1. General Provisions
1.1. The purpose of this Policy on the processing and protection of personal data (hereinafter referred to as the Policy) is to ensure that personal data (hereinafter also referred to as the "PD") is processed in accordance with the norms and principles of the current federal legislation.
1.2. This Policy applies to all business processes of the Company and is mandatory for all employees of the Company.
1.3. The General Director of the Company is the person responsible for organizing the processing of personal data.
2.1. Personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data);
2.2. Operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data;
2.3. Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
2.4. Automated processing of personal data - processing of personal data using computer technology;
2.5. Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
2.6. Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;
2.7. Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
2.8. Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;
2.9. Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information;
2.10. Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
2.11. Machine medium - a magnetic disk, magnetic tape, laser disk and other material media used to record and store information using electronic computers.
3. Principles and conditions for processing PD
3.1. The processing of PD in the Company is carried out strictly in accordance with the following principles:
The processing of PD is carried out on a legal and fair basis.
The processing of PD is limited to the achievement of specific, predetermined and legitimate purposes.
The content and volume of the processed PD correspond to the stated purposes of processing; the Company does not process redundant personal data.
The processing ensures the accuracy of PD, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data.
Processed PD are destroyed upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
3.2. The Company may include PD of subjects in public sources of PD, in which case the Company obtains the written consent of the subject to the processing of his PD.
3.3. The Company does not process personal data related to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.
3.4. Biometric PD (information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which is used by the operator to identify the PD subject) is not processed by the Company.
3.5. The Company does not carry out cross-border transfer of PD.
3.6. In cases established by the legislation of the Russian Federation, the Company has the right to transfer PD to third parties (the federal tax service, the state pension fund and other state bodies).
3.7. The Company has the right to entrust the processing of PD of PD subjects to third parties on the basis of an agreement concluded with these persons.
3.8. Persons processing PD on the basis of an agreement concluded with the Company (instruction of the operator) undertake to comply with the principles and rules for the processing and protection of PD provided for by the Law.
3.9. In order to comply with the requirements of the current legislation of the Russian Federation and its contractual obligations, the processing of PD in the Company is carried out both with and without the use of automation tools, i.e. mixed processing of personal data.
3.10. Decisions that give rise to legal consequences are not made on the basis of automated processing of PD in the Company. Otherwise, the appropriate consent of the PD subjects is required.
3.11. The processing of PD in the Company should be carried out with the consent of the PD subject, except when such consent is not required, or on behalf of the PD operator, in cases where the Company is not the operator of the subjects' PD.
3.12. Consent to PD processing must meet the following requirements:
- the consent of the subject must be obtained freely, according to the will of the subject and in his interests;
- consent must be given by the PD subject in any form that allows confirming the fact of its receipt.
3.13. The terms of processing (storage) of PD are determined based on the purposes of processing PD, in accordance with the validity period of the contract with the subject of PD, the requirements of federal laws, the requirements of PD operators on behalf of which the Company processes PD, the main rules for the operation of archives of organizations, the statute of limitations.
3.14. PD whose processing (storage) period has expired must be destroyed, unless otherwise provided by federal law. Storage of PD after the termination of their processing is allowed only after their depersonalization.
4. Legal grounds and purposes of PD processing
4.1. The processing and security of PD in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, by-laws, other federal laws of the Russian Federation that determine the cases and features of processing PD, guidelines and methodological documents of the FSTEC of Russia and the FSB of Russia.
4.2. The subjects of PD processed by the Company are:
candidates for vacant positions;
employees of the Company, relatives of employees of the Company, within the limits determined by the legislation of the Russian Federation, if information about them is provided by the employee;
persons who are members of the management bodies of the Company and who are not employees;
individuals with whom the Company enters into civil law contracts;
representatives of legal entities - counterparties of the Company;
members of bonus loyalty programs;
customers - consumers, incl. visitors to the sites owned by the Company: modest-story.com (hereinafter referred to as the "Sites"), including for the purpose of placing an order with subsequent delivery to the client;
customers - newsletter subscribers.
4.3. The Company processes PD of subjects for the following purposes:
implementation of the functions, powers and obligations assigned to the Company by the legislation of the Russian Federation in accordance with federal laws, including, but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, the Federal Law of 01.04.1996 No. 27-FZ "On individual (personalized) accounting in the system of compulsory pension insurance", Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", Federal Law of March 28, 1998 No. 53-FZ "On military duty and military service", Federal Law of February 26, 1997 No. 31-FZ "On mobilization training and mobilization in the Russian Federation", Federal Law of February 8, 1998 No. 14-FZ "On societies with Limited Liability", Federal Law No. 2300-1 of February 7, 1992 "On Protection of Consumer Rights", Federal Law No. 129-FZ of November 21, 1996 "On Accounting", Federal Law No. 326-FZ dated November 29, 2010 "On Compulsory Medical Insurance in the Russian Federation", as well as PD operators, the Charter and local acts of the Company.
Employees for the following purposes:
compliance with labor, tax and pension legislation of the Russian Federation, namely:
assistance to employees in employment, training and promotion;
calculation and payroll;
organization of business trips of employees;
drawing up powers of attorney (including for representing the interests of the Company before third parties);
ensuring the personal safety of employees;
control of the quantity and quality of work performed;
ensuring the safety of property;
compliance with the access control in the premises of the Company;
accounting of working time;
Candidates for vacant positions for the following purposes:
making a decision on the possibility of concluding an employment contract with persons applying for available vacancies;
Persons who are members of the management bodies of the Company, who are not employees, for the following purposes:
fulfillment of the requirements stipulated by the legislation, incl. mandatory disclosure of information, audit, verification of the possibility of transactions, including transactions with interest and / or major transactions.
Counterparties-individuals for the following purposes:
conclusion and execution of an agreement, one of the parties to which is an individual;
considering opportunities for further cooperation.
Representatives of legal entities - counterparties of the Company for the following purposes:
negotiating, concluding and executing contracts under which the PD of employees of such a legal entity is provided for the purpose of executing the contract in various areas of the Company's business activities.
Participants of bonus loyalty programs for the following purposes:
providing information on goods, ongoing promotions, the state of the personal account;
identification of the participant in the loyalty program; ensuring the procedure for accounting for the accumulation and use of bonuses;
fulfillment by the Company of obligations under the loyalty program.
Clients - consumers for the following purposes:
providing information on goods/services, ongoing promotions and special offers;
analysis of the quality of the service provided by the Company and improvement of the quality of customer service of the Company;
informing about the status of the order;
performance of the contract, incl. purchase and sale agreements, incl. concluded remotely on the Sites, paid provision of services;
delivery of the ordered goods to the customer who placed an order on the Sites, return of the goods.
4.4. The Company may process personal data of customers received online - on the Internet (Sites, mobile applications, social networks, e-mail), offline - in stores (boutiques), at points of sale and at events (by filling out printed registration forms), as well as through calls to call centers (customer support centers).
5. Rights and obligations of PD subjects
5.1. The subject whose PD is processed by the Company has the following rights:
receive from the Company information regarding the processing of his PD (including confirmation of the fact of PD processing, legal grounds, purposes, processing, processing time, storage periods, name and address of the person processing PD on behalf of the Company, if the processing is or will be entrusted to such a person, other information provided for by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data");
require the Company to clarify his PD, block it or destroy it if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect his rights;
withdraw his consent to the processing of PD at any time.
5.2. Information is provided to the PD subject on the basis of a request. The request must contain the number of the main document proving the identity of the PD subject or its representative, information on the date of issue of the specified document and the authority that issued it, information confirming the participation of the PD subject in relations with the Company, or information otherwise confirming the fact of PD processing by the Client, the signature of the subject or his representative.
5.3. The request can be sent to the address of the company's location: Russian Federation, 127051, Moscow, st. Petrovka, 16, room. 45, in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
6. Rights and Obligations of the Company
6.1. When processing PD, the Company is obliged to:
provide the PD subject, at his request, with information regarding the processing of his PD, or legally provide a refusal within thirty days from the date of receipt of the request of the PD subject or his representative;
take the necessary legal, organizational and technical measures or ensure their adoption to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD;
publish on the Internet and provide unrestricted access via the Internet to a document that defines its policy regarding the processing of PD, to information on the implemented requirements for the protection of PD;
provide PD subjects and/or their representatives free of charge with the opportunity to familiarize themselves with the PD when making a relevant request within 30 days from the date of receipt of such a request;
block illegally processed PD related to the PD subject, or ensure their blocking (if PD processing is carried out by another person acting on behalf of the Company) from the moment of application or receipt of a request for the verification period, in case of detection of illegal PD processing when the PD subject or his representative applies, or at the request of the PD subject or his representative, or of an authorized body for the protection of the rights of PD subjects;
clarify the PD or ensure their clarification (if the PD is processed by another person acting on behalf of the Company) within 7 working days from the date of submission of the information and remove the blocking of the PD, if the fact of inaccuracy of the PD is confirmed based on the information provided by the subject of the PD or his representative;
stop illegal processing of PD or ensure the termination of illegal processing of PD by a person acting on behalf of the Company, in case of detection of illegal processing of PD carried out by the Company or by a person acting on the basis of an agreement with the Company, within a period not exceeding 3 working days from the date of such discovery;
stop PD processing or ensure its termination (if PD processing is carried out by another person acting under an agreement with the Company) and destroy PD or ensure their destruction (if PD processing is carried out by another person acting under an agreement with the Company) upon reaching the purpose of PD processing, unless otherwise provided for by the agreement to which the PD subject is a party, beneficiary or guarantor;
stop processing of PD or ensure its termination and destroy PD or ensure their destruction if the PD subject withdraws consent to PD processing, if the Company is not entitled to process PD without the consent of the PD subject;
maintain a register of requests from PD subjects, which should record the requests of PD subjects to receive PD, as well as the facts of providing PD on these requests.
7. Ensuring the security of PD during their processing
7.1. When processing PD, the Company takes the necessary legal, organizational and technical measures to protect PD from unauthorized and / or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD.
7.2. Such measures in accordance with the Law, in particular, include:
appointment of a person responsible for organizing the processing of PD and a person responsible for ensuring the security of PD;
development and approval of local acts on the processing and protection of PD;
application of legal, organizational and technical measures to ensure the security of PD:
identification of threats to the security of PD during their processing in PD information systems;
application of organizational and technical measures to ensure the security of PD during their processing in PD information systems necessary to fulfill the requirements for the protection of PD, the fulfillment of which ensures the levels of PD security established by the Government of the Russian Federation;
the use of information security tools that have passed the conformity assessment procedure in accordance with the established procedure;
assessment of the effectiveness of the measures taken to ensure the security of PD before the commissioning of the PD information system;
accounting for PD machine media, if PD is stored on machine media;
detection of facts of unauthorized access to PD and taking measures to prevent such incidents in the future;
restoration of PD modified or destroyed due to unauthorized access to them;
establishing rules for access to PD processed in the PD information system, as well as ensuring the registration and accounting of all actions performed with PD in the PD information system;
control over the measures taken to ensure the security of PD and the level of security of PD information systems;
assessment of the harm that may be caused to PD subjects in case of violation of the requirements of the Law, the ratio of the specified harm and the measures taken by the Company aimed at ensuring the fulfillment of the obligations provided for by the Law;
compliance with the conditions that exclude unauthorized access to material media of PD and ensure the safety of PD;
familiarization of the Company's employees directly involved in the processing of PD with the provisions of the legislation of the Russian Federation on PD, including the requirements for the protection of PD, local acts on the processing and protection of PD, and training of the Company's employees.
7.3. Requirements for the processing of PD on physical media:
Employees who process PD on physical media must be informed about the categories of PD, about the features and rules for processing PD before the start of processing.
An employee of the Company is responsible for the storage and destruction of physical media with PD with which he works.
PD processed on tangible media should be stored separately from other information.
Storage of tangible PD carriers is carried out only if there is a valid consent of the PD subject to the processing of PD or a valid agreement to which the PD subject is a party.
The Company stores resumes and profiles of candidates for vacant positions, regardless of whether the candidate is hired or not. Storage of these resumes and questionnaires can be carried out only with the consent of the candidate for the processing of his PD, indicating the validity period of the consent. In cases of the expiration of the PD processing period or the request of the PD subject to destroy the PD, resumes and questionnaires are destroyed using a shredder.
Keeping material carriers of PD openly accessible in the working premises of the Company's divisions and on employees' desks is allowed only during the working day, under the personal responsibility of the employee. Upon completion of work with the material carrier, the employee must put the material carrier away in a lockable cabinet assigned to the employee, or in the cabinet of the immediate supervisor. Access to cabinets should be limited to the list of persons with access to PD.
In the event of the expiration of the PD processing period, the employee destroys PD paper media using a shredder without issuing an act of destruction.
7.4. The audit is carried out independently by each employee in relation to the material carriers of PD with which he works. During the audit, paper carriers of personal data that are not required by employees for the further performance of their labor duties should be identified.
7.5. Company employees receive access to PD only to the extent necessary to perform their job duties.
8. Responsibility for violations of the rules governing the processing of PD
8.1. Ensuring the confidentiality of PD processed by the Company is a mandatory requirement for all employees who become aware of PD, both in connection with work activities, and by accident or mistake.
8.2. Employees are personally responsible for compliance with the requirements for processing and ensuring the security of PD established by the Company.
8.3. In cases of violation of the established procedure for processing and ensuring the security of PD, unauthorized access to PD, disclosure of PD and infliction of material or other damage by the company, its employees, customers and counterparties, the guilty persons shall be liable under the current legislation of the Russian Federation.
9. Final provisions
9.1. This Policy is a local regulatory act of the Company. This Policy is public. The general availability of this Policy is ensured by its publication on the Sites, placement in stores (boutiques) and on a network drive accessible to all employees of the Company.
9.2. This Policy may be revised due to changes in the norms of the current legislation or by decision of the Company.