Regulation on the collection, processing, storage and protection of personal data. - Yekaterinburg.
1. Terms and definitions
Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
Personal data information system - a set of personal data contained in databases, together with the information technologies and technical means that provide for their processing;
Limited access information - information to which access is limited by federal laws;
Use of personal data - actions (operations) with personal data performed by the operator in order to make decisions or take other actions that give rise to legal consequences in relation to the subject of personal data or other persons or otherwise affect the rights and freedoms of the subject of personal data or other persons;
Confidentiality of personal data - a requirement, binding on the operator or any other person who has gained access to personal data, not to disclose personal data to third parties and not to distribute it without the consent of the subject of personal data or other legal grounds;
Anonymization of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine which specific subject the personal data belongs to;
Personal data processing - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
Publicly available personal data - personal data to which an unlimited number of persons is given access with the consent of the subject of personal data, or to which, in accordance with federal laws, the requirement of confidentiality does not apply;
Operator - a state body, municipal body, legal or natural person, independently or jointly with other persons, organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
Personal data - any information relating directly or indirectly to a specific or determined individual (subject of personal data);
Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons;
Worker - an individual who has entered into an employment relationship with an employer;
Employer - an agency that has entered into an employment relationship with an employee;
Distribution of personal data - actions aimed at the disclosure of personal data to an indefinite circle of persons;
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
2. General Provisions
The Regulation on the protection of personal data (hereinafter - the Regulation) is developed in accordance with the Constitution of the Russian Federation, Federal Law dated July 27, 2006 No. 152 "On Personal Data", Decree of the President of the Russian Federation dated March 6, 1997 No. 188 "On approval of the list of information of a confidential nature", and other regulatory acts.
This Regulation establishes the requirements for the processing and protection of personal data and determines the rights, duties and responsibilities of the employees of the Inter Stage Theater Agency (hereinafter referred to as the Agency). The Agency is the operator of personal data.
Agency employees are allowed to process personal data of customers in the amount determined by job responsibilities.
The requirements of this Regulation are communicated against signature to all Agency employees directly processing the personal data of the Company's customers.
3. The concept and composition of personal data
The processing of personal data at the Agency is carried out in the amount determined by the list of information constituting personal data. The Agency processes the personal data of customers in order to fulfill customer orders. Personal data may be contained on paper or electronic media, as well as in information and telecommunication networks and other information systems.
The agency independently establishes methods for processing personal data depending on the purposes of such processing and material and technical capabilities.
Composition of personal data when registering on the site:
- electronic address / e-mail (required) - is an individual identifier of the client, as well as an address for electronic notifications of orders, information and advertising mailings;
- password (required) - is a confirming client identifier for entering the user part of the site;
- surname / first name (required) - used by Agency employees to address the client;
- telephone (required) - serves for direct contact between the Agency and the client when confirming and clarifying the order, for delivery notifications and other messages of an informational and advertising nature;
- address (optional) - serves to store the delivery address of customer orders;
- date of birth (optional) - is used to send gift certificates or gifts to the client.
Composition of personal data when placing an order:
- email address / e-mail (required) - is the address for electronic order notifications;
- surname / first name (required) - used by Agency employees to address the client;
- telephone (required) - serves for direct contact between the Agency and the client when confirming and clarifying the order and, if necessary, for notifications of delivery of the order;
- address (optional) - serves to determine the delivery address of the customer’s order;
- bank details (optional) - used to issue an invoice for payment of the order in case of non-cash payment by bank transfer.
Personal data submitted through the Feedback form and the Request for price reduction form on the website is not stored and is not subsequently processed.
4. Processing of personal data
The processing of personal data of Agency clients necessary for its normal functioning is carried out by authorized persons in compliance with all the mandatory and necessary requirements of the legislation of the Russian Federation. The processing of personal data of Agency clients is carried out by employees only at workplaces allocated for the performance of their official duties.
The collection of personal data of the Company's customers can be carried out solely for the purposes of:
- the provision of services and the execution of orders for the purchase of goods in the Agency;
- execution of contracts to which personal data subjects are parties;
- other cases determined by the activities of the Agency.
The volume and nature of the processed personal data, the methods of processing personal data must comply with the purposes of processing personal data. The processing of personal data that is excessive in relation to the goals stated during the collection of personal data is not allowed. Personal data of clients can be obtained both from the subject of personal data and from a third party.
A notice on the processing of personal data of a subject received from a third party should include the following information:
- name or surname, name, patronymic and address of the operator or his representative;
- the purpose of the processing of personal data and its legal basis;
- prospective users of personal data;
- source of personal data.
The Agency does not have the right to receive and process personal data regarding race, nationality, political views, religious or philosophical beliefs, as well as the state of health and intimate life of the subject of personal data without his written consent. All documents containing personal data of the Company’s customers must be destroyed in accordance with the established procedure upon reaching the purpose for which they were collected and used.
5. Access to personal data
Persons who need access to personal data processed in the information systems of the Company in order to perform their official (labor) duties are granted access to the relevant personal data on the basis of a list approved by the Agency.
Persons with access to personal data agree to maintain the confidentiality of personal data and the rules for their processing, and also have the right to receive and process only those personal data that they need to perform specific labor functions.
State bodies exercising control (supervision) functions are granted access rights to personal data processed by the Agency only in the scope of their competence and in the manner provided by applicable law.
The Agency’s client or his representative has the right to free access to his personal data, to receive copies thereof (except as otherwise provided by federal law) on the basis of an appeal or a written request.
6. Transfer of personal data
It is forbidden to transfer personal data to a third party without the consent of the personal data subject, unless it is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by the legislation of the Russian Federation.
The personal data of the subject can be provided to relatives or members of his family, as well as representatives of the subject only with the permission of the subject, with the exception of cases where the transfer of personal data of the subject without his consent is allowed by the current legislation of the Russian Federation.
All facts of the transfer of personal data to third parties should be recorded in the Journal of accounting for the transfer of information containing personal data. This Journal shall indicate information about the request received (who is the sender of the request, the date it was received), the date of the response to the request, data, what information was transmitted, or a note about the refusal to provide it.
7. Protection of personal data
The protection of the rights of subjects of personal data from the unlawful use of their personal data or their loss is provided by the Agency, in the manner prescribed by applicable law, by the implementation of a set of organizational and technical measures to ensure their safety.
Documents on paper containing personal data must be stored in securely locked storage facilities (they can be stored in non-locked cabinets, provided that access by unauthorized persons to the storage facilities is excluded).
The organization of the protection of personal data in the information systems of the Company is carried out as part of the information protection system in the Agency. Access to the Agency’s information systems containing personal data is provided by a password system, as well as software and hardware tools for protecting information.
The storage of personal data should occur in an order that excludes their loss or their unlawful use. It is not allowed to answer questions related to the transfer of personal information by phone or fax.
8. Rights of subjects to protect their personal data
In order to ensure the protection of their personal data, the subject has the right:
- to receive complete information about their personal data and the processing of this data (including automated processing);
- to have free access to their personal data, including the right to receive copies of any record containing personal data, with the exception of cases provided for by the Federal Law;
- to demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the Federal Law;
- to require the Agency or its authorized person to notify all persons who previously reported incorrect or incomplete personal data about all changes made to it or exclusions from it;
- to appeal in court any illegal actions or inaction of the head of the organization or his authorized person in the processing and protection of personal data.
9. Responsibility for violation of the rules governing the processing and protection of personal data
Officials with access to personal data are personally responsible for violation of the personal data protection regime in accordance with the legislation of the Russian Federation. Employees of the Agency, to whom information about personal data became known due to their official position, are responsible for their disclosure. Obligations to maintain the confidentiality of personal data remain valid after the work of the above persons is completed.
Workers whose responsibility is the processing of personal data are required to provide each client of the Agency, if necessary, the opportunity to familiarize themselves with documents and materials directly affecting their rights and freedoms, unless otherwise provided by law. Unlawful refusal to provide documents collected in the prescribed manner, untimely provision of such documents or other information in cases provided by law, or the provision of incomplete or knowingly false information entails the imposition of an administrative fine on them in the amount determined by the Code of Administrative Offenses.
Persons guilty of violating the rules governing the receipt, processing and protection of personal data are brought to disciplinary and material liability in the manner prescribed by federal laws, as well as are brought to civil, administrative and criminal liability in the manner established by the legislation of the Russian Federation.