CRIMEAN SEAPORTS

STATE UNITARY ENTERPRISE OF THE REPUBLIC OF CRIMEA

Kerch, Kirova Street, 28

Mo - Th from 8 a.m. to 5 p.m.

Privacy and Security Policy

POLICY on the processing of personal data of the State Unitary Enterprise of the Republic of Crimea "Crimean seaports"

 

1. General Provisions

1.1. Purpose of the Policy

This document (hereinafter referred to as the Policy) defines the purposes and general principles of personal data processing, as well as the measures implemented to protect personal data in the Crimean Sea Port State Unitary Enterprise of the Republic of Crimea (hereinafter referred to as the Operator). The Policy is a public document of the Operator and may be consulted by any person.

1.2. Basic concepts

Personal data - any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).

Subject of personal data - an individual who is directly or indirectly identified, or identifiable, by means of personal data.

Operator of personal data (Operator) - a state body, a municipal body, a legal entity or an individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and that defines the purposes of processing personal data, the composition of personal data subject to processing, and the actions (operations) performed with personal data.

Personal data processing - any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Processing of personal data includes, among other things:

- collection;

- recording;

- systematization;

- accumulation;

- storage;

- clarification (update, change);

- extraction;

- use;

- transmission (distribution, provision, access);

- depersonalization;

- blocking;

- deletion;

- destruction.

Automated processing of personal data - processing of personal data by means of computer facilities.

Distribution of personal data - actions aimed at disclosing personal data to an undefined circle of persons.

Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons.

Blocking of personal data - temporary termination of the processing of personal data (except for cases when processing is necessary to clarify the personal data).

Destruction of personal data - actions as a result of which it becomes impossible to restore the contents of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.

Depersonalization of personal data - actions resulting in the impossibility of using additional information to determine the ownership of personal data by a specific subject of personal data.

Information system of personal data - a set of personal data contained in databases, together with the information technologies and technical means that provide for their processing.

Cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state, to an authority of a foreign state, to a foreign individual or to a foreign legal entity.

1.3. Basic Rights of the Operator

The Operator reserves the right to check the completeness and accuracy of the personal data provided. In case of identifying erroneous or incomplete personal data, the Operator has the right to terminate all relationship with the subject of personal data.

1.4. Key Operator Responsibilities

The operator does not collect personal data, does not process or transmit personal data of subjects of personal data to third parties, without the consent of the personal data subject, unless otherwise provided by federal law.

1.5. Basic Rights of the Subject

The subject of personal data has the right:

1) to obtain information concerning the processing of his personal data by the Operator;

2) to require the Operator to verify, block or destroy his personal data in the event that the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of the processing;

3) to withdraw consent to the processing of personal data in cases stipulated by law.

 

2. Objectives of collecting personal data

1) Ensuring compliance with labor laws of the Russian Federation;

2) To realize the powers conferred on the Enterprise by the current legislation;

3) organization of the access regime;

4) information support for the activities of authorized federal bodies in the field of transport security, as well as the formation and maintenance of automated centralized personal data bases on passengers and vehicle personnel (vehicles) (ACPVDP).

 

3. Legal basis for processing personal data

1) Federal Law of July 27, 2006, No. 152-FZ "On Personal Data";

2) Articles 85-90 of the Labor Code of the Russian Federation;

3) contracts with counterparties;

4) internal documents in the field of personal data protection;

5) the articles of association;

6) Federal Law dated February 9, 2007 No. 16-FZ "On Transport Security";

7) Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";

8) Resolution of the Government of the Russian Federation of September 15, 2008 No. 687 "On approval of the Regulation on the specifics of processing personal data, carried out without the use of automation tools";

9) Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 "On approval of the requirements for the protection of personal data when processing them in personal data information systems";

10) Order FSTEC of February 18, 2013 No. 21 "On the approval of the composition and content of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems."

 

4. The volume and categories of personal data being processed, the categories of personal data subjects

The Operator performs, on a legal and fair basis, the processing of personal data of the following individuals (PDD entities):

The goal of "Ensuring compliance with labor laws of the Russian Federation" is achieved through the processing of personal data of the following categories for the following subjects:

1) employees:

Special categories: state of health, conviction. Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, address, contact details, passport data, citizenship, information on military registration, marital status, family composition, degree of kinship, social status, property status, income, education, profession, information on labor activity, TIN, SNILS, access to state secrets, issued for the period of work, services, studies (form, number, date), bank details.

2) close relatives of employees:

Other categories: surname, name, patronymic, year of birth, date of birth, degree of relationship.

3) candidates for employment:

Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, address, contact details, passport data, citizenship, information on military registration, marital status, family composition, education, profession, information about work.

4) dismissed employees:

Special categories: previous conviction. Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, address, contact details, passport data, citizenship, information on military registration, marital status, family composition, degree of kinship, education, occupation, information on labor activity, TIN, SNILS, access to state secrets issued for the period of work, service, study (form, number, date).

The goal "To realize the powers conferred on the Enterprise by the current legislation" is achieved by processing personal data of the following categories for the following subjects:

1) counterparties:

Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, address, contact details, passport data, citizenship.

The purpose of "access control" is achieved through the processing of personal data of the following categories for the following subjects:

1) visitors:

Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, address, passport data, citizenship, position.

The purpose of "information support for the activities of authorized federal bodies in the field of transport security, as well as the formation and maintenance of automated centralized personal data bases on passengers and vehicle personnel (vehicle crews)" is achieved through the processing of personal data of the following categories for the following subjects:

1) personnel (crew) of ferries of the enterprise:

Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, passport data, position of personnel (crew) of the ferries of the enterprise.

2) passengers:

Other categories: surname, name, patronymic, year of birth, date of birth, place of birth, passport data, citizenship.

 

5. The procedure and conditions for the processing of personal data

5.1. List of actions with personal data

The Operator carries out the following actions with personal data: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.

5.2. Methods of processing personal data

The Operator uses the following methods for processing personal data: mixed processing of personal data with transmission over the internal network and the Internet.

5.3. Transfer of personal data to third parties

When the processing of personal data is entrusted to a third party, that party is required to take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision and distribution, and from other illegal actions in relation to personal data, including:

- identification of threats to the security of personal data when processing them in information systems;

- accounting for computer storage media of personal data;

- detection of the facts of unauthorized access to personal data and taking measures;

- control over measures taken to ensure the security of personal data and the level of security of information systems of personal data.

When personal data are transferred on the basis of a federal law, the conditions for the transfer of personal data are established by the relevant federal law.

5.4. Ensuring the safety of personal data by the Operator is achieved, in particular by the following measures:

1) familiarizing employees who process personal data with the provisions of the Russian Federation legislation on personal data, the Organization's policy regarding the processing of personal data, and local acts on the processing of personal data, and (or) training of these employees;

2) publication of the Organization's policy regarding the processing of personal data, local acts on the processing of personal data;

3) the appointment of the Person in charge of the processing of personal data;

4) establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal information system;

5) identification of threats to the security of personal data when processing them in personal data information systems.

5.5. The databases of the Operator's personal data are completely within the territory of the Russian Federation.

5.6. Terms for the processing of personal data

Personal data of entities processed by the Operator shall be destroyed or depersonalized in the event of:

1) the achievement of the objectives of processing personal data or the loss of the need to achieve these goals;

2) termination of the Operator.

5.7. Conditions for processing personal data without using automation tools

When processing personal data without the use of automation tools, the Operator fulfills the requirements established by the Resolution of the Government of the Russian Federation of September 15, 2008 No. 687 "On approval of the Regulation on the specifics of processing personal data, carried out without the use of automation tools."

6. Rules for responding to requests from personal data subjects and their representatives

When the subject of personal data or his legal representative requests, in writing or electronically, access to his personal data, the Institution shall be guided by the requirements of Articles 14, 18 and 20 of Federal Law No. 152-FZ. The subject or his legal representative may use the forms of requests specified in Annexes 1 to 3 to this Policy.

Access by the personal data subject or his legal representative to his personal data is provided by the Operator only under the control of the person responsible for organizing the processing of personal data of the Operator.

The appeal of the subject of personal data or his legal representative is recorded in the register of records of citizens' appeals (subjects of personal data) concerning the processing of personal data. A request in written or electronic form from the subject of personal data or his legal representative is recorded in the register of written requests of citizens for access to their personal data.

The person responsible for organizing the processing of personal data makes the decision to grant the subject access to personal data. In the event that the data provided by the subject is insufficient to establish his identity, or the provision of personal data violates the constitutional rights and freedoms of others, the person responsible for organizing the processing of personal data prepares a reasoned response containing a reference to the provision of part 8 of Article 14 of Federal Law No. 152-FZ or of another federal law that is the basis for such refusal, within a period not exceeding thirty working days from the date of the request of the subject of personal data or his legal representative, or from the date of receipt of the request of the personal data subject or his legal representative.

In order to give the subject of personal data or his legal representative access to the personal data of the subject, the person responsible for organizing the processing of personal data involves an employee (employees) of the structural unit that processes the personal data of the subject, in agreement with the head of this structural unit.

The Operator provides information about the availability of personal data to the subject of personal data in an accessible form, and it must not contain personal data relating to other personal data subjects. Control over the provision of information to the subject or his legal representative is performed by the person responsible for organizing the processing of personal data.

Information on the availability of personal data is provided to the subject when answering the request, within thirty days from the date of receipt of the request of the personal data subject or his legal representative.

 

7. Rules for responding to requests from authorized bodies

In accordance with Part 4 of Article 20 of Federal Law No. 152-FZ, the Operator, upon request of the authorized body for the protection of the rights of subjects of personal data, provides the information necessary for carrying out the activities of this body within thirty days from the date of receipt of such request. Collection of information for the preparation of a reasoned response to the request of the supervisory authorities is performed by the person responsible for organizing the processing of personal data, if necessary with the involvement of the Operator's employees. Within the established period, the person responsible for organizing the processing of personal data prepares and sends to the authorized body a reasoned response and other necessary documents.