4 Purposes of personal data processing
4.1 Ecolant LLC processes personal data for the following purposes:
4.2.1 To fulfill the requirements of labor legislation, including for the conclusion, execution, termination of employment contracts, personnel accounting and assistance in employment; training and development; control of the quantity and quality of work performed; provision of social benefits; travel and visa services and others actions, the fulfillment of which is necessary for the realization of the rights and obligations of the employer;
4.2.2 To assess the business and professional qualities of employees, organize their training and professional development;
4.2.3 For the purposes of including employees in corporate directories;
4.2.4 For physical protection and access control of personal data subjects at the Company's facilities;
4.2.5 For the execution of powers of attorney;
4.2.6 To provide charitable and social support;
4.2.7 For registration of a VMI policy;
4.2.8 For the conclusion of civil law contracts and the fulfillment of obligations stipulated by them;
4.2.9 Evaluation of contractors' satisfaction with manufactured products, as well as the implementation of quality control of manufactured products;
4.2.10 Offering its products and services to actual and potential counterparties (clients), as well as for the Company's participation in procurement procedures and conducting business negotiations with counterparties (clients);
4.2.11 The Company takes due diligence measures when interacting with actual and potential counterparties (agents, partners, contractors, suppliers, buyers), including the assessment of relevant legal, financial, reputational and other risks.
5 Principles and rules of personal data processing
5.2 The processing of personal data must be carried out in compliance with the following principles and rules:
5.2.2 The processing of personal data is carried out on a legal and fair basis;
5.2.3 The processing of personal data is limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of their collection is not allowed;
5.2.4 It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
5.2.5 Only personal data that meet the purposes of their processing are subject to processing;
5.2.6 The content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be redundant in relation to the stated purposes of their processing;
5.2.7 When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured. The Company must take the necessary measures, or ensure that they are taken to delete or clarify incomplete or inaccurate data;
5.2.8 The storage of personal data must be carried out in a form that allows determining the subject of personal data, no longer than the purposes of personal data processing require, provided that the storage period of personal data is not established by federal law, an agreement to which the beneficiary or guarantor is the subject of personal data;
5.2.9 The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law;
5.2.10 The processing of personal data in the Company is carried out with the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation;
5.2.11 When processing personal data, the Company respects their confidentiality.
6 Legal basis of personal data processing
6.2 The Company processes personal data in accordance with the current legislation of the Russian Federation on personal data, as well as the following legal grounds:
6.1.1 The Charter of the Company;
6.1.2 by the consent of the PD subjects (employees, applicants and other persons) to the processing of their PD;
6.1.3 contracts to which either the beneficiary or the guarantor are the subjects of PD;
6.1.4 powers of attorney issued to PD subjects.
6.3 The provisions of the General Data Protection Regulation of the European Union (GDPR) do not directly apply to the Company's activities, including when interacting with the Company's counterparties located both in the Russian Federation and on the territory of the European Union. Nevertheless, the Company respects the GDPR requirements and takes all necessary steps to ensure compliance with the provisions established therein.
7 Rights of personal data subjects
7.2 The subject of personal data has the right to receive information about the processing of his personal data. This right may be restricted in accordance with federal laws or if it violates the rights and legitimate interests of other personal data subjects.
7.3 The subject of personal data has the right to demand clarification, blocking or destruction of his personal data if they are inaccurate, outdated, illegally obtained and the purposes of processing do not correspond to the stated ones.
7.4 The subject of personal data has the right to withdraw consent to the processing of his personal data.
7.5 A personal data subject has the right to appeal to a court or an authorized body with a complaint against the Company's actions in the field of personal data processing if he considers that his rights have been violated.
8 Categories and volume of personal data processed
8.2 The content and scope of the processed personal data are determined by the purposes of their processing, given in section 4 of the Policy, and are indicated in the consent of the personal data subject to the processing of his personal data, except in cases where the processing of personal data can be carried out without obtaining such consent.
8.3 Processing of personal data that is excessive in relation to the stated purpose of their processing is not allowed.
8.4 Special categories of personal data, as well as biometric personal data of personal data subjects are processed in the Company in accordance with the procedure established by the legislation of the Russian Federation.
9 Organization of personal data processing
9.2 In order to exercise the rights of personal data subjects, the Company, when processing their personal data:
9.2.2 Takes the necessary measures to fulfill the obligations provided for by the legislation of the Russian Federation.
9.2.3 Explains to the subject of personal data the legal consequences of refusal to provide personal data, if this is mandatory in accordance with the legislation of the Russian Federation.
9.2.4 Performs blocking, clarification and destruction of unlawfully processed personal data, as well as termination of their unlawful processing.
9.2.5 Notifies the subject of personal data about the elimination of violations or the destruction of his personal data.
9.2.6 Provides, at the request of the personal data subject or his representative, information concerning the processing of his personal data, in accordance with the procedure established by the legislation of the Russian Federation, as well as the Company's regulatory documents.
9.3 In order to effectively organize the processes of personal data processing, responsible persons are appointed for organizing the processing of personal data, as well as for ensuring the security of personal data in information systems that, in accordance with the established powers, ensure:
9.3.2 Development and updating of the Company's regulatory documents on the processing and protection of personal data.
9.3.3 Bringing to the attention of the Company's employees the provisions of the legislation of the Russian Federation, the Company's regulatory documents on the processing of personal data, as well as the requirements for the protection of personal data.
9.3.4 Taking legal, organizational and technical measures to protect personal data, including those processed in information systems, from unauthorized or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data, as well as from other illegal actions with respect to personal data.
9.3.5 Internal control over the Company's compliance with the requirements of the legislation of the Russian Federation and the Company's regulatory documents in the field of personal data, including personal data protection requirements.
9.3.6 Control over the processing of appeals and requests of personal data subjects or their representatives on the facts of violations of the legislation in the field of personal data committed by employees of the Company.
9.3.7 Interaction with government agencies on personal data protection issues.
9.4 The processing of personal data in the Company is carried out with the help of computer technology (automated processing) or with the direct participation of a person without the use of computer technology (non-automated processing).
9.5 The processing of biometric personal data (photographs and video footage, including in digital format) in the Company is carried out for the purpose of making a pass to the Company's facilities, as part of the access regime, as well as to include photographs of employees in corporate directories.
9.6 The Company does not process special categories of personal data, with the exception of health information processed solely for the purpose of fulfilling the requirements of the current labor legislation.
9.7 The processing of personal data authorized by the subject for distribution is carried out in the Company only with the written consent of the subject, in compliance with the prohibitions and conditions provided for by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
9.8 The Company's managers, who are entitled to this right by the employer, as well as the Company's employees, whose job responsibilities include the processing of personal data, are allowed to process personal data. These managers and employees have the right to process only those personal data that they need to perform their official duties and provide relevant services.
9.9 The transfer of personal data to third parties is carried out with the written consent of the subjects of personal data, except in cases when it is necessary to prevent threats to the life and health of the subjects of personal data, as well as in other cases established by the legislation of the Russian Federation.
9.10 The transfer of personal data to state bodies is carried out in accordance with the requirements of the legislation of the Russian Federation.
9.11 The Company does not carry out cross-border transfer of personal data.
9.12 The Company has the right to entrust the processing of personal data to another legal entity or individual entrepreneur with the consent of the subjects of personal data on the basis of the concluded contract, the essential condition of which is the obligation of the contractor to ensure the confidentiality of personal data and their security during processing.
9.13 When collecting personal data, including using the Internet information and telecommunications network, the Company ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases provided for by the legislation of the Russian Federation.
9.14 The terms of personal data storage in the Company are determined in accordance with the legislation of the Russian Federation and the Company's regulatory documents.
9.15 The Company's management is aware of the importance and necessity of ensuring the security of personal data and encourages the continuous improvement of the personal data protection system.
9.16 Ensuring the security of personal data, including when processing them in information systems, is carried out in accordance with the legislation of the Russian Federation and the requirements of the authorized state authority for the protection of the rights of personal data subjects, the federal executive authority authorized in the field of security, and the federal executive authority authorized in the field of countering technical intelligence and technical protection of information.
9.17 In order to ensure the security of personal data during their processing, the following protective measures are implemented:
9.17.2 Persons responsible for organizing the processing and ensuring the security of personal data have been appointed.
9.17.3 The right of access to personal data, including those processed in personal data information systems, is delimited.
9.17.4 Regulatory documents on personal data processing and local regulations have been issued, establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation in the field of personal data processing.
9.17.5 Threats to the security of personal data have been identified, including during their processing in personal data information systems.
9.17.6 The necessary and sufficient means of information protection, detection of unauthorized access to personal data, as well as means for monitoring and evaluating the effectiveness of personal data protection measures are used.
9.17.7 Employees who directly process personal data are familiar with the provisions of the legislation of the Russian Federation in the field of processing and ensuring the security of personal data.
9.17.8 The places of storage of material carriers of personal data have been determined, as well as their accounting and safety have been ensured.
9.17.9 The security regime of the premises in which personal data is processed or elements of personal data information systems are placed is ensured.
9.17.10 The recovery of personal data modified or destroyed as a result of unauthorized access is ensured.
9.18 The Company does not make decisions that generate legally significant consequences with respect to personal data subjects or otherwise affect their rights and legitimate interests based solely on automated processing of personal data.
10 Conditions for termination of personal data processing
10.2 In accordance with the principles of personal data processing, the Company defines the following conditions for the termination of personal data processing:
10.2.2 Achieving the goals of personal data processing and maximum retention periods.
10.2.3 Loss of the need to achieve the purposes of personal data processing.
10.2.4 Withdrawal by the subject of personal data (his legal representative) of consent to the processing of his personal data, provided that the storage of the specified personal data is not required to fulfill the obligations stipulated by regulatory legal acts.
10.2.5 Obtaining reliable information from the personal data subject (his legal representative) about the illegality of processing his personal data and the inability of the Company to ensure the legality of processing their processing.
10.2.6 Expiration of the limitation period for the legal relations within which the processing of personal data was carried out.
11 Final provisions
11.2 The current version of the Policy on paper is stored at the location of the Company. The electronic version of the current version of the Policy is publicly available and posted on the Company's website: https://ecolant.net
11.2 The Policy is reviewed as necessary, including in the case of amendments to the regulations of the Russian Federation in the field of personal data protection.
11.3 Persons guilty of violating the norms governing the processing and protection of personal data bear responsibility provided for by the legislation of the Russian Federation, the Company's regulatory documents and contracts (agreements) regulating the Company's relations with third parties.
12 Regulatory references and related documents
12.1. This Policy takes into account the requirements and uses references to the following documents:
Document designation-Type and name of the document