Personal data processing policy

Approved by: General Director of Beltel JSC

K.B. Tsutskarev

June 01, 2013

Locus sigilli

  1. General information
    • This Policy has been developed to protect personal data.
    • This Policy applies to all processes for the collection, recording, systematization, accumulation, storage, clarification, retrieval, use (including for newsletters), transfer, depersonalization, and deletion of personal data.
    • This Policy is an internal document of Beltel JSC and is kept in the office of the company, and is also subject to publication on the corporate websites of the company.
    • Heads of structural units whose employees take part in the processing of personal data must familiarize themselves with this Policy and comply with it.
    • This Policy has been prepared in accordance with Clause 2, Part 1, Art. 18.1 of the Federal Law of the Russian Federation dated July 27, 2006 No. 152-FZ «On Personal Data» and is valid for all personal data processed by Beltel JSC.
  2. Terms and concepts
    • Personal data (PD) — any information relating directly or indirectly to a specific individual (subject of personal data).
    • Personal data processing — any action performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, deletion of personal data.
    • Operator — a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions performed with personal data.
    • Personal data subject is an individual who owns personal data.
  3. Information about the operator of personal data

Beltel JSC is registered in the Register of Operators Carrying out Personal Data Processing (registration number 78-17-003740).

Address: 191025, St. Petersburg, st. Mayakovsky 3B, letter A. Phone: +7 (812) 303 91 20

Fax: +7 (812) 303 91 21.

  4. Principles of processing personal data
    • The company considers its most important task to be ensuring the legality and fairness of the processing of personal data, their confidentiality and the security of their processing.
    • The processing of personal data in the company is based on the following principles:
      • Processing personal data on a legal and fair basis;
      • Restricting the processing of personal data to the achievement of specific, predetermined and legitimate goals;
      • Compliance of the content and volume of processed personal data with the stated purposes of their processing, and the absence of data redundancy in relation to those purposes;
      • Ensuring the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing;
      • Storing personal data in a form that allows the subject of personal data to be identified for no longer than the purpose of processing requires, unless the storage period is regulated by the legislation of the Russian Federation or by an agreement to which the subject of personal data is a party, beneficiary or guarantor.
  5. Requirements for the processing and security of personal data

The processing of personal data in the company is carried out in accordance with the requirements of the following documents:

  • Constitution of the Russian Federation
  • Labor Code of the Russian Federation
  • Federal Law of July 27, 2006 No. 152-FZ «On Personal Data»
  • Decree of the Government of the Russian Federation of September 15, 2008 No. 687 «On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools»
  • Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 «On approval of requirements for the protection of personal data during their processing in personal data information systems»
  • Order of the FSTEC of Russia dated February 18, 2013 No. 21 «On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems», as well as other applicable regulatory legal acts of the Russian Federation.
  6. Implementation of requirements for the processing and security of personal data
    • In order to implement the requirements for processing and ensuring the security of personal data (section 5) in the company:
      • A person responsible for organizing the processing and ensuring the security of personal data has been appointed
      • A set of documents regulating the processing and security of personal data has been developed and put into effect
      • Legal, organizational and technical measures are applied to ensure the security of personal data in accordance with section 7 of this Policy
      • Internal control and audit of the compliance of the processing of personal data in the company with the requirements for it (section 5), the provisions of this Policy and other internal documents of the company on the processing and security of personal data is carried out
      • An assessment is made of the damage that may be caused to subjects of personal data in case of violation of Federal Law No. 152-FZ «On Personal Data», and of the ratio of this damage to the measures taken by the company to fulfill the obligations provided for by that Federal Law
      • Employees of the company who directly process personal data are familiarized, against personal signature, with the requirements of the company’s internal documents and of the current legislation of the Russian Federation on processing and ensuring the security of personal data.
    • When collecting personal data, the company provides for the recording, systematization, accumulation, storage, clarification (update, change) and extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation.
  7. Measures to ensure the safety of personal data
    • The company has taken the necessary and sufficient legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions with them by third parties, in particular:
      • Measures to ensure the confidentiality of personal data;
      • Measures for identification and authentication, access control and registration of events in the company’s information systems;
      • Security measures when handling material carriers of personal data;
      • Anti-virus protection measures for personal data;
      • Intrusion detection measures in the company’s information systems;
      • Measures to back up and restore personal data;
      • Measures to protect the virtualization environment;
      • Measures to physically protect and control access to company premises where personal data is processed.
    • The right of access to the personal data processed in the company is granted, in accordance with the procedure established by the company, to those employees who need this data to perform the duties stipulated by their job descriptions.
    • If the company entrusts the processing of personal data to a third party on the basis of an agreement, a prerequisite for such an agreement is the obligation of the third party to ensure the security of personal data during their processing. The company is responsible to the subject of personal data for the actions of the person who processes personal data on behalf of the company.
    • If the company is entrusted with the processing of personal data by another operator on the basis of an agreement, the company processes these personal data, and also ensures their confidentiality and security in accordance with the terms of the agreement and the provisions of the legislation of the Russian Federation.
  8. Terms of processing personal data

The terms for processing personal data are established by the company in accordance with the requirements of the current legislation of the Russian Federation.

  9. Termination of processing of personal data
    • The processing of personal data is terminated, and the collected personal data is destroyed by the company in the following cases within the time limits established by Federal Law No. 152-FZ «On Personal Data» (unless otherwise provided by the legislation of the Russian Federation):
      • Upon the expiration of the established period for the processing of personal data
      • Upon reaching the goals of processing personal data or if there is no need to achieve them
      • When the subject of personal data revokes consent to the processing of his personal data, if such consent is required in accordance with the legislation of the Russian Federation
      • At the request of the subject of personal data or the Authorized body for the protection of the rights of subjects of personal data — if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing
      • In the event of unlawful processing of personal data by a company or a person acting on its behalf, if it is impossible to ensure the legality of the processing of personal data.
  10. Rights of the subject of personal data
    • The subject of personal data decides on the provision of his personal data to the company and consents to their processing, including the transfer to third parties freely, of his own free will and in his own interests.
    • The subject of personal data has the right to revoke the consent given to the company to the processing of his personal data. For this, the subject of personal data must send a statement in any form to the company.
    • If the subject of personal data withdraws consent to the processing of personal data, the company has the right to continue processing personal data without the consent of the subject if there are grounds provided for by Federal Law No. 152-FZ «On Personal Data».
    • The subject of personal data has the right to receive information regarding the processing of his personal data by the company, including:
      • Confirmation of the fact of processing personal data by the company
      • Legal bases and purposes of personal data processing
      • Methods of processing personal data used by the company
      • Company name and location
      • Information about persons (with the exception of a company employee) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the company or on the basis of federal law
      • Processed personal data related to this subject of personal data, the source of their receipt
      • Terms of processing personal data, including the terms of their storage
      • The procedure for the exercise by the subject of personal data of the rights provided for by Federal Law No. 152-FZ «On Personal Data»
      • Information about completed or intended cross-border transfers of personal data
      • The name and address of the person who processes personal data on behalf of the company, if the processing is entrusted or will be entrusted to this person
      • Other information provided by federal laws.
    • The right of the subject of personal data to access his personal data may be limited in accordance with the legislation of the Russian Federation.
    • The subject of personal data has the right to demand that the company clarify, block or destroy his personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights.
    • As part of the exercise of his rights, the subject of personal data or his representative can send inquiries to the company regarding the processing of his personal data or contact the company personally.
    • The request of the subject of personal data or his representative regarding the processing of his personal data is made in any form and must contain:
      • Main identity document number
      • Information about the date of issue and the issuing authority
      • Information confirming the participation of the personal data subject in relations with the company, or information otherwise confirming the fact of the processing of personal data by the company
      • Signature of the personal data subject or his representative.
    • The request can be sent to the address of the company in electronic form and signed with an electronic signature in accordance with the legislation of the Russian Federation.
    • Personal appeal is understood as an oral statement by the subject of personal data or his representative at the time of visiting the company’s offices.
  11. Final conditions

This Policy may be revised in any of the following cases:

  • When changing the legislation of the Russian Federation in the field of processing and protection of personal data
  • In cases of receiving orders to eliminate inconsistencies affecting the scope of the Policy
  • When changing company information
  • When the principles and approaches to the processing and security of personal data change, as well as the composition of measures to ensure the security of personal data.

Agreed:

Legal advisor

M.A. Matusevich

June 01, 2013
