Personal Data Processing Policy
Personal data processing policy of "RPF “Luminofor” Corp."
1. General Provisions
1.1. This Personal Data Processing Policy of “Research and Production Firm “Luminophor” Corp. (“RPF “Luminofor” Corp.) regarding the processing of personal data (hereinafter referred to as the Policy) has been drawn up in accordance with the requirements of the Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the Law on Personal Data) to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. This Policy on the processing of personal data applies to all information that “RPF “Luminofor” Corp. (hereinafter, the "Operator") may receive.
1.3. The Policy applies to the relations in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.
1.4. In compliance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published freely on the Internet on the Operator’s website.
1.5. The main concepts used in the Policy are:
Personal Data - any information relating directly or indirectly to a certain or defined User of the Software (personal data subject).
Operator of personal data (Operator) - a state authority, municipal authority, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data.
Processing of personal data - any action (operation) or set of actions (operations) performed with the use of automation means or without the use of such means with personal data, including:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- use;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- deletion;
- destruction of personal data;
Automated processing of personal data - processing of personal data by means of computer equipment;
Dissemination of personal data - any actions aimed at disclosure of personal data to an indefinite number of persons;
Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
Blocking of personal data is the temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data);
Destruction of personal data - any actions, as a result of which personal data are irretrievably destroyed with the impossibility of further recovery of the content of personal data in the personal data information system and (or) material carriers of personal data are destroyed;
Depersonalization of personal data - an action that makes it impossible to determine, without using additional information, whether personal data belongs to a specific User or person;
Personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing.
1.6. Basic Rights and Obligations of the Operator.
1.6.1. The Operator has the Right to:
- independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;
- entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of a contract concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Personal Data Law, to respect the confidentiality of personal data, and to take the necessary measures to ensure compliance with the obligations provided for by the Personal Data Law;
- continue processing personal data without the consent of the personal data subject, in case the personal data subject revokes his/her consent to the processing of personal data, if there are grounds specified in the Personal Data Law.
1.6.2. The Operator is obliged to:
- organize the processing of personal data in accordance with the Personal Data Law;
- respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
- provide the authorized body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor)), at the request of this body, with the necessary information within 10 working days from the date of receipt of such request. This period may be extended, but not for more than 5 working days. To do this, the Operator must send a reasoned notification to Roskomnadzor indicating the reasons for extending the deadline for providing the requested information;
- in accordance with the procedure established by the federal executive governmental body authorized in the field of security, ensure interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing it about computer incidents that have resulted in the unlawful transfer (provision, dissemination, access) of personal data.
1.7. Basic Rights and Obligations of Personal Data Subjects. Personal Data Subjects have the Right to:
- receive information regarding the processing of his/her personal data, except for cases provided for by federal laws. Information shall be provided to the subject of personal data by the Operator in an accessible form and shall not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
- demand that the Operator clarify his/her personal data, block or destroy it in case the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect his/her rights;
- impose the condition of prior consent when processing personal data in order to market goods, works and services;
- appeal to Roskomnadzor or in court against unlawful acts or omissions of the Operator in the processing of his/her personal data.
1.8. Control over the fulfillment of the requirements of this Policy is carried out by an authorized person responsible for organizing the processing of personal data by the Operator.
1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and the regulations of “RPF “Luminofor” Corp. in the field of processing and protecting personal data is determined in accordance with the legislation of the Russian Federation.
2. Purpose of processing personal data
2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.
2.2. Only personal data that meet the purposes of their processing are subject to processing.
2.3. The processing of personal data by the Operator is carried out for the following purposes:
- carrying out its activities in accordance with the Charter of “RPF “Luminofor” Corp., including the conclusion and execution of contracts with counterparties;
- implementation of labor legislation within the framework of labor and other directly related relations, including: assistance to employees in finding employment, obtaining education and career advancement, attracting and selecting candidates for work with the Operator, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property, maintaining personnel and accounting records, filling out and submitting required reporting forms to authorized bodies, organization of individual (personalized) registration of employees in the systems of compulsory pension insurance and compulsory social insurance;
- implementation of access control.
2.4. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.
3. Legal basis for processing personal data
3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, pursuant to which and in accordance with which the Operator processes personal data, including:
- the Constitution of the Russian Federation;
- the Civil Code of the Russian Federation;
- the Labor Code of the Russian Federation;
- the Tax Code of the Russian Federation;
- Federal Law No. 14-FZ of February 8, 1998 “On Limited Liability Companies”;
- Federal Law No. 402-FZ of December 6, 2011 “On Accounting”;
- Federal Law No. 167-FZ of December 15, 2001 “On Compulsory Pension Insurance in the Russian Federation”;
- other regulatory legal acts regulating the activities of the Operator.
3.2. The legal grounds for processing of personal data by the Operator also are:
- Charter of “RPF “Luminofor” Corp.;
- contracts and other agreements concluded between the Operator and the subject of personal data;
- Users' consent to the processing of their personal data.
4. Volume and categories of processed personal data, categories of personal data subjects
4.1. The content and scope of the processed personal data must comply with the stated purposes of processing, provided for in sect. 2 of this Policy. The processed personal data should not be excessive in relation to the stated purposes of their processing.
4.2. The Operator may process personal data of the following categories of personal data subjects.
4.2.1. Candidates for employment with the Operator - for the purposes of the implementation of labor legislation in the framework of labor and other directly related relations, the implementation of access control:
- last name, first name, patronymic;
- gender;
- citizenship;
- date and place of birth;
- contact details;
- information about education, work experience, qualifications;
- other personal data reported by candidates in resumes and cover letters.
4.2.2. Employees (including former) of the Operator - for the purposes of implementing labor legislation within the framework of labor and other directly related relations, and for the implementation of access control:
- surname, first name, patronymic;
- gender;
- nationality;
- image (photograph);
- passport data;
- address of registration at the place of residence and address of actual residence;
- contact information;
- individual taxpayer number;
- insurance number of an individual personal account (SNILS);
- information on education, qualification, professional training and advanced training;
- marital status, presence of children, family ties;
- information on labor activity, including existence of encouragements, awards and (or) disciplinary punishments;
- data on marriage registration;
- information on military registration;
- information on disability;
- information on maintenance payments;
- information on income from previous jobs;
- other personal data provided by employees in accordance with the requirements of labor legislation.
4.2.3. Family members of the Operator’s employees - for the purposes of implementing labor legislation within the framework of labor and other directly related relations:
- surname, first name, patronymic;
- degree of kinship;
- date of birth;
- other personal data provided by employees in accordance with the requirements of labor legislation.
4.2.4. Clients and counterparties of the Operator (individuals) - for the purposes of carrying out its activities in accordance with the Charter of “RPF “Luminofor” Corp., the implementation of access control:
- last name, first name, patronymic;
- passport data;
- address of registration at the place of residence;
- contact details (phone numbers, e-mail);
- position held;
- individual taxpayer number;
- current account number;
- other personal data provided by customers and contractors and their employees (individuals), necessary for the conclusion and execution of contracts.
4.2.5. Representatives (employees) of the Operator's clients and counterparties (legal entities) - for the purposes of carrying out their activities in accordance with the charter of CJSC NPF Luminophor, the implementation of access control:
- last name, first name, patronymic;
- passport data;
- contact details;
- position held;
- other personal data provided by representatives (employees) of clients and counterparties necessary for the conclusion and execution of contracts.
4.3. The processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is carried out in accordance with the legislation of the Russian Federation.
4.4. The processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is carried out in accordance with the legislation of the Russian Federation.
5. Procedure and Conditions of Personal Data Processing
5.1. The operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.
5.2. The processing of personal data is carried out with the consent of the subjects of personal data for their processing, as well as without consent in cases provided for by the legislation of the Russian Federation.
5.3. The Operator processes personal data for each purpose of their processing in the following ways:
- non-automated processing of personal data;
- automated processing of personal data with or without transmission of the received information via information and telecommunication networks;
- mixed processing of personal data.
5.4. The Operator's employees, whose job responsibilities include processing personal data, are allowed to process personal data.
5.5. Personal data is processed by:
- receiving them orally and in writing directly from the subjects of personal data;
- entering them into the journals, registers and information systems of the Operator;
- using other methods of processing personal data.
5.6. It is not allowed to disclose to third parties and distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law. Consent to the processing of personal data authorized by the personal data subject for dissemination is issued separately from other consents of the personal data subject to the processing of his personal data.
The requirements to the content of processing of personal data authorized by the personal data subject for distribution were approved by Roskomnadzor Order No. 18 dated 02/24/2021.
5.7. The transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the FSS of the Russian Federation and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
5.8. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, distribution and other unauthorized actions, including:
- determines threats to security of personal data during its processing;
- adopts local regulations and other documents regulating relations in the field of processing and protection of personal data;
- appoints persons responsible for the organization of personal data processing;
- creates the necessary conditions for working with personal data;
- organizes the accounting of documents containing personal data;
- organizes work with information systems in which personal data is processed;
- keeps personal data in conditions which ensure its safety and exclude unauthorized access to it;
- organizes the training of the Operator's employees who process personal data.
5.9. The Operator stores personal data in a form that makes it possible to identify the subject of personal data for no longer than is required by each purpose of personal data processing, unless the period of personal data storage is established by federal law or contract.
5.9.1. Personal data on paper is stored in “RPF “Luminofor” Corp. during the retention periods of documents for which these periods are stipulated by the legislation on archival affairs in the Russian Federation (Federal Law No. 125-FZ of 22.10.2004 "On Archival Affairs in the Russian Federation", a list of standard administrative archival documents formed in the course of the activities of government agencies, local self-government bodies and organizations, indicating the terms of their storage (approved by Order of the Federal Archive of 20.12.2019 N 236)).
5.9.2. The storage period of personal data processed in personal data information systems corresponds to the storage period of personal data on paper.
5.10. The Operator stops processing personal data in the following cases:
- the fact of their illegal processing has been revealed. The deadline is within three working days from the date of detection;
- the goal of their processing has been achieved;
- the consent of the personal data subject to the processing of the specified data has expired or been revoked, when, according to the Law on Personal Data, the processing of this data is allowed only with consent.
5.11. Upon achieving the objectives of personal data processing, as well as in case of withdrawal of personal data subject’s consent to its processing, personal data shall be destroyed, unless:
- otherwise is not provided by the contract, to which the personal data subject is a party, beneficiary or guarantor;
- the Operator is not entitled to carry out processing without the consent of the subject of personal data on the grounds provided by the Personal Data Law or other federal laws;
- unless otherwise stipulated by another agreement between the operator and the subject of personal data.
5.12. If a personal data subject requests the Operator to terminate the processing of personal data within a period not exceeding 10 working days from the date of receipt by the Operator of the relevant request, the processing of personal data is terminated, except in cases provided for by the Law on Personal Data. The specified period may be extended, but not more than five working days. To do this, the Operator must send a reasoned notification to the subject of personal data indicating the reasons for the extension of the period.
5.13. When collecting personal data, including through the Internet information and telecommunications network, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in the Law on Personal Data.
6. Updating, Correcting, Deleting and Destroying Data, Responding to Subjects Requests for Access to Personal Data
6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data shall be provided by the Operator to the personal data subject or his representative within 10 working days from the date of the appeal or receipt of a request from the personal data subject or his representative. This period may be extended, but not for more than five business days. To do this, the Operator should send a reasoned notification to the personal data subject indicating the reasons for extending the deadline for providing the requested information.
The information provided does not include personal data related to other subjects of personal data, except in cases where there are legitimate grounds for the disclosure of such personal data.
The request must contain:
- the number of the main document certifying the identity of the personal data subject or his representative, information on the date of issue of the said document and the body that issued it;
- information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;
- signature of the personal data subject or his/her representative.
The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
The Operator provides the information specified in Part 7 of Article 14 of the Law on Personal Data to the personal data subject or his representative in the form in which the relevant appeal or request is sent, unless otherwise specified in the appeal or request.
If the appeal (request) of the personal data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him/her.
The right of the personal data subject to access his/her personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject's access to his/her personal data violates the rights and legitimate interests of third parties.
6.2. In the event that inaccurate personal data is discovered upon an appeal of the personal data subject or his/her representative, or at their request or at the request of Roskomnadzor, the Operator blocks the personal data related to this personal data subject from the moment of such appeal or receipt of the said request for the verification period, if the blocking of the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
In case of confirmation of the fact of inaccuracy of personal data, the Operator, on the basis of information provided by the personal data subject or his representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of the personal data.
6.3. In case of detection of unlawful processing of personal data upon an appeal (request) of the personal data subject or his representative or Roskomnadzor, the Operator blocks the unlawfully processed personal data related to this personal data subject from the moment of such appeal or receipt of the request.
6.4. If the Operator, Roskomnadzor, or other interested person identifies the fact of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data), which has resulted in a violation of the rights of personal data subjects, the Operator:
- within 24 hours, notifies Roskomnadzor of the incident, the alleged causes that led to the violation of the rights of personal data subjects, the alleged harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, as well as provides information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;
- within 72 hours, notifies Roskomnadzor of the results of the internal investigation of the identified incident and provides information about the persons whose actions caused it (if any).
6.5. The procedure for the destruction of personal data by the Operator.
6.5.1. Terms and conditions of personal data destruction by the Operator:
- achievement of the purpose of personal data processing or loss of the need to achieve this goal - within 30 days;
- achieving the maximum retention period for documents containing personal data - within 30 days;
- providing the personal data subject (his representative) with confirmation that the personal data was obtained illegally or is not necessary for the stated purpose of processing - within seven working days;
- revocation by the personal data subject of consent to the processing of his personal data, if their retention is no longer required for the purpose of their processing - within 30 days.
6.5.2. within 72 hours, notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused it (if any):
- otherwise provided by the agreement to which the personal data subject is a party, beneficiary or guarantor;
- the operator has no right to carry out processing without the consent of the personal data subject on the grounds provided for by the Law on Personal Data or other federal laws;
- unless otherwise provided by another agreement between the Operator and the personal data subject.
6.5.3. The destruction of personal data is carried out by commission.