top of page

Policy on personal data processing RCHS LLC

1. General terms

1.1. This Policy of the Limited Liability Company “RCHS” in relation to the processing of personal data (hereinafter - the Policy) is developed in fulfilment of the requirements of paragraph 2, part 1, Article 18.1 of the Federal Law dated 27.07.2006 N 152-FZ “On Personal Data” (hereinafter - the Personal Data Law) in order to ensure the protection of human and civil rights and freedoms in the processing of personal data, including the protection of the right to privacy, personal and family secrecy..

1.2. The Policy applies to all personal data processed by RCHS Limited Liability Company (hereinafter referred to as the Operator, RCHS LLC).

1.3. The Policy applies to the relations in the field of personal data processing, which have arisen for the Operator both before and after the approval of this Policy.

1.4. Pursuant to the requirements of Article 18.1 (2) of the Law on Personal Data, this Policy shall be published on the Operator's website in free access in the information and telecommunication network of the Internet.

1.5. Key Concepts Used in the Policy:

personal data - any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data);

personal data operator (operator) - state authority, municipal authority, legal or natural person, independently or jointly with other persons organising and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;

personal data processing - any action (operation) or set of actions (operations) with personal data, performed with or without the use of means of automation. Processing of personal data includes, but is not limited to:

  • collection;

  • recording;

  • systematisation;

  • accumulation;

  • storage;

  • clarification (update, modification);

  • extraction;

  • use;

  • transfer (distribution, provision, access);

  • anonymisation;

  • blocking;

  • deletion;

  • destruction;

automatic processing of personal data - processing of personal data by means of computer equipment;

personal data distribution - actions aimed at disclosure of personal data to an indefinite number of persons;

personal data provision - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;

personal data blocking - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data));

personal data destruction - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

personal data anonymisation - actions, as a result of which it becomes impossible to determine the identity of personal data to a particular personal data subject without using additional information;

personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing

1.6. Main rights and obligations of the Operator.

1.6.1. The Operator has the right to:

1) to independently determine the composition and list of measures necessary and sufficient to ensure the fulfilment of obligations stipulated by the Law on personal data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on personal data or other federal laws;

2) to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided for by the federal law, on the basis of a contract concluded with this person. The person carrying out personal data processing on behalf of the Operator is obliged to comply with the principles and rules of personal data processing stipulated by the Personal Data Law, to observe confidentiality of personal data, to take necessary measures aimed at ensuring fulfilment of obligations stipulated by the Personal Data Law;

3) in case the personal data subject revokes his/her consent to personal data processing, the Operator has the right to continue personal data processing without the consent of the personal data subject if there are grounds specified in the Personal Data Law.

1.6.2. The Operator is obliged to:

1) organise the processing of personal data in accordance with the requirements of the Personal Data Law;

2) to respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Law on personal data;

3) report to the authorised body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) at the request of this body the necessary information within 10 working days from the date of receipt of such a request. This term may be extended, but not more than for five working days. For this purpose, the Operator should send a motivated notification to Roskomnadzor indicating the reasons for extending the deadline for providing the requested information;

4) in accordance with the procedure determined by the federal executive body authorised in the field of security, ensure interaction with the state system of detection, prevention and liquidation of consequences of computer attacks on information resources of the Russian Federation, including informing it of computer incidents that resulted in unlawful transfer (provision, distribution, access) of personal data.

1.7. Basic rights of the personal data subject. The subject of personal data has the right to:

1) to receive information regarding the processing of his/her personal data, except for cases stipulated by federal laws. Information shall be provided to the subject of personal data by the Operator in an accessible form and shall not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;

2) demand from the operator to clarify his personal data, block or destroy them in case the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights;

3) give prior consent to the processing of personal data for the purpose of promoting goods, works and services on the market;

4) appeal to Roskomnadzor or in court against unlawful acts or omissions of the Operator in the processing of his/her personal data.

1.8. Control over compliance with the requirements of this Policy shall be exercised by the authorised person responsible for organisation of personal data processing by the Operator.

1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and regulations of RCHS LLC in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

2. Purposes of personal data collection

2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of personal data collection is not allowed.

2.2. Only personal data that meet the purposes for which they are processed may be processed.

2.3. The Operator shall process personal data for the following purposes:

  • carrying out its activities in accordance with the Charter of RCHS LLC, including conclusion and execution of contracts with counterparties;

  • execution of labour legislation within the framework of labour and other directly related relations, including: assisting employees in employment, education and promotion, attracting and selecting candidates for employment with the Operator, ensuring personal safety of employees, controlling the quantity and quality of work performed, ensuring the safety of property, maintaining personnel and accounting records, completing and submitting required reporting forms to authorised bodies, arranging for individual (personalised) registration of employees with the Operator, ensuring the safety of property, maintaining personnel and accounting records, completing and submitting required reporting forms to authorised bodies, arranging individual (personalised) registration of employees with the Operator;

  • entry control.

2.4. Personal data of employees may be processed solely to ensure compliance with laws and other regulatory legal acts.

 

3. Legal basis for processing personal data

3.1. The legal basis for personal data processing is a set of regulatory legal acts, pursuant to which and in accordance with which the Operator processes personal data, including the following:

  • Russian Constitution;

  • Russian Civil Code;

  • Russian Labour Code;

  • Russian Tax Code;

  • Federal Law of 08.02.1998 N 14-FZ “On Limited Liability Companies”;

  • Federal Law of 06.12.2011 N 402-FZ “On Accounting”;

  • Federal Law of 15.12.2001 N 167-FZ “On Compulsory Pension Insurance in the Russian Federation”;

  • other normative legal acts regulating relations related to the Operator's activities.

3.2. The legal basis for the processing of personal data also includes:

  • Charter of RCHS LLC;

  • contracts concluded between the Operator and personal data subjects;

  • consent of personal data subjects to the processing of their personal data.

4. Scope and categories of processed personal data, categories of personal data subjects

4.1. The content and scope of processed personal data shall comply with the stated purposes of processing as provided for in Section 2 of this Policy. 2 of this Policy. Processed personal data shall not be redundant in relation to the stated purposes of their processing

4.2. The Operator may process personal data of the following categories of personal data subjects.

4.2.1. Candidates for employment with the Operator - for the purposes of implementation of labour legislation within the framework of labour and other directly related relations, implementation of pass regime:

  • surname, first name;

  • gender;

  • nationality;

  • date and place of birth;

  • contact details;

  • information on education, work experience, qualifications;

  • other personal data provided by candidates in their CVs and cover letters.

4.2.2. Employees and former employees of the Operator - for the purposes of enforcement of labour legislation within the framework of labour and other directly related relations, implementation of a pass regime:

  • surname, first name;

  • gender;

  • nationality;

  • date and place of birth;

  • image (photo);

  • passport details;

  • address of residence registration;

  • actual residence address;

  • contact details;

  • individual tax number;

  • Insurance number of individual personal account (SNILS));

  • information on education, qualifications, vocational training and professional development;

  • marital status, children, family ties;

  • information on labour activity, including incentives, awards and (or) disciplinary penalties;

  • marriage registration;

  • military registration information;

  • disability information;

  • alimony deductions;

  • income information from previous employment;

  • other personal data provided by employees in accordance with the requirements of labour legislation.

4.2.3. Family members of the Operator's employees - for the purposes of labour law enforcement within the framework of labour and other directly related relations:

  • surname, first name;

  • degree of relationship;

  • birth year;

  • other personal data provided by employees in accordance with the requirements of labour legislation.

4.2.4. Operator's clients and counterparties (individuals) - for the purposes of carrying out their activities in accordance with the Charter of RCHS LLC, implementation of access control regime:

  • surname, first name;

  • birth date and place;

  • passport details;

  • address of residence registration;

  • contact details;

  • substitute position;

  • individual tax number;

  • account number;

  • other personal data provided by clients and counterparties (individuals) necessary for the conclusion and execution of contracts.

4.2.5. Representatives (employees) of the Operator's clients and counterparties (legal entities) - for the purposes of carrying out their activities in accordance with the Charter of RCHS LLC, implementation of access control regime:

  • surname, first name;

  • passport details;

  • contact details;

  • substitute position;

  • other personal data provided by representatives (employees) of clients and counterparties necessary for the conclusion and execution of contracts.

4.3. The Operator shall process biometric personal data (information that characterises physiological and biological features of a person on the basis of which his/her identity can be established) in accordance with the legislation of the Russian Federation.

4.4. The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, state of health, intimate life, except for cases stipulated by the legislation of the Russian Federation.

 

5. Procedure and conditions of personal data processing

5.1. Processing of personal data shall be carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. Processing of personal data shall be carried out with the consent of personal data subjects to the processing of their personal data, as well as without it in cases stipulated by the legislation of the Russian Federation.

5.3. The Operator processes personal data for each purpose of its processing in the following ways:

  • non-automated personal data processing;

  • automated processing of personal data with or without transmission of the received information via information and telecommunication networks;

  • mixed processing of personal data.

5.4. The Operator's employees whose job description includes personal data processing are allowed to process personal data.

5.5. The processing of personal data for each purpose of processing specified in clause 2.3 of the Policy is carried out by means of:

  • receiving personal data orally and in writing directly from personal data subjects;

  • entering personal data into journals, registers and information systems of the Operator;

  • use of other methods of personal data processing.

5.6. It is not allowed to disclose to third parties and disseminate personal data without the consent of the personal data subject, unless otherwise provided for by the federal law. Consent to the processing of personal data authorised by the subject of personal data for dissemination shall be executed separately from other consents of the subject of personal data to the processing of his/her personal data.

Requirements for the content of the consent to the processing of personal data authorised by the subject of personal data for dissemination, approved by the Order of Roskomnadzor of 24.02.2021 N 18.

5.7. The transfer of personal data to enquiry and investigation bodies, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorised executive authorities and organisations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Operator shall take the necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination and other unauthorised actions, including:

  • identifies threats to the security of personal data during their processing;

  • adopts local normative acts and other documents regulating relations in the field of personal data processing and protection;

  • appoints persons responsible for ensuring personal data security in the structural subdivisions and information systems of the Operator;

  • creates the necessary conditions for working with personal data;

  • organises record keeping of documents containing personal data;

  • organises work with information systems in which personal data are processed;

  • stores personal data in conditions that ensure their safety and prevent unauthorised access to them;

  • organises training of the Operator's employees processing personal data.

5.9. The Operator shall store personal data in a form that allows to identify the personal data subject for no longer than required by each purpose of personal data processing, unless the period of personal data storage is established by federal law, agreement.

5.9.1. Personal data on paper media shall be stored in the LLC ‘RCHS’ during the retention periods of documents for which these periods are provided by the legislation on archiving in the Russian Federation (Federal Law dated 22.10.2004 N 125-FZ ‘On archiving in the Russian Federation’, the List of standard management archival documents formed in the process of activity of state bodies, local governments and organisations, with indication of their retention periods (approved by the Order of Rosarkhiv dated 20.12.2019 N 236)).

5.9.2. The period of storage of personal data processed in personal data information systems corresponds to the period of storage of personal data on paper carriers.

5.10. The Operator stops processing of personal data in the following cases:

  • the fact of their unauthorised processing has been revealed. Deadline - within three working days from the date of detection;

  • the purpose of their processing has been achieved;

  • the personal data subject's consent to the processing of the said data has expired or has been withdrawn, when under the Personal Data Law the processing of such data is allowed only with consent.

5.11. When the purposes of personal data processing are achieved, as well as in case the subject of personal data withdraws his/her consent to their processing, the Operator stops processing such data if:

  • otherwise is not provided for by the contract to which the personal data subject is a party, beneficiary or surety;

  • The operator may not carry out processing without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;

  • not otherwise provided for by another agreement between the Operator and the subject of personal data.

5.12. If the personal data subject appeals to the Operator with a request to stop processing personal data within a period not exceeding 10 working days from the date of receipt of the relevant request by the Operator, the processing of personal data shall be stopped, except for cases provided for by the Law on Personal Data. The said term may be extended, but not more than for five working days. For this purpose, the Operator shall send a motivated notice to the personal data subject indicating the reasons for extending the term.

5.13. When collecting personal data, including via the information and telecommunications network Internet, the Operator shall ensure recording, systematisation, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases specified in the Law on Personal Data.

 

6. Updating, correction, deletion, destruction of personal data, responses to requests of subjects for access to personal data

6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in part 7 of Article 14 of the Law on Personal Data shall be provided by the Operator to the personal data subject or his/her representative within 10 working days from the moment of application or receipt of the request of the personal data subject or his/her representative. This term may be extended, but not more than for five working days. For this purpose, the Operator should send a motivated notification to the personal data subject indicating the reasons for extending the term for providing the requested information.

Personal data relating to other personal data subjects shall not be included in the information provided, unless there are legitimate grounds for disclosure of such personal data.

The request shall contain:

  • number of the main identity document of the personal data subject or his/her representative, information on the date of issuance of the said document and the authority that issued it;

  • information confirming the personal data subject's participation in relations with the Operator (contract number, date of contract conclusion, conventional word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;

  • signature of the personal data subject or his/her representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

The Operator provides the information specified in part 7 of Article 14 of the Law on Personal Data to the personal data subject or his/her representative in the form in which the respective appeal or request was sent, unless otherwise specified in the appeal or request.

If the appeal (request) of the personal data subject does not reflect all necessary information in accordance with the requirements of the Law on personal data or the subject does not have access rights to the requested information, a reasoned refusal shall be sent to him/her.

The right of the personal data subject to access his/her personal data may be restricted in accordance with part 8 of Article 14 of the Law on Personal Data, including if the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

6.2. If inaccurate personal data is detected upon application of the personal data subject or his/her representative or at their request or at the request of Roskomnadzor, the Operator blocks personal data relating to this personal data subject from the moment of such application or receipt of the said request for the period of verification, if blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, based on the information submitted by the personal data subject or his/her representative or Roskomnadzor, or other necessary documents, clarifies personal data within seven working days from the date of submission of such information and removes the blocking of personal data.

6.3. In case of detection of unlawful processing of personal data upon application (request) of a personal data subject or his/her representative or Roskomnadzor, the Operator shall block the unlawfully processed personal data related to this personal data subject from the moment of such application or request receipt.

6.4. If the Operator, Roskomnadzor or any other interested party identifies the fact of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data) resulting in violation of the rights of personal data subjects, the Operator shall:

  • within 24 hours - notify Roskomnadzor about the incident, the alleged reasons for the violation of the rights of personal data subjects, the alleged harm caused to the rights of personal data subjects and the measures taken to eliminate the consequences of the incident, as well as provide information about the person authorised by the Operator to interact with Roskomnadzor on issues related to the incident;

  • within 72 hours - notify Roskomnadzor of the results of the internal investigation of the detected incident and provide information on the persons whose actions caused the incident (if any).

6.5. Procedure for destruction of personal data by the Operator.

6.5.1. Conditions and terms of personal data destruction by the Operator:

  • achievement of the purpose of personal data processing or loss of necessity to achieve this purpose - within 30 days;

  • achieving the maximum retention period of documents containing personal data - within 30 days;

  • provision by the personal data subject (his/her representative) of confirmation that the personal data were obtained unlawfully or are not necessary for the declared purpose of processing - within seven working days;

  • revocation by the personal data subject of consent to the processing of his/her personal data, if their preservation for the purpose of their processing is no longer required - within 30 days.

6.5.2. Upon achievement of the purpose of personal data processing, as well as in case the personal data subject revokes his/her consent to their processing, the personal data shall be destroyed if:

  • otherwise is not provided for by the contract to which the personal data subject is a party, beneficiary or surety;

  • The operator may not carry out processing without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;

  • not otherwise provided for by another agreement between the Operator and the subject of personal data.

6.5.3. Destruction of personal data shall be carried out by a commission established by the order of the General Director of RCHS LLC.

6.5.4. Methods of personal data destruction shall be set out in the Operator's local regulatory acts.

bottom of page