Regulation on the procedure for storing and protecting personal data of users.
1. Terms and definitions
Website – a set of software and hardware for computers that ensures the publication, for public viewing, of information and data united by a common purpose, through the technical means used for communication between computers on the Internet. In the Regulation, the Website means the website located on the Internet at: http://www.gavarygroup.com/
User – a user of the Internet and, in particular, of the Site, who has his own personal page (profile/account).
Federal Law (FZ) – Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" (hereinafter referred to as the Law on Personal Data).
Personal data – any information related directly or indirectly to a specific or identifiable individual (subject of personal data).
Personal data authorized by the personal data subject for distribution – personal data to which the personal data subject has granted access to an unlimited number of persons by giving consent to the processing of personal data authorized for distribution, in accordance with the procedure provided for by the Law on Personal Data.
Operator – an organization that, independently or jointly with other persons, organizes the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed and the actions (operations) performed with personal data.
The Operator is the limited liability company "Gavari Group", located at the address: 142440, MOSCOW REGION, NOGINSK CITY, OBUKHOVO WORK SETTLEMENT, LENIN STREET, HOUSE 87, BUILDING 1, ROOM 1 ROOM 1.
Personal data processing – any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data – processing of personal data using computer technology.
Provision of personal data – actions aimed at disclosure of personal data to a certain person or a certain circle of persons.
Blocking of personal data – temporary termination of processing of personal data (except in cases where processing is necessary to clarify personal data).
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material carriers of personal data are destroyed.
Depersonalization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine that personal data belong to a specific personal data subject.
Personal Data Information System (ISPDn) – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing.
2. General provisions
2.1. The Regulation on the procedure for storing and protecting personal data of Site users (hereinafter referred to as the Regulation) has been developed to comply with the requirements of the legislation of the Russian Federation when processing information containing personal data and identifying Users on the Site.
2.2. The Regulation has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the current legislation of the Russian Federation in the field of personal data protection.
2.3. The Regulation establishes the procedure for processing personal data of Users of the Site: actions for the collection, systematization, accumulation, storage, clarification (updating, modification), destruction of personal data.
2.4. The Regulation establishes general requirements and rules, mandatory for the Operator's employees involved in maintaining the Site, for working with all types of media containing personal data of Site Users.
2.5. The Regulation does not address the issues of ensuring the security of personal data classified in accordance with the established procedure as information constituting a state secret of the Russian Federation.
2.6. The objectives of the Regulation are:
· ensuring the requirements for the protection of human and civil rights and freedoms in the processing of personal data, including the protection of the rights to privacy, personal and family secrets;
· exclusion of unauthorized actions by the Operator's employees and any third parties for the collection, systematization, accumulation, storage, clarification (updating, modification) of personal data and other forms of unlawful interference with the Operator's information resources and local computer network; ensuring the legal and regulatory confidentiality regime for undocumented information about Site Users; protection of the constitutional rights of citizens to personal privacy and to the confidentiality of information constituting personal data; and prevention of possible threats to the security of Site Users.
2.7. Principles of personal data processing:
· personal data processing must be carried out on a legal and fair basis;
· the processing of personal data must be limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed;
· it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
· only personal data that meet the purposes of their processing are subject to processing;
· the content and volume of the processed personal data must correspond to the stated purposes of processing; the personal data processed must not be redundant in relation to the stated purposes of their processing;
· the content and volume of personal data made available to an indefinite circle of persons is determined by the personal data subject in the consent to the distribution of personal data;
· when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance to the purposes of personal data processing must be ensured;
· personal data must be stored no longer than the purposes of their processing require, unless the storage period is established by Federal Law or by an agreement to which the User is a party;
· the processed personal data is subject to destruction or depersonalization upon achievement of the processing objectives, upon withdrawal by the subject of personal data of consent to the dissemination of personal data or in case of loss of the need to achieve these goals, unless otherwise provided by Federal Law.
2.8. Conditions of personal data processing.
2.8.1. The processing of personal data of the Website Users is carried out on the basis of the Civil Code of the Russian Federation, the Constitution of the Russian Federation, the current legislation of the Russian Federation in the field of personal data protection.
2.8.2. The processing of personal data on the Website is carried out in compliance with the principles and rules provided for by the Regulations and the legislation of the Russian Federation.
Processing of personal data is allowed in the following cases:
· processing of personal data is necessary for the use of the Site under the agreement to which the User is a party;
· processing of personal data is necessary to protect the life, health or other vital interests of the Site User, if obtaining consent is impossible;
· personal data processing is necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of Site Users are not violated;
· the processing of personal data is carried out for statistical or other research purposes, with the exception of the processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with potential consumers using means of communication, as well as for political campaigning, subject to mandatory depersonalization of personal data.
2.9. Purposes of personal data processing.
2.9.1. The processing of personal data of the Site Users is carried out solely for the purpose of providing the User with the opportunity to interact with the Site.
2.9.2. Information constituting personal data on the Website is any information relating to an individual (personal data subject) who is identified, or can be identified on the basis of such information.
2.10. Sources of obtaining personal data of Users.
2.10.1. The source of information about all the User's personal data is the User himself.
2.10.2. The source of information about the User's personal data is the information obtained as a result of the Operator granting the User the rights to use the Site.
2.10.3. Users' personal data refers to confidential information of limited access.
2.10.4. The Operator has no right to collect and process the User's personal data about his race, nationality, political views, religious or philosophical beliefs, private life, except in cases provided for by applicable law.
2.10.5. The Operator has no right to receive and process the User's personal data about his membership in public associations or his trade union activities, except in cases provided for by Federal Law.
2.11. Methods of processing personal data.
2.11.1. Personal data of the Website Users are processed exclusively using automation tools.
2.12. Rights of subjects (Users) of personal data.
2.12.1. The User has the right to receive information about the Operator, its location and the availability of personal data relating to the specific personal data subject (User), and to familiarize himself with such personal data, except in the cases provided for in part 8 of Article 14 of the Law on Personal Data.
2.12.2. The User has the right to receive from the Operator, when contacting it personally or when the Operator receives a written request from the User, the following information concerning the processing of his personal data:
· confirmation of the fact of processing of personal data by the Operator, as well as the purpose of such processing;
· legal grounds and purposes of personal data processing;
· purposes and methods of personal data processing used by the Operator;
· name and location of the Operator, information about persons (with the exception of operator employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of Federal Law;
· the processed personal data relating to the relevant personal data subject and the source of their receipt, unless another procedure for providing such data is provided for by Federal Law;
· terms of processing of personal data, including the terms of their storage;
· the procedure for the exercise by the subject of personal data of the rights provided for by Federal law;
· information about the cross-border transfer of data carried out or proposed;
· name or surname, first name, patronymic and address of the person carrying out the processing of personal data on behalf of the Operator, if processing is or will be entrusted to such a person;
· other information provided for by the Law on Personal Data or other federal laws.
The User also has the right to:
· demand the correction, clarification or destruction of information about himself;
· appeal against unlawful actions or omissions in the processing of personal data and demand appropriate compensation in court;
· supplement personal data of an evaluative nature with a statement expressing his own point of view;
· appoint representatives to protect his personal data;
· require the Operator to notify him of all changes made to his personal data or exclusions from them.
2.12.3. The User has the right to appeal to the authorized body for the protection of the rights of personal data subjects or in court against the actions or inaction of the Operator if he believes that the latter processes his personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms.
2.12.4. The personal data subject (User) has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral harm in court.
2.13. Obligations of the Operator.
2.13.1. Upon a personal request or upon receipt of a written request from a personal data subject or his representative, the Operator, if there are grounds, is obliged to provide information within 30 days from the date of the request or receipt of the request from the personal data subject or his representative to the extent prescribed by Federal Law. Such information must be provided to the subject of personal data in an accessible form, and it must not contain personal data related to other subjects of personal data, except in cases where there are legitimate grounds for disclosure of such personal data.
2.13.2. All appeals of personal data subjects or their representatives are registered in the Register of Citizens' (personal data subjects') appeals regarding personal data processing.
2.13.3. If the Operator refuses to provide the personal data subject or his representative, upon contact or upon receipt of a request, with information about the availability of personal data about the relevant subject, the Operator is obliged to give a reasoned written response, containing a reference to the provision of part 8 of Article 14 of the Law on Personal Data or another federal law that is the basis for such refusal, within a period not exceeding 30 days from the date of the personal data subject's or his representative's contact, or from the date of receipt of a request from the personal data subject or his representative.
2.13.4. In case of receiving a request from the authorized body for the protection of the rights of personal data subjects for the provision of information necessary for the implementation of the activities of the specified body, the Operator is obliged to report such information to the authorized body within 30 days from the date of receipt of such request.
2.13.5. In case of detection of unlawful processing of personal data when contacting or at the request of a personal data subject or his representative or an authorized body for the protection of the rights of personal data subjects, the Operator is obliged to block the unlawfully processed personal data related to this personal data subject from the moment of such request or receipt of the specified request for the verification period.
2.13.6. If unlawful processing of personal data carried out by the Operator is detected, the Operator is obliged to stop the unlawful processing within a period not exceeding three working days from the date of detection. The Operator is obliged to notify the personal data subject or his representative of the elimination of the violations committed and, if the request of the personal data subject or his representative or the demand of the authorized body for the protection of the rights of personal data subjects was sent by that authorized body, also that body.
2.13.7. The personal data subject has the right to demand that any person processing his personal data stop the transfer (distribution, provision, access) of personal data previously authorized by the subject for distribution, in case of non-compliance with the provisions of this article, or to apply to a court with such a demand. That person is obliged to stop the transfer (distribution, provision, access) of personal data within three working days from the date of receipt of the personal data subject's demand, or within the period specified in the court decision that has entered into force; if no such period is specified in the court decision, then within three working days from the date the court decision enters into legal force.
2.13.8. The transfer (distribution, provision, access) of personal data authorized by the personal data subject for distribution must be terminated at any time at the request of the personal data subject. This requirement must include the surname, first name, patronymic (if any), contact information (phone number, email address or postal address) of the personal data subject, as well as a list of personal data whose processing is subject to termination. The personal data specified in this request can only be processed by the operator to whom it is sent.
2.13.9. In case of achievement of the purpose of personal data processing, the Operator is obliged to stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date of achievement of the purpose of personal data processing, unless otherwise provided by the consent to the processing of personal data, to which the subject of personal data is a party.
2.13.10. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences with respect to the subject of personal data or otherwise affect his rights and legitimate interests.
2.14. Confidentiality regime of personal data.
2.14.1. The Operator ensures the confidentiality and security of personal data when processing them in accordance with the requirements of the legislation of the Russian Federation.
2.14.2. The Operator does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by Federal Law.
2.14.3. In accordance with the list of personal data processed on the site, the personal data of the Site Users is confidential information.
2.14.4. Persons processing personal data are obliged to comply with the requirements of the Operator's regulatory documents regarding the confidentiality and security of personal data.
3. Processing of personal data
3.1. The list of processed personal data of Users is indicated by the subject of personal data in consent to the processing of personal data authorized by the subject of personal data for distribution.
3.2. Persons who have the right to access personal data.
3.2.1. Access to the personal data of subjects is granted to persons vested with the appropriate authority in accordance with their official duties.
3.2.2. The list of persons with access to personal data is approved by the Director of the Operator.
3.3. The procedure and terms for storing personal data on the Website.
3.3.1. The Operator stores Users' personal data only on the Website.
3.3.2. The terms of storage of Users' personal data on the Site are determined by the terms of the User Agreement, take effect from the moment the User accepts that Agreement on the Site and remain in force until the User declares his wish to delete his personal data from the Site.
3.3.3. If data are deleted from the Site on the initiative of one of the parties, namely upon termination of use of the Site, the User's personal data are stored in the Operator's databases for five years in accordance with the legislation of the Russian Federation.
3.3.4. After the expiry of the above storage period, the User's personal data are deleted automatically by the procedure defined by the Operator.
3.3.5. The Operator does not process Users' personal data on paper media.
3.4. Blocking of personal data.
3.4.1. Blocking of personal data means the temporary termination by the Operator of processing operations at the request of the User when the User discovers that the processed information is unreliable or that actions taken with respect to his data are, in the opinion of the personal data subject, unlawful.
3.4.2. The Operator does not transfer personal data to third parties and does not entrust the processing of personal data to third parties and organizations. The personal data of the Site Users is processed only by the Operator's employees (database administrators, etc.) who are allowed by the established procedure to process the personal data of Users.
3.4.3. Blocking of personal data on the Website is carried out on the basis of a written application from the subject of personal data.
3.5. Destruction of personal data.
3.5.1. Destruction of personal data means actions as a result of which it becomes impossible to restore the content of personal data on the Website and/or as a result of which the material carriers of personal data are destroyed.
3.5.2. The subject of personal data has the right to demand in writing the destruction of his personal data if the personal data are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated purpose of processing.
3.5.3. In the absence of the possibility of destruction of personal data, the Operator shall block such personal data.
3.5.4. Personal data are destroyed by erasing the information using certified software that provides guaranteed destruction (in accordance with the stated characteristics of the installed guaranteed-destruction software).
4. Personal data protection system
4.1. Measures to ensure the security of personal data during their processing.
4.1.1. When processing personal data, the Operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions with respect to personal data.
4.1.2. Ensuring the security of personal data is achieved, in particular:
· identification of threats to the security of personal data during their processing in personal data information systems;
· application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for personal data protection;
· the use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
· assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
· keeping records of machine-readable personal data carriers;
· detection of unauthorized access to personal data and taking appropriate measures;
· recovery of personal data modified or destroyed due to unauthorized access to them;
· establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
· control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.
4.1.3. For the purposes of the Regulation, threats to the security of personal data are understood as a set of conditions and factors that create a danger of unauthorized, including accidental, access to personal data, the result of which may be the destruction, modification, blocking, copying, provision or dissemination of personal data, as well as other unlawful actions during their processing in the personal data information system. The level of personal data security is understood as a complex indicator characterizing the requirements whose fulfillment ensures the neutralization of certain threats to the security of personal data during their processing in the personal data information system.
4.2. Protected information about the subject of personal data.
The protected information about the personal data subject on the Site includes data that allow the personal data subject to be identified and/or additional information about him to be obtained, as provided for by law and the Regulation.
4.3. Protected objects of personal data.
4.3.1. The protected objects of personal data on the Site include:
· objects of informatization and technical means of automated processing of information containing personal data;
· information resources (databases, files, etc.) containing information about information and telecommunication systems in which personal data circulates, about events that have occurred with managed objects, about plans to ensure uninterrupted operation and procedures for the transition to management in emergency modes;
· communication channels that are used to transmit personal data in the form of informative electrical signals and physical fields;
· removable data carriers (magnetic, magneto-optical and other) used for the processing of personal data.
4.3.2. Technological information about information systems and elements of the personal data protection system to be protected includes:
· information about the access control system for informatization objects where personal data is processed;
· control information (configuration files, routing tables, security system settings, etc.);
· technological information of access means to control systems (authentication information, access keys and attributes, etc.);
· characteristics of communication channels that are used to transmit personal data in the form of informative electrical signals and physical fields;
· information about personal data protection tools, their composition and structure, principles and technical solutions of protection;
· service data (metadata) appearing during the operation of software, messages and protocols of inter-network interaction, as a result of the processing of personal data.
4.4. Requirements for the personal data protection system.
The personal data protection system must comply with the requirements of Government Decree No. 1119 dated 01.11.2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".
4.4.1. The personal data protection system must provide:
· timely detection and prevention of unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;
· prevention of impact on the technical means of automated processing of personal data that may disrupt their functioning;
· the possibility of immediate recovery of personal data modified or destroyed due to unauthorized access to them;
· constant monitoring of ensuring the level of protection of personal data.
4.4.2. Information security tools used in information systems must pass the conformity assessment procedure in accordance with the established procedure.
4.5. Methods and means of information protection in personal data information systems.
4.5.1. The methods and means of information protection in the Operator's personal data information systems must comply with the requirements of:
· FSTEC Order No. 21 dated 18.02.2013 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems";
· FSB Order No. 378 dated 10.07.2014 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems Using Cryptographic Information Protection Tools Necessary to Meet the Requirements Established by the Government of the Russian Federation for the Protection of Personal Data for Each of the Security Levels" (if the Operator determines that cryptographic information protection tools are needed to ensure the security of personal data).
4.5.2. The main methods and means of information protection in the information systems of Users' personal data are methods and means of protecting information from unauthorized, including accidental, access to personal data, the result of which may be the destruction, modification, blocking, copying or dissemination of personal data, as well as other unauthorized actions (hereinafter – methods and means of protecting information from unauthorized access (NSD)).
4.5.3. The selection and implementation of methods and means of information protection on the Site is carried out in accordance with the recommendations of the regulators in the field of information protection – the FSTEC of Russia and the FSB of Russia – taking into account the threats to the security of personal data determined by the Operator (threat models) and depending on the class of the information system.
4.5.4. The selected and implemented methods and means of information protection on the Site must ensure the neutralization of the anticipated threats to the security of personal data during their processing.
4.6. Measures to protect the information constituting personal data.
4.6.1. Measures to protect databases containing personal data taken by the Operator should include:
· determination of the list of information constituting personal data;
· restriction of access to information containing personal data by establishing the procedure for handling this information and monitoring compliance with this procedure.
4.6.2. Measures to protect the confidentiality of information are considered reasonably sufficient if:
· access to personal data of any third parties is excluded without the consent of the Operator;
· it is possible to use information containing personal data without violating the legislation on personal data;
· the Operator has established a procedure for working with the User that ensures the safety of information containing the User's personal data.
4.6.3. Personal data may not be used for purposes contrary to the requirements of Federal Law, protection of the foundations of the constitutional order, morality, health, rights and legitimate interests of other persons, ensuring the defense of the country and the security of the state.
4.7. Responsibility.
4.7.1. All employees of the Operator who process personal data are obliged to keep confidential the information containing personal data, in accordance with the Regulation and the requirements of the legislation of the Russian Federation.
4.7.2. Persons guilty of violating the requirements of the Regulation bear the responsibility provided for by the legislation of the Russian Federation.
4.7.3. Responsibility for compliance with the personal data regime in relation to personal data stored in the databases of the Site is borne by those responsible for processing personal data.
5. Final provisions
5.1. In the event of changes in the current legislation of the Russian Federation or amendments to regulatory documents on the protection of personal data, this Regulation applies to the extent that it does not contradict the current legislation, until it is brought into compliance with it.