FOR THE PROCESSING OF PERSONAL DATA
CONTENT
1. General terms
2. Principles and conditions for the processing of personal data
2.1 Principles for the processing of personal data
2.2 Conditions for the processing of personal data
2.3 Privacy of personal data
2.4 Public sources of personal data
2.5 Special categories of personal data
2.6 Biometric personal data
2.7 Delivering the processing of personal data into the charge of a third person
2.8 Cross-border communication of personal data
3. Rights of the subject of the personal data
3.1 Consent of the subject of the personal data to his personal data processing
3.2 Rights of the subject of the personal data
4. Protection of personal data
5. Final clauses
1. GENERAL TERMS
The Policy stipulates the practice for personal data processing and the measures to protect the security of personal data in ONE GOAL INTERNATIONAL CORP. (hereinafter referred to as the Operator), aimed at protecting the rights and freedoms of man and citizen during the processing of his personal data, including his right to personal and family privacy.
In the Policy the following general terms are used:
Computerized personal data processing – the processing of personal data by means of a computer;
Personal data block – a temporary stop of the processing of personal data (with the exception of the cases when the processing is necessary to specify some personal data);
Information system of the personal data is the complex of the personal data from the database and the technologies and means for its processing;
Depersonalization of personal data means the measures undertaken to prevent the identification of certain personal data without a reference to additional information;
Personal data processing is an action, operation or complex of computerized or non-computerized measures including data collection, its record, arrangement, accumulation, storage, update (or change), retrieval, use, forwarding (sharing, giving access), depersonalization, block, withdrawal, destruction of personal data;
Operator is a state or municipal body, legal body or private person that executes processing of the personal data independently or jointly with other persons/bodies, and who sets the purposes of the personal data processing, the content of personal data, the subject of processing, and the actions (operations) for the personal data handling;
Personal data is the information that directly or indirectly refers to a certain individual (subject of the personal data);
Personal data provision means the actions aimed at personal data disclosure to a certain person or group of persons;
Personal data sharing means the actions aimed at personal data disclosure to a wide group of persons, including publishing of the personal data in media or social networks, or giving wide unlimited access to them by any other means;
Cross-border communication of personal data is forwarding the personal data to a foreign state body or a foreign individual or a legal body;
Destruction of personal data means actions aimed at making it impossible to restore the personal data in the personal database and (or) destruction of data storage devices.
The company is bound to publish or to provide by other means unlimited access to the Policy of personal data processing under Part 2 of Art. 18.1 of ФЗ-152.
2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
2.1 Principles for the processing of personal data
The processing of personal data organized by the Operator is based on the following principles:
- legitimacy and impartial basis;
- certain and legal aims that set limits for the personal data processing;
- non-admittance of the personal data processing with aims other than the aims of collecting personal data;
- non-admittance of the combination of databases that contain personal data processed for contradictory aims;
- personal data processing limited by the personal data that are adequate to the aims of its processing;
- content and volume of personal data being in accordance with the declared aims of its processing;
- non-admittance of personal data processing excessive for the aims of its processing;
- providing accuracy, adequacy and applicability of personal data with reference to the aims of its processing;
- destruction or depersonalization of personal data upon achieving the aim of its processing or in case of loss of the necessity of its processing, if the committed violation of the procedure cannot be overcome, unless otherwise stipulated by the legislation.
2.2 Terms of personal data processing
The Operator executes personal data processing provided any of the below stated conditions exists:
- personal data processing is done with the consent of the subject of the personal data to his personal data processing;
- personal data processing is vital for the aim set under the international agreement of the Russian Federation or the law that stipulates the functions, authority and responsibility for the Operator;
- personal data processing is vital for effectuation of justice, execution of a judicial procedure as well as other governmental procedures under the legislation of the Russian Federation;
- personal data processing is vital for the contract execution where the subject of personal data is a party as well as for the purposes of signing a contract under the initiative of the subject of personal data, or a contract where the subject of personal data is a beneficiary or warrantor;
- personal data processing is vital for the exercise of a right and legal interest of the operator or third parties aimed at worthwhile causes provided no rights and liberties of the subject of the personal data are violated;
- personal data processing is executed if the access of unlimited group of persons is given under the consent of the subject of personal data or authorized by the subject of personal data (hereinafter referred to as Generally available personal data);
- personal data processing is executed if they are subject to publishing or obligatory disclosure in accordance with the federal legislation.
2.3 Privacy of personal data
The Operator or other persons that have access to personal data are bound to keep the data out of reach of third parties and not to share the personal data without prior consent of the subject of personal data, unless otherwise stipulated in the federal legislation.
2.4 Public sources of personal data
For the purposes of information sharing the Operator may create commonly shared sources of personal data including reference books and directories. The generally shared sources of the personal data may include under the written consent of the subject of the personal data his surname, first name, father's name, date and place of birth, appointment, personal phone numbers, email address and other personal contact data delivered by the subject of the personal data.
The subject's data must be excluded from the public sources at any time on his request or following the decision of the court or other authorized government bodies.
2.5 Special categories of personal data
The Operator's processing of special categories of personal data linked with race, nation, political commitments, religion, philosophic and other principles, as well as the state of health and intimacy, is allowed provided that:
- subject of personal data has given his written consent for the processing of his personal data;
- the personal data are publicly shared by the subject of personal data;
- the processing of personal data is executed under the Law On the state social care, labor legislation, Retiring pension legislation;
- the processing of personal data is necessary to protect life or health or other vital interests of the subject of personal data or life or health or other vital interests of third persons and there is no possibility to obtain the consent of subject of personal data;
- the processing of personal data is executed in the frames of preventive and curative interventions, to determine a diagnosis, provide medical and social care on condition that the person processing the personal data is a professional health care worker bound to keep privacy of health-care providers in accordance with the legislation of the Russian Federation;
- the processing of personal data is necessary to determine or exercise a right of the subject of personal data or third persons as well as due to the effectuation of justice;
- processing of personal data is executed under the legislation on the obligatory insurance.
The processing of special categories of personal data must be stopped immediately after the elimination of reasonable conditions for its processing, unless otherwise stipulated by the federal legislation.
The processing of personal data of a former conviction may be executed by the Operator only in certain cases and following the procedures set by the federal legislation.
2.6 Biometric personal data
Biometric personal data, that is, the data associated with the biological and physical features of an individual that may be used as a reference for such individual, may be processed by the Operator only under the condition of prior written consent of the subject of personal data.
2.7 Delivering the processing of personal data into the charge of a third person
The Operator has a right to deliver the processing of personal data into the charge of a third person under the consent of the subject of personal data, unless otherwise stipulated in the Federal law, under the conditions of the contract signed with this third person. The person in charge of processing of personal data on request of the Operator is bound to follow the principles and terms of the processing of personal data stipulated in ФЗ-152.
2.8 Cross-border communication of personal data
The Operator is bound to assure that the foreign states to which he forwards the personal data undertake adequate security measures to protect the rights of the subject of the personal data prior to the personal data communication.
Cross-border communication of personal data to the foreign state that cannot provide adequate protection of the rights of the subject of the personal data is allowed under the following conditions:
- written consent of the subject of the personal data for the cross-border communication of the personal data;
- execution of the contract in which the subject of the personal data acts as a party.
3. RIGHTS OF THE SUBJECT OF THE PERSONAL DATA
3.1 The consent of the subject of personal data for his personal data processing
The subject of personal data decides upon the provision of his personal data and gives consent for its processing voluntarily, by his will and in his favor. The consent for the processing of personal data may be given by the subject of personal data or his representative in any form that may confirm the fact of the consent given, unless otherwise required by the federal law.
The Operator is bound to provide the proof of the consent of the subject of personal data for the processing of his personal data or the proof for existence of the conditions stipulated in ФЗ-152.
3.2 The rights of the subject of personal data
The subject of personal data has the right to claim from the Operator the information associated with the processing of his personal data, provided this right is not limited by the federal law. The subject of personal data has the right to claim from the Operator the specification of the personal data, its block and destruction in case they are incomplete, incorrect, inadequate or obtained by illegal means or they are not necessary for the aims of processing, as well as the right to undertake measures to protect his rights within the legal frames.
Processing of personal data aimed at promotion of goods, labors and services at market by means of direct contacts with potential customers as well as aimed at political agitation is acceptable only under the condition of prior consent of the subject of the personal data. The above mentioned processing of personal data is considered unauthorized if the company does not prove that the consent of the subject of personal data was duly received.
The Operator is bound to stop immediately the processing of personal data upon the request of the subject of the personal data.
It is forbidden to make decisions based only on the computerized processing of personal data that provoke legal consequences for the subject of the personal data or affect his rights and legal interests with the exception of the cases stipulated in the federal legislation and under the prior written consent of the subject of the personal data.
If the subject of the personal data considers that the Operator's processing of the data violates the statements of ФЗ-152 or other rights and liberties of the subject of personal data, he has the right to make a complaint of the Operator's actions to the Judicial bodies or court.
The subject of personal data has a right to protect his legal interests, including the reimbursement and (or) compensation for moral harm under the legal procedure.
4. PROTECTION OF PERSONAL DATA
The security of the personal data processed by the Operator is provided by means of legal, organizational and technical measures required by the Federal legislation in order to guarantee the protection of personal data.
The Operator uses the following measures to prevent an improper access to the personal database:
- appointment of employees responsible for the processing and protection of the personal data;
- limited quantity of employees who have access to the personal database;
- instruction of the employees on the requirements of the Federal legislation and the regulatory norms of the Operator for the protection of the personal data;
- organization of the record, storage and exchange of the information holders;
- identification of the security risks for personal data while processing, visualization of such security risks;
- development of the system for the protection of personal data based on the visualized security risks;
- efficiency testing of the means developed for the protection of information;
- access differentiation for the users to the protected information and the means of its processing;
- registration and recording users' actions in the personal databases;
- antivirus tools and restoring tools for the system of protection of personal data;
- use of a firewall where necessary, detection of attacks, analysis of the security and data cryptography means;
- organization of pass control at the Operator's office, supervision of the sites where means of the processing of personal data are located.
5. FINAL CLAUSES
The other rights and responsibilities of the Operator as the holder of personal data are stipulated by the legislation of the Russian Federation in the sphere of personal data.
The employees of the Operator considered guilty for breach of the norms regulating the processing and protection of personal data are brought to account under disciplinary and administrative procedures, held liable under civil and criminal law as it is stipulated by the Federal legislation.