JSC "Sochi-Park"

Personal Data Processing Policy

Symbols and abbreviations

AVT — antivirus tools
AWP — automated work place
AEaS — auxiliary equipment and systems
ISPDn — personal data information system
CA — controlled area
LAN — local area network
FW — firewall
UA — unauthorized access
OS — operating system
PD — personal data
SWaMI — software and mathematical impact
SW — software
SEMRaI — secondary electromagnetic radiation and interference
SAS — security analysis system
IPT — information protection tools
SPDP — system (subsystem) of personal data protection
IDS — intrusion detection system
TCIL — technical channels of information leakage
TPDS — threats to the personal data security

Introduction

This document defines the policy of JSC "Sochi-Park" (hereinafter — the Company) in relation to the processing of personal data.

This Policy is developed in accordance with the current legislation of the Russian Federation on personal data.

This Policy applies to all processes of collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data carried out by automation tools and without them.

Principles of processing personal data

The processing of personal data is based on the following principles:

  • the processing of personal data is carried out on a legal and fair basis;
  • the processing of personal data is limited only to the achievement of specific, predetermined and legitimate purposes;
  • the processing of personal data is incompatible with the prohibited purposes of collecting personal data;
  • it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
  • only those personal data that meet the purposes of their processing are subject to processing;
  • the content and volume of the processed personal data are consistent with the stated processing purposes. The processed personal data is not redundant in relation to the declared purposes of processing;
  • when processing personal data, the accuracy of personal data, its adequacy, and, if necessary, its relevance in relation to the stated purposes of its processing are ensured;
  • personal data is destroyed and depersonalized after the purposes of its processing are achieved or when there is no longer a need to achieve these purposes, if it is impossible for the Company to eliminate the committed violations of personal data, unless otherwise provided by federal law.

Terms of personal data processing

The processing of personal data is carried out in compliance with the regulations and rules established by the Federal Law "On Personal Data". The processing of personal data is allowed in the following cases:

  • processing of personal data is carried out with the consent of the subject of personal data to the processing of his/her personal data;
  • the processing of personal data is necessary to achieve the purposes stipulated by an international agreement of the Russian Federation or by law, and to carry out and fulfill the functions, authorities and obligations assigned to the operator by the legislation of the Russian Federation;
  • the processing of personal data is necessary for execution of justice, execution of a judicial act, an act of another authority or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
  • processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be the beneficiary or guarantor;
  • processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if it is not possible to obtain the consent of the subject of personal data;
  • processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant purposes, provided that this does not violate the rights and freedoms of the personal data subject;
  • processing of personal data is carried out only for statistical or other research purposes, subject to the mandatory depersonalization of personal data. The exception is the processing of personal data in order to promote goods, works, services on the market by making direct contacts with potential consumers using communications, as well as for political campaigning;
  • the personal data being processed is available to an unlimited number of persons, with access provided by the subject of personal data or at his/her request (hereinafter — personal data made publicly available by the subject of personal data);
  • the processing of personal data is carried out if this data is subject to publication or mandatory disclosure in accordance with federal law.

The Company may include personal data of entities in public sources of personal data; in doing so, the Company obtains the written consent of the entity to process its personal data.

The Company may process special categories of personal data regarding race, nationality, state of health, and the Company undertakes to obtain the written consent of the subject for the processing of his/her personal data.

Biometric personal data (information that characterizes the physiological and biological features of a person, on the basis of which it is possible to verify his/her identity and which are used by the operator to establish the identity of the subject of personal data) is processed in the Company in accordance with the norms of the law.

The Company carries out cross-border transfer of personal data only to the territory of foreign states that ensure adequate protection of the rights of subjects of personal data.

No decisions that generate legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests are made on the basis of exclusively automated processing of personal data.

The terms of the Company’s license to carry out its activities do not prohibit the transfer of personal data to third parties without the written consent of the personal data subject.

If the written consent of the subject to the processing of his/her personal data is not required, the consent can be given by the subject of personal data or his/her representative in any form that makes it possible to confirm the fact of its receipt.

The Company has the right to entrust the processing of personal data to another person, subject to the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person (hereinafter referred to as the operator’s order). In this agreement the Company obliges the person who processes personal data on behalf of the Company to comply with the principles and rules for the processing of personal data provided for by this Federal Law.

If the Company entrusts the processing of personal data to another person, the Company is responsible to the personal data subject for the actions of that person. The person who processes personal data on behalf of the Company is responsible to the Company.

The Company undertakes and obliges other persons who have access to the personal data not to disclose to third parties and not to distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.

Rights of the subject of personal data

The subject of personal data decides to provide his/her personal data and agrees to its processing voluntarily, of his/her own free will and in his/her own interest. The consent for processing of personal data may be given by the subject of personal data or his/her representative in any form that confirms the fact of its receipt, unless otherwise provided by federal law.

The obligation to provide evidence of the consent obtained from the personal data subject to the processing of his/her personal data, or to prove the legal grounds specified by the Federal Law "On Personal Data", rests with the Company.

A personal data subject has the right to receive information regarding the processing of his/her personal data, if such a right is not limited in accordance with federal laws. The personal data subject has the right to require the Company to clarify his/her personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also to take measures prescribed by law to protect his/her rights.

The processing of personal data in order to promote goods, works, services on the market by direct contacts with a potential consumer using communication means, as well as for political campaigning, is allowed only with the prior consent of the subject of personal data. The specified processing of personal data is considered as carried out without the prior consent of the subject of personal data, unless the Company proves that such consent has been obtained.

At the request of the subject of personal data, the Company is obliged to immediately terminate the processing of his/her personal data for the above-listed purposes.

It is forbidden to make decisions on the basis of exclusively automated processing of personal data that lead to legal consequences in relation to the subject of personal data or otherwise affect his/her rights and legitimate interests, with the exception of cases provided for by federal laws, or where the written consent of the subject of personal data is available.

If the subject of personal data believes that the Company is processing his/her personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his/her rights and freedoms, the subject of personal data has the right to appeal the actions or omissions of the Company to the competent authorized agency for the protection of the rights of personal data subjects or to file a claim against the Company in court.

The subject of the personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for non-pecuniary damage in court.

Measures to ensure the security of personal data during its processing

When processing personal data, the Company takes the necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access to it, its destruction, modification, blocking, copying, granting, distribution of personal data, as well as from other illegal actions in relation to personal data.

The security of personal data is achieved, in particular, by the following:

  • determination of threats to the security of personal data during their processing in personal data information systems;
  • the application of organizational and technical measures to ensure the security of personal data when it is processed in personal data information systems, as necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
  • application of the procedures for assessing the conformity of information protection measures that have passed their evaluation in the established procedure;
  • assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
  • accounting for machine-readable media containing personal data;
  • detection of unauthorized access to personal data and taking measures;
  • restoration of personal data modified or destroyed due to unauthorized access;
  • establishing rules for access to personal data processed in the personal data information system, as well as the registration and recording of all actions performed with personal data in the personal data information system;
  • control over measures taken to ensure the security of personal data and the level of security of personal data information systems.