Policy of personal data protection

General working conditions 

 APPROVED 

 Managing Director of NPO Uran 

 Cherepkova N. And. 29.07.2019 year

1. General provisions 

1.1. Personal data processing policy at SPE URANUS (hereinafter referred to as the Policy) defines the basic principles, goals, conditions and methods of personal data processing, lists of subjects and personal data processed in the organization, the functions of SPEURANUS in the processing of personal data, the rights of personal data subjects, as well as the requirements for personal data protection implemented in the organization. 

1.2. The policy is developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data. 

1.3. The Policy provisions serve as the basis for the development of local regulations that regulate the processing of personal data of employees of the organization and other personal data subjects in SPE URANUS. 

2. Legislative and other normative legal acts of the Russian Federation that determine the policy for processing personal data in SPE URANUS 

2.1. The personal data processing policy of SPE URANUS is determined in accordance with the following regulatory legal acts:

• Federal law No. 152-FZ of July 27, 2006 " on personal data»; 

• Decree of the President of the Russian Federation of March 06, 1997 No. 188 " on approval Of the list of confidential information»; 

• Labor code of the Russian Federation; 

• resolution of the Government of the Russian Federation of September 15, 2008 No. 687 " on approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools»; 

• resolution of the Government of the Russian Federation of July 6, 2008 No. 512 " on approval of requirements for material carriers of biometric personal data and technologies for storing such data outside of personal data information systems»; 

• resolution of the Government of the Russian Federation of November 1, 2012 No. 1119 " on approval of requirements for the protection of personal data when processing them in personal data information systems»; 

• order of FSTEC of Russia No. 55, FSB of Russia No. 86, Ministry of Digital Development, Communications and Mass Media of the Russian Federation The goals of the Ministry 2012-2018 

• Main events of Russia No. 20 of February 13, 2008 "On approval Of the procedure for classification of personal data information systems»; 

• order of the FSTEC of Russia dated February 18, 2013 No. 21 " on approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems»; 

• Roskomnadzor order No. 996 dated September 05, 2013 " on approval of requirements and methods for depersonalization of personal data»; 

• other normative legal acts of the Russian Federation and normative documents of authorized state authorities. 

2.2. In order to implement the Policy provisions, SPE URANUS develops relevant local regulations and other documents. 

3. Principles and purposes of personal data processing 

3.1. SPE URANUS processes personal data of employees of the organization and other personal data subjects who are not in labor relations with SPE URANUS 

3.2. The processing of personal data in SPE URANUS in is carried out taking into account the need to protect the rights and freedoms of employees of the organization and other personal data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles: 

• personal data is processed by the organization on a legal and fair basis; 

• the processing of personal data is limited to the achievement of specific, predetermined and legitimate goals; 

• personal data processing that is incompatible with the purposes of personal data collection is not allowed; 

• it is not allowed to combine databases containing personal data that are processed for purposes incompatible with each other; 

• only personal data that meets the purposes of processing are subject to processing; 

• the content and volume of personal data processed corresponds to the stated purposes of processing. Redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed; 

• when processing personal data, we ensure the accuracy of personal data, their sufficiency, and, where necessary, their relevance to the purposes of personal data processing. SPE URANUS takes the necessary measures or ensures that they are taken to delete or clarify incomplete or inaccurate personal data; 

• storage of personal data is carried out in a form that allows you to determine the subject of personal data, no longer than required for the purpose of processing personal data, unless the term of storage of personal data is established by Federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor; 

• the processed personal data is destroyed or depersonalized upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by Federal law. 

3.3. Personal data is processed by SPE URANUS for the following purposes:

• ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, and local regulations of SPE URANUS; 

• performing the functions, powers and duties assigned by the legislation of the Russian Federation to LLC NPO Uran, including providing personal data to state authorities, the Pension Fund of the Russian Federation, the social insurance Fund of the Russian Federation, the Federal compulsory medical insurance Fund, and other state bodies; 

• regulation of labor relations with employees of the organization (assistance in employment, training and promotion, personal security, control of the quantity and quality of work performed, ensuring the safety of property); 

• providing employees of SPE URANUS with additional guarantees and compensation, including voluntary medical insurance, medical care and other types of social security; 

• protection of life, health or other vital interests of personal data subjects; 

• preparation, conclusion, execution and termination of contracts with contractors; 

• formation of reference materials for internal information support of the activities of SPE URANUS 

• execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings; 

• implementation of the rights and legal interests of SPE URANUS in the framework of activities provided for by the Charter and other local regulations of the organization; 

• for other legitimate purposes. 

4. List of subjects whose personal data is processed in SPE URANUS 

4.1. SPE URANUS processes personal data of the following categories of subjects 

• employees of SPE URANUS; 

• other personal data subjects (to ensure the implementation of the processing purposes specified in section 3 of the Policy). 

5. List of personal data processed by SPE URANUS 

5.1. The list of personal data processed by SPE URANUS is determined in accordance with the legislation of the Russian Federation and local regulations of SPE URANUS, taking into account the purposes of personal data processing specified in section 3 of the Policy. 

6. Functions of SPE URANUS in the processing of personal data 

6.1. SPE URANUS in the implementation of the processing of personal data: 

• takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation and local regulations of SPE URANUS in the field of personal data; 

• takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data; 

• appoints the person (s) responsible for organizing the processing of personal data in SPE URANUS; 

• issues local regulations that define the policy and issues of processing and protection of personal data in SPE URANUS 

• familiarizes employees of SPE URANUS who directly process personal data with the provisions of the legislation of the Russian Federation and local regulations of SPE URANUS in the field of personal data, including requirements for personal data protection; 

• publishes or otherwise provides unrestricted access to this Policy; 

• informs the personal data subjects or their representatives in accordance with the established procedure about the availability of personal data related to the relevant subjects, provides an opportunity to get acquainted with these personal data when contacting and (or) receiving requests from the specified personal data subjects or their representatives, unless otherwise established by the legislation of the Russian Federation; 

• stops processing and destroys personal data in cases stipulated by the legislation of the Russian Federation in the field of personal data; 

• performs other actions stipulated by the legislation of the Russian Federation in the field of personal data. 

7. Terms of personal data processing in SPE URANUS 

7.1. The processing of personal data in SPE URANUS is carried out with the consent of the personal data subject to the processing of his personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data. 

7.2. SPE URANUS does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by Federal law. 

7.3. SPE URANUS has the right to entrust the processing of personal data to another person with the consent of the personal data subject on the basis of a contract concluded with this person. The agreement must contain a list of actions (operations) with personal data that will be performed by the person processing personal data, the purpose of processing, the obligation of such person to respect the confidentiality of personal data and ensure the security of personal data during their processing, as well as requirements for the protection of personal data processed in accordance with article 19 of the Federal law "on personal data". 

7.4. Access to personal data processed by SPE URANUS is allowed only to employees of the organization who hold positions that give the Company an Obligation to not disclose personal data of employees. 

8. List of actions with personal data and ways to process them. 

8.1. SPE URANUS carries out the collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision), blocking, deletion and destruction of personal data. 

8.2. Processing of personal data in SPE URANUS is carried out in the following ways: 

• automated processing of personal data;

• automated processing of personal data. 

9. Rights of personal data subjects 

9.1. Personal data subjects have the right to: 

• full information about their personal data processed by SPE URANUS 

• access to their personal data, including the right to obtain a copy of any record containing their personal data, except as provided by Federal law; 

• clarification of your personal data, blocking or destruction if your personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing; 

• revocation of consent to the processing of personal data; 

• taking legal measures to protect their rights; 

• appeal to the authorized body for the protection of the rights of personal data subjects or to the court against an action or omission of SPE URANUS that violates the requirements of the legislation of the Russian Federation in the field of personal data; 

• exercise of other rights stipulated by the legislation of the Russian Federation. 

10. Measures taken by SPE URANUS to ensure compliance with obligations in the processing of personal data 

10.1. Measures necessary and sufficient to ensure that SPE URANUS fulfills its obligations under the legislation of the Russian Federation in the field of personal data include: 

• appointment of the person (s) responsible for organizing the processing of personal data in SPE URANUS 

• adoption of local regulations and other documents in the field of personal data processing and protection; 

• organizing training and conducting methodological work with employees who hold positions where personal data is processed; 

• obtaining the consent of personal data subjects to the processing of their personal data, except in cases stipulated by the legislation of the Russian Federation; 

• separation of personal data processed without the use of automation tools from other information, in particular by fixing them on separate material carriers of personal data, in special sections; 

• ensuring separate storage of personal data and their material carriers, which are processed for different purposes and which contain different categories of personal data; 

• establishing a ban on the transfer of personal data over open communication channels, computer networks outside of protected or controlled Internet communication channels without applying the measures established in SPE URANUS to ensure the security of personal data (with the exception of publicly available and (or) depersonalized personal data); 

• storage of material carriers of personal data in compliance with the conditions that ensure the safety of personal data and prevent unauthorized access to them; 

• internal control of compliance of personal data processing with the Federal law "on personal data" and this Policy of SPE URANUS ; 

• other measures provided for by the legislation of the Russian Federation in the field of personal data. 

11. Monitoring compliance with the legislation of the Russian Federation and local regulations of SPE URANUS in the field of personal data, including requirements for personal data protection 

11.1. Internal control over compliance of SPE URANUS with the legislation of the Russian Federation and local regulations of SPE URANUS in the field of personal data, including requirements for personal data protection, is performed by the person (s) responsible for organizing the processing of personal data in SPE URANUS. 

11.2. Personal responsibility for compliance with the requirements of the legislation of the Russian Federation and local regulations of SPE URANUS in the field of personal data in the organization, as well as for ensuring the confidentiality and security of personal data is assigned to the head(s) of the organization. 

11.3. By email address director@spe-uranus.com the Manager(s) may receive suggestions for improving personal data processing activities, as well as requests from employees and third parties.