Privacy policy and data protection
1. General provisions
1.1. The current Privacy Policy regarding the processing of personal data (hereinafter referred to as the Policy) has been drawn up and applies to all personal data (hereinafter referred to as the Data) that the Organization (hereinafter referred to as the Operator, the Company) can receive from the subject of personal data, provided for in Articles 12, 14 of the REGULATIONS (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
1.2. The Operator protects the processed personal data from unauthorized access, disclosure, misuse, or loss.
1.3. Policy Changes
1.3.1. The Operator has the right to amend this Policy. When making changes in the heading of the Policy, the date of the last revision is indicated. The new version of the Policy comes into force from the moment it is posted on the website unless otherwise provided by the new version of the Policy.
2. Terms and authorized abbreviations
Personal data (PD) is any information relating directly or indirectly to a specific or identifiable individual (the subject of personal data).
Processing of personal data means any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data: personal data processing by means of computer technologies.
Information system of personal data (ISPD) is a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Personal data made publicly available by the subject of personal data is PD to which access by an unlimited number of persons is provided by the subject of personal data or at his request.
Blocking of personal data is a temporary suspension of the personal data processing (unless the processing is necessary to clarify personal data).
Destruction of personal data: actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.
The Operator is an organization that independently or jointly with other persons organizes the processing of personal data, as well as defines the aims of personal data processing, the volume of personal data subject to processing, and personal data handling. The Operator is “Effektiv App. Ltd”.
3. Personal data processing
3.1. Obtaining personal data.
3.1.1. All personal data should be obtained from the subject himself. If the subject’s PD can only be obtained from a third party, then the subject must be notified of such action or give his consent.
3.1.2. The Operator must inform the subject about the aims, intended sources and methods of obtaining PD, type of the PD to be received, the list of actions with PD, the period during which the consent is valid and the procedure for withdrawing it, as well as the consequences of the subject’s refusal to give written consent to receive them.
3.1.3. Documents containing PD are created by means of:
- copying original documents;
- entering information into accounting forms;
- obtaining originals of the required documents.
3.2. PD processing.
3.2.1. The processing of personal data is carried out:
- with the consent of the subject of personal data to the processing of his personal data;
- in cases where the processing of personal data is necessary for the implementation and execution of the functions, powers and duties assigned to the state;
- in cases where the personal data being processed is data to which access by an unlimited number of persons is provided by the subject of personal data or at his request (hereinafter referred to as personal data that was made public by the subject of personal data).
3.2.2. Purposes of personal data processing:
- implementation of labor relations;
- implementation of civil law relations.
3.2.3. Categories of subjects of personal data.
PD of the following subjects of personal data are processed:
- individuals who are in labor relations with the Company;
- individuals who quit the Company;
- individuals who are potential employees;
- individuals who are in civil law relations with the Company.
3.2.4. PD processed by the Operator:
- data obtained during the implementation of labor relations;
- data obtained for the applicants’ selection for work;
- data obtained in the implementation of civil law relations.
3.2.5. Personal data processing is carried out:
- using automation tools;
- without using automation tools.
3.3. Storage of personal data
3.3.1. PD of subjects can be obtained, undergo further processing and transferred for storage both in paper and in electronic form.
3.3.2. PD recorded on paper are stored in lockable cabinets or in locked rooms with limited access rights.
3.3.3. PD of subjects that are processed using automation tools for different purposes are stored in different folders.
3.3.4. Storage and placement of documents containing PD in open electronic catalogs (file sharing) in ISPD are not allowed.
3.3.5. PD is stored in a form that allows the subject of PD to be identified for no longer than the purpose of its processing requires, and it is subject to destruction once the processing purposes are reached or when it is no longer necessary to achieve them.
3.4. Destruction of personal data.
3.4.1. Destruction of documents (carriers) containing PD is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. For the destruction of paper documents, the use of a shredding machine is allowed.
3.4.2. PD stored on computer media is destroyed by erasing or formatting the media.
3.4.3. The fact of the destruction of PD is confirmed by the documentary act of destruction of carriers.
3.5. Transfer of personal data.
3.5.1. The Operator transfers PD to third parties in the following cases:
- the subject has expressed his consent to such actions;
- the transfer is provided for by Russian or other applicable law within the framework of the procedure established by law.
3.5.2. The list of individuals to whom PD is transferred: state authorities.
4. Personal data protection
4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS), consisting of subsystems of legal, organizational, and technical protection.
4.2. The subsystem of legal protection is a complex of legal, organizational, administrative, and regulatory documents that ensure the creation, functioning, and improvement of the PDPS.
4.3. The subsystem of organizational protection includes the organization of the management structure of the data protection system, the authorization system, and information protection when working with employees, partners, and third parties.
4.4. The subsystem of technical protection includes a set of technical, software, firmware, and hardware tools that ensure PD protection.
4.5. The principal PD protection measures used by the Operator are as follows:
4.5.1. Appointing a person responsible for the processing of PD, organizing the processing of PD, training and instructing, internal control over the compliance of the institution and its employees with the requirements for the PD protection.
4.5.2. Identifying actual threats to the security of PD when processing them in the ISPD and developing measures to protect PD.
4.5.3. Developing a policy regarding personal data processing.
4.5.4. Establishing rules for accessing PD processed in the ISPD, as well as ensuring the registration and accounting of all actions performed with the PD in the ISPD.
4.5.5. Setting up individual passwords for employees’ access to the information system in accordance with their production responsibilities.
4.5.6. Using information protection means that have passed the conformity assessment procedure in the prescribed manner.
4.5.7. Using certified antivirus software with regularly updated databases.
4.5.8. Complying with the conditions that ensure the PD protection and exclude unauthorized access to them.
4.5.9. Identifying unauthorized access to personal data and taking measures.
4.5.10. Recovering PD that were modified or destroyed due to unauthorized access to them.
4.5.11. Training the Operator’s employees who are directly involved in the processing of personal data in the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, in the documents defining the Operator’s policy regarding the processing of personal data, and in local acts on the processing of personal data.
4.5.12. Implementing internal control and audit.
5. Basic rights of the PD subject and obligations of the Operator
5.1. Basic rights of the PD subject.
The subject has the right to access his personal data and the following information:
- confirmation of PD processing by the Operator;
- legal grounds and purposes of PD processing;
- purposes and methods of PD processing used by the Operator;
- name and location of the Operator, information about individuals (with the exception of the Operator’s employees) who have access to PD or to whom PD can be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
- terms of processing personal data, including the terms of their storage;
- procedure for exercising the rights by the subject of PD provided for by this Federal Law;
- name or surname, first name, patronymic name, and address of the person who processes PD on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;
- contacting the Operator and sending him requests;
- appeal against the actions or omissions of the Operator.
5.2. Obligations of the Operator.
The Operator is obliged to:
- provide information on PD processing when collecting PD;
- notify the subject in cases where the PD was not received from the PD subject;
- explain to the subject the consequences of refusing to provide PD;
- publish or otherwise provide unrestricted access to the document defining its policy in relation to PD processing, to information about the implemented requirements for PD protection;
- take the necessary legal, organizational, and technical measures or ensure their adoption to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD;
- respond to requests and appeals of PD subjects, their representatives, and the authorized body for the protection of the rights of PD subjects.