1 Purpose This Policy of processing of personal data of LLC "E-motion" (further - Policy) is developed for the purpose of maintenance of protection of personal data of users and other categories of citizens according to requirements of the current legislation of the Russian Federation.
The policy was developed in accordance with Articles 23 and 24 of the Constitution of the Russian Federation, Chapter 14 of the Labor Code of the Russian Federation, the Federal Law "On Personal Data", the Federal Law "On Information, Information Technologies and Information Protection" and other laws and regulations of the Russian Federation.
Policy regulates order of gathering, systematization, accumulation, storage, specification (updating, change), extraction, use, transfer (distribution, granting, access), depersonalization, blocking, destruction, removal, registration of the documents containing data, referred to personal data of subjects (users and other categories of citizens) LLC "E-motion" with or without use of such means, and also defines rights, duties and responsibility of management and the officials having access to personal data, for non-fulfillment of requirements of norms, regulating the order of processing and protection of personal data.
The operator according to item 3 of the Federal law "About personal data" is E-motion LLC carries out processing of personal data which purpose and the maintenance is defined by E-motion LLC.
This policy is put into force for the first time since the date of its approval.
2 General provisions
2.1 Scope of application The application of this document is "For guidance".
2.2 Regulatory References The following normative documents are referenced in this Policy:
- Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;
- Constitution of the Russian Federation;
- Labor Code of the Russian Federation of 30.12.2001 № 197-FZ;
- Federal Law of Russian Federation "On Personal Data" dated 27.07.2006 No. 152-FZ;
- Federal Law of Russian Federation No. 149-FZ "On Information, Information Technologies and Information Protection" dated 27.07.2006;
- Decree of the President of the Russian Federation dated 06.03.1997 # 188 "On Approval of the List of Data of Confidential Nature";
- Decree of the Government of the Russian Federation dated 06.07.2008 N 512 "On Approval of the requirements for material media biometric personal data and technology to store such data outside information systems of personal data";
- Decree of the Government of the Russian Federation of 01.11.2012 N 1119 "On Approval of the requirements for the protection of personal data at their processing in the information systems of personal data";
- Decree of the Government of the Russian Federation dated 15.09.2008 № 687 "On Approval of the Regulations on the specifics of the processing of personal data carried out without the use of automation";
- Order of FSTEC of Russia from 18.02.2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems";
- E-Motion LLC User Agreement;
- Regulation on processing and protection of personal data of LLC "E-motion".
2.3 Terms, Definitions and Abbreviations For the purposes of this Policy, the following terms and abbreviations are defined herein:
Automated processing of personal data - processing of personal data by means of computer technology.
User (Subscriber) - a user of rental services with which a contract for the provision of such services is concluded, as well as other categories of citizens.
Personal Data - any information relating directly or indirectly to a particular or identifiable individual (the subject of the personal data).
Blocking - a temporary cessation of processing of Personal Data (except in cases where the processing is necessary to clarify the Personal Data).
Access to information - the ability to obtain information and use it.
Use of Personal Data - actions (operations) with Personal Data, performed by the operator in order to make decisions or perform other actions, generating legal consequences with respect to the User or other persons or otherwise affecting the rights and freedoms of the User or other persons.
KISPDn - Corporate Information System of Personal Data, which collects and stores information about the subjects of personal data and the history of relationships with them, on the use of rental services and their tariffing and payment processing.
Confidentiality of Personal Data - mandatory for compliance with the operator or other person having access to personal data, the requirement to prevent their dissemination without the consent of the user or the existence of any other legal basis.
Unauthorized access to information assets - access to information in violation of established access control rules.
Impersonalization of Personal Data - any action that makes it impossible, without the use of additional information, to determine what personal data belongs to a particular subject of personal data.
Processing of personal data - any action (operation) or a set of actions (operations), performed with or without the use of automation with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.
Operator - the state body, municipal body, legal or physical person, independently or together with other persons organizing and (or) carrying out processing of the personal data, and also defining purposes of processing of the personal data, structure of the personal data subject to processing, actions (operations) made with the personal data.
Operator - LLC "E-motion".
Responsible person of the Operator - the Operator's employee whose functional duties include personal data processing.
Personal data (PDN) - any information relating to directly or indirectly defined or determinable physical person (subject of PDN).
Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons.
KISPDN user - a person participating in KISPDN functioning or using its results.
Potential user - a natural person who intends to become a user.
Dissemination of personal data - actions aimed at disclosure of personal data to an indefinite circle of persons.
Subject of personal data - an individual to whom the relevant personal data relates.
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which tangible personal data carriers are destroyed.
Electronic document - documented information presented in electronic form, i.e. in a form suitable for human perception using electronic computing machines, as well as for transmission via information and telecommunications networks or processing in information systems (IS).
IS - information security.
IS - information system.
ISPDN - information system of personal data.
PDN - personal data.
RF - Russian Federation.
TS - technical means.
FSB of Russia - Federal Security Service of Russia.
FSTEC of Russia - Federal Service for Technical and Export Control of Russia.
Protected Email - additional service allowing to protect email messages by means of encryption and electronic signature by certified means of cryptographic protection of information.
Authorized by the operator - E-motion LLC, to which the operator entrusts processing of Personal Data of users and potential users on the basis of a contract.
3 The concept and composition of processed personal data
3.1 General provisions Personal Data of Data Subjects means information required by the Operator in connection with the contractual relations in connection with the provision of rental services. The subject's Personal Data is confidential information. Personal data confidentiality regime shall be withdrawn in case of depersonalization, upon expiry of statute of limitations or 75 years of prescribed retention period, unless otherwise stipulated by RF statutory acts.
3.2 Scope and Content of Personal Data Processed The scope and content of Personal Data processed by the Operator shall be determined in accordance with the Civil Code of the Russian Federation, the Labor Code of the Russian Federation, the RF Law of 07.02.1992 N 2300-1 "On Protection of Consumer Rights", the Federal Law "On Personal Data" № 152-FZ of July 21, 2014 and other regulatory acts.
3.3 Categories of Data Subjects The Operator shall process the Personal Data of the subjects whose Personal Data is processed in support of the Operator's principal activities:
- persons who have applied to the Operator in order to receive rental services;
- Persons to whom rent services are provided;
- Persons under a civil law contract;
- Persons under an apprenticeship agreement.
3.4 Information pertaining to processed PDN The subject's Personal Data processed by the Operator includes, inter alia, the following information:
- data of the identity document (type of document, series, number, date and place of issue, subdivision code, date of registration at the place of residence);
- date and place of birth;
- address of residence (registration) or address of installation of terminal equipment;
- information on payments for the rendered services, including information on the route of the rental;
- unique user account number;
- contact phone number;
- e-mail address
3.5 Personal Data Documents The operator's Personal Data may be contained in documents, related to main activities (documents drawn up in connection with the conclusion and execution of rental contracts, a copy of identity documents, etc.);
Documents containing Personal Data shall be created by:
- copying the originals;
- Entering information into paper and electronic media.
4 Principles of Personal Data Processing
4.1 General requirements and principles In order to ensure the rights of Personal Data Subjects, the Operator shall comply with the following general requirements and principles when processing Personal Data of Personal Data Subjects:
- Processing of Personal Data shall be limited to achieving specific, predetermined and legitimate purposes. Processing of Personal Data incompatible with the purposes of collecting Personal Data shall not be permitted;
- No pooling of databases containing Personal Data, processed for purposes incompatible with each other, shall be permitted;
- Only Personal Data satisfying the purposes of its processing shall be processed;
- The content and scope of processed Personal Data shall comply with the declared processing purposes. Processed Personal Data shall not be excessive in relation to the declared purposes of its processing;
- Processing of Personal Data shall ensure the accuracy of Personal Data, their adequacy and, if necessary, relevance in relation to the Purpose of Personal Data Processing. The Operator shall take necessary measures, or ensure that such measures are taken, to remove or clarify incomplete or inaccurate data
4.2 Storage of Personal Data Storage of Personal Data shall be in a form that allows identifying the subject of Personal Data no longer than required by the purposes of Personal Data processing, unless the term of Personal Data storage is prescribed by federal law, an agreement to which the subject of Personal Data is a party, a beneficiary or a guarantor. Processed Personal Data shall be destroyed or depersonalized upon attainment of the processing objectives or when it is no longer necessary to attain such objectives.
4.3 Transferring the Processing of Personal Data to another person The Operator shall entrust Processing of Personal Data to a Person Authorized by the Operator, with the consent of the Data Subject, based on a contract to be concluded with that person. The person authorized by the Operator to process Personal Data on behalf of the Operator shall be obliged to comply with the principles and rules of Personal Data processing stipulated by this Policy. The person authorized by the Operator on behalf of, on behalf of and at the expense of the Operator shall perform the following Personal Data processing activities: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, distribution (including transfer), depersonalization, blocking, destruction of personal data.
The Authorized Person of the Operator undertakes to observe the confidentiality regime in respect of the data, which has become known to him in the course of execution of the Operator's order.
When processing the Personal Data, the Authorized Operator shall ensure the security of the Personal Data by a set of organizational and technical measures in the extent necessary to achieve the specified goal. In particular, security is achieved by applying the following measures as necessary:
1) determining the threats to the security of the Personal Data when they are processed in the IS of the Personal Data;
2) using organizational and technical measures for ensuring security of Personal Data in the course of their processing in Personal Data Information Systems, necessary for fulfillment of requirements to protection of Personal Data, execution of which ensures the levels of Personal Data security, established by the Government of the Russian Federation;
3) Applying the information protection means which have passed the conformity assessment procedure in accordance with the established procedure;
4) Evaluation of efficiency of measures to ensure PDN security prior to commissioning of Personal Data Information Systems;
5) Accounting of machine-readable carriers of PDN;
6) Detection of facts of unauthorized access to PDN and taking measures;
7) Restoring of Personal Data modified or destroyed as a result of unauthorized access;
8) Establishing the rules for access to the Personal Data processed in the Personal Data Information System, and ensuring registration and accounting of all actions taken with Personal Data in the Personal Data System;
9) control over measures taken to ensure PDN security and the level of IS PDN security.
Person authorized by the Operator, processing Personal Data on behalf of the Operator, shall not be obliged to obtain consent from a Data Subject to process his Personal Data.
The Operator shall be liable to the Data Subject for the actions of the Person authorized by the Operator. The Person authorized by the Operator to process Personal Data on behalf of the Operator shall be liable to the Operator.
4.4 Confidentiality of Personal Data The Operator and other persons who have obtained access to the Personal Data are obliged not to disclose or distribute the Personal Data to any third party without the consent of the subject of the Personal Data.
4.5 Publicly Accessible Sources of Personal Data In order to provide information support to Operator's activity, yet available sources of Personal Data (including reference books, etc.) may be created.
5 Procedure for processing of Personal Data by the Operator
5.1 Collection, systematization and accumulation of Personal Data Collection, storage, processing, including transfer, dissemination, use, blocking and destruction of Personal Data Subjects may be carried out solely for the purpose of ensuring compliance with laws and other regulations, performance of contracts.
Collection and recording of PD subjects' personal data shall be performed on the Operator's behalf by a person authorized by the Operator when submitting an application (offer) to conclude an agreement.
Based on User's application (offer) Operator shall process Personal Data Subjects.
The subject of Personal Data shall submit his/her Personal Data when filling out an application (offer) and/or executing a service agreement to the extent required to conclude an agreement in accordance with the approved forms.
PDN shall be systematized, accumulated and amended by the Authorized Person.
Based on the PD subject's application (offer), the Operator's Authorized Person shall, at the PD subject's request, generate records on PDN in the Personal Information System (PIS). Updating (updating, amending) the Personal Data shall be performed by the Operator's Authorized Person at the request of the subject of Personal Data, presenting the originals of the necessary documents. Making alterations to the PDN shall be performed via the KISPDN management user interface. When processing PD in hard copy - the change is made by replacing data in hard copy in the presence of the subject of PD.
All Personal Data of the subject of Personal Data shall be obtained from him/herself.
An operator-authorized person shall accept documents from the subject of personal data, check their completeness and compliance of the data provided with reality.
Upon receipt of the Personal Data, the person authorized by the operator shall verify their accuracy by checking the data provided against the documents available to the subject.
The Operator shall be entitled to process Subjects' Personal Data only with their written consent in the following cases provided by the Federal Law "On Personal Data":
- When transferring the processing of Personal Data to a third party;
- Processing special categories of Personal Data;
- Inclusion of the Subject's Personal Data into public sources of Personal Data (including directories, address books etc.);
- In case of necessity of cross-border transfer of Personal Data to foreign countries, which do not provide for adequate protection of Personal Data subjects' rights;
- In case of taking decisions, giving rise to legal consequences in relation to the subject of Personal Data or otherwise affecting his/her rights and legitimate interests based solely on the automated processing of his/her Personal Data;
- In case of incapacity of a subject of Personal Data, when the subject's legal representative gives consent to the processing of his/her Personal Data on his/her behalf.
Personal Data Subject's consent to process his Personal Data shall not be required in the following cases:
- Processing of Personal Data is necessary for execution of an agreement, a party to which or a beneficiary or guarantor, under which the Data Subject is a subject, as well as for conclusion of an agreement at the initiative of the Personal Data Subject or an agreement, under which the Personal Data Subject will be a beneficiary or guarantor;
- Processing of Personal Data is necessary to exercise the rights and lawful interests of the Operator or third parties or to achieve Operator-significant goals, provided that the rights and freedoms of the subject of Personal Data are not violated;
- Processing of Personal Data is necessary to protect life, health or other vital interests of the subject of Personal Data, if consent of the subject of Personal Data cannot be obtained;
- Processing of Personal Data is necessary for the Operator's settlements with users of rent services, as well as for the consideration of users' claims;
- Processing of Personal Data subject to publication or compulsory disclosure in accordance with federal laws;
- Processing of Personal Data shall be carried out for statistical or other scientific purposes subject to obligatory depersonalization of Personal Data, except when Personal Data is processed for marketing purposes;
- Processing of Personal Data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or by law, to perform and fulfill the functions, powers and obligations imposed on the operator by the legislation of the Russian Federation;
- Processing of Personal Data is necessary for administration of justice, execution of a judicial act, act of another body or official to be executed in accordance with the legislation of the Russian Federation on enforcement proceedings.
In case consent to the Processing of Personal Data is received from the representative of the Data Subject, the authority of such representative to give consent on behalf of the Data Subject shall be verified by the Authorized Person of the Operator.
If the Data Subject withdraws his consent to process his Personal Data, the Operator shall be obliged to stop processing the Personal Data or ensure that such processing ceases (if the Personal Data is processed by another person acting on behalf of the Operator) and, if the preservation of Personal Data is no longer required for the purposes of processing the Personal Data, destroy the Personal Data or ensure their destruction (if the Personal Data is processed by another person acting on behalf of the Operator) within thirty days of receipt of such withdrawal, unless otherwise stipulated by the agreement, to which the subject of Personal Data is a party, beneficiary or guarantor, by any other agreement between the Operator and the subject of Personal Data, or unless the Operator has the right to process Personal Data without the consent of the subject of Personal Data on the grounds stipulated by Russian law.
If it is not possible to destroy the Personal Data within the specified period, the Operator shall ensure that they are blocked and shall ensure the destruction of the Personal Data within a period not exceeding six months, unless other period is prescribed by federal laws.
5.2 Use and transfer of the Personal Data
5.2.1 General Requirements Pursuant to the Federal Law "On Personal Data", in order to secure human and civil rights and liberties, the Operator and its Authorized Person shall comply with the following general requirements when processing Personal Data of a subject of Personal Data.
Processing of Personal Data may be carried out solely for the purpose of ensuring compliance with laws and other regulations, performance of rental contracts, one party to which is a user.
When determining the scope and content of processed Personal Data, the Operator shall be guided by the Constitution of the Russian Federation and other federal laws.
In making decisions affecting the subject's interests, the Operator and its authorized person shall not be entitled to base their decisions on the subject's Personal Data obtained solely as a result of their automated processing or electronic receipt.
The Operator shall protect the subject's Personal Data from unauthorized use or loss at its own expense, as prescribed by federal law.
5.2.2 Processing of Personal Data received in connection with the execution of civil law contracts The processing of Personal Data received in connection with the execution of civil law contracts, concluded within the framework of the Operator's core activities, shall be carried out in accordance with the terms included in the relevant contracts, as well as in accordance with the internal organizational and regulatory documents.
5.2.3 Requirements for transfer of Personal Data When transferring the Subject's Personal Data, the Operator shall comply with the following requirements:
- Not to share the Subject's Personal Data for commercial purposes without the Subject's written consent. Processing of Subjects' Personal Data for the purpose of promoting goods, works, services in the market by direct contact with the potential consumer by means of communication is allowed only with their prior consent;
- To warn entities, who received subjects' Personal Data, that this data may be used only for the purposes, for which it was communicated, and to require from these persons to confirm that this rule is complied with;
- Persons who have received the Subject's Personal Data shall be obliged to respect the confidentiality regime.
In the case of the transfer of Personal Data to an external consumer:
- the transfer of Personal Data from the Operator to an external consumer may be allowed in a minimum amount and only for the purpose of performing tasks appropriate to the objective reason for collecting this data;
- transfer of Personal Data by verbal requests and unprotected communication channels shall not be permitted.
5.2.4 Requests from Data Subjects to provide information Subjects of Personal Data (representatives of Personal Data Subjects), Authorized bodies on protection of rights of Personal Data Subjects shall be entitled to request necessary information (Personal Data) from Operator using a written appeal (request).
A written request (query) must contain the following mandatory details:
- name of the body to which the subject of Personal Data applies, and postal address;
- Surname, first name, and patronymic of the person who signed the appeal;
- Number and series of the main document certifying the identity of the subject of personal data or his legal representative, information on the date of issue of such document and the body that issued it, information confirming the subject of personal data in relations with the Operator (contract number, contract conclusion date, conventional designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator, the signature of the subject of personal data or his legal representative;
- The purpose of the request (this requisite is not obligatory for Data Subjects' rights protection authorized bodies);
- Reference to the norm of federal legislation of the Russian Federation, in accordance with which the right to request the Data Subject's Personal Data arises, full details (surname, first name, patronymic in the nominative case, year of birth)
The subject of Personal Data shall have the right to request the following information:
- confirmation of the fact of processing of Personal Data by the Operator;
- The legal grounds and purposes for processing Personal Data;
- Purposes and methods of Personal Data processing used by the Operator;
- Name and location of the Operator, information on the persons (excluding the Operator's employees), who have access to the Personal Data or to whom the Personal Data may be disclosed based on the agreement with the Operator or on the basis of the federal law;
- Processed Personal Data pertaining to the respective subject of Personal Data, the source of their receipt, unless other procedure of providing such data is stipulated by the federal law;
- The deadlines for processing the Personal Data, including their retention period;
- The procedure of exercising by the subject of personal data the rights provided for by the Federal Law "On Personal Data";
- information on actual or prospective cross-border data transfer;
- Name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if processing is or will be assigned to such person;
- Other information required by the Federal Law "On Personal Data" or other federal laws.
Preparation of requested information and formation of the substantive part of the response shall be performed by the Authorized Person of the Operator, with a clear definition of the purposes and terms of processing of Personal Data to a particular subject of Personal Data. The prepared answer shall be drawn up in writing.
If requested data, as well as processed Personal Data were provided for familiarization to the subject of Personal Data by his request, the subject of Personal Data shall have the right to apply repeatedly to the Operator or send a repeated request to obtain the above data and familiarize with such Personal Data no earlier than thirty days after the initial application or sending an initial request, unless a shorter term is established by the federal law, a legal act adopted in accordance with it or an agreement, which party or beneficiary is a party to the agreement.
Subject of Personal Data shall be entitled to apply repeatedly to the Operator or send a repeated request to obtain the above information, as well as to get acquainted with processed Personal Data before the thirty-day period expires, if such information and (or) processed Personal Data were not provided to him for familiarization in full upon review of the initial application. A repeated request, along with mandatory information, shall contain a justification for sending a repeated request.
In case of refusal to provide the subject of Personal Data or his legal representative with information on availability of Personal Data on respective subject of Personal Data, as well as such Personal Data, the Operator shall prepare a written reasoned reply containing a reference to provision of part 8 article 14 of the Federal Law "On Personal Data" or any other federal law being the basis for such refusal, within thirty working days from the date of request by the subject of Personal Data or his legal representative, within the period not exceeding
5.3 Storage and destruction of personal data Paper-based Personal Data shall be stored in secure premises, access to which shall be restricted to the Operator's Responsible Person and the Operator's Authorized Person.
In electronic form, PDN shall be stored in the KIPPDN. Retention period shall be at least 5 years after expiry of the agreement, application (offer).
Destruction of Personal Data shall be performed by the Authorized Person of the Operator after achievement of the purpose of Personal Data processing or upon expiry of the retention period.
Destruction of data carriers containing Personal Data shall be documented by an Act of destruction of tangible data carrier.
Tangible media in paper form containing Personal Data shall be destroyed by shredding, which does not allow their subsequent recovery (e.g., using a paper cutting machine (PMM)).
The destruction of Personal Data shall be organized and ensured by the Operator's Responsible Person and the Operator's Authorized Person.
Electronic files containing Personal Data shall be deleted using the KISPDN management user interface.
The Authorized Person of the Operator shall destroy the electronic PDN in accordance with the established technological process and the requirements of the EIS operational documentation.
In the event that the Authorized Person of the Operator's office equipment is transferred to a third party for repair, the Authorized Person of the Operator shall arrange for the destruction of the information containing the Personal Data placed on the transferred equipment.
The following terms of processing and storage of the Personal Data processed by the Operator shall be established:
- Personal Data processed for the purpose of carrying out core activities - during the validity of the relevant civil contract and the limitation period after its completion;
- the Personal Data of the Operator's potential users - until the moment of withdrawal of the application for the provision of services.
5.4 Access to Personal Data Access of the Operator's Authorized Personnel to Process Personal Data shall be arranged in accordance with the approved list of positions authorized for processing of Personal Data.
The rights of the officials on the Processing of the Personal Data in the Authorized Person of the Operator are determined on the basis of the functional (job) duties of the officials of the relevant structural subdivisions, the owners of the ISPDN, the information security departments.
Access to the Personal Data, processed in the Operator's Authorized Person's ISPDN, is carried out in accordance with the procedure established by the local regulatory documents.
Supervisory and controlling authorities shall have access to information only in the specified area of activity and within the limits of the powers stipulated by the current legislation of the Russian Federation.