Privacy policy

1. GENERAL PROVISIONS

1.1. JSC "MH Balakovo" Policy on Personal Data Processing" (hereinafter - the Policy) defines the general principles and procedure of personal data processing and measures to ensure their security at JSC "MH Balakovo" (hereinafter - the Company or the Operator).

1.2. The purpose of the Policy is to ensure protection of human and civil rights and freedoms when processing personal data, including protection of rights to privacy, personal and family secrets, clear and strict compliance with the requirements of Russian legislation in the field of personal data.

1.3. This Policy is developed in accordance with the provisions of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data", other legislative and regulatory acts governing the processing of personal data and requirements to ensure their security.

1.4. This Policy is the basis for the development of local regulations of the Company to ensure security of personal data.

1.5. This Policy shall be binding upon all employees of the Company, involved in the processing of personal data.

2. TERMS AND DEFINITIONS

Automated processing of personal data - processing of personal data by means of computer equipment. Biometric personal data - information, which characterizes the physiological and biological characteristics of the person, which can be used by the operator to identify the subject of personal data.

Blocking of personal data - temporary termination of personal data processing (except in cases where processing is necessary to clarify personal data). Access to personal data - familiarization of certain persons (including employees) with the personal data of subjects, processed subject to the confidentiality of these data.

Personal Data Information System (PDIS) - a set of personal data contained in databases of personal data and providing information technology and technical means for its processing.

Counterparty is a party to the contract with MH Balakovo JSC.

Confidentiality of personal data - the obligation of persons who obtained access to personal data not to disclose to third parties and not to disseminate personal data without the consent of the subject of personal data, unless otherwise provided by law.

Depersonalization of personal data - any action, as a result of which it becomes impossible, without the use of additional information, to determine ownership of personal data to a specific personal data subject.

Processing of personal data - any action (operation) or a set of actions (operations), performed with or without the use of automation with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.

Publicly available personal data - personal data, access to which is provided to the general public on the basis of legislation by the subject of personal data or at his request, including data that are subject to mandatory disclosure or publication.

Operator - a state body, municipal authority, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as defining the purpose of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.

Personal data (PDN) - any information relating to directly or indirectly identified or defined by an individual (the subject of personal data). Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of people.

Dissemination of personal data - actions aimed at disclosure of personal data to an indefinite circle of persons.

Subject of personal data - an individual to whom personal data relates.

Cross-border transfer of personal data - transfer of personal data to a foreign country to a foreign authority, a foreign individual or a foreign legal entity.

Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which tangible carriers of personal data are destroyed.

3. MAIN PROVISIONS

3.1 Basic rights of the subject (s) of personal data

3.1.1 The subject of personal data has the right to receive information concerning the processing of his/her personal data, including:

confirmation of the fact of processing of his personal data by the Company;
legal basis and purpose of personal data processing;
Information about the methods of personal data processing used by the Company;
Name and location of the Company, information on persons (except for the Company's employees), who have access to personal data or to whom personal data may be disclosed based on the agreement with the Company or based on the legislation;
Processed personal data pertaining to the respective personal data subject, its source;
terms of processing of personal data, including terms of their storage;
Procedure of personal data subject realization of rights, provided by the Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data";
Information about performed or supposed trans-border data transfer;
Name or full name and address of the person processing personal data on behalf of the Company, if such person is or will be appointed to process such data;
Other information required by law.

Information about the availability of personal data must be provided to the subject of personal data by an authorized employee of the Company in an accessible form, and it must not contain personal data relating to other subjects of personal data.

3.1.2 The subject of personal data has the right to demand from the Operator the clarification of his personal data, their blocking or destruction in case the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take statutory measures to protect their rights.

3.1.3 The subject of personal data has the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral harm in court.

3.2 Main obligations of the subject (s) of personal data

3.2.1 The subject of personal data is obliged to provide the Operator with accurate personal data.

3.2.2 The subject of personal data is obliged to inform the Operator about changes in personal data in a timely manner. Failure of the Operator to make changes, additions, exceptions to personal data due to the failure of the subject of personal data to provide clarifying, modifying information, exempts the Operator from liability.

3.2.3 The subject of personal data shall comply with the requirements of Federal Law № 152-FZ of 27.07.2006 "On Personal Data".

3.3 The basic rights of the Operator

3.3.1 The operator has the right to process personal data without notifying the Competent Authority for protection of the rights of subjects of personal data in the cases provided by Part 2 of Article 22 of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data".

3.3.2 The operator may entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with that person, including a state or municipal contract, or by a state or municipal authority adopting the relevant act (hereinafter - the operator's instruction).

3.4 The main duties of the Operator

3.4.1 When collecting personal data, the operator is obliged to provide the subject of personal data, at their request, with the information stipulated in clause 3.1.1.

3.4.2 If providing personal data is obligatory in accordance with the Federal Law of 27.07.2006 № 152-FZ "On Personal Data", the operator is obliged to explain to the subject of personal data the legal consequences of refusal to provide their personal data.

3.4.3 If personal data is not received from the subject of personal data, the operator, with the exception of cases stipulated by Part 4 of Article 18 of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data", before processing of such personal data is obliged to provide the subject of personal data the following information

Name or surname, first name, patronymic and address of the operator or its representative;
The purpose of personal data processing and its legal basis;
The intended users of personal data;
The statutory rights of the personal data subject;
The source of receipt of personal data.

3.4.4 The operator is obliged to publish or otherwise provide unrestricted and unhindered access to the document defining its policy in relation to personal data processing.

3.4.5 The operator is obliged within 30 days to provide information about his personal data and allow familiarization with it the subject of personal data, as well as Roskomnadzor and its territorial bodies on relevant requests in accordance with Part 1 and 4 of Article 20 of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data".

3.4.6 The operator shall be obliged to take measures, necessary and sufficient for ensuring fulfillment of obligations provided by Federal Law dated July 27, 2006 #152-FZ "On Personal Data" and regulatory legal acts adopted in compliance therewith. The operator shall independently determine the composition and list of measures necessary and sufficient for ensuring performance of obligations provided by Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data" and regulatory legal acts adopted pursuant thereto, unless otherwise provided by Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data" or other federal laws.

3.4.7 Ensuring the confidentiality and security of personal data processing is one of the Company's top priorities.

4. PURPOSES OF COLLECTING PERSONAL DATA

4.1 The Company processes personal data on the basis of general principles.

Processing of personal data is limited to achieving specific, predetermined and legitimate purposes. The Company shall take necessary measures and shall not allow processing of personal data that is incompatible with the purposes of personal data collection.

The Company processes personal data for the following purposes:

Execution of concluded labor contracts; fulfillment of requirements of current legislation and other normative legal acts; obtaining education and promotion; ensuring personal safety; control of quantity and quality of work performed and ensuring security of property and information; calculation and payment of wages, other remuneration; calculation and payment of taxes and insurance premiums; registration of execution certificates and certificates of disability; maintaining military records; conducting mandatory preliminary and periodic;
Execution of concluded labor contracts; fulfillment of requirements of current legislation and other normative legal acts; obtaining education and promotion; ensuring personal safety; control of quantity and quality of work performed and ensuring security of property and information; calculation and payment of wages, other remuneration; calculation and payment of taxes and insurance premiums; registration of execution certificates and certificates of disability; maintaining military records; conducting mandatory preliminary and periodic;
Providing employees with the benefits and guarantees stipulated by federal law for persons who have (adopted) children and persons with family obligations;
Fulfillment of the requirements of regulatory legal acts of the state statistical accounting bodies;
Fulfilling the requirements of the Labor Code of the Russian Federation on informing relatives about accidents;
Making a decision on the possibility of filling vacant positions by applicants who most fully meet the requirements of the Company;
Ensuring that persons who do not have permanent passes are able to enter the Company's territory and protected premises, and controlling their departure;
Conducting all kinds of practices of students in accordance with the curriculum, registration of temporary passes for the period of practice;
Enabling Customers to purchase/sell services and products offered/realized/purchased by the Company;
Performance of contractual obligations with customers, contractors, subcontractors, suppliers, students and other individuals and entities having contractual relations with the Company;
Forming reference materials for internal information support of the Company's activities;
Carrying out construction and installation and other work at the Company's facilities;
For other purposes permitted by the laws of the Russian Federation.

Processing of personal data is carried out in accordance with the content and volume of processed personal data to the stated processing purposes.

The Company does not allow processing of personal data that is inconsistent with the purposes of personal data collection, as well as redundant in relation to the stated purpose of personal data processing.

The Company does not collect and process personal data not required to achieve the purposes specified in paragraph 2.2 of the Policy, does not use the subjects' personal data for any purposes other than those specified.

It is not permitted to combine databases containing personal data whose processing is carried out for purposes that are incompatible with each other.

5. LEGAL BASIS FOR PROCESSING PERSONAL DATA

5.1 The legal basis for processing personal data is:

5.1.1 A set of legal acts, in execution of which and in accordance with which the Company carries out the processing of personal data:

Labor Code of the Russian Federation;
Tax Code of the Russian Federation;
Civil Code of the Russian Federation;
Federal Law of 26.12.1995 № 208-FZ "On Joint-Stock Companies";
Federal Law No. 149-FZ of 27.07.2006 "On Information, Information Technology and Information Protection";
Federal Law No. 27-FZ of April 1, 1996 "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System";
Federal Law No. 27-FZ of April 1, 1996 "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System";
Federal Law of 30.12.2008 N 307-FZ "On Auditing Activities";
Federal Law of 02.10.2007 № 229-FZ "On Enforcement Proceedings";
Federal Law No. 53-FZ of March 28, 1998 "On Military Duty and Military Service;
Federal Law No. 53-FZ of March 28, 1998 "On Military Duty and Military Service;
Decree of the Government of the Russian Federation of November 1, 2012 № 1119 "On approval of the requirements for the protection of personal data during their processing in personal data information systems;
Decree of the Government of the Russian Federation No. 719 of 27 November 2006 "On Approval of the Provisions on Military Registration";
Order of the Federal Service for Technical and Export Control (FSTEC of Russia) of February 18, 2013 № 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems;
Articles of Association of the Company.

Contracts concluded between the Operator and the subject of personal data (employment contracts, civil law contracts, student contracts, etc.).

Consent of the subject of personal data to the processing of his personal data.

Other normative documents and legislative acts of the Russian Federation.

6. VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS

6.1 The content and scope of processed personal data comply with the stated processing purposes provided for in Section 2 of this Policy. 2 of this Policy. Processed personal data is not excessive in relation to the stated purposes of its processing.

6.2 The Company processes personal data on the following categories of personal data subjects:

6.2.1 Individuals in an employment relationship with the Company (Company employees). Composition of processed data:

- Surname, first name, patronymic; sex; year, month and date of birth; place of birth; citizenship; information about the main identity document; taxpayer identification number (TIN); insurance number individual personal account (SNILS); compulsory health insurance policy (MHI); bank account number; registration address; address of actual place of residence; contact information; information on marital status and close relatives; photo image (not for identification purposes); information on education, qualifications and special knowledge or special training; information on academic degree, academic rank; information on professional development and retraining; information on employment and seniority; information on number, series and date of issue of a labor book and the records in it;

6.2.2 Individuals who are close relatives of the Company's employees. Composition of processed data:

- Individuals who are close relatives of the Company's employees. Composition of processed data:

6.2.3 Surname, first name, patronymic; degree of kinship; date of birth; place of work/study; position; address of residence, contact telephone numbers (mobile, home).

- Surname, first name, patronymic; sex; citizenship; date and place of birth; contact information; information about education, work experience, qualifications; other personal data reported by candidates in resumes and cover letters.

6.2.4 Individuals with whom an apprenticeship contract is signed, as well as students and trainees. Composition of the data processed:

- Surname, first name, patronymic; address of residence; passport data; contact number; education, qualifications, professional training and information about advanced training.

6.2.5 Individuals sent to the Company on business trips. Composition of processed data:

- surname, first name, patronymic; place of work; position; sex; date of birth; citizenship; passport data (date of issue, series, number, and who issued it); contact phone number.

6.2.6 Individuals who perform work or provide services and have entered into a civil contract with the Company. Composition of processed data:

- Surname, first name, patronymic; date and place of birth; passport data; residence registration address; contact data; substituted position; individual taxpayer number; settlement account number; other personal data necessary for the conclusion and execution of contracts.

6.2.7 Individuals who are representatives/employees of the customer, contractors, subcontractors, suppliers and other individuals and entities having contractual relations with the Company. Composition of processed data:

- surname, first name, patronymic; passport data; contact information; substituted position; other personal data provided by representatives, necessary for the conclusion and execution of contracts.

6.2.8 Other individuals who have given their consent to the processing of their personal data by the Company or individuals whose processing of personal data is necessary for the Company to achieve the processing goals set forth in Section 2 of this Policy.

6.3 The operator does not process biometric personal data (information that characterizes the physiological and biological characteristics of the person, on the basis of which you can identify him), in order to identify the person.

6.4 The operator processes special categories of personal data relating to health conditions in accordance with the laws of the Russian Federation.

7. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING

7.1 Processing of personal data

Processing of personal data includes the following main processes:

collection of personal data;
use of personal data;
storage of personal data;
transfer of personal data;
clarification of personal data;
blocking of personal data;
destruction of personal data.

7.2 Collection of personal data

7.2.1 If possible, personal data should be obtained personally from the subject of personal data (except when obtaining personal data from publicly available sources);

7.2.2 Receipt of personal data from third parties is possible only on the basis of a contract with these third parties or on the grounds stipulated by the legislation of the Russian Federation.

7.2.3 Personal data must be collected from the subject only with his or her written consent to process personal data. The following are exceptions:

processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions under the state pension provision, on labor pensions;
personal data is made publicly available by the subject of personal data;
Processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of others and obtaining the consent of the subject of personal data is impossible;
for other purposes permitted by the laws of the Russian Federation.

7.2.4 When collecting personal data, it is not allowed to record on the same material medium personal data of the subject, the purposes of which are known to be incompatible.

7.3 Use of personal data

7.3.1 The use of personal data collected in accordance with Section 7.2 of this Policy is carried out by employees of departments authorized to work with personal data.

7.4 Storage of personal data

7.4.1 Storage of personal data is carried out in a form that allows you to identify the subject of personal data, no longer than required by the objectives of its processing, unless the period of storage of personal data is not established by law, the contract, to which the subject of personal data.

7.4.2 Storage of personal data on tangible (paper) media is carried out by the Company in a way that eliminates unauthorized access to personal data, including the use of metal lockable cabinets, lockable bollards, safes.

7.4.3 Company employees with the right to access personal data are responsible for the storage of personal data at their workplaces, including automated workplaces.

7.4.4 Storage of personal data in the Company's information systems is carried out in accordance with the following requirements:

Unauthorized copying of personal data onto removable media is prohibited;
When storing personal data, conditions are observed to ensure the confidentiality and security of personal data;
storage of documents submitted in electronic form at the automated workplaces of employees is prohibited. Information from the above documents shall be stored in the information system of personal data, in specially designated sections with restricted user access;
Unauthorized access to personal data is excluded. Access is only allowed as part of job duties or as part of a contract, respectively.

7.4.5 Terms or conditions for termination of personal data processing:

The Company shall store the personal data of employees, former employees of the Company for seventy-five (75) years after the expiration of the employment contract with the employee;
during the retention period of documents in accordance with the established retention periods for certain categories of documents, unless otherwise provided for by federal law;
withdrawal of consent by the subject of personal data, unless otherwise stipulated by law.

7.4.6 When storing personal data on subjects processed by the Company, server equipment located in the Russian Federation is used.

7.5 Transfer (distribution and provision) of personal data

7.5.1 Transfer of personal data processed in the Company to third parties (including supervisory, law enforcement agencies) is possible only in cases expressly provided by applicable law of the Russian Federation and local regulations of the Company, or in the case of the consent of the subject of personal data.

7.5.2 Trans-border transfer of personal data, the territory of foreign states can be carried out by the Company in accordance with the provisions of Art. 12 of the Federal Law of 27.07.2006 № 152-FZ "On Personal Data". In this case, the Company shall, prior to the cross-border transfer of personal data, make sure that the foreign country, the territory of which is intended to transfer personal data, provides reliable protection of the rights of personal data subjects.

7.5.3 Transborder transfer of personal data in foreign countries that do not provide adequate protection of the rights of personal data subjects can be carried out only in cases:

availability of consent in writing of the subject of personal data for cross-border transfer of his personal data;
stipulated by international treaties of the Russian Federation;
stipulated by federal laws, if this is necessary in order to protect the foundations of the constitutional order of the Russian Federation, to ensure the defense of the country and the security of the state;
The contract, to which the subject of personal data is a party;
protection of life, health, other vital interests of the subject of personal data or other persons in case of impossibility to obtain consent in writing of the subject of personal data.

7.5.4 Dissemination of the subject's personal data is only possible with an appropriate Consent for dissemination of personal data, which is executed separately from other consents. This consent must contain a list of information that may be disseminated to an unlimited number of persons.

Dissemination of personal data processed in the Company is possible in case of use of information resources of the Company in the Internet (telephone directories, web-sites, etc.)

7.5.5 Provision of personal data processed by the Company is possible in the following cases:

The performance by employees of their job duties related to the processing of personal data;
within the framework of the execution of the legislation of the Russian Federation.

7.6 Clarification, blocking, destruction of personal data

7.6.1 If it is confirmed that the subject's personal data is inaccurate, the Company shall suspend its processing. Clarification of personal data is carried out by updating them: updates, changes.

7.6.2 If the Company discovers improper processing of the subject's personal data, it stops processing the data until the violations are eliminated.

7.6.3 When the purposes of personal data processing have been achieved or the personal data subject has withdrawn his or her consent, the personal data must be destroyed if:

Other than as provided for in the contract, to which the personal data subject is a party, beneficiary or guarantor;
The operator may not process without the consent of the subject of personal data on the grounds provided by the Federal Law of 27.07.2006 № 152-FZ "On Personal Data" or other federal laws;
Otherwise not stipulated by any other agreement between the Operator and the subject of personal data.

7.7 Methods of personal data processing

The Company processes personal data in the following ways:

with the use of automation;
without the use of automation.

8. SAFEGUARDING THE PRIVACY OF PERSONAL DATA

8.1 When working with documents and information containing personal data, Company employees observe the principle of confidentiality of personal data.

8.2 The Company has adopted a set of measures to comply with the requirements of confidentiality of personal data in the process of its processing, which allows to ensure:

Restrict access to personal data processed by the Company;
Preventing the disclosure of confidential information;
Identification of violations of the confidentiality regime;
Suppression of violations of the confidentiality regime;
Holding those who violate the confidentiality regime accountable.

8.3 Upon employment, each employee of the Company shall sign a nondisclosure obligation for confidential information, including personal data. The obligation of nondisclosure of personal data shall remain with the Company's employees even upon termination of the employment contract for three years.

8.4 The job descriptions of the Company's employees establish liability for failure to perform or improper performance of the Company's procedures and conditions for handling confidential information containing personal data.

9. FINAL CLAUSES

9.1 This Policy is an internal regulatory document of the Company.

9.2 This Policy is available for unrestricted access.

9.3 This Policy is subject to change, amendment in the following cases:

In case of changes in the legislation of the Russian Federation in the field of processing and protection of personal data;
In cases where orders have been received from competent governmental authorities to eliminate nonconformities affecting the scope of the Policy;
By decision of the management of the Company;
If there is a need to change the process of processing personal data related to the Company's activities.

9.4 In the event of non-compliance with the provisions of this Policy, the Company and its employees shall be held liable in accordance with the applicable laws of the Russian Federation.

9.5 Compliance with the requirements of this Policy is monitored by those responsible for organizing the processing of personal data of the Company, as well as for the security of personal data.