Terms and Definitions
Personal data means any information relating to a directly or indirectly identified or identifiable natural person (personal data subject).
Processing of personal data means any action (operation) or cumulative action (operation) performed with personal data with or without the use of automation technologies, including collection, recording, systematization, accumulation, storage, rectification (update, change), retrieval, use, transmission (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.
Cross-border transmission of personal data means transmission of personal data to the territory of a foreign state to a public authority of a foreign state, a foreign natural person or a foreign legal entity.
1. General Provisions
1.1. PJSC ALROSA Personal Data Processing Policy (hereinafter referred to as the Policy) is developed in line with the requirements of the Federal Law of July 27, 2006 No. 152-FZ On Personal Data (hereinafter referred to as the Federal Law) and the General Data Protection Regulation (Regulation (EU) 2016/679) of April 27, 2016 (hereinafter referred to as the GDPR) and contains the information about the requirements applicable to personal data processing and protection.
1.2. The Policy is developed in line with the requirements of the Council of Europe Convention for the Protection of Individuals with regard to Automated Processing of Personal Data, the Constitution of the Russian Federation, international treaties of the Russian Federation, federal laws and other laws and regulations of the Russian Federation related to personal data.
1.3. The purpose of this document is to inform personal data subjects and other persons engaged in personal data processing that PJSC ALROSA (hereinafter referred to as the Company) adheres to fundamental principles of legitimacy, justice, non-redundancy, and that the content and scope of processed personal data complies with declared processing purposes.
1.4. The protection of human rights and freedoms as part of personal data processing, including the protection of rights to privacy, personal and family secrets, is one of the Company’s priorities. 1.5. The Policy is a public document covering all personal data processed in the Company.
2. Legal Grounds for Personal Data Processing
2.1. The Company processes personal data depending on the purposes of processing:
2.1.1 with consent of personal data subjects to processing of their personal data;
2.1.2 for the purpose of execution of laws of the Russian Federation, international treaties of the Russian Federation, governmental decrees and other laws and regulations of the Russian Federation;
2.1.3 for the purpose of execution or conclusion of an agreement where the personal data subject is a party, beneficiary or guarantor, including in cases where the Company exercises its right to cession of rights (claims) under such an agreement;
2.1.4 for the purpose of fulfilment of the Company’s statutory tasks.
3. Purposes and Applied Methods of Personal Data Processing
3.1. The Company processes personal data either with the use of automation technologies, including personal data information systems, or without the use of such technologies (mixed personal data processing).
3.2. In case of the automated data processing method, personal data are transmitted either via the internal network or via the Internet information and telecommunications network.
3.3. The purposes of personal data processing comply with the activities that are actually carried out by the Company and defined in the Company’s charter documents, and specific business processes in specific personal data information systems (by the Company’s structural subdivisions and their procedures relating to certain categories of personal data subjects).
3.4. Purposes of personal data processing are as follows:
3.4.1 assisting employees and candidates in employment, training and career advancement; monitoring the quantity and quality of work performed, complying with labor regulations and other legal acts containing labor regulations;
3.4.2 providing social benefits and guarantees, ensuring the personal safety or other vital interests of the Company’s employees and their families;
3.4.3 concluding and implementing civil law contracts, including service contracts;
3.4.4 protecting the rights and legitimate interests of the Company and its officers in court, dispute settlement and administrative authorities;
3.4.5 reporting or preparing statutory applications, notifications and similar documents to be submitted to the RF Pension Fund, Social Insurance Fund, Federal Compulsory Medical Insurance
Fund, Federal Tax Service, and other state bodies and agencies;
3.4.6 consolidating statistics and indicators across the Company;
3.4.7 conducting inspections and audits of the Company;
3.4.8 conducting procurement procedures stipulated by the Company’s internal regulations;
3.4.9 drafting powers of attorney in favor of the Company’s employees, other organizations and individuals;
3.4.10 organizing access and on-site control in the Company’s administrative buildings, ensuring property protection;
3.4.11 maintaining corporate databases of phone numbers and other information, posting messages on in-house portals, recognition boards and in public personal data systems;
3.4.12 fulfilling other obligations in the context of the legal grounds set out in Clause 2.1 of the Policy.
4. Processed Personal Data and Data Sources
4.1. The Company obtains personal data directly from the personal data subject or his representative, unless the Federal Law stipulates another procedure for obtaining personal data.
4.2. The Company can obtain personal data from a person other than the personal data subject if the personal data subject agrees to submit his personal data to the Company for processing, unless the Federal Law stipulates another procedure for obtaining personal data.
4.3. The Company prohibits processing of special categories of personal data (those concerning ethnicity, national identity, political stance, religious or philosophical beliefs, health status, love life), biometrical personal data (those characterizing physiological and biological features of an individual that help identify the personal data subject), except for the cases stipulated by Clause 2 Article 10 and Article 11 of the Federal Law.
4.4. It is not allowed to use personal data for political agitation and promotion of goods, works, and services, except for the cases provided by the Federal Law.
4.5. The Company processes personal data owned by:
4.5.1 the Company’s employees, their relatives;
4.5.2 employees of the Company’s affiliates;
4.5.3 candidates for employment contracts;
4.5.4 subjects whose personal data are processed in connection with the execution of concluded contracts;
4.5.5 personal data subjects―parties to employment contracts or civil law contracts concluded with the Company;
4.5.6 persons who had employment relationship with the Company;
4.5.7 potential contractors (individuals);
4.5.8 founders (individuals) of potential contractors;
4.5.9 lawyers, notaries who interact with the Company;
4.5.10 authors of written applications to the Company;
4.5.11. other personal data subjects (for the purpose of personal data processing set out in Clause 3 of the Policy).
4.6. The Company processes, among other things, personal data of the Company’s employees that such employees allowed to disseminate and that are included in public personal data sources with the written consent of the personal data subject, i.e. family name, first name, patronymic, facial image (photo), month and date of birth, position and place of work, employee ID, number and location of office premises, employee status (works or is absent on leave, etc.), name of the structural subdivision, official e-mail, business telephone numbers (including mobile phone).
5. Personal Data Processing and Storage Period
5.1. The Company does not start processing personal data until the legal grounds for personal data processing set out in Clause 3 of the Policy arise.
5.2. The Company stops processing personal data as soon as the purposes of processing are achieved, legal grounds for data processing cease to exist, or the document storage period stipulated by the legislation on archives in the Russian Federation and the Company’s internal regulations expires.
5.3. When the period of processing expires, personal data are destructed or anonymized for statistical or other research purposes.
6. Rights of Personal Data Subjects
6.1. The personal data subject has the right to be informed about the processing of his personal data within the period and according to the procedure stipulated by the Federal Law.
6.2. The personal data subject has the right to demand from the Company to update, block or destroy his personal data, if they are incomplete, outdated, inaccurate, illegally obtained or if they are not required for the declared purpose of processing; the personal data subject has the right to take measures stipulated by the Federal Law to protect his rights.
6.3. The Federal Law may restrict the personal data subject’s right of access to his personal data.
6.4. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences for the personal data subject or otherwise affect his rights and legitimate interests, except the personal data subject agrees in writing.
6.5. The personal data subject has the right to challenge the Company’s actions or omissions through the recourse to authorized bodies for the protection of rights of the personal data subject or through the courts.
6.6. The personal data subject has the right to protect his rights and legitimate interests, including the right to damages and/or compensation for moral injury through the courts.
6.7. The Company ensures the functioning of the process of accepting and monitoring the processing of applications and requests from personal data subjects.
6.8. To exercise his rights, the personal data subject should contact the person responsible for organizing the personal data processing at the address: 24, Ozerkovskaya nab., Moscow, 115184.
6.9. The Company processes requests from personal data subjects and replies to them within 30 (thirty) days.
7. Information about Third Parties Engaged in Personal Data Processing
7.1. With the consent of the personal data subject, the Company may charge a third party with the personal data processing, unless otherwise stipulated by the Federal Law, under the agreement with such a third party.
7.2. The Company’s agreement defines the list of actions (operations) with personal data to be performed by the person responsible for the personal data processing, purposes of processing, sets out confidentiality obligations assumed by such a person towards personal data, obligations to protect personal data as they are processed, and requirements to the protection of personal data.
7.3. The person responsible for the personal data processing on behalf of the Company is not obliged to obtain the consent of the personal data subject to the processing of his personal data.
7.4. If the Company charges a third party with the personal data processing, the Company is liable to the personal data subject for such a third party’s actions. The person responsible for the personal data processing on behalf of the Company is liable to the Company.
8. Liability for Violation of Personal Data Processing Rules and Requirements to Personal Data Protection
In accordance with the current legislation of the Russian Federation, the Company’s employees engaged in the personal data processing bear disciplinary, civil, administrative or criminal liability for the violation of rules of personal data processing and requirements to personal data protection.
9. Rectification, Correction, Deletion and Destruction of Personal Data
9.1. Whenever there is a confirmed case of inaccuracy of personal data, personal data are subject to rectification by the Company, and whenever there is a confirmed case of illegal processing, personal data processing must be stopped.
9.2. When objectives of the personal data processing are achieved, and if the personal data subject withdraws his consent to the personal data processing, the Company shall stop their processing or ensure that such processing is stopped (if a third party acting on behalf of the Operator is engaged in the personal data processing), and if the storage of personal data is no longer required for the purposes of the personal data processing, destroy personal data or ensure that they are destroyed (if a third party acting on behalf of the Company is engaged in the personal data processing) within a period not exceeding 30 (thirty) days from the date of receipt of the said withdrawal:
unless otherwise provided by the agreement where the personal data subject is a party, beneficiary or guarantor;
if the Company has no right to process personal data without a consent from the personal data subject on the grounds stipulated by the Federal Law On Personal Data or other federal laws;
unless otherwise provided by the agreement between the Company and the personal data subject.
9.3. If it is impossible to destroy personal data within the period specified in Clause 9.2, the Company blocks such personal data and ensures that personal data are destroyed within a period not exceeding 6 (six) months, unless another period is provided by federal laws.
10. Cross-Border Personal Data Transmission
10.1. Processing and storage of personal data take place in the territory of the Russian Federation.
10.2. If the personal data subject is a resident of a country other than the Russian Federation, there will be cross-border transmission of personal data to the Company’s servers, i.e. to the territory of the Russian Federation.
10.3. The Company transmits no personal data outside the territory of the Russian Federation.
11. Correlation between the Policy and the EU General Data Protection Regulation
11.1. The Policy is developed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) of April 27, 2016 (hereinafter referred to as the GDPR).
11.2. PJSC ALROSA acts as an operator and data controller under the GDPR and is liable accordingly.
11.3. Additional rights for the personal data subjects who are subjects of EU law:
11.3.1. The right to request a copy of the personal data kept by the Company.
If the personal data subject wishes to obtain a copy of part or all of the personal data kept by the Company, he should send an e-mail to email@example.com.
11.3.2. The right to challenge the personal data processing.
11.3.3. The right to obtain personal data in a structured, widely used and machine-readable format.
11.3.4. The right to arrange the data transmission from one data controller to another provided that:
(a) personal data are processed based on a consent or a contract, and (b) personal data are processed with the use of automation technologies.
To exercise this right, you should send an e-mail to firstname.lastname@example.org.
11.3.5. The right to be forgotten.
To totally delete all the data of the personal data subject, you should send an e-mail to email@example.com.
11.3.6. The right to obtain the information about the personal data breach.
11.3.7. The right to lodge a complaint with the data protection authority regarding the collection and use by the Company of the personal data of the personal data subject.
11.4. The Company ensures the protection and confidentiality of the processed personal data of the personal data subjects that fall under the GDPR.
12. Ensuring Security and Confidentiality of Personal Data
12.1. To ensure security and confidentiality of the personal data processed by the Company, it takes legal, organizational and technical steps necessary to meet requirements of federal laws on personal data protection.
12.2. The Operator takes the following organizational and technical steps to prevent unauthorized access to personal data: appointing officials responsible for the organization of the personal data processing and protection; restricting the list of persons admitted to the personal data processing; familiarizing personal data subjects with the requirements of federal laws and the Company’s internal regulations on the personal data processing and protection; registering, storing and handling media that contain information with personal data; identifying threats to the security of personal data while processing, forming threat models based thereon; developing a personal data protection system based on the threat model; checking the readiness and effectiveness of the use of information protection tools; differentiating user access to information resources and software and hardware for the processing of information; registering and accounting user actions of personal data information systems; using anti-virus and recovery tools for the personal data protection system; using firewalls, intrusion detection, security analysis and cryptographic protection of information where necessary; organizing access control in the Company, protecting premises with technical means of the personal data processing.
13. Final Provisions
13.1. The Company has the right to amend the Policy without the consent of the personal data subject.
13.2. The Policy is valid indefinitely until it is replaced with a new version.
13.3. The current version of the Policy is freely available in a special section of the corporate website at https://alrosa.ru.