This document (hereinafter – “Policy”) defines the policy of the “Fersol” group of companies (hereinafter – “Company”, “Operator”), operating on the territory of the Russian Federation, in relation to the processing of personal data, and defines the procedure for processing personal data and the actions taken to secure personal data.
Personal data processed by the Company may be transferred within the “Fersol” group of companies, whose members are bound to each other by confidentiality agreements.
This Policy is drawn up in accordance with Russian personal data laws and other federal laws in order to secure the rights and freedoms of personal data subjects when personal data is processed, and describes how personal data is secured and processed.
The companies of the Fersol group are Russian legal entities. The Policy of the Fersol group of companies currently covers the following companies:
Fersol Private Employment Agency Limited Liability Company (Tax ID 7709475222)
Fersol Service Limited Liability Company (Tax ID 7709467574)
The Company processes personal data of the following categories of personal data subjects within its business activity:
- Company’s employees who work under labor contract and also natural persons performing works for the benefit of the Company under civil contracts for the purposes of compliance with laws and other regulations, promotion of employment, factual employment and also formation of a personnel reserve with the consent of the personal data subjects;
- Employees’ close relatives, whose personal data processing is provided for by the federal law and also is performed by the Operator as the employer subject to requirements of the Federal State Statistics Service;
- Foreign employees of the Company, and also their close relatives, in order to achieve the aims stated in Russian legislation, to perform the functions, powers and obligations imposed on the Company by Russian legislation, to assist in issuing invitations, visas and migration registration and in obtaining a work permit or patent, to form a personnel reserve with the consent of the personal data subjects, and also to conclude and perform contracts to which the personal data subject is a party, beneficiary or guarantor, including for the purposes of providing insurance with the consent of the personal data subjects;
- candidates for vacant positions of the Company, as well as clients of the Company (providing their personal data, including by sending a resume to the Company’s email) in order to facilitate the employment of candidates for vacant positions, hiring employees, offering candidates for positions in the company of clients, as well as to form a personnel reserve;
- customers, partners, suppliers, and their representatives with whom the Operator has a contractual relationship or with whom the Operator intends to enter into a contractual relationship;
- students sent to the Company by educational institutions for internships;
- users of the website https://www.fersol.ru
The processing of personal data of the above categories of personal data subjects is carried out for pre-defined and legitimate purposes:
- with respect to employees and their relatives – compliance with laws and other regulatory legal acts, employment, education and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property, calculating and paying wages and other remuneration, calculating and transferring taxes and insurance premiums; providing employees with the benefits and guarantees provided by the legislation for persons who have (adopted) children and persons with family responsibilities; fulfilling the requirements of regulatory legal acts of state statistical accounting bodies; providing employees and their family members with additional guarantees and compensations, including non-state pension provision, voluntary health insurance, medical care and other types of social security;
- in relation to candidates – assistance in the employment of candidates applying to fill vacant positions in the Operator’s company or in the company of the Operator’s client;
- in respect of clients, partners, suppliers and their representatives – compliance with the norms of the Civil Code regulating contractual work, conclusion and execution of contracts with counterparties; in respect of representatives of subjects – the Operator performs actions on behalf of representatives of personal data subjects.
As part of the processing of personal data, the company collects, records, systematizes, accumulates, stores, clarifies (updates, changes), uses, transmits (distributes, provides access to a limited number of persons in accordance with the current legislation), depersonalizes, blocks, deletes, and destroys personal data.
The Operator processes the following categories of personal data:
- last name; first name; patronymic; gender
- year, month, date and place of birth
- data of the identity document (type, series and number of the document; issuing authority; date of issue)
- address of the place of registration, residence
- marital status and documents confirming your marital status
- information about education, advanced training, professional retraining, and places of study (details of educational documents)
- data about current and previous jobs
- data on total and total work experience
- information about job-related skills and experience
- data of the state pension insurance certificate, TIN
- data of military registration documents – for those liable for military service and persons subject to conscription for military service
- information about income and social benefits
- information about citizenship and work permit
- driver’s license and vehicle details
- information about the state of health (information about the possibility of performing a labor function to fill a vacancy related to harmful and (or) dangerous production factors and works)
- contact phone numbers, email address
- cookie files
The Company’s processing of biometric personal data – photos – can only be carried out with the written consent of the personal data subject.
The Company does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, or intimate life. Information about the state of health (information about the possibility of performing a work function to fill a vacancy related to harmful and / or dangerous production factors and work) may be processed by the Company on the basis of the written consent of the personal data subject in order to verify the candidate’s compliance with the position, establish or exercise the rights of the personal data subject, as well as in accordance with labor legislation.
The Company may transfer personal data across borders to States that are parties to the Council of Europe Convention, as well as to other foreign states, both those that provide adequate protection of the rights of personal data subjects and those that do not provide such protection.
Cross-border transfers to the member States of the Council of Europe Convention, as well as to countries with adequate protection of personal data, may be carried out without the consent of the personal data subject.
Cross-border transfer of personal data of subjects to countries that do not provide adequate PD protection can be carried out by the Company in the following cases: the personal data subject has given written consent to the cross-border transfer of his personal data; fulfillment of the terms of the contract to which the personal data subject is a party.
Prior to making such a transfer, the Company is obliged to make sure that the foreign state to whose territory it is intended to transfer personal data is provided with an adequate information security system and protection of the rights of personal data subjects.
PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING IN THE COMPANY
When processing personal data, the Operator is guided by the following principles:
- legality and fair basis;
- processing only those categories of personal data that meet the purposes of their processing;
- prevention of personal data processing that is incompatible with the purposes of personal data collection;
- prevention of combining databases containing personal data that are processed for purposes that are incompatible with each other;
- compliance of the content and scope of the processed personal data with the stated purposes of processing; avoiding redundancy of the processed personal data in relation to the stated purposes of their processing;
- ensuring the accuracy, sufficiency, and, where appropriate, relevance of personal data in relation to the stated purposes of processing;
- storage of personal data in a form that makes it possible to determine the subject of personal data, no longer than the purposes of processing personal data require, unless the period of storage of personal data is established by federal law or an agreement for which the subject of personal data is a party, beneficiary or guarantor;
- destruction or depersonalization of personal data upon achieving the purposes of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
Personal data is processed by the Operator if the following conditions are met:
- availability of the personal data subject’s consent to the processing of their personal data;
- the processing of personal data is necessary for achieving the goals stipulated by an international treaty of the Russian Federation or a law, for performing and fulfilling the functions, powers and duties assigned to the operator by the legislation of the Russian Federation;
- for the execution of a contract to which the personal data subject is a party, as well as for the conclusion of a contract on the initiative of the personal data subject or a contract under which the personal data subject will be the beneficiary;
- processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of personal data subjects are not violated;
- processing is carried out of personal data to which access has been granted to an unlimited number of persons by the subject of personal data or at his request;
- processing is carried out of personal data subject to publication or mandatory disclosure in accordance with federal law.
The terms of processing personal data are determined taking into account:
- established purposes of personal data processing;
- terms of validity of contracts with personal data subjects and consents of personal data subjects to the processing of their personal data;
- of the Ministry of Culture of the Russian Federation No. 558 of August 25, 2010 “On approval of the “List of standard administrative archival documents formed in the Course of the activities of State Bodies, local Self-government Bodies and organizations, indicating the retention periods”.
On the basis of a written request from the personal data subject to stop processing their personal data, the Operator will stop processing such personal data within 30 (thirty) calendar days.
RIGHTS OF PERSONAL DATA SUBJECTS
The personal data subject has the right to receive information concerning the processing of his / her personal data. The subject of personal data has the right to demand that the Operator clarify their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided for by federal law to protect their rights.
If the personal data subject considers that the Operator processes his / her personal data in violation of the requirements of federal legislation or otherwise violates his / her rights and freedoms, the personal data subject has the right to appeal the Operator’s actions or omissions to the authorized body for the protection of the rights of personal data subjects or in court.
The subject of personal data has the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
A request to perform actions with the subject’s personal data may be sent by the personal data subject as follows:
- in the form of an electronic document to the e-mail address email@example.com;
- in writing to the address: 5 Nizhni Susalny Pereulok, building 19, office 430, Moscow, 105064.
INFORMATION ABOUT THE IMPLEMENTED REQUIREMENTS FOR PERSONAL DATA PROTECTION
The protection of personal data processed by the Operator is ensured by the adoption of legal, organizational and technical measures necessary and sufficient to meet the requirements of federal legislation in the field of personal data protection. These measures include:
- development of local acts of the Operator that implement the requirements of federal legislation, including this Policy posted on information stands in the Operator’s offices, Regulations on the procedure for storing, processing and using personal data of employees;
- appointment of a person responsible for organizing the processing of personal data; appointment of a person responsible for ensuring the security of personal data in personal data information systems;
- determination of the type of personal data security threats relevant to personal data information systems, taking into account the assessment of possible harm to personal data subjects that may be caused in the event of a violation of security requirements, determination of the level of personal data security;
- limiting the number of employees of the Operator who have access to personal data and organizing a permissive system for access to them; familiarizing employees of the Operator with the provisions of the federal legislation of the Russian Federation on personal data, including requirements for personal data protection, with the Regulations and other local acts of the Operator on personal data processing;
- employees of the Company who directly process personal data are familiar with the provisions of the Federal Law of the Russian Federation “On Personal Data” No. 152-FZ of July 27, 2006 and the regulatory legal acts adopted in accordance with it, this Policy and local acts of the Company on personal data processing;
- organization of accounting of material carriers of personal data and their storage, ensuring the prevention of theft, substitution, unauthorized copying and destruction;
- identification of threats to the security of personal data when processing them in information systems, formation of threat models based on them;
- placement of technical means of personal data processing within the Operator’s protected territory;
- restriction of access of unauthorized persons to the Operator’s premises, prevention of their presence in the premises where personal data is processed and technical means of processing them are located, without control by the Operator’s employees;
- development of a personal data protection system based on the threat model for the corresponding class of information systems;
- implementation of a permissive system for user access to information resources, software and hardware tools for processing and protecting information;
- registration and accounting of actions of users of personal data information systems;
- password protection of users’ access to the personal data information system;
- use of cryptographic information protection tools, if necessary, to ensure the security of personal data when transmitted over open communication channels and stored on machine-based storage media;
- implementation of anti-virus control, prevention of introduction of malicious programs (virus programs) into the corporate network and software bookmarks by using antivirus programs;
- implementation of the requirements established by the Decree of the Government of the Russian Federation No. 687 of September 15, 2008 “On Approval of the Regulation on the Specifics of Personal Data Processing performed without the use of automation tools”.
Other obligations and rights of the Operator as an operator of personal data and a person organizing their processing on behalf of other operators are determined by the legislation of the Russian Federation in the field of personal data.
Officials and employees of the Operator who are guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in accordance with the legislation of the Russian Federation.
This version of the Policy was approved on July 19, 2022 and applies its requirements to legal entities belonging to the Fersol Group of Companies operating in the Russian Federation.