- copying of original documents containing PD (for example, passport, state pension insurance certificate);
- entering information into accounting paper forms (personal card in the form of T-2);
- entering information into the database;
- receiving the originals of the necessary documents (workbook, autobiography, profile form and application).
- The composition of the processed personal data of subjects is approved by the order of the Company “The implementation of the list of processed personal data, the list of personal data information systems and the list of officials authorized to work with personal data”.
- Rights and Obligations of the Company
- PD processing is carried out with the consent of the PD subject. The company is obliged to explain to the PD subject the consequences of refusing to provide their personal data.
- The consent of the subject of personal data to the processing of personal data is not required in cases provided for in paragraph 2 of Article 6 of the Federal Law “Personal Data”.
- The company ensures the confidentiality of personal data, except for cases of depersonalization and in relation to publicly available personal data.
- The company provides the subject free of charge with the opportunity to familiarize with his personal data at his request (written request), as well as information regarding the processing of his personal data.
- In case of withdrawal by the subject of consent to the processing of its personal data, the Company stops processing personal data and destroys the personal data within a period not exceeding thirty days from the date of receiving the request, unless otherwise provided by the agreement to which the beneficiary or guarantor is the subject.
- If inaccurate personal data or illegal actions with it are revealed following a request from the subject of personal data, the Company blocks the personal data from the moment of such request.
- In case of confirmation of the inaccuracy of the PD of the subject, the Company is obliged to clarify the PD within seven business days and remove its blocking.
- In case of unlawful actions with PD, the Company is obliged to eliminate the violations. If it is impossible to eliminate the violations, the Company is obliged to destroy the PD within a period not exceeding ten business days.
- The Company is obliged to notify the subject of the PD, as well as those persons to whom the PD of this subject were transferred, of the elimination of the committed violations or of the destruction of the personal data.
- In the event that the purpose of processing personal data is reached, the Company stops processing personal data and destroys personal data within a period not exceeding thirty days from the date the processing goal was achieved, unless otherwise provided by the contract to which the data subject is a party or federal laws.
- Rights of PD subjects
- PD subjects make a decision on the provision of their PD and consent to the processing of their own free will and in their interest, with the exception of cases provided for in paragraph 2 of Article 9 of the Federal Law "Personal Data".
- The PD subject may withdraw consent to the processing of PD.
- PD subjects have the right to receive information about the Company, its location, the availability of its PD, as well as to familiarize themselves with such PD.
- PD subjects have the right to receive information regarding the processing of their PD.
- PD subjects have the right to demand the exclusion or correction of incorrect or incomplete PD, as well as data processed in violation of the requirements of the law.
- PD subjects have the right to require the Company to notify all persons to whom incorrect or incomplete PD was previously informed of all exceptions, corrections or additions made to the specified information.
- PD subjects have the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for non-pecuniary damage in court. PD subjects have the right to appeal in court any illegal actions or inaction of the Company in the processing and protection of its PD.
- PD collection procedure
- PD is obtained from the PD subject or the subject's legal representative, who provides it.
- When collecting PD, the Company is obliged to provide the subject of PD at its request with information about:
- legal basis and purpose of processing PD;
- goals and methods of PD processing used by the Company;
- information about persons (with the exception of operator’s employees) who have access to personal data or to whom personal data can be disclosed on the basis of an agreement or on the basis of federal law;
- terms of PD processing, including periods of its storage;
- the procedure for the exercise by the subject of personal rights provided for by Federal Law No. 152;
- information on the possibilities of cross-border PD transfer.
- If PD can be obtained only from a third party, then the PD subject must be notified in advance and consent must be obtained from him, indicating: purpose, alleged sources and methods of receiving PD, as well as information about the nature of the PD to be received and the consequences of refusal to give written consent to receive PD.
- The company does not collect and does not process personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the personal data subject. In cases directly related to issues of labor relations, in accordance with Art. 24 of the Constitution of the Russian Federation, the Company has the right to receive and process data on the employee’s private life only with his or her written consent.
- The procedure for collecting candidates’ PD
- Processing candidates’ PD for filling vacant posts occurs only with the consent of the subject.
- If the candidate’s resume is received on public networks, an employee contacts the candidate to invite him or her for an interview. Otherwise, such a resume must be destroyed.
- The company does not keep PD of candidates who have not become employees; the company destroys PD of such candidates within a month.
- The procedure for collecting PD of Company employees
- When hiring, the employee provides the necessary documents for signing an employment contract and filling out a personal profile.
- The volume of PD provided by the employee is determined by the Labor Code of the Russian Federation.
- The employee gives written consent to the processing and transfer of their personal data when applying for a job.
- The personal profile of the employee is executed after signing of an employment contract with him or her and the issuance of an order for employment. All documents of a personal profile are filed in a cover of the established sample. It indicates the surname, name, middle name of the employee, the number of the personal profile. All documents received in a personal profile are arranged in chronological order. Sheets of documents filed in a personal profile are numbered. A personal profile is conducted throughout the entire labor activity of the employee. Changes made to the personal profile must be confirmed by relevant documents. A personal profile is deemed completed upon dismissal of the employee and is deposited in the archive.
- The procedure for collecting personal data of clients
- The Client provides the Company with personal data, the volume and nature of which corresponds to the purposes of receiving and processing personal data in the Company. The company begins processing the customer’s PD only after obtaining consent from a subject. Processing customer data not for the purpose of fulfilling the contract is prohibited.
- Procedure for collecting PD Counterparties
- Processing PD on the counterparty, its representative, founder, beneficiary (last name, first name, middle name of the counterparty or other person authorized to interact with the Company regarding the conclusion or execution of the contract or to sign the contract, founder, ultimate beneficiary, their place of residence, telephone, other personal data) is carried out without the consent of PD subjects.
- To execute a civil law contract, the counterparty (legal entity) can provide personal data of the organization’s employees (counterparty’s representatives) in order to draw up the Company powers of attorney and other documents necessary in the process of performing the contract. The obligation to obtain consent for the transfer and processing of personal data rests with the counterparty.
- The procedure for collecting Visitors’ PD
- The visitor provides the Company with personal data, the volume and nature of which corresponds to the purposes of receiving and processing personal data in the Company. Visitors’ PD are recorded in the Visitor Log (Appendix 5 to the Regulation). Visitors’ PD is not processed in an automated way.
- PD transfer procedure
- Transfer of personal data to third parties is possible only with the consent of the subject of personal data. The consent of the subject of personal data should indicate the third party to whom the personal data are transferred, as well as the purpose of the transfer and processing of personal data.
- When transferring personal data to third parties, which, on the basis of agreements, process personal data in the manner prescribed by the legislation of the Russian Federation, the Company restricts this information only to those personal data that are necessary for these persons to perform their functions (services, work).
- The company has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement signed with this person. A person who processes personal data on behalf of the Company is obliged to comply with the principles and rules for processing personal data provided by this Regulation. The instruction shall determine the list of actions with PD that will be performed by the person carrying out the processing and processing goals, should establish the obligation of such a person to maintain the confidentiality of PD and ensure safety during their processing, and should also indicate the requirements for the protection of processed PD in accordance with article 19 of the Federal Law “Personal data”.
- In order to fulfill obligations under an agency agreement between the Company and individuals, the Company carries out cross-border transfer of personal data of clients.
- The company provides (transfers) information containing personal data of employees to the Pension Fund of the Russian Federation and the Federal Tax Service via telecommunication channels and, in accordance with the requirements of the law, using cryptographic means to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, distribution of PD.
- Access to the Company's personal data is provided only to those employees who are allowed to work with personal data.
- Transfer of PD to the employee is possible only upon written application of the employee. The company is obliged, no later than three working days from the date of submission of this application, to issue the employee with copies of documents related to work (copies of the order for hiring, orders for transferring to another job, order for dismissal from work; extracts from the work book; certificate of salary, on accrued and actually paid insurance contributions for compulsory pension insurance, on the period of work with this employer and more). Copies of documents related to work must be duly certified and provided to the employee free of charge.
- The transfer (distribution) of information containing personal data of clients is carried out in a closed form (in sealed envelopes) or in another way that ensures confidentiality.
- Access to PD
- Granting Access to Company Officials:
- Access to personal data subject to automated and non-automated processing is permitted only to employees authorized to process personal data in accordance with the List of officials authorized to work with personal data of Intershtamp, LLC. At the same time, these persons are granted access only to personal data necessary for the performance of official duties.
- All changes, additions made to the List of officials admitted to work with PD are approved by the Order of the General Director.
- Employees of the Company who have gained access to personal data accept obligations to ensure the confidentiality of processed personal data, which are defined:
- an employment contract;
- confidentiality non-disclosure obligation (PD);
- job descriptions regarding security PD.
- Access of employees to information systems and related works (operations with personal data) is carried out in accordance with the requirements of the Regulation on the provision of access to ISPD.
- The access of workers to the material carriers of personal data and places of their storage is determined in accordance with the List of places of storage of material carriers of personal data.
- Provision of PD to public authorities:
- Access to PD is provided to public authorities in the following cases provided for by federal laws:
- in order to prevent threats to the life and health of the subject of PD;
- in order to protect the foundations of the constitutional order, morality, rights and legitimate interests of others;
- in order to ensure the defense of the country and the security of the state, including upon receipt of official requests in accordance with the provisions of the Federal Law “Operational search measures”.
- The procedure for accounting, storage and destruction of PD
- The company establishes a special storage mode for PD:
- PD that is processed for different purposes is stored separately, in accordance with the List of storage locations for tangible carriers.
- The following rules apply to all indicated storage locations:
- personal data contained on paper is stored in a locked cabinet or in a safe.
- keys to lockable cabinets are only issued to authorized persons.
- The registration and issuance of material carriers of personal data is provided for and is recorded in the Journal of accounting of carriers of confidential information (Appendix 2).
- Workers are not allowed to leave documents containing PD on the desktop if they do not currently work with them. Executable documents are not allowed to be stored in separate sheets, they must be formed in folders on which the type of actions performed with them is indicated (filing in personal files, for sending, etc.).
- Tangible personal data carriers must be destroyed after reaching the goals of processing personal data and / or after the expiration of the storage period of personal data. The form of the Act for the destruction of PD carriers is given in Appendix 3 to the Regulation.
- Regulatory Audits
- In accordance with the requirements of 152-Federal Law “Personal data”, the authorized body for the protection of the rights of subjects of personal data may conduct inspections of the Company for compliance with legal requirements.
- In accordance with the requirements of the Federal Law “On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Implementation of State Control (Supervision) and Municipal Control”, inspections are carried out in accordance with the approved administrative regulations.
- Information on the inspection procedure is provided:
- by posting on the official website of Roskomnadzor on the public Internet;
- directly in the central office of Roskomnadzor and its territorial bodies.
- The term for conducting both scheduled and unscheduled inspections may not exceed twenty business days. In exceptional cases related to the need for complex and (or) long-term studies, tests, special examinations and investigations based on motivated proposals from officials of Roskomnadzor or its territorial body conducting an on-site scheduled inspection, the on-site scheduled inspection may be extended by the head of Roskomnadzor or Head of the territorial body of Roskomnadzor, but not more than twenty business days.
- The issues of ensuring the security of personal data during their processing in the ISPD, as well as the requirements for the material carriers of biometric personal data and technologies for storing such data outside the ISPD, are within the competence of the Federal Security Service of the Russian Federation, the Federal Service for Technical and Export Control.
- Unscheduled inspections may be carried out on the following grounds:
- expiration of the period for the Company to fulfill a previously issued order to eliminate a detected violation of the established requirements of the legislation of the Russian Federation in the field of personal data.
- receipt in Roskomnadzor or its territorial bodies of appeals and applications of citizens, legal entities, individual entrepreneurs, information from state authorities, local authorities, from the media about the following facts:
- the occurrence of a threat of harm to life and health of citizens;
- causing harm to the life and health of citizens;
- violation of consumers' rights (in the event that Roskomnadzor or its territorial body receives appeals and applications of citizens and (or) legal entities on issues related to violation of consumer rights when the Company provides a service within the framework of which PD is processed).
- The Company shall be notified of an unscheduled on-site inspection by Roskomnadzor or its territorial body at least twenty-four hours prior to the start of its conduct by any available means. If as a result of the Company’s activities harm to life and health of citizens is caused, prior notification of the Company about the start of an unscheduled field inspection is not required.
- When an audit (planned or unscheduled) is conducted, the Company appoints a person responsible for the audit. The person in charge is the official representative of the Company during inspections.
- All inspections of the Company regarding the processing and protection of PD should be recorded in the Journal of accounting of inspections conducted by state control (supervision) bodies (Appendix 4).
- Responsibility
- The Company shall appoint a person responsible for organizing the processing of personal data.
- The person responsible for organizing PD processing receives instructions directly from the CEO and reports to him.
- The person responsible for organizing the processing of personal data is obliged to:
- exercise internal control over compliance by the Company and its employees with the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data;
- bring to the attention of the Company's employees the provisions of the legislation of the Russian Federation on PD, local acts on the processing of PD, requirements for the protection of PD;
- organize the reception and processing of applications and requests of PD subjects or their representatives and monitor the reception and processing of such applications and requests.
- Responsibility for ensuring security
- Persons (Workers, representatives of the Company, Company) who are guilty of violation of regulatory legal acts and internal acts of the Company governing the processing and protection of Worker's PD are subject to disciplinary, administrative, civil or criminal liability in accordance with federal laws.
- The company, as the owner of information resources, information systems, technologies and means of their support, exercising the powers of possession, use, disposal of confidential information within the limits established by law, is liable to PD subjects in case of causing property and moral harm.
- Responsibility for violation of the requirements of this Regulation
- The heads of the structural divisions of the Company are responsible for bringing this Regulation to the attention of employees (under signature) and ensuring compliance with it in their divisions.
- Employees of the Company are personally responsible for compliance with this Regulation.
- Employees of the Company are liable under the current legislation of the Russian Federation for the disclosure of information constituting personal data that became known to them by chance or by type of work.
Appendix 1 to the Regulation
“The processing of personal data “BEAUTY GLOBAL” LIMITED LIABILITY COMPANY”
Reference list