The policy regarding the processing of personal data of BLOYD Limited Liability Company (hereinafter referred to as the "Policy") was developed in order to comply with: the Constitution of the Russian Federation, the provisions of Chapter 14 of the Labor Code of the Russian Federation "Protection of personal employee data”, Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”, Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, Decree of the Government of the Russian Federation of September 15, 2008 N 687 "On approval of the Regulations on the features of the processing of personal data carried out without the use of automation tools", Decree of the Government of the Russian Federation of 01.11.2012 N 1119 "On approval of the requirements for the protection of personal data during their processing in personal data information systems" and other regulatory legal acts, and normative methods legal documents of the Russian Federation regulating relations related to ensuring the security of personal data during their processing in personal data information systems.
This Policy defines the policy of BLOYD Limited Liability Company (OGRN 1217800188363, TIN 7838099791, KPP 783801001) (hereinafter referred to as the "Operator") regarding the processing of personal data and is a publicly available document.
The requirements of this Policy are binding on all employees of the Operator who have access to personal data.
Decisions to change this Policy are made on the basis of:
The results of audits, measures to control and supervise the security of personal data carried out by authorized bodies;
Changes in regulatory legal acts and regulatory and methodological documents of the Russian Federation governing relations related to ensuring the security of personal data during their processing in personal data information systems (hereinafter referred to as ISPD);
Changes in the processing of personal data in the ISPD of the Operator;
The results of the analysis of information security incidents in ISPD.
Personal data - any data and any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data - processing of personal data using computer technology.
Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.
Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons.
Blocking of personal data - temporary suspension of the processing of personal data (except when processing is necessary to clarify personal data).
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which
material carriers of personal data are destroyed.
Depersonalization of personal data - actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.
regulatory legal acts of the Russian Federation, as well as in the framework of the implementation of activities defined in the internal documents of the Operator. 3.3. When processing personal data, the Operator is guided by the following principles and conditions:
3.3.1. The processing of personal data must be carried out on a legal and fair basis. 3.3.2. The processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data, except for the cases specified in subparagraphs 2-11 of part 1 of Article 6 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data".
3.3.3. Processing of special categories of personal data is carried out in cases provided for by subparagraphs 1-9 of part 2 of Article 10 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data".
The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adopting a relevant act by a state or municipal body (hereinafter referred to as the instruction operator). The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the provisions of the Federal Law of July 27, 2006 N 152-ФЗ “On Personal Data”. The Operator's instruction must define a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data must be indicated in accordance with Article 19 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data".
The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.
It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.
Only personal data that meet the purposes of their processing are subject to processing. 3.8. The content and scope of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing.
When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes of processing personal data, must be ensured. The operator must take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data.
Storage of personal data should be carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of processing personal data, if the period for storing personal data is not established by federal law, an agreement to which the beneficiary or guarantor is a party, under which the subject of personal data is . The processed personal data is subject to destruction or depersonalization upon achievement of the purposes of processing or in case of loss of the need to achieve these purposes, unless otherwise
provided by federal law.
The operator independently determines the content, scope, purposes of processing and the terms of storage of personal data. The documents adopted by the Operator that define the Operator’s policy regarding the processing of personal data, local regulations on the processing of personal data, as well as local regulations establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations are communicated to the Operator’s employees in parts concerning them.
The operator processes personal data in accordance with:
Art. 23, 24 of the Constitution of the Russian Federation;
Art. 86-90 of the Labor Code of the Russian Federation;
This Policy regarding the processing of personal data;
Consent to the processing of personal data expressed by the subject of personal data;
Agreements concluded by the Operator with clients and counterparties, annexes to these agreements;
Processing of personal data is carried out for the following purposes:
Conclusion and execution of contracts with customers and contractors.
Processing incoming requests from users of the service located on the Internet at the address: www.bloyd.ru through feedback forms and other forms on the service. 5.1.3.Informing users about new events, special promotions and offers.
5.1.4. Carrying out activities in accordance with the constituent documents.
The operator processes the following categories of personal data subjects: 6.1.1. Personal data of clients (site visitors): Last name, first name, patronymic; contact phone number; E-mail address; postal address (country, region, city, street, house number, apartment number).
6.1.2. Personal data of counterparties: Last name, first name, patronymic of the authorized person, contact phone numbers; email addresses; postal address of counterparties (country, region, city, street, house number, apartment number).
Personal data is processed and stored until the achievement or loss is necessary to achieve the goals of personal data processing.
The operator is obliged to immediately stop, at the request of the subject of personal data, the processing of his personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using means of communication.
The operator is obliged to explain to the subject of personal data the procedure for making a decision on the basis of exclusively automated processing of his personal data and the possible legal consequences of such a decision, to provide an opportunity to object to such a decision, and also to explain the procedure for protecting the personal data subject of his rights and legitimate interests.
The operator is obliged to consider an objection against a decision based solely on automated
processing of personal data of the subject of personal data, within thirty days from the date of its receipt and notify the subject of personal data of the results of consideration of such an objection.
When collecting personal data, the Operator is obliged to provide the subject of personal data, at his request, with the information provided for by Part 7 of Article 14 of the Federal Law of July 27, 2006 N 152-ФЗ “On Personal Data”.
If the provision of personal data is mandatory in accordance with federal law, the Operator is obliged to explain to the subject of personal data the legal consequences of the refusal to provide his personal data.
The operator is obliged to inform, in the manner prescribed by Article 14 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data”, to the subject of personal data or his representative information about the availability of personal data relating to the relevant subject of personal data, as well as to provide an opportunity to familiarize themselves with these personal data at the request of the subject of personal data or his representative or within thirty days from the date of receipt of the request of the subject of personal data or his representative.
The operator is obliged to provide free of charge to the subject of personal data or his representative the opportunity to get acquainted with the personal data relating to this subject of personal data. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that personal data is incomplete, inaccurate or out of date, the Operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the Operator is obliged to destroy such personal data. The operator is obliged to notify the subject of personal data or his representative about the changes made and the measures taken and take reasonable measures to notify third parties to whom the personal data of this subject were transferred.
The operator is obliged to inform the authorized body for the protection of the rights of subjects of personal data, at the request of this body, the necessary information within thirty days from the date of receipt of such a request.
In the event that illegal processing of personal data is detected when the subject of personal data or his representative contacts, or at the request of the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data, the Operator is obliged to block the illegally processed personal data relating to this subject of personal data, or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) from the moment of such an application or receipt of the specified request for the period of verification. In the event that inaccurate personal data is detected upon contact by the subject of personal data or his representative, or at their request or at the request of the authorized body for the protection of the rights of subjects of personal data, the Operator is obliged to block personal data relating to this subject of personal data, or ensure their blocking (if processing personal data is carried out by another person acting on behalf of the Operator) from the moment of such application or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the subject of personal data or his representative or the authorized body for the protection of the rights of subjects of personal data, or other necessary documents, is obliged to clarify personal data or ensure their clarification (if the processing of personal data is carried out by another person, acting on behalf of the Operator) within seven working days from the date of submission of such information and remove the blocking of personal data.
In case of revealing illegal processing of personal data carried out by the Operator or a person acting on behalf of the Operator, the Operator, within a period not exceeding three working days from the date of this discovery, is obliged to stop the illegal processing of personal data or ensure the termination of the illegal processing of personal data by a person acting on behalf of Operator. If it is impossible to ensure the legality of the processing of personal data, the
Operator, within a period not exceeding ten working days from the date of detection of illegal processing of personal data, is obliged to destroy such personal data or ensure their destruction. The Operator is obliged to notify the subject of personal data or his representative about the elimination of the violations committed or the destruction of personal data, and if the appeal of the subject of personal data or his representative or the request of the authorized body for the protection of the rights of subjects of personal data were sent by the authorized body for the protection of the rights of subjects of personal data data, also the specified authority.
If the purpose of processing personal data is achieved, the Operator is obliged to stop processing personal data or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the Operator) and destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) on behalf of the Operator) within a period not exceeding thirty days from the date of achievement of the purpose of processing personal data, unless otherwise provided by the agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to carry out the processing of personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" or other regulatory legal acts.
If the subject of personal data withdraws consent to the processing of his personal data, the Operator is obliged to stop processing them or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by the agreement, the party to which, the beneficiary or guarantor on to which the subject of personal data is, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by this federal law konom or other federal laws.
If it is not possible to destroy personal data within the period specified in clauses 8.11-8.13 of this provision, the Operator blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within a period of not more than six months, unless another period is established by federal laws.
subject has the right to receive information about the processing of his personal data by the Operator.
The subject of personal data has the right to demand from the Operator who processes them to clarify these personal data, block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or cannot be considered necessary for the stated purpose of processing, as well as accept the stipulated legal measures to protect their rights.
If the information specified in Part 7 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data”, as well as the personal data being processed, was provided for review by the subject of personal data at his request, the subject of personal data has the right to apply again to the Operator or send him a second request in order to obtain the information specified in Part 7 of this article and familiarize himself with such personal data no earlier than thirty days after the initial request or sending the initial request, unless a shorter period is established by federal law adopted in in accordance with it, a regulatory legal act or an agreement to which the subject of personal data is a party or beneficiary or guarantor.
The subject of personal data has the right to apply again to the Operator or send him a second request in order to obtain the information specified in part 7 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" the period specified in part 4 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" in the event that such information
and (or) processed personal data were not provided to him for review in full based on the results of consideration of the initial application .
The right of the subject of personal data to access to his personal data may be limited in accordance with Part 8 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" in the following cases:
If the processing of personal data, including those obtained in as a result of operational-search, counterintelligence and intelligence activities, is carried out in order to strengthen the country's defense, ensure the security of the state and protect law and order;
If the processing of personal data is carried out by bodies that detained the subject of personal data on suspicion of committing a crime, or charged the subject of personal data in a criminal case, or applied a measure of restraint to the subject of personal data before bringing charges, with the exception of cases provided for by the criminal procedural legislation of the Russian Federation if it is allowed to familiarize the suspect or the accused with such personal data;
If the processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
If the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties;
If the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation on transport security, in order to ensure the stable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of the transport complex from acts of unlawful interference;
If the subject of personal data believes that the Operator is processing his personal data in violation of the requirements of this Federal Law or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or inaction of the Operator to the authorized body for the protection of the rights of subjects of personal data or in court .
The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
Determination of threats to the security of personal data during their processing in information systems of personal data.
The application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of protection of personal data established by the Government of the Russian Federation.
The use of information security tools that have passed the conformity assessment procedure in the prescribed manner.
Detection of facts of unauthorized access to personal data and taking measures. 10.2.5. Recovery of personal data modified or destroyed due to unauthorized access to them. 10.2.6.
Establishing rules for access to personal data processed in the personal data
information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
10.2.7. Control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.
of violating the requirements of this Federal Law shall bear responsibility provided for by the legislation of the Russian Federation.
11.2. Moral damage caused to the subject of personal data as a result of violation of his rights, violation of the rules for processing personal data established by this Federal Law, as well as the requirements for the protection of personal data established in accordance with this Federal Law, is subject to compensation in accordance with the legislation of the Russian Federation. Compensation for moral damage is carried out regardless of compensation for property damage and losses incurred by the subject of personal data.