This document determines the policy of METALLOINVEST MC, LLC (hereinafter referred to as the Company) regarding personal data processing (hereinafter referred to as PD) of the Company's employees and other subjects of the PD.
The Company is a PD operator in accordance with the law of the Russian Federation on personal data.
The personal data processing policy of METALLOINVEST MC, LLC (hereinafter referred to as the Policy) has been developed according to the applicable laws of the Russian Federation on personal data, including:
Constitution of the Russian Federation;
Federal Law of the Russian Federation dated 27 July 2006 No. 152-ФЗ On Personal Data (hereinafter referred to as the FL On Personal Data);
Order of the Government of the Russian Federation dated 01 November 2012 No. 1119 On the Approval of Requirements to Personal Data Protection during Processing in Information Systems of Personal Data;
Order of the Government of the Russian Federation dated 15 September 2008 No. 687 On Approval of the Provision on Particularities of Personal Data Processing Performed without Automation Means;
other regulations, which regulate PD processing.
This Policy covers any action (operation) or a set of actions (operations) performed with or without automated means with PD including collection, recording, classification, accumulation, storage, clarification (update, amendment), extraction, use, transmission (distribution, provision, access), depersonalisation, blocking, deletion, destruction of PD.
This Policy is subject to review and, if necessary, update when significant amendments are made to the laws of the Russian Federation regarding personal data.
Personal data are any information which is directly or indirectly related to a particular or identifiable person (personal data subject);
Operator is a state authority, municipal authority, legal entity or person, which individually or collectively with other subjects organises personal data processing and determines objectives for personal data processing, content of personal data to be processed, activities (operations) made with personal data;
Personal data processing is any action (operation) or a set of actions (operations) made with or without automated means with personal data, including collection, recording, classification, accumulation, storage, clarification (update, amendment), extraction, use, transmission (distribution, provision, access), depersonalisation, blocking, deletion, destruction of personal data;
Automated personal data processing is personal data processing by means of computers;
Distribution of personal data refers to activities aimed at personal data disclosure to an unspecified group of persons;
Personal data provision refers to the activities aimed at personal data disclosure to a particular person or group of persons;
Personal data blocking is a temporary termination of personal data processing (except for cases when processing is necessary to clarify personal data);
Personal data destruction refers to activities which result in an inability to restore the content of personal data in the personal data information system and/or which result in destruction of physical devices containing personal data;
Personal data depersonalisation are activities which result in an inability to determine the belonging of personal data to a particular subject of personal data without additional information;
Personal data information system is a set of personal data contained in databases and information technologies and technical means, which ensure their processing;
Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign country to the authority of a foreign country, foreign person or foreign legal entity.
The Company processes PD based on the following principles:
PD are processed on a legal and equitable basis;
PD processing is limited to achieving particular pre-set and legal objectives;
PD processing which is not compatible with PD collection objectives is prohibited;
The combination of databases containing PD which are processed for incompatible purposes is prohibited;
The content and amount of PD processed comply with declared processing objectives. PD processed do not exceed the declared processing objectives;
During PD processing, the accuracy of PD and their sufficiency and, if necessary, relevance regarding the declared processing objectives are ensured;
The necessary measures are taken to delete or clarify incomplete or inaccurate PD;
PD are stored in a form which enables the identification of a PD subject for no longer than required by PD processing objectives, if a PD storage period is not determined by the federal law, contract, the party of which, beneficiary, or guarantee of which is a PD subject;
PD processed are subject to destruction or depersonalisation when processing objectives are met or if there is no longer a need to achieve these objectives, unless otherwise stipulated by the federal law.
The PD are processed by the Company in compliance with the principles and rules set by the FL On Personal Data and may be processed in the following cases:
PD are processed with PD subject's consent to their PD processing;
PD processing is necessary to achieve the objectives stipulated by the laws of the Russian Federation for performance and completing the functions, duties and responsibilities entrusted to the operator by the laws of the Russian Federation;
PD processing is necessary to implement a contract the party of which, beneficiary or guarantee of which is a PD subject and to make a contract on PD subject's initiative, or a contract according to which the PD subject will be a beneficiary or guarantee;
PD processing is necessary for the protection of life, health or other critical interests of the PD subject if the PD subject's consent cannot be obtained;
PD processing is necessary to implement rights or legal interests of the operator or third parties or to achieve socially significant objectives providing that PD subject's rights and freedoms are not violated thereat;
PD are processed for statistical or other study purposes under condition of full depersonalisation of PD. An exception is PD processing for the promotion of goods, works, services in the market by direct contact with potential customers using communication means;
PD is processed with the access of an unlimited group of persons provided by the PD subject or on his/her request (hereinafter referred to as personal data made public by the personal data subject).
The Company may include employees' PD in public PD sources; at the same time, the Company shall receive the written consent of the employee prior to processing his/her PD.
The Company may process personal data on employee's health under the following conditions:
In compliance with the laws on state social assistance, labour laws, retirement laws of the Russian Federation;
For the protection of life, health or other vital interests of the employee or for the protection of life, health or other vital interests of other persons, when it is not possible to receive the PD subject's consent;
To determine or implement the rights of an employee or third parties, as well as in connection with the administration of justice;
In compliance with the laws on compulsory insurance and insurance laws.
Biometric PD (the information which characterises the physiological and biological particularities of a person on the basis of which it is possible to identify the subject and which are used by the operator to identify the subject) are not processed by the Company.
The Company does not perform cross-border transfer of personal data.
Decisions which give rise to legal consequences for the PD subject or otherwise affect his/her rights and legal interests are not made on the basis of solely automated PD processing.
If the subject's written consent is to be obtained for his/her PD processing, this subject's consent may be given by both the PD subject and his/her representative in any form, which enables the fact of obtaining it to be confirmed.
When delegating PD processing to another entity, the Company enters into a contract (hereinafter referred to as operator's delegation) with this entity and receives the PD subject's consent unless otherwise stipulated by Federal Law. At the same time, in the operator's delegation the Company binds the entity which processes PD on behalf of the Company to comply with the principles and rules of PD processing stipulated by the FL On Personal Data.
When the Company delegates employee's PD processing to another entity, the Company is responsible for the activities of the specified entity before the PD subject. The subject who processes PD on behalf of the Company is responsible to the Company.
The Company and other subjects who gain access to the PD are obliged not to disclose the PD to third parties and not to share the PD without the PD subject's consent, unless otherwise stipulated by Federal Law.
According to FL On Personal Data, the Company shall:
Provide the PD subject with information regarding his/her PD processing on request, or provide a legally-based rejection, within thirty days from the receipt of the request from the PD subject or his/her representative.
Clarify, block or delete the PD processed on request from the PD subject if the PD are incomplete, obsolete, incorrect, were obtained illegally or are not necessary for the declared processing objective, within not more than seven working days from the date on which the PD subject or his/her representative provides the information confirming these facts.
Keep a Log of PD Subjects Requests, where PD subject requests for the PD receipt shall be registered, as well as the information on the PD provided under these requests.
Notify the PD subject of PD processing when the PD were not obtained from the PD subject. The following cases are exceptions:
The PD subject has been notified on the processing of his/her PD by the Company;
PD were obtained by the Company in connection with the execution of the Contract, the party of which, beneficiary or guarantee of which is the PD subject or on the basis of the Federal Law;
PD have been made public by the PD subject or obtained from a public source;
The Company processes PD for statistical or other study objectives if the rights and legal interests of the PD subject are not infringed;
Provision of the information contained in the Notification of PD processing to the PD subject infringes rights and legal interests of third parties.
If PD processing objectives are met, PD processing shall be stopped and the respective PD shall be destroyed during a period not more than thirty days from the date of meeting the PD processing objective, unless otherwise stipulated by the contract, the party of which, beneficiary or guarantee of which is the PD subject, another agreement between the Company and PD subject without PD subject's consent on the basis stipulated by the FL On Personal Data or other federal laws.
If the PD subject withdraws the consent for his/her PD processing, the PD processing shall be stopped and the PD shall be destroyed during a period not more than thirty days from the date of receipt of the specified withdrawal, unless otherwise specified in the agreement between the Company and the PD subject. The Company shall notify the PD subject of the PD destruction.
If requirements from a PD subject are received to terminate PD processing obtained for the promotion of goods, works, services in the market, PD processing shall be immediately terminated.
While processing PD, the Company uses all the necessary legal, organisational and technical measures to protect PD from inappropriate or accidental access, destruction, change, blocking, copy, provision, distribution of PD and from other inappropriate activities regarding PD.
PD safety is assured by the following measures:
Determination of threats for PD when processed in personal data information systems (hereinafter referred to as PDIS);
Use of organisational and technical measures to ensure PD safety when processed in the PDIS necessary to meet the requirements for PD protection, compliance with which assures PD protection levels established by the Government of the Russian Federation;
Evaluation of efficiency of PD safety assurance measures taken before PDIS is put into operation;
Accounting of machine-readable media containing PD;
Detection of unlawful access to PD and taking measures;
Restoration of PD modified or destroyed due to unlawful access;
Establishment of the rules of access to PD processed in the PDIS and assurance of registration and accounting of all the actions taken with PD in the PDIS;
Control over PD safety assurance measures and PDIS protection level.
A PD subject has the right to obtain the information regarding PD processing by the Company, namely:
Confirmation of PD processing by the Company;
Legal basis and objective of PD processing by the Company;
Methods used by the Company for PD processing;
Name and location of the Company, information on the entities (except for Company's employees), who have access to PD or to whom PD may be disclosed under the contract with the operator or under the Federal Law;
The PD processed, which are related to respective PD subject, source by which they were obtained, unless another procedure for these data provision is stipulated by Federal Law;
Terms of processing by the Company, including storage terms;
Procedure for the exercise by the PD subject of the rights stipulated by the FL On Personal Data;
Information on performed or supposed cross-border transfer of personal data;
Name, or surname, first name and patronymic, of the person who processes PD on behalf of the Company, if the processing has been delegated to such person;
Other information stipulated by the FL On Personal Data and other federal laws.
The PD subject may request the Company to clarify his/her PD, block or destroy them if PD are incomplete, obsolete, inaccurate, obtained illegally or are not necessary for the declared processing objective.
The PD subject has the right to withdraw the consent to PD processing in the cases stipulated by the law.
Application (request) from the PD subject to the operator for implementation of his/her right established by the FL On Personal Data shall be performed in writing according to the set form during a personal visit of the PD subject or his/her representative to the Company.
The request form shall be provided by the Company's employee responsible and shall be filled in by the PD subject or his/her representative and shall be signed in the presence of the specified employee.
After the request is received according to the set form, the employee responsible for the receipt of applications from the PD subjects shall review the information on the main identification document of the PD subject, the basis on which a person acts as a representative of the PD subject and original documents provided during the application indicated therein.
The answer to the request shall be sent to the PD subject in writing by mail to the address specified in the application.
The term of the answer forming and transmission to the postal department for sending shall not exceed thirty days from the date at which the request from the PD subject is received by the operator.
The term of making the necessary amendments to the PD which are incomplete, inaccurate or obsolete shall not exceed seven working days from the date of provision of the information confirming that PD are incomplete, inaccurate or obsolete by the PD subject or his/her representative.
The term of destruction of PD which have been illegally obtained or are not necessary for the declared processing objective shall not exceed seven working days from the date of provision of the information confirming that PD have been illegally obtained or are not necessary for the declared processing objective by the PD subject or his/her representative.
The PD subjects' right to access their PD is limited when PD provision infringes rights and legal interests of third parties.
If the information related to PD processing and PD processed are provided to the PD subject for familiarisation on his/her request, the PD subject may send a follow-up request to receive the information related to PD processing and familiarise with them not earlier than thirty days after sending the initial request, unless a shorter term is set by the Federal Law, legal act adopted in compliance with it or contract, the party of which or beneficiary or guarantee of which is the PD subject.
The PD subject may send a follow-up request to the Company to obtain the information related to PD processing and to familiarise with the PD processed before expiration of a thirty-day period, if such information and/or PD processed were not provided to him/her for familiarisation in full volume according to the results of the review of the initial request. A follow-up request must contain justification of sending the follow-up request.
The Company may reject the PD subject's follow-up request, if it does not comply with the terms stipulated by this Policy.
The Company's employees who have access to personal data of PD subjects are responsible for the integrity and confidentiality of PD.
Persons found guilty of infringement of the laws of the Russian Federation regarding personal data processing bear disciplinary, civil, administrative and criminal responsibility, according to the procedure stipulated by the applicable laws of the Russian Federation.