Personal data processing policy and requirements for the protection of personal data of Khimprom PJSC
1. General provisions
1.1. This Policy was developed in accordance with the provisions of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law "On Personal Data", the Federal Law "On Information, Information Technologies and the Protection of Information" and other laws regulating the protection of personal data.
1.2. This Policy defines the main issues related to the processing of personal data in Khimprom PJSC (hereinafter referred to as the Company) using automation technology, including in information and telecommunication networks, or without using such technologies.
1.3. Personal data is confidential, protected information and is subject to all requirements established by the Company's internal documents for the protection of confidential information.
1.4. This policy applies to personal data obtained both before and after its approval.
2. Definitions and personal details
2.1. Information constituting personal data is any information relating to a directly or indirectly identified or identifiable natural person (personal data subject).
2.2. The Company processes personal data of the following categories of personal data subjects:
- personal data of the Company's employees - information required by the Company due to the employment relations;
- personal data of a contractor (prospective contractor), as well as personal data of the head, participant (shareholder) or employee of a legal entity that is a contractor (prospective contractor) of the Company - information required by the Company to fulfill its obligations within the framework of the contractual relationships with a contractor;
- personal data of persons applying for job vacancies available in the Company;
- other persons sending appeals to the Company both on paper and through the official website of the Company, as well as persons mentioned in the publications of the Khimik newspaper.
3. Purposes and situations of personal data processing
3.1. The purposes of the personal data processing are the following:
- arrangement of staff record keeping, staff records management, promotion of employment, training and career advancement, execution of tax legislation of the Russian Federation in relation to calculation and payment of personal income tax, as well as pension legislation of the Russian Federation in case of generation and provision of identifying information on each recipient of income, assessable in insurance contributions for compulsory pension insurance, filling out of the primary statistical documentation;
- conclusion, execution and termination of civil contracts;
- fulfillment by the Company of obligations to disclose information stipulated by the Federal Law "On Joint Stock Companies", the Federal Law "On Countering the Misuse of Insider Information and Market Manipulation" and "On Amendment of Certain Legislative Acts of the Russian Federation";
- fulfillment by the Company of other obligations stipulated by the current legislation.
3.2. The processing of personal data in the Company is allowed in the following cases:
- if personal data are processed with the consent of the personal data subject;
- if personal data processing is necessary for performance of an agreement to which the personal data subject is a party, beneficiary or guarantor, and for conclusion of an agreement at the initiative of the personal data subject or an agreement under which the personal data subject shall be a beneficiary or guarantor;
- if personal data processing is necessary to protect the life, health or other vital interests of the personal data subject, if obtaining the consent of the personal data subject is impossible;
- if personal data processing is necessary to implement rights and legitimate interests of the Company or third parties, or to achieve socially significant objectives, provided that this does not violate rights or freedoms of the personal data subject;
- if personal data processing is necessary for the implementation of scientific, literary or other creative activities, provided that this does not violate the rights and legitimate interests of the personal data subject;
- if the processing of personal data is carried out for research, statistical or other purposes, subject to the mandatory depersonalization of personal data;
- in case of processing of personal data, access to which is granted to the general public by the personal data subject or at his/her request;
- in case of processing of personal data subject to publication or mandatory disclosure in accordance with the law;
- in other cases, as provided by the applicable law.
4. Basic principles of personal data processing
4.1. The processing of personal data is possible only in accordance with the purposes that determined their acquisition.
4.2. Databases containing personal data processed for purposes that are inconsistent with each other shall not be integrated.
4.3. The employees of the Company have the right of access for the processing of personal data in accordance with the assigned job functions.
4.4. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data, shall be ensured.
4.5. Personal data shall be stored in a form that allows the personal data subject to be identified only for as long as is needed for personal data processing, unless a period for retaining personal data is established by the federal law or an agreement to which the personal data subject is a party, beneficiary or guarantor.
4.6. Processed personal data shall be subject to destruction or anonymization after the purposes of processing are achieved, or when there is no further need to achieve such purposes, unless otherwise provided for by the federal law.
4.7. The period for retaining personal data is determined in accordance with the validity period of civil law relations between the personal data subject and the Company, the limitation period, the retention period for documents on paper and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the validity period of the subject consent to processing of his/her personal data.
4.8. The personal data is processed on the basis of the conditions determined by the legislation of the Russian Federation.
5. Measures to ensure the protection of personal data
5.1. During processing of personal data the Company takes necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, sharing, distribution of personal data, as well as from other illegal actions in relation to personal data.
5.2. The personal data are protected as follows:
- application of organizational and technical measures to ensure the security of personal data during their processing in the personal data information systems necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation;
- detecting facts of unauthorized access to personal data and taking the necessary measures;
- establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with the personal data in the personal data information system;
- control over the measures taken to ensure the security of personal data and the level of security of the personal data information system.
6. Rights of the personal data subject
The personal data subject has the right:
6.1. To receive information regarding the processing of his/her personal data, including:
- confirmation that the personal data are processed by the operator;
- legal reasons and purposes of personal data processing;
- purposes and methods of personal data processing used by the Company;
- name and address of the Company, information about the persons (except for the Company's employees) who have access to the personal data or to whom the personal data may be disclosed under the agreement with the Organization or under the federal law;
- processed personal data relating to the relevant personal data subject, the source of their acquisition, unless a different procedure for the provision of such data is provided by federal law;
- periods for processing of personal data, including periods for their retaining;
- procedure for the exercise by the personal data subject of the rights provided for by the Federal Law "On Personal Data";
- information about the performed or probable cross-border data transfer;
- name or full name and address of the person who processes the personal data on behalf of the Company, if the processing is or will be entrusted to such a person;
- other information provided for by the Federal Law "On Personal Data" or other federal laws.
6.2. To require the Company to rectify his/her personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights.
6.3. For free access to his/her personal data, including the right to receive copies of any record containing personal data, unless required by the legislation of the Russian Federation.
6.4. To appeal in court any illegal actions or inaction of the Company in the processing and protection of his/her personal data.
7. Rights and obligations of the Company
7.1. The Company, as the operator of personal data, has the right:
7.1.1. To protect its interests in the court;
7.1.2. To provide personal data of subjects to third parties, if this is provided for by the applicable law (tax, law enforcement agencies, etc.);
7.1.3. To refuse to provide personal data in cases provided for by the law;
7.1.4. To use personal data of the subject without his/her consent in cases provided for by the legislation.
7.2. The Company is obliged to:
7.2.1. Take necessary and sufficient legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, sharing, distribution of personal data, as well as from other illegal actions in relation to personal data.
7.2.2. Take measures for the organizational and technical protection of personal data in accordance with the requirements of the legislation of the Russian Federation on the processing of personal data.
8. Obligations and responsibility of the Company's employees
8.1. The Company's employees who have access to the personal data processing are obliged to:
- know and fully comply with the requirements of this Policy;
- process personal data only within the scope of their job functions;
- not disclose personal data obtained as a result of the performance of their job functions or that has become known to them by the nature of their activities;
- prevent acts of third parties that may lead to the disclosure (destruction, corruption) of personal data;
- identify the facts of disclosure (destruction, corruption) of personal data and inform the immediate supervisor about it;
- keep information containing personal data confidential in accordance with local acts of the Company.
8.2. The Company's employees admitted to the processing of personal data are prohibited from unauthorized and unregulated copying of personal data on paper media and on any electronic media not intended for storing personal data.
8.3. Each new employee of the Company directly involved in the processing of personal data should be aware of the requirements of the legislation of the Russian Federation on the processing and security of personal data, this Policy and other local acts on the processing and security of personal data and undertakes to comply with them.
8.4. Persons guilty of violating the requirements of the legislation of the Russian Federation on the personal data bear disciplinary, material, civil legal, administrative or criminal liability.
9. Final provisions
9.1. This Policy is an internal document of the Company.
9.2. The electronic version of the current Policy is publicly available on the Company's website https://www.himprom.com/.
9.3. The policy may be updated and re-approved as changes are made to the regulatory legal acts on personal data or to local acts regulating the procedure of processing and ensuring the security of personal data.