1. Introduction
1.1 The most important condition for the realization of the objectives of the activity of IE Pronin S.V. (brand "STEKLO") is to ensure the necessary and sufficient level of information security of information, which, among other things, includes personal data.
1.2 The Policy on personal data processing in IE Pronin S.V. (hereinafter - the Policy) defines the procedure for collection, storage, transfer and other types of personal data processing in IE Pronin S.V. (hereinafter - the Company), as well as information about the requirements for personal data protection.
1.3 The Policy is developed in accordance with the current legislation of the Russian Federation.
2. Composition of personal data
2.1 Information constituting personal data is any information relating to a directly or indirectly defined or identifiable natural person (subject of personal data). The detailed list of personal data is fixed in the local regulatory documentation of IE Pronin S.V..
2.2 All personal data processed by IE Pronin S.V. is confidential, strictly protected information in accordance with the law.
3. Purposes of personal data processing
3.1 Personal data are processed by IE Pronin S.V. for the purposes of labor and other contractual relations, personnel, accounting, tax accounting, as well as for the purposes of retail and wholesale activities on the grounds provided for by Article 22 of the Federal Law of 27.06.2006 № 152-FZ, 85-90 of the Labor Code of the Russian Federation.
3.2 For the purpose of proper fulfillment of its obligations as an Operator, Pronin S.V. shall process the following personal data necessary for proper fulfillment of contractual obligations:
- personal data of the Operator's employees who have labor relations with the Operator;
- personal data of other individuals, including, but not limited to, those in contractual, apprenticeship, civil law relations with the Operator, including, but not limited to, apprentices, customers, regular customers.
4. Procedure for collection, storage, transfer and other types of personal data processing
4.1 Personal data processing carried out without the use of automation means is carried out in such a way that it is possible to determine the storage locations of personal data (material carriers) for each category of personal data. The Operator has established a list of persons who process personal data or have access to them. Separate storage of personal data (tangible media) processed for different purposes is ensured. The operator ensures the safety of personal data and takes measures to prevent unauthorized access to personal data.
4.2 Processing of personal data carried out with the use of automation tools shall be carried out provided that the following actions are performed:
- The operator carries out technical measures aimed at preventing unauthorized access to personal data and (or) transferring them to persons who do not have the right of access to such information;
- security tools are configured for timely detection of unauthorized access to personal data;
- technical means of automated processing of personal data are isolated in order to prevent the impact on them, as a result of which their functioning may be disturbed;
- The Operator performs data backup in order to be able to immediately restore personal data modified or destroyed due to unauthorized access to it;
- exercises constant control over ensuring the level of protection of personal data.
5. Information on implemented requirements to personal data protection
5.1 The Operator shall carry out the following activities:
- determines threats to the security of personal data during their processing, forms threat models on their basis;
- develops, based on the threat model, a personal data protection system ensuring the neutralization of anticipated threats using methods and techniques of personal data protection provided for the relevant class of information systems;
- Forms a plan of inspections of readiness of new information protection means for use with drawing up conclusions on the possibility of their operation;
- installs and puts into operation information protection means in accordance with the operational and technical documentation;
- conducts training of persons using information protection means applied in information systems on the rules of working with them;
- keeps records of applied information protection means, operational and technical documentation, personal data carriers;
- keeps records of persons authorized to work with personal data in the information system;
- exercises control over compliance with the conditions for the use of information protection means stipulated in the operational and technical documentation;
- has the right to initiate proceedings and drawing conclusions on the facts of non-compliance with the conditions of storage of personal data carriers, use of information protection means, which may lead to violation of personal data confidentiality or other breaches resulting in the reduction of personal data protection level, development and implementation of measures to prevent possible dangerous consequences of such breaches;
- has a description of the personal data protection system.
5.2 For development and implementation of specific measures to ensure personal data security during their processing in the information system by the Operator or authorized person, the Operator's information technology department shall be responsible. Persons whose access to personal data processed in the information system is necessary for performance of official (labor) duties are allowed to access the relevant personal data on the basis of the list approved by the Operator. Requests of the information system users to obtain personal data, as well as the facts of providing personal data on these requests are registered by automated means of the information system in the electronic log of requests. The content of the electronic log of requests is periodically checked by the relevant officials (employees) of the Operator or authorized person. In case of detection of violations of the procedure of personal data provision, the Operator or the authorized person shall immediately suspend the provision of personal data to the users of the information system until the causes of violations are identified and eliminated.
6. Rights and obligations of the Operator
6.1. IE Pronin S.V. as the Operator of personal data has the right:
- to plead your case in court;
- provide personal data of the subjects to third parties, if this is provided for by applicable law (tax, law enforcement agencies, etc.);
- refuse to provide personal data in cases stipulated by law;
- use personal data of the subject without his/her consent, in cases stipulated by the legislation.
7. Rights and obligations of the subject of personal data
7.1 The subject of personal data has the right:
- to demand clarification of his/her personal data, their blocking or destruction in case the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his/her rights;
- request a list of his/her personal data processed by the Operator and the source of their receipt;
- receive information on the timeframes for processing their personal data, including the timeframes for storing them;
- require notification of all persons who have been previously informed of incorrect or incomplete personal data about all exceptions, corrections or additions made thereto;
- to appeal to the authorized body for the protection of the rights of personal data subjects or in court against unlawful acts or omissions in the processing of his/her personal data;
- to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
8. Final provisions
8.1 This Policy is subject to change, amendment in case of new legislative acts and special regulatory documents on processing and protection of personal data.
8.2 This Policy is an internal document of IE Pronin S.V., and is subject to placement on the official websites of IE Pronin S.V. trademarks.
8.3 Control over the fulfillment of the requirements of this Policy shall be carried out by the person responsible for personal data security of IE Pronin S.V..