Personal Data Protection and Processing Policy

Source: Scott Graham
22 Jan 2023 10:48

Document revision dated 01/22/2023

1. General Provisions

1.1. This Policy regarding the processing of personal data (hereinafter referred to as the "Policy") has been drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law "On Personal Data" No. 152-FZ of July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data and applies to all personal data (hereinafter referred to as "data") that the Organization (hereinafter referred to as the "Operator", "Company", "Website") may receive from a personal data subject who is a party to a civil law contract, from an Internet user (hereinafter referred to as the "User") while using any of the ixbt.games websites, services, functions, programs, products or services, as well as from a personal data subject who is in a relationship with the Operator regulated by labor legislation (hereinafter referred to as the "Employee").

1.2. The Operator ensures the protection of processed personal data from unauthorized access and disclosure, unlawful use or loss in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

1.3. The Operator has the right to amend this Policy. When amendments are made, the date of the last revision update is indicated in the header of the Policy. The new version of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by the new version of the Policy.

2. Terms and Abbreviations

Personal data – any information relating directly or indirectly to a specific or identifiable natural person (personal data subject).

Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

Automated processing of personal data – processing of personal data using computer technology.

Personal data information system (PDIS) – a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Personal data made publicly available by the personal data subject – personal data to which an unlimited number of persons have access granted by the personal data subject or at his request.

Blocking of personal data – temporary suspension of the processing of personal data (unless processing is necessary to clarify personal data).

Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.

Operator – an organization that independently or jointly with other persons organizes the processing of personal data, and also determines the purposes of processing personal data, subject to processing, actions (operations) performed with personal data. The operator is Nevkor LLC (OGRN 1167847293261, St. Petersburg, Baltic Marine Center Business Center, Mezhevoy Canal St., 5 letter AX, room 5N, office 803).

3. Processing of Personal Data

3.1. Obtaining personal data.

3.1.1. All personal data should be obtained from the subject himself. If the subject's personal data can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.

3.1.2. The Operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, and the procedure for its withdrawal, as well as the consequences of the subject's refusal to give written consent to their receipt.

3.1.3. Documents containing personal data are created by:

copying originals of documents (passport, education document, TIN certificate, pension certificate, etc.);

entering information into accounting forms;

obtaining originals of necessary documents (employment record, medical report, characterization, etc.).

3.2. Processing of personal data.

3.2.1. The processing of personal data is carried out:

with the consent of the personal data subject to the processing of his personal data;

in cases where the processing of personal data is necessary for the implementation and fulfillment of the functions, powers and obligations assigned by the legislation of the Russian Federation;

in cases where personal data is processed, access to which an unlimited number of persons is granted by the personal data subject or at his request (hereinafter – personal data made publicly available by the personal data subject).

3.2.2. Purposes of personal data processing:

implementation of labor relations;

implementation of civil law relations;

to contact the user in connection with filling out the feedback form on the website, including sending notifications, requests and information regarding the use of the website, processing, agreeing on orders and their delivery, execution of agreements and contracts;

depersonalization of personal data to obtain anonymized statistical data, which is transferred to a third party for research, performance of work or provision of services on behalf.

3.2.3. Categories of personal data subjects.

Personal data of the following categories of subjects is processed:

  • individuals who are in labor relations with the Company;
  • individuals who have resigned from the Company;
  • individuals who are candidates for work;
  • individuals who are in civil law relations with the Company;
  • individuals who are Users of the Site.

3.2.4. Personal data processed by the Operator:

  • data obtained during labor relations;
  • data obtained for the selection of candidates for work;
  • data obtained during civil law relations;
  • data obtained from Site Users.

3.2.5. Personal data processing is carried out:

  • using automation tools;
  • without the use of automation tools.

3.3. Storage of personal data.

3.3.1. Personal data of subjects can be obtained, further processed and transferred for storage both on paper and in electronic form.

3.3.2. Personal data recorded on paper are stored in lockable cabinets or in lockable rooms with limited access.

3.3.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders.

3.3.4. It is not allowed to store and place documents containing personal data in open electronic catalogs (file sharing networks) in the PDIS.

3.3.5. Storage of personal data in a form that allows identifying the subject of personal data is carried out no longer than the purposes of their processing require, and they are subject to destruction upon achievement of the processing goals or in case of loss of the need to achieve them.

3.4. Destruction of personal data.

3.4.1. Destruction of documents (carriers) containing personal data is carried out by burning, crushing (grinding), chemical decomposition, turning into an amorphous mass or powder. For the destruction of paper documents, the use of a shredder (paper cutting device) is allowed.

3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.

3.5. Transfer of personal data.

3.5.1. The Operator transfers personal data to third parties in the following cases:

  • the subject has expressed his consent to such actions;
  • the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.

3.5.2. List of persons to whom personal data is transferred.

  • Pension Fund of the Russian Federation for accounting (on legal grounds);
  • Tax authorities of the Russian Federation (on legal grounds);
  • Social Insurance Fund of the Russian Federation (on legal grounds);
  • Territorial Fund for Mandatory Medical Insurance (on legal grounds);
  • Insurance medical organizations for compulsory and voluntary medical insurance (on legal grounds);
  • Banks for payroll accrual (based on the contract);
  • Internal Affairs bodies of Russia in cases established by law;
  • Anonymized personal data of Site Users is transferred to the Operator's counterparties.

4. Protection of personal data

4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (SZPD), consisting of subsystems of legal, organizational and technical protection.

4.2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that ensure the creation, functioning and improvement of the SZPD.

4.3. The organizational protection subsystem includes the organization of the SZPD management structure, the authorization system, the protection of information when working with employees, partners and third parties.

4.4. The technical protection subsystem includes a set of technical, software, hardware and software tools that ensure the protection of personal data.

4.5. The main measures for the protection of personal data used by the Operator are:

4.5.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, internal control over compliance by the institution and its employees with the requirements for the protection of personal data.

4.5.2. Determination of current threats to the security of personal data during their processing in the PDIS and the development of measures and activities to protect personal data.

4.5.3. Development of a policy regarding the processing of personal data.

4.5.4. Establishing rules for access to personal data processed in the PDIS, as well as ensuring the registration and accounting of all actions performed with personal data in the PDIS.

4.5.5. Establishing individual access passwords for employees to the information system in accordance with their job responsibilities.

4.5.6. Application of information security tools that have undergone the conformity assessment procedure in the established order.

4.5.7. Certified antivirus software with regularly updated databases.

4.5.8. Compliance with conditions ensuring the safety of personal data and preventing unauthorized access to it.

4.5.9. Detection of facts of unauthorized access to personal data and taking measures.

4.5.10. Restoration of personal data modified or destroyed as a result of unauthorized access to them.

4.5.11. Training of the Operator's employees directly involved in the processing of personal data in the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, local acts on the processing of personal data.

4.5.12. Implementation of internal control and audit.

5. Basic rights of the personal data subject and obligations of the Operator

5.1. Basic rights of the personal data subject.

The subject has the right to access his personal data and the following information:

  • confirmation of the fact of personal data processing by the Operator;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Operator;
  • name and location of the Operator, information about persons (with the exception of the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
  • terms of personal data processing, including storage periods;
  • procedure for exercising the rights of the personal data subject provided for by the Federal Law;
  • name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
  • contacting the Operator and sending requests to it;
  • appeal against actions or omissions of the Operator.

5.2. Obligations of the Operator

The Operator is obliged to:

  • when collecting personal data, provide information about the processing of personal data;
  • in cases where personal data was not received from the personal data subject, notify the subject;
  • if the provision of personal data is refused, inform the subject of the consequences of such refusal;
  • publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data;
  • take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
  • provide answers to requests and appeals from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.