Alexey Ankudinov
head of Set products
1.1. The policy regarding personal data processing in Crystal Service Integration LLC (hereinafter referred to as the Policy) is aimed at protecting the rights and freedoms of individuals whose personal data is processed by Crystal Service Integration LLC (hereinafter referred to as the Operator).
1.2. The Policy was developed in accordance with cl. 2 p. 1 Art. 18.1 of the Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Federal Law “On Personal Data”).
1.3 The Policy contains information to be disclosed in accordance with p. 1 Art. 14 of the Federal Law “On Personal Data”, and is a public document.
1.4 The following basic concepts are used in the Policy:
personal data blocking is temporary suspension of personal data processing (unless the processing is necessary to clarify personal data);
personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure its processing;
personal data processing is any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
operator is a state body, municipal body, legal entity or individual, independently or jointly with other persons arranging and (or) performing personal data processing, as well as determining the purposes of personal data processing, the content of personal data to be processed, the actions (operations) performed with personal data;
personal data is any information relating to a directly or indirectly identified or identifiable natural person (personal data subject);
personal data provision is actions aimed at personal data disclosing to a certain person or a certain circle of persons;
personal data distribution is actions aimed at disclosing personal data to an indefinite circle of persons;
personal data destruction is actions, as a result of which it becomes impossible to restore the personal data content in personal data information system and (or) as a result of which personal data mediums are destroyed.
1.5. The Policy takes effect from the moment it is approved and is valid indefinitely until it is replaced by a new policy.
2. Purpose of personal data processing
2.1 Personal data is processed in order to perform contractual obligations towards Customers and employees of Crystal Service Integration LLC.
2.2 The e-mail provided by the user may be used to send news and information to him/her about products and services.
2.3 The User IP address is not used to identify the User and his/her exact location.
The Operator processes personal data in accordance with the following regulatory and legal acts:
the Constitution of the Russian Federation;
the Labor Code of the Russian Federation dated December 30, 2001 No. No. 197-FZ (Art. 86-90);
the Civil Code of the Russian Federation;
the Tax Code of the Russian Federation;
the Federal Law dated July 27, 2006 No. No. 152-FZ “On Personal Data”;
the Charter of Crystal Service Integration LLC.
Subjects, purposes and grounds for PD processing are indicated in Table 1.
Table 1
| No. | Subjects of PD being processed | List of PD being processed | Processing purpose |
| 1 | Employees, former employees | Last name, first name, patronymic; job title; personnel number; data of the Russian Federation passport or other identity document (number, date and place of issue, name of the issuing authority); military registration information; SNILS; TIN; address of residence/registration address; contact phone number; military registration information; photograph (not biometric PD, as it is not used to identify an individual); e-mail address. | 1. Performance of the requirements of the Labor Code of the Russian Federation. 2. Performance of the requirements of tax legislation regarding the calculation and payment of personal income tax, as well as the unified social tax. 3. Compliance with the requirements of pension legislation regarding the formation and submission of personalized data on each recipient of income taken into account when calculating insurance premiums for mandatory pension insurance and security. |
| 2 | Clients of Customers | Last name, first name, patronymic; contact phone number. | 1. Implementation of the types of activities provided for by the Operator Charter. 2. Automation of the Customers activities. 3. Contractual obligations performance. |
| 3 | Employees of Customers | Last name, first name, patronymic; job title; organization. | Contractual obligations performance. |
| 4 | Candidates for vacancies | Information contained in the CV | 1. Compliance with regulatory legal acts of the Russian Federation, local acts; 2. Implementation of communication with the subject; 3. Sending letters, responses to the subject; 4. Providing a personnel reserve, assistance in finding a job, assistance in choosing a suitable position. |
5. Description of personal data processing
5.1 Processing personal data of employees
5.1.1 The Operator processes the personal data of the Operator’s employees within the framework of legal relations regulated by the Labor Code of the Russian Federation dated December 30, 2001 No. 197-FZ (hereinafter referred to as the Labor Code of the Russian Federation), including Chapter 14 of the Labor Code of the Russian Federation, concerning the personal data of employees protection.
5.1.2 The Operator does not make decisions affecting the interests of employees based on their personal data obtained solely as a result of automated processing.
5.1.3 The Operator requires employees to read, and acknowledge in writing that they understand the documents establishing the procedure for processing employees’ personal data, as well as their rights and obligations in this field.
5.1.4 The Operator allows access to employees’ personal data only to those persons who need it to perform their official duties. The list of employees admitted to personal data processing is approved by the order of the Director General of Crystal Service Integration LLC.
5.1.5 The Operator receives all personal data of employees from them. In case the employee’s data can only be obtained from a third party, the Operator notifies the employee in advance and obtains his/her written consent.
5.1.6 The Operator informs an employee about the purposes, sources, methods of obtaining, as well as the nature of the data to be obtained and the consequences of the employee’s refusal to give written consent to receive it.
5.1.7 The Operator processes employees’ personal data during the employment contract term. The Operator processes the personal data of dismissed employees within the period established by cl. 5 p. 3 Art. 24 of the first part of the Tax Code of the Russian Federation dated July 31, 1998 No. 146-FZ, p. 1 Art. 29 of the Federal Law “On Accounting” dated December 6, 2011 No. No. 402-FZ and other regulatory legal acts.
5.1.8 The Operator may process special categories of employees’ personal data (information about the state of health related to their ability to perform labor functions) based on cl. 2.3 p.2 Art. 10 of the Federal Law “On Personal Data”.
5.1.9 The Operator does not process employees’ biometric personal data.
5.1.10 The Operator does not receive data on employees’ membership in public associations or their trade union activities, except as provided for by the Labor Code of the Russian Federation or other federal laws.
5.1.11 The Operator does not provide a third party with employee personal data without his/her written consent, except when it is necessary to prevent a threat to the life and health of the employee, as well as in other cases provided for by the Labor Code of the Russian Federation, the Federal Law “On Personal Data” or other federal laws.
5.1.12 Employees’ personal data is stored in the premises located at the address: St. Petersburg, 50 Chkalovsky Ave., letter A, room 3-N, 2nd floor, and processed with and without the use of automation.
5.2 Processing of personal data of employees’ relatives
5.2.1 The Operator processes personal data of employees’ relatives using automation tools at the address: St. Petersburg, 50 Chkalovsky Ave., letter A, room 3-N, 2nd floor.
5.2.2 The Operator allows access to personal data of employees’ relatives only to those persons who need it to perform their official duties. Access to personal data is granted to persons defined by the “List of employees admitted to personal data processing in Crystal Service Integration LLC”, approved by the order of the Director General of Crystal Service Integration LLC.
5.2.3 The Operator processes personal data of employees’ relatives during the term of the employment contract with the employee.
5.2.4 The Operator does not disclose to a third party the personal data of employees’ relatives without their consent, except when it is necessary to prevent a threat to the life and health of the employee, as well as in other cases provided for by the Labor Code of the Russian Federation, the Federal Law “On Personal Data” or other federal laws.
5.2.5 The Operator processes personal data of employees’ relatives within the framework of legal relations regulated by the Labor Code of the Russian Federation.
5.2.6 The Operator does not make decisions affecting the interests of employees’ relatives based on their personal data obtained solely as a result of automated processing.
5.2.7 The Operator receives personal data of employees’ relatives from the Operator employees in accordance with the Labor Code of the Russian Federation.
5.2.8 The Operator informs the employee about the purposes, sources, methods of obtaining, as well as the nature of the data of employees’ relatives to be obtained and the consequences of the employee refusal to provide the personal data.
5.2.9 The Operator does not process biometric personal data of employees’ relatives.
5.3 Processing of personal data of candidates for vacant positions
5.3.1 The Operator processes the personal data of candidates for vacant positions using automation tools at the address: St. Petersburg, 50 Chkalovsky Ave., letter A, room 3-N, 2nd floor.
5.3.2 The Operator allows access to personal data of candidates for vacant positions only to those persons who need it to perform their official duties. Access to personal data is granted to persons defined by the “List of employees admitted to personal data processing in Crystal Service Integration LLC”, approved by the order of the Director General of Crystal Service Integration LLC.
5.3.3 In case of refusal to hire, the information provided by the candidate for a vacant position may be stored for no more than 3 years after the Operator makes the relevant decision (in accordance with the Order of the Ministry of Culture of the Russian Federation dated August 25, 2010 No. 558 “On approval of the “List of typical managerial archival documents generated in the course of the activities of state bodies, local governments and organizations, indicating the storage periods”).
5.3.4 The Operator does not provide a third party with personal data of candidates for vacant positions.
5.3.5 Personal data of candidates for vacant positions is possessed with the consent of these personal data subjects, which is given for the period when the employer makes a decision on hiring or refusing to hire. Consent is obtained by filling out the “Send CV” form on the official website of the Operator.
5.3.6 In case of a CV receipt of candidates for vacant positions via e-mail, facsimile, the Operator additionally takes measures aimed at confirming the fact that the specified CV was sent by the candidate himself/herself. Such events are inviting the candidate to a personal meeting with the Operator authorized employees, feedback via e-mail, telephone, etc.
5.3.7 Upon receipt by the Operator of a CV drawn up in any form, in which it is impossible to unambiguously determine the individual who sent it, this CV is destroyed on the day of receipt.
5.3.8 The standard form of the questionnaire for personal data collection of candidates for vacant positions, approved by the Operator, if used, complies with the requirements of p. 7 of the Regulations on the features of the processing of personal data performed without the use of automation tools, approved by the Decree of the Government of the Russian Federation dated September 15, 2008 No. 687, and also contains information on the term for its consideration and decision-making on hiring or refusing to hire.
5.4 Processing of personal data of clients and employees of the Customers
5.4.1 Personal data of individuals being clients and employees of the Operator Customers (hereinafter referred to as the Individuals) is stored in the premises at the address: St. Petersburg, 50 Chkalovsky Ave., letter A, room 3-N, 2nd floor. Processing is performed using automation tools.
5.4.2 The Operator allows access to the personal data of the Individuals only to those persons who need it to perform their official duties. Access to personal data is granted to persons defined by the “List of employees admitted to personal data processing in Crystal Service Integration LLC”, approved by the order of the Director General of Crystal Service Integration LLC..
5.4.3 Clients’ personal data is stored for 30 days, after which they are guaranteed to be destroyed. Personal data is destroyed by the committee for the selection of documents for storage and destruction and is formalized by a certificate.
5.4.4 Personal data of the Individuals is not transferred to third parties.
6. Conditions for personal data processing
6.1 Personal data processing is allowed in the following cases:
– personal data is processed with the consent of a personal data subject to the processing of his/her personal data;
– personal data processing is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or the law, to exercise and perform the functions, powers and duties assigned to the Operator by the Russian Federation legislation;
– personal data processing is necessary for the administration of justice, the execution of a judicial act, an act of another body or official being subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
– personal data processing is necessary for the agreement performance to which a personal data subject is a party or beneficiary or guarantor, including in case that the Operator exercises its right to assign rights (claims) under such an agreement, as well as to conclude an agreement on the initiative of the personal data subject or an agreement under which a personal data subject will be the beneficiary or guarantor;
– personal data processing is necessary to protect the life, health or other vital interests of a personal data subject, in case obtaining the consent of a personal data subject is impossible;
– personal data processing is necessary for the implementation of the rights and legitimate interests of third parties operator or for socially significant goals achievement, provided that the rights and freedoms of personal data subject are not violated;
– personal data is processed, the access to which has been provided to an unlimited circle of persons by a personal data subject or at his/her request;
– personal data processing being subject to publication or mandatory disclosure in accordance with federal law is performed.
6.2 The Operator does not provide or disclose information containing personal data of subjects to a third party without the consent of a personal data subject, except when it is necessary to prevent a threat to life and health, as well as in cases established by federal laws.
6.3 Upon a reasoned request, solely for the performance of the functions and powers assigned by law, personal data of a personal subject without his/her consent may be transferred to:
- the judicial authorities in connection with the administration of justice;
– the bodies of the federal security service;
– the prosecutor’s office;
– the police department;
– other bodies and organizations in cases established by regulatory legal acts that are binding.
6.4 The Operator stops processing personal data in the following cases:
– achievement of personal data processing goals or maximum storage periods – within 30 days;
– loss of the need to achieve the purposes of processing personal data – within 30 days;
– provision by a personal data subject or his/her legal representative of information confirming that personal data is illegally obtained or not necessary for the stated purpose of processing – within 7 days;
– the impossibility of ensuring the legality of personal data processing – within 10 days;
– withdrawal by a personal data subject of consent to personal data processing, in case the storage of personal data is no longer required for the purposes of personal data processing – within 30 days;
– expiration of the limitation periods for legal relations within which personal data is processed or has been processed.
7. Measures to ensure personal data security
7.1 The security of personal data processed by the Operator is ensured by the implementation of legal, organizational and technical measures necessary and sufficient to ensure compliance with the legislation requirements in the field of personal data protection.
7.2 The Operator takes the necessary organizational and technical measures to ensure personal data security from accidental or unauthorized access, destruction, modification, blocking access and other unauthorized actions.
7.3 The Operator takes the following organizational and technical measures necessary and sufficient to ensure the obligations performance stipulated by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance therewith:
– appointment of officials responsible for arranging personal data processing and protection;
– issuance of local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, and eliminating the consequences of such violations;
– implementation of internal control and (or) audit of personal data processing compliance with the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance therewith, the requirements for personal data protection, the Operator policy regarding personal data processing, local acts of the Operator;
– assessment of the harm that may be caused to personal data subjects in case of violation of the Federal Law “On Personal Data”, the ratio of the specified harm and the measures taken by the Operator;
– familiarization of employees directly involved in personal data processing with the provisions of the Russian Federation legislation on personal data, including the requirements for personal data protection, documents defining the Operator policy regarding personal data processing, local acts on personal data processing and (or) training of indicated employees;
– determination of threats to personal data security during its processing in personal data information systems;
– application of organizational and technical measures to ensure personal data security during its processing in personal data information systems necessary to perform the requirements for personal data protection, the implementation of which ensures the level of security established in personal data information system ;
– use of information security tools that have passed the conformity assessment procedure in the prescribed manner when the use of such tools is necessary to neutralize actual threats;
– assessment of the effectiveness of measures taken to ensure personal data security;
– accounting of personal data mediums;
– detection of facts of unauthorized access to personal data and taking measures;
– recovery of personal data modified or destroyed due to unauthorized access thereto;
– establishing rules for access to personal data processed in personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in personal data information system;
– control over the measures taken to ensure personal data security and the security level of personal data information systems.
8. Rights of personal data subjects
8.1 A personal data subject is entitled to receive information regarding the processing of his/her personal data, including information containing:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds and purposes for personal data processing;
– the purposes and methods used by the Operator for personal data processing;
– the Operator name and location, information about persons (excluding employees/employees of the Operator) who have access to personal data or to whom personal data may be disclosed based on an agreement with the Operator or based on the federal law;
– personal data being processed relating to the relevant personal data subject, its receipt source, unless a different procedure for such data provision is envisaged by the federal law;
– terms of personal data processing, including its storage terms;
– the procedure for the exercise by a personal data subject of the rights provided for by the Federal Law “On Personal Data”;
– information about the completed or proposed cross-border data transfer;
– the denomination or surname, name, patronymic and address of the person who processes personal data on behalf of the Operator, in case the processing is or will be entrusted to such a person;
– other information provided for by the Federal Law “On Personal Data” or other federal laws.
8.2 A personal data subject is entitled to demand from the Operator the clarification of his/her personal data, its blocking or destruction in case the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect his/her rights.
8.3 In case a personal data subject believes that the Operator is processing his/her personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise violates his/her rights and freedoms, a personal data subject is entitled to appeal against the actions or inaction of the Operator to a higher authority for the protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Communications – Roskomnadzor) or in court.
8.4 A personal data subject is entitled to protect his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
8.5 In order to exercise their rights and legitimate interests, personal data subjects are entitled to contact the Operator or send a request in person or with the help of a representative. The request must contain the information specified in p. 3 Art. 14 of the Federal Law “On Personal Data”.
9. Final provisions
9.1 Control over the requirements performance of the Policy is made by the person responsible for arranging personal data processing in Crystal Service Integration LLC.
9.2 Other rights and obligations of the Personal Data Operator are determined by the Federal Law “On Personal Data” and other regulatory legal acts in the field of personal data protection.
9.3 Officials guilty of violating the rules governing personal data processing and protection bear material, disciplinary, administrative, civil and criminal liability in the manner prescribed by federal laws.
Alexey Ankudinov
head of Set products