1. General Provisions
1.1. This Personal Data Processing Policy of ASP-AQUA Limited Liability Company (hereinafter referred to as the «Policy») has been developed in accordance with c.2, p.1, Article 18.1 of Federal Law No. 152-FZ dated 27.07.2006 «On Personal Data» (hereinafter referred to as the «Personal Data Law») in order to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. This Policy applies to all personal data processed by ASP-AQUA Limited Liability Company (hereinafter referred to as the «Operator», ASP-AQUA LLC).
1.3. This Policy applies to all personal data processing activities of the Operator, regardless of whether such relations arose before or after the approval of this Policy.
1.4. In compliance with the requirements of p.2 of Article 18.1 of the Law «On Personal Data», this Policy is published freely on the Internet on the Operator’s website.
2. Terms and Abbreviations Used
Personal data (PD) – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).
Personal data permitted by the subject for dissemination – personal data that the subject has made accessible to an unlimited number of persons by giving consent for the processing of such data for dissemination.
Personal data operator (Operator) – a government body, municipal authority, legal or natural person that, independently or jointly with others, organizes and/or performs the processing of personal data, as well as determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data.
Processing of personal data – any action (operation) or set of actions (operations) performed on personal data, with or without the use of automation tools. Personal data processing includes, but is not limited to:
- collecting;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (updating, modification);
- retrieval;
- usage;
- transfer (provision, access);
- dissemination;
- anonymization;
- blocking;
- deletion;
- destruction.
Automated processing of personal data – processing of personal data using computing equipment.
Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite group of persons.
Blocking of personal data – temporary cessation of the processing of personal data (except in cases where processing is necessary to clarify personal data).
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or which result in the destruction of tangible media containing personal data.
Anonymization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to identify the data as relating to a specific personal data subject.
Personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity.
Personal data protection – activities aimed at preventing leaks of protected personal data and unauthorized or accidental access, use, alteration, or destruction of such data.
3. Procedure and Conditions for Processing and Storage of Personal Data
3.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. Personal data is processed with the consent of the personal data subjects, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
3.3. Consent to the processing of personal data allowed by the personal data subject for dissemination is executed separately from other consents given by the subject for the processing of their personal data.
3.4. Consent to the processing of personal data allowed for dissemination may be provided to the Operator:
— directly;
— through the information system of the authorized body for the protection of personal data subjects’ rights.
3.5. The Operator carries out both automated and non-automated processing of personal data.
3.6. Only those employees of the Operator whose job responsibilities include the processing of personal data are allowed to process personal data.
3.7. Personal data is processed by:
— obtaining personal data orally or in writing directly with the consent of the subject to the processing or dissemination of their personal data;
— entering personal data into the Operator’s journals, registers, and information systems;
— using other methods of processing personal data.
3.8. Disclosure and dissemination of personal data to third parties without the consent of the personal data subject is not allowed unless otherwise provided by federal law.
3.9. Personal data may be transferred to investigative and inquiry authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorized executive authorities and organizations in accordance with the legislation of the Russian Federation.
3.10. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, dissemination, and other unauthorized actions, including:
— identifying threats to the security of personal data during processing;
— adopting local regulations and other documents governing the processing and protection of personal data;
— appointing persons responsible for ensuring the security of personal data in structural divisions and information systems of the Operator;
— creating necessary conditions for working with personal data;
— organizing the accounting of documents containing personal data;
— managing work with information systems that process personal data;
— storing personal data in conditions ensuring its safety and preventing unauthorized access;
— organizing training for Operator employees engaged in personal data processing.
3.11. The Operator stores personal data in a form that allows identification of the data subject for no longer than required to achieve the purposes of processing unless a longer storage period is established by federal law, contract, or agreement.
3.12. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation, except as provided by the Personal Data Law.
3.13. Purposes of processing personal data:
3.13.1. Only personal data that correspond to the purposes of processing shall be processed.
3.13.2. The Operator processes personal data for the following purposes:
— compliance with the Constitution, federal laws, and other regulatory legal acts of the Russian Federation;
— conducting business activities in accordance with the charter of ASP-AQUA LLC;
— maintaining personnel records;
— assisting employees with employment, education, career advancement, ensuring personal safety of employees, monitoring the quantity and quality of work performed, and protecting property;
— recruiting and selecting job candidates for employment with the Operator;
— organization of individual (personalized) employee registration in the mandatory pension insurance;
— preparing and submitting mandatory reports to executive authorities and other authorized organizations;
— implementation of civil law relations;
— maintaining accounting records;
— managing access control.
3.14.3. Processing of employees’ personal data may only be carried out for the purpose of complying with laws and other legal regulations.
3.15. Categories of personal data subjects:
Personal data is processed for the following PD subjects:
— individuals employed by ASP-AQUA LLC;
— individuals who have left employment with ASP-AQUA LLC;
— individuals applying for employment;
— individuals who have entered into civil-law relations with ASP-AQUA LLC.
3.16. PD processed by the Operator:
— data obtained during employment;
— data obtained during the selection of candidates for employment;
— data obtained during civil-law relations.
3.17. Storage of PD.
3.17.1. PD may be received, further processed, and stored both on paper and in electronic form.
3.17.2. PD on paper is stored in lockable cabinets or locked rooms with restricted access.
3.17.3. PD processed for different purposes using automation tools is stored in separate folders.
3.17.4. Storage and placement of documents containing PD in open electronic directories (file-sharing services) within the PDIS is not permitted.
3.17.5. PD is stored in a form that allows identification of the subject for no longer than required to fulfill the purposes of processing, and must be destroyed once the purpose is achieved or the need for it no longer exists.
3.17. Destruction of PD.
3.17.1. Destruction of documents (media) containing PD is carried out by burning, shredding, chemical decomposition, or converting into shapeless mass or powder. Shredders may be used to destroy paper documents.
3.17.2. PD on electronic media is destroyed by deleting or formatting the storage device.
3.17.3. The destruction of PD is documented by an act confirming the destruction of the media.
4. Personal Data Protection
4.1. In accordance with regulatory requirements, the Operator has established a Personal Data Protection System (PDPS), which consists of legal, organizational, and technical protection subsystems.
4.2. The legal protection subsystem is a set of legal, organizational-administrative, and regulatory documents that ensure the creation, operation, and improvement of the PDPS.
4.3. The organizational protection subsystem includes the organization of PDPS management structure, the access control system, and information protection during interactions with employees, partners, and third parties.
4.4. The technical protection subsystem consists of a set of technical, software, and hardware-software tools that ensure the protection of personal data.
4.4. The main PD protection measures used by the Operator include:
4.5.1. Appointing a person responsible for PD processing, who organizes the processing of PD, conducts training and instruction, and oversees internal compliance by the institution and its employees with PD protection requirements.
4.5.2. Identifying current security threats to PD when processed in PDIS and developing appropriate protective measures and activities.
4.5.3. Development of a personal data processing policy.
4.5.4. Establishing access rules for PD processed in PDIS and ensuring the registration and accounting of all actions performed with PD in the PDIS.
4.5.5. Assigning individual passwords for employees to access the information system, in accordance with their job responsibilities.
4.5.6. Using information security tools that have passed the conformity assessment procedures as prescribed.
4.5.7. Using certified antivirus software with regularly updated virus databases.
4.5.8. Compliance with conditions that ensure the safety of PD and prevent unauthorized access.
4.5.9. Detection of unauthorized access to PD and implementation of corrective measures.
4.5.10. Restoration of PD modified or destroyed as a result of unauthorized access.
4.5.11. Training of the Operator’s employees directly involved in the processing of personal data in the provisions of Russian Federation legislation on personal data, including data protection requirements, the Operator’s personal data processing policy, and internal regulations on personal data processing.
4.5.12. Implementation of internal control and audits.
5. Key Rights of Personal Data Subjects and Obligations of the Operator
5.1. Key rights of the PD subject
The data subject has the right to access their personal data and the following information:
— confirmation of the fact that personal data is being processed by the Operator;
— legal grounds and purposes for processing the personal data;
— purposes and methods used by the Operator for processing the personal data;
— name and location of the Operator, as well as information about individuals (except for the Operator’s employees) who have access to the personal data or to whom personal data may be disclosed under an agreement with the Operator or based on federal law;
— the duration of personal data processing, including the data retention period;
— procedures for the data subject to exercise their rights as provided by the Federal Law;
— name or full name and address of the person processing the personal data on behalf of the Operator, if processing is or will be entrusted to such a person;
— the right to contact the Operator and send requests;
— the right to appeal actions or inaction by the Operator.
5.2. Operator’s obligations.
The Operator is obliged to:
— provide information about the processing of PD when collecting it;
— notify the data subject if PD was obtained from a source other than the data subject;
— inform the subject of the consequences in the event of refusal to provide PD;
— publish or otherwise ensure unrestricted access to the document defining its PD processing policy and to information about the implemented PD protection requirements;
— take necessary legal, organizational, and technical measures (or ensure that such measures are taken) to protect PD from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions in relation to PD;
— respond to requests and inquiries from PD subjects, their representatives, and the authorized body for the protection of the rights of PD subjects.
6. Updating, Correction, Deletion, and Destruction of Personal Data; Responses to Data Subject Requests for Access to Personal Data
6.1. Confirmation of the fact of PD processing by the Operator, the legal grounds and purposes of processing, as well as other information specified in p.7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the PD subject or their representative upon request.
The information provided shall not include personal data relating to other data subjects, except when there are legal grounds for disclosing such personal data.
The request must include:
— the number of the main identity document of the personal data subject or their representative, including the date of issue and the issuing authority;
— information confirming the subject’s involvement in a relationship with the Operator (contract number, date of conclusion, verbal reference designation and/or other relevant information), or other information confirming the fact of personal data processing by the Operator;
— the signature of the personal data subject or their representative.
The request may be submitted in the form of an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation.
If the request does not contain all required information in accordance with the Personal Data Law, or if the data subject does not have access rights to the requested data, a reasoned refusal will be issued.
The personal data subject’s right of access to their personal data may be restricted in accordance with p.8 of Article 14 of the Personal Data Law, including if access would violate the rights and lawful interests of third parties.
6.2. If inaccurate personal data is identified upon request of the personal data subject or their representative, or by request from Roskomnadzor, the Operator shall block the personal data related to that subject from the moment of such request or receipt of the specified request for the duration of verification, provided that such blocking does not violate the rights and lawful interests of the subject or third parties.
If the inaccuracy of the personal data is confirmed, the Operator shall, based on the information provided by the subject, their representative, Roskomnadzor, or other necessary documents, update the personal data within seven business days from the date such information is provided and lift the data blocking.
6.3. If unlawful processing of personal data is discovered upon request by the data subject, their representative, or Roskomnadzor, the Operator shall block the unlawfully processed personal data related to that subject from the moment of the request or receipt of such notice.
6.4. Upon achieving the purposes of personal data processing, or if the data subject withdraws their consent, the personal data shall be destroyed, unless:
— otherwise stipulated by a contract to which the PD subject is a party, beneficiary, or guarantor;
— the Operator is not entitled to process the data without the subject’s consent as per the Personal Data Law or other federal laws;
— otherwise stipulated in another agreement between the Operator and the personal data subject.
7. Final Provisions
7.1. Liability for violation of the requirements of the legislation of the Russian Federation and the internal regulations of ASP-AQUA LLC in the area of personal data shall be determined in accordance with the legislation of the Russian Federation.
7.2. This Policy enters into force from the moment of its approval and remains valid indefinitely until a new Policy is adopted.
7.3. All amendments and additions to this Policy must be approved by the General Director of ASP-AQUA LLC.