Regulations on the processing of personal data in OOO Inkamp.ru

1.     General provisions

1.1.         The Regulation on the processing of personal data (hereinafter referred to as the "Regulations") defines the conditions and the procedure for processing personal data, which is performed by LLC "INKEMP.RU" (the & mdash; Operator).

1.2.         The Regulations have been developed in compliance with the Policy regarding the processing of personal data (hereinafter referred to as the "Policy") and in accordance with Cl. 2 Part 1, Art. 18.1 of the Federal Law of July 27, 2006 No. 152-FZ & About Personal Data & raquo; (hereinafter referred to as & mdash; FZ & lquo; About Personal Data & raquo;), as well as the following regulatory legal acts:

& mdash;     part two of the Civil Code of the Russian Federation of January 26, 1996 No. 14-FZ (hereinafter referred to as part two of the Civil Code of the Russian Federation);

& mdash;     The Labor Code of the Russian Federation of December 30, 2001 No. 197-FZ (hereinafter referred to as "the RF LC)";

& mdash;     part one of the Tax Code of the Russian Federation of July 31, 1998 No. 146-FZ (hereinafter referred to as part one of the Tax Code of the Russian Federation);

& mdash;     Federal Law & About Accounting & raquo; of December 6, 2011 No. 402-FZ (hereinafter referred to as & mdash; FZ & About Accounting & raquo;);

& mdash;     Decree of the Government of the Russian Federation of September 15, 2008, No. 687 on "Approval of the Regulation on the Specifics of Processing Personal Data Performed Without the Use of Automation Tools";

& mdash;     Decree No. 1119 of the Government of the Russian Federation of November 1, 2012 on the approval of the requirements for the protection of personal data when processing them in personal information systems & raquo;

2.       Organization of personal data processing

2.1.         In order to ensure the fulfillment of the duties provided by the Federal Law "On Personal Data" & raquo; and the normative legal acts adopted in accordance with it, the Operator shall be responsible for organizing the processing of personal data (hereinafter referred to as "Responsible").

2.2.       Responsible must:

& mdash;     ensure approval, enactment, as well as update, if necessary, the Policy, Regulations and other local acts on the processing of personal data;

& mdash;     provide unlimited access to the Policy, a copy of which is located at the address of the Operator;

& mdash;     to evaluate the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the Operator's information system;

& mdash;     annually carry out an assessment of the harm that may be caused to the subjects of personal data in case of violation of the Federal Law on Personal Data & raquo;

& mdash;     annually carry out internal control over compliance by the Operator and his employees with legislation on personal data, Policies, Regulations and other local acts on the processing of personal data, including requirements for the protection of personal data (hereinafter referred to as "regulatory acts");

& mdash;     to bring employees of the Regulations upon signing the provisions of the Normative Acts at the conclusion of the employment contract, and also on their own initiative;

& mdash;     to admit workers to the personal data processed in the information system of the Operator, as well as to their material carriers only for the performance of labor duties;

& mdash;     organize and control the reception and processing of requests and requests of subjects of personal data, ensure the exercise of their rights;

& mdash;     ensure interaction with the authorized body for the protection of the rights of subjects of personal data (hereinafter referred to as "Roskomnadzor").

3.       Ensuring the security of personal data

3.1.       Employees who have access to personal data must not disclose to third parties or distribute them without the consent of the subject of personal data, unless otherwise provided by federal law.

3.2.       In order to protect personal data from illegal actions (in particular, improper or accidental access, destruction, modification, blocking, copying, provision, distribution), the Operator applies a set of legal, organizational and technical measures to ensure the security of personal data, which constitutes a personal data protection system.

3.3.       The use of a set of measures to ensure the security of personal data provides an established level of protection of personal data when processing them in the information system of the Operator.

3.4.         In order to ensure the fulfillment of the duties provided by the Federal Law "On Personal Data" & raquo; and the normative legal acts adopted in accordance with it, the Operator shall be responsible for ensuring the security of personal data in the information system.

3.5.       The person responsible for ensuring the security of personal data in the information system is required to:

& mdash;     annually carry out the definition of threats to the security of personal data when processing them in the information system of the Operator;

& mdash;     ensure the implementation of organizational and technical measures to ensure the security of personal data and the use of information security tools necessary to achieve the established level of protection of personal data when processing in the information system of the Operator;

& mdash;     establish rules for access to personal data processed in the information system of the Operator, and ensure registration and accounting of all actions with them;

& mdash;     to organize detection of the facts of unauthorized access to personal data and the adoption of response measures, including the restoration of personal data modified or destroyed due to unauthorized access to them;

& mdash;     annually carry out internal control to ensure the established level of protection of personal data when processing in the information system of the Operator.

 

4.       Exercise of the rights of subjects of personal data

4.1.       When a personal data subject is contacted or upon receiving his request (hereinafter referred to as "Request"), the Responsible shall provide the subject with personal information about the availability of personal data related to him, as well as the possibility of acquaintance with these personal data within 30 days from the date of the Appeal.

4.2.         If there are legitimate reasons for refusing to provide personal data to the subject about the availability of personal data related to him, and also the possibility of acquaintance with these personal data, the Responsible provides a reasoned reply to the subject of personal data in writing, containing a reference to the provision of Part 8 of Art. 14 FZ & la About personal information & raquo; or other federal law, which is the basis for such refusal, within 30 days from the date of the Appeal.

4.3.       If the subject provides personal data with information confirming that his personal data processed by the Operator is incomplete, inaccurate or irrelevant, the Responsible ensures the necessary changes to the personal data within 7 working days from the date of the Appeal.

4.4.       If the subject provides personal data with information confirming that his personal data processed by the Operator is illegally obtained or is not necessary for the stated purpose of the processing, the Responsible shall ensure the destruction of such personal data within 7 working days from the date of the Appeal.

4.5.       The responsible ensures the notification of the subject of personal data about changes and measures taken in his personal data, and also takes reasonable measures to notify third parties to whom the personal data of this subject have been transferred.

4.6.       In the event of the subject's withdrawal of personal data consent to their processing, it can be continued if there are grounds specified in cl. 2, item 11, part 1, Art. 6, part 2 of Art. 10 and part 2 of Art. 11 of the Federal Law & About Personal Data & raquo;.

5.     Interaction with Roskomnadzor

5.1.       At the request of Roskomnadzor, the Responsible organizes the provision of local acts regarding the processing of personal data and documents confirming the adoption of measures to comply with the requirements of the Federal Law "On Personal Data", within 30 days from the date of receipt of the request.

5.2.       At the request of Roskomnadzor, the Responsible organizes the clarification, blocking or destruction of inaccurate or illegally obtained personal data within 30 days from the date of receipt of the request.

5.3.       In the cases provided for in Art. 22 of the Federal Law "On Personal Data", the Responsible sends a notice to Roskomnadzor about the intention to process personal data.

5.4.       In case of need, the Responsible sends to Roskomnadzor appeals concerning the processing of personal data carried out by the Operator.

 

6.       Responsibility for violation of the procedure for processing and ensuring the security of personal data

6.1.         If the employee violates the provisions of the legislation in the field of personal data, he may be brought to disciplinary, material, civil, administrative and criminal liability in the manner established by the Labor Code of the Russian Federation and other federal laws, in accordance with Part 1 of Art. 24 ФЗ About the personal data & raquo; and art. 90 of the LC RF.

6.2.       In case of disclosure of personal data by the employee, which became known to him in connection with the performance of his labor duties, the employment contract with him may be terminated in accordance with subparagraphs & laquo; in & raquo; paragraph 6 of Art. 81 of the LC RF.