This Personal Data Processing Policy (hereinafter — the "Policy") has been developed pursuant to Article 18.1 of Federal Law 152-FZ "On Personal Data", the requirements of the Constitution of the Russian Federation, the Council of Europe Convention on the Protection of Individuals with regard to Automated Personal Data Processing, international treaties to which the Russian Federation is a party, federal laws, and other regulations of the Russian Federation concerning personal data.
This Policy shall apply to relations involving the processing and security assurance of sensitive data that may be qualified as personal data pursuant to the legislation of the Russian Federation (hereinafter — "Personal Data, PD").
This Policy determines ground rules, objectives, procedure, and terms of processing Personal Data of employees of ZAO (JSC) CROC incorporated (hereinafter — the "Company") and other subjects whose Personal Data is processed by the Company. This Policy sets forth provisions concerning liability of the Company and its employees for violation of personal data processing legislation.
This Policy is a public document available on the Company’s official website. This Policy shall not apply to relations arising out of:
All the Company employees shall follow this Policy.
PD means Personal Data
PDIS means Personal data information systems
UA means Unauthorized access
The Company shall process PD in accordance with the following principles:
The Company shall process personal data in order to carry out its activities pursuant to the legislation of the Russian Federation and the Company’s Articles of Association.
The Company shall process PD (using or without automation tools) of the following subjects:
The Company shall process PD of the following categories:
The Company has appointed a person responsible for PD processing arrangement.
The Company has appointed a person responsible for PD and PD information system security.
The Company has appointed persons responsible for PD processing arrangement within business units.
The Company employees take part in PD processing within the scope of their job duties.
The Company may process PD in the following cases:
The Company may only include PD subjects into publicly available PD sources as required by the federal legislation or upon receipt of PD subject’s written consent.
The Company shall carry out cross-border transmission of employees’ PD for the purpose of fulfillment of contractual obligations by counterparties only upon PD subject’s written consent.
The Company shall not, solely based on automated PD processing, make any decisions that may entail legal consequences for PD subject or otherwise affect its rights and legitimate interests.
Unless otherwise stipulated by the federal law, the Company may only assign PD processing to another person upon the consent of the PD subject, based on an agreement entered into with that person (hereinafter — "Processor’s assignment"). In this case the Company shall oblige the person assigned to process PD to comply with the PD processing principles and rules stipulated in the federal law. If the Company assigns PD processing to another person, the Company shall be liable to the PD subject for the actions of that person. The person assigned by the Company to process PD shall be liable to the Company.
The Company shall not itself, and shall oblige other persons having access to PD not to, disclose PD to third parties or disseminate PD without the PD subject’s consent, unless otherwise stipulated by the federal law.
The Company shall terminate PD processing in the following cases:
When processing PD, the Company takes all necessary legal, organizational and technical measures to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, submission, distribution, and other wrongful acts with respect to PD.
The Company takes the following measures to arrange processing and protection of PD that is processed without using automation tools, including:
information systems are implemented, including:
The Company is responsible for personal data processing and protection in compliance with legislation. All the Company employees involved in PD processing are responsible for compliance with this Policy and other internal regulations of the Company relating to PD processing and security.
Any employee who becomes aware of a violation of this Policy or suspects such a violation must report it to a person responsible for organization of PD processing, in compliance with the procedures adopted in the Company.
Any violations of this Policy and other internal regulations of the Company relating to PD processing and security shall be investigated in compliance with procedures adopted in the Company.
Persons found guilty of violating the established order and procedures of PD processing and security may be subject to disciplinary, financial, civil, administrative and criminal liability in compliance with the legislation of the Russian Federation.