JSC Faberlic Policy on personal data processing and information on implemented requirements for personal data protection
1. General Provisions
1.1. This Policy (hereinafter referred to as the Policy) lays out the general principles and procedures for processing personal data, as well as measures to ensure security of said data, within the Joint Stock Company "Faberlic" (hereinafter referred to as the Company).
1.2. The Policy has been developed in accordance with the provisions of Federal law 152-FZ of 27.07.2006 "On personal data", and other legislative and normative legal acts that govern the procedures surrounding the use of personal data and requirements to ensure their safety.
1.3. The Policy uses the following terms and definitions:
Automated processing of personal data – the processing of personal data using computer technology
Biometric personal data – data that characterize a person's physiological and biological features, on the basis of which identity can be established and which are used by the operator to establish the identity of the data subject
Personal data blocking – the temporary cessation of personal data processing (except where processing is necessary for rectification of personal data)
Access to personal data – the disclosure of a subject's personal data that are processed by the Company to certain parties (including employees), while maintaining the privacy of this information
Contractor – the counterparty in a contract with the Company, not an employee of the Company
Personal data confidentiality – the responsibility of parties with access to personal data not to disclose said data to third parties and not to distribute personal data without the consent of the data subject, unless otherwise required by law
Depersonalization of personal data – action taken by which it becomes impossible to determine the particular subject of personal data without additional information
Processing of personal data – any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, rectification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data
Public personal data – personal data available to the public, access to which is provided according to legislation or at the subject's request, as well as data that are subject to mandatory disclosure or publication
Operator – state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the purposes, scope and subject of data processing and actions (operations) related to personal data (in the Policy, the Operator refers to the Company unless otherwise specified)
Personal data – any information referring directly or indirectly to a particular or identified individual (personal data subject)
Provision of personal data – actions intended to disclose personal data to a certain person or a certain group of persons
Distribution of personal data – actions intended to disclose personal data to the public at large
Personal data subject – the individual to whom the personal data refers
Cross-border transfer of personal data – the transfer of personal data to a foreign territory, foreign government body, foreign individual or foreign legal entity
Destruction of personal data – actions performed on personal data contained in the database that prevent such data from being restored and/or actions aimed at the physical destruction of the tangible medium of personal data
2. Status of the Company and categories of subjects whose personal data is processed by the Company
2.1. The Company acts as operator with respect to personal data of the following categories of individuals:
– Employees of the Company (and, if necessary, close relatives of employees) with whom the Company has entered into or previously entered into employment contracts, including former employees with whom employment contracts were terminated (hereinafter referred to as Employees)
– Applicants for vacancies in the Company (candidates for employment with the Company), who have submitted their resume or a form containing personal data, whether personally or through specialized recruitment organizations (recruitment agencies), including through specialized sites on the Internet (hereinafter referred to as Applicants)
– Employees of contractors hired by the Company for providing necessary access to the Company's Information Systems (hereinafter referred to as Contractor Employees)
– Representatives, whose data is received for the purpose of sales of the Company's products under the contract entered into through acceptance of an offer on the Company's website (hereinafter referred to as Representatives)
– Individual contractors who provide the Company with reimbursable services in accordance with civil contracts (hereinafter referred to as Individual contractors)
– Customers who buy the Company's products, i.e. individuals who make purchases in the Company's online store (hereinafter referred to as Customers)
– Anonymous visitors to www.faberlic.com who visit the site without logging in, with intent to view the Company's products (hereinafter referred to as Users)
– Representatives of personal data subjects who report to the Company on behalf of personal data subjects (hereinafter referred to as Representatives of Subjects)
– Visitors to the company, in order to allow them access to secure areas of the Company and monitor their departure from the premises (hereinafter referred to as Visitors)
2.2. The Company is an entity that provides personal data to other operators in accordance with the requirements of legislation, which include, without limitation:
– Government authorities and extra-budgetary funds to which tax reports are sent with regard to the Company's employees as a tax agent, and employee funds or funds to be credited to employees' accounts are transferred (Federal Tax Service inspectorates, offices of the Pension Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, the Social Insurance Fund of the Russian Federation, etc.)
– Telecommunications operators which are given information about users of corporate communications services (landline and mobile telephones, Internet access) in accordance with the requirements of legislation
– Military commissioners and trade union bodies to which personal data is provided (transferred) in cases stipulated by law
In addition to the above, personal data is provided (transferred) to government authorities and extra-budgetary funds, telecommunications operators, military commissioners, and trade union bodies by the relevant government authorities and extra-budgetary funds within the limits of their mandates under the law. Special consent of the subjects for such transfer of personal data is not required.
3. Principles of personal data processing
The Company processes personal data according to the following principles:
3.1. Legality and equitable basis of personal data processing. The Company takes all necessary measures to comply with the requirements of the Law and does not process personal data in cases where it is not permitted by law or where it is not required for any specific purpose by the Company, and does not use personal data to harm the subject of such data.
3.2. Personal data processing is limited to specific, predefined, and legitimate purposes. The purposes of the Company's personal data processing are:
– With respect to Employees, including former employees (and, if necessary, close relatives of employees) – execution of signed employment contracts, including training and promotion, employees' personal security, quantity and quality control of work performed, the safeguarding of assets, calculation and payment of wages and other remunerations, calculation and deduction of taxes and insurance premiums, provision by the employer of additional services (pension insurance, transfer of income to employee payment cards); and fulfillment of the requirements of state statistical registration authorities; provision of benefits and protection to employees under legislation for individuals with (adopted) children and individuals with family responsibilities; and fulfillment of the requirements of the Labor Code of the Russian Federation on informing relatives of accidents
– With respect to Applicants – to select candidates who most closely meet the Company's requirements
– With respect to Contractor Employees – signing and execution of contracts with contractors, providing access to necessary information systems of the Company
– With respect to Representatives – sales of the Company's products on the basis of a contract entered into through acceptance of an offer on the Company's website
– With respect to Individual contractors – signing and execution of civil contracts for the sale of products, and fulfillment of contractual obligations to the Company
– With respect to Customers of the Company's internet store – to provide the possibility to purchase products
– With respect to Users and visitors to www.faberlic.com – to facilitate user navigation of the site, get analytical data about visits, and improve the site's performance
– With respect to Representatives of subjects – fulfillment of actions taken by the Company on behalf of the representatives of personal data subjects
– With respect to Visitors – allowance of visitors to pass into the protected premises of the Company and monitoring of their exit from the protected premises
3.3. Processing only personal data that correspond to the pre-declared purposes of their processing; compliance of the content and volume of the processed personal data with the stated purposes of processing; prevention of processing personal data that is not compatible with the purposes of personal data collection or unnecessary in relation to the stated purposes of personal data processing. The Company does not collect or process personal data that is not required to achieve the goals specified in clause 3.2 of this Policy, and does not use personal data of subjects for any purposes other than those specified.
3.4. Prevention of combining databases containing personal data processed for purposes that are not compatible with each other.
3.5. Ensuring the accuracy, completeness, and relevance of personal data in relation to the purposes of personal data processing. The Company takes all reasonable measures to maintain the relevance of the processed personal data, including (without limitation) exercising the right of each subject to receive their personal data for review and to require the Company to clarify, block, or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the purposes of processing stated above.
3.6. Storage of personal data in a form that allows identification of the data subject for no longer than required for the purpose of processing the personal data, if the retention period of personal data is not established by legislation, by an agreement where one of the parties is the personal data subject, or the consent of the personal data subject to data processing.
3.7. Destruction or depersonalization of personal data upon fulfillment of the declared purposes of their processing or in the event it is no longer necessary to fulfill these purposes, or it becomes impossible for the Company to prevent violations of the procedure for processing personal data established by law, or withdrawal of the subject's consent to personal data processing, or the end of the period for personal data processing established by the consent to personal data processing, unless otherwise provided for by law or by agreement with the personal data subjects.
4. Conditions of personal data processing
4.1. The Company's personal data processing is allowed in the following situations:
4.1.1. With the personal data subject's consent to personal data processing.
4.1.2. Personal data processing that is necessary for implementation and fulfillment of the functions, powers and duties assigned to the Company by law. Such cases include, without limitation, processing of special categories of Employee personal data in order to fulfill purposes stipulated by labor and pension legislation.
4.1.3. To conclude a contract at the initiative of the personal data subject and to execute the contract to which the personal data subject is a party. Such contracts are, without limitation, employment contracts with Employees, civil contracts with Individual Contractors, and contracts for the sale of products with deferred payment with Representatives.
4.1.4. Prior to the conclusion of these contracts, the Company processes personal data at the stage of pre-contractual work with Individual Contractors and Representatives, as well as when conducting recruitment work when the subject's consent to processing is confirmed by the Applicant's own completed form or a form (resume) submitted by them to the Company or to a specialized recruitment organization, or posted by the Applicant, Contractor, or Representative on specialized websites on the Internet, or sent by them to the Company via e-mail.
4.1.5. Processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject, if it is not possible to obtain the subject's consent.
4.1.6. Processing of personal data by the Company is necessary to exercise the rights and legitimate interests of the Company and/or third parties, including in cases provided for by Federal law 320-FZ "On protection of the rights and legitimate interests of individuals when performing activities to repay overdue debts...", or to achieve socially significant goals, provided that the rights and freedoms of personal data subjects are not violated.
4.1.7. Personal data is processed by the Company for statistical or other research purposes, subject to mandatory depersonalization of personal data.
4.1.8. Processing of personal data to which the personal data subject has provided public access or public access has been provided at the personal data subject's request.
4.1.9. Personal data is subject to publication or mandatory disclosure in accordance with legislation.
4.2. The Company does not disclose or distribute personal data to third parties without the subject's consent, unless otherwise required by law, by contract with the personal data subject, or provided for in the subject's consent to the processing of their personal data.
4.3. The Company does not process personal data in special categories related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status (with the exception of information that is relevant to the Employee's performance of job functions and that is necessary for the purposes of certain pension legislation), personal life, or membership in labor unions or union activity, except where expressly required by law.
4.4. The Company may process personal data on criminal records only in cases and in accordance with the procedure established by law.
4.5. When collecting personal data, the Company shall carry out recording, systematization, accumulation, storage, rectification (updating, changing), and extraction of personal data using databases located in the Russian Federation.
4.6. Cross-border personal data processing is carried out with the consent of the personal data subject, and the Company ensures the transfer of personal data using databases located in the Russian Federation.
4.7. The Company does not make decisions that give rise to legal consequences for Employees or otherwise affect the rights and legitimate interests of Employees based solely on automated processing of personal data. Data that have legal consequences or affect the rights and legitimate interests of the Employee, such as the amount of accrued income, taxes and other deductions, are subject to verification by an authorized employee of the Company before use.
5. Methods of personal data processing
5.1. The Company carries out the processing of personal data both with and without the use of automation.
5.2. The Policy applies in full to the processing of personal data using automation. When personal data is processed without the use of automation, the Policy applies only in cases where such processing corresponds in nature to the actions (operations) performed with personal data using automation tools, that is, where it allows personal data recorded on a material carrier and contained in card files or other systematic collections of personal data to be searched for, and/or accessed, using a specified algorithm.
6. Confidentiality of personal data
6.1. Employees of the Company who have access to personal data must ensure the confidentiality of said data. Confidentiality is not required with respect to:
– Personal data after its depersonalization;
– Public personal data.
6.2. The Company may, with the consent of the subject, entrust the processing of personal data to another party, unless otherwise required by law, on the basis of a contract related to personal data processing on behalf of the Company entered into with said party, following the principles and rules of personal data processing as required by law. The amount of personal data transferred to another party for personal data processing and the number of processing methods used by said party must be the minimum necessary to fulfill their responsibilities to the Company. The Company's instructions must include a defined list of actions (operations) to be taken with personal data that will be performed by the party carrying out the personal data processing and purposes of the processing; said instructions must define the aforementioned party's responsibility to maintain the confidentiality of personal data and ensure the security of personal data during their processing as well as indicate the requirements for the protection of processed personal data in accordance with article 19 of Federal law 152-FZ of 27.07.2006 "On personal data".
When fulfilling the Company's instructions with regard to personal data processing, the party to whom the processing is entrusted shall be entitled to use their information systems located on the territory of the Russian Federation and conforming to safety measures required by law as instructed by the Company in the agreed-upon personal data processing contract.
6.3. In the event that the Company entrusts the processing of personal data to another party, the Company is responsible to the personal data subject for the actions of the specified party. The party processing personal data on behalf of the Company is liable to the Company.
7. Consent of personal data subject to personal data processing
7.1. The personal data subject makes the decision about providing their personal data to the Company and consents to the processing of their own free will and in their own interest. Consent to personal data processing must be specific, informed and conscious, and may be given by the subject in any form that allows confirmation of the fact of their consent, unless otherwise required by law.
7.2. Representatives and Customers provide their personal data when registering in the system, buying the products, using the services of the information system, or through other interactions on the Company's website.
7.3. The use of the Company's information system services means unconditional agreement to the Policy and the terms and conditions of personal information processing mentioned within. In the event that the user disagrees with these conditions, they must refrain from using the information system services.
7.4. If a Representative of a personal data Subject consents to the processing of personal data, the Company checks that the Representative of the Subject has authority to give consent on behalf of the personal data subject.
7.5. If the Company receives personal data from a Contractor on the basis of an agreement concluded with them, the Contractor is responsible for the legality and reliability of the personal data, as well as for obtaining the consent of the Contractor's Representatives to transfer their personal data to the Company, which is stipulated in the text of the agreement with the Contractor.
7.6. Having received personal data from a Contractor, the Company does not assume any obligation to inform the subjects (their representatives) whose personal data has been transferred to it about the start of personal data processing, since the Contractor that transferred the personal data is responsible for providing appropriate information when entering into an agreement with the personal data subject and/or obtaining consent to such transfer. This obligation of the Contractor is included in the agreement concluded between the Contractor and the Company.
7.7. The express consent of an Employee to the processing of their personal data is not required, since the processing is necessary for the performance of the employment contract to which the Employee who is the personal data subject is a party, except in cases where it is necessary to obtain the Employee's written consent for specific instances of personal data processing. Cases requiring the Employee's written consent include (without limitation):
7.7.1. Obtaining personal data of Employees from third parties, including for the purpose of verifying such personal data, as well as in cases where such data cannot be obtained from the Employee themself.
7.7.2. Transfer of an Employee's personal data to any third party, including the transfer of the Employee's personal data when sending them on business trips or trainings, when booking hotels and tickets, etc.
7.7.3. Providing an Employee's personal data to third parties for commercial purposes, including, but not limited to, banks that open and maintain payment cards for payroll and other Employee income, insurance companies engaged in pension insurance at the expense of the Company as an employer, printing enterprises engaged in manufacturing business cards at the expense of the employer, etc.
7.8. Express consent of Relatives of the Company's Employees is not required if their personal data is processed on the basis of Federal laws (for calculating alimony, making social payments, providing benefits and guarantees, etc.), is necessary for informing relatives about accidents, and is performed by the Company as an employer in accordance with the requirements of state statistical accounting bodies. In all other cases, it is necessary to obtain proven (confirmed) consent of Employees' Relatives for the processing of their personal data by the Company.
7.9. An Applicant's express consent to the processing of their personal data is not required, since such processing is necessary for the purpose of concluding an employment contract at the initiative of the Applicant who is the personal data subject, except in cases where it is necessary to obtain the Applicant's written consent for specific cases of personal data processing. If a decision is made not to hire an Applicant, their personal data must be destroyed within 30 days from the date of such decision, unless otherwise stipulated in the agreement with the Applicant or specified in their consent to personal data processing.
7.10. The consent of Individual Contractors to the processing of their personal data is not required, since they are a party in an agreement with the Company.
7.11. Personal data of individuals who have signed agreements with the Company, contained in the unified state registers of legal entities and individual entrepreneurs, are open and publicly available, except for information about the number, date of issue, and the authority that issued the identity document of the individual. Protection of confidentiality and consent of personal data subjects to the processing of this data is not required.
In all other cases, the consent of personal data subjects who are Representatives of Contractors must be obtained, with the exception of individuals who have signed contracts with the Company or provided power of attorney to act for and on behalf of the Company's Contractors, or who have independently sent personal data by e-mail, thereby committing a conclusive action confirming their consent to the processing of the personal data indicated in the text of the agreement (power of attorney) or e-mail. The Contractor may obtain the consent of its representative for transfer of their personal data to the Company and the Company's processing of this personal data in the manner described in clause 7.5 of this Policy. In this case, the Company does not need to obtain the subject's consent to the processing of their personal data.
7.12. Consent of Representatives of Subjects to the processing of their personal data is provided in the form of conclusive action by granting power of attorney with authority to act for and on behalf of the personal data subjects, and the identity document of the Representative of the Subject.
7.13. A Visitor's consent to the processing of their personal data is provided in the form of a specific action, namely, the communication of information requested from them when visiting the Company.
7.14. Users of the site give consent to the processing of their personal data received by the Company when using cookies by placing a corresponding mark ("tick") in the checkbox on the site.
7.15. Consent from subjects regarding their provided personal data is not required when the Company receives, within the established powers, motivated requests from the prosecution authorities, law enforcement agencies, investigation and inquiry bodies, security agencies, state labor inspectors exercising state supervision and control over compliance with labor legislation, and other bodies authorized to request information in accordance with the competence provided by law.
A motivated request must include an indication of the purpose of the request, a reference to the legal grounds for the request, including confirming the authority of the agency submitting the request, as well as a list of the requested information.
7.16. If requests are received from organizations that do not have the appropriate authority, the Company must obtain consent from the non-Employee subject to provide their personal data in any form that can be proven, and warn the individuals receiving the personal data that this data can only be used for the purposes for which it was reported, as well as require these individuals to confirm that the specified rule will be (was) observed. The procedure for obtaining Employees' consent to transfer their personal data to other individuals is described in clause 7.7 of this Policy.
7.17. Consent to the processing of personal data with no legal requirement for processing or that is not required for the performance of the agreement with the Company to which the personal data subject is a party may be revoked by the personal data subject. In this case, the Company destroys the personal data relating to the revoked consent, and ensures their destruction by the contractors to whom the data was transferred within 30 days from the date the revocation of the subject's consent to the processing of their personal data is received.
7.18. In all cases, the Company is obligated to provide proof of obtaining the personal data subject's consent to the processing of their personal data or proof of the existence of the grounds specified in Federal law 152-FZ of 27.07.2006 "On personal data".
8. Rights of personal data subjects
8.1. The personal data subject has the right to receive information regarding the processing of their personal data. The personal data subject is entitled to request that the Company rectify, block, or destroy their personal data in the event that the personal data is incomplete, outdated, inaccurate, illegally obtained, or unnecessary for the declared purpose of processing; and also to take legal measures to protect their rights. The personal data subject may make requests in writing, by e-mail to firstname.lastname@example.org, or via the feedback form on the Company's website.
8.2. The subject's request concerning the Company's processing of their personal data in writing or by e-mail must contain:
– Surname, first name, and patronymic/middle name of the personal data subject or their representative;
– The number of a basic document proving the identity of the personal data subject as well as their representative (if the inquiry is made by a representative), the date the aforementioned document(s) was issued, and the issuing authority (authorities);
– Information that confirms the personal data subject's relationship with the Company (number and date of contract with the Company, a copy (scan or photograph) of written communication or an SMS from the Company, etc.), or information that otherwise confirms personal data processing by the Company;
– The signature of the personal data subject or their representative.
A subject's request submitted through the feedback form on the Company's website does not need to contain the information described above.
8.3. The subject has the right to revoke their consent to the Company's processing of their personal data at any time by written declaration in any form containing basic document information that proves the subject's identity or the personal data that was specified when providing it to the Company, or by sending a request via the feedback form on the Company's website (in this case, identity-proving document information is not required).
8.4. If the personal data subject believes that the Company is processing their personal data in violation of the law, or otherwise violating their rights and liberties, the personal data subject has the right to appeal the Company's actions or inaction to the authorized body on protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Media) or through legal action.
8.5. At the request of the authorized body on protection of the rights of personal data subjects, the Company is obliged to provide the requested information within thirty days from the date of receipt of such request.
8.6. The procedure for interaction with regulatory authorities is regulated by the current legislation of the Russian Federation.
9. Information concerning implemented requirements for personal data protection
9.1. The security of personal data processed by the Company is supported by the implementation of legal, organizational, and technical measures necessary and sufficient to meet the requirements of legislation concerning personal data.
9.2. Legal measures taken by the Company include:
– developing Company by-laws that implement the requirements of legislation, including this Policy and the "Regulations on the organization of personal data processing and protection within JSC Faberlic";
– refusing to use any personal data processing methods that do not fulfill the purposes and legal requirements set out in the Policy.
9.3. Organizational measures taken by the Company include:
– appointing individuals responsible for organizing personal data processing and for ensuring the security of personal data in personal data information systems;
– restricting the number of Company employees who have access to personal data, and organizing a permit system for access to them;
– familiarizing the Company's employees who directly process personal data with the provisions of the legislation on personal data, including requirements for personal data protection, the Company's Policy, and other by-laws on personal data processing;
– training all categories of Company employees directly engaged in processing personal data, on the rules of working with personal data and ensuring the security of the processed data;
– defining the responsibilities for ensuring the security of personal data processing and responsibility for violation of the established procedure in the job descriptions of Company employees;
– regulating the personal data processing procedures;
– organizing a system for recording and storing physical media containing personal data, so as to prevent their theft, substitution, unauthorized copying and destruction;
– identifying current threats to the security of personal data, determining the required level of security, and defining protection requirements for the processing of personal data in information systems that ensure the established security levels;
– placing the technical resources used for processing personal data within a secure area;
– restricting access of unauthorized individuals to the Company's premises and preventing their unsupervised presence in rooms where personal data is processed or where the technical resources for processing it are located.
9.4. Technical measures taken by the Company include:
– developing a personal data protection system that addresses current threats and meets the personal data protection levels established by the Government of the Russian Federation for processing in information systems;
– using information security tools that have passed compliance assessment to neutralize current threats;
– assessing the effectiveness of measures taken to ensure the security of personal data;
– implementing an employee permission system for access to personal data processed in information systems, as well as to hardware and software tools for information protection;
– registering and recording the actions taken with personal data by users of information systems where personal data is processed;
– detecting malicious software (using anti-virus programs) on all nodes of the Company's information network that support it;
– securing inter-network interactions (using firewalls);
– detecting intrusions into the Company's information systems that violate, or create the preconditions for violating, the established requirements for ensuring the security of personal data;
– recovering personal data that was modified or destroyed due to unauthorized access (creating a backup and recovery system for personal data);
– periodically monitoring user actions, and investigating violations of personal data security requirements;
– verifying the implementation of these requirements (independently or with the involvement of legal entities and individual entrepreneurs licensed in technical protection of confidential information, on a contractual basis) at least once every 3 years.
10. Final provisions
10.1. Other responsibilities and rights of the Company as a personal data operator and as a party that processes data on behalf of other operators are regulated by the laws of the Russian Federation in the sphere of personal data.
10.2. Officials and employees of the Company who are responsible for violating the rules governing personal data processing and protection shall bear material, disciplinary, administrative, civil and criminal liability in accordance with the laws of the Russian Federation.
10.3. The terms of this Policy shall be revised as necessary. Mandatory Policy review shall be conducted in the event of significant changes in international or Russian Federation law in the sphere of personal data.
The following are considered when introducing changes to the terms of the Policy:
– changes in the information infrastructure and/or technologies used by the Company;
– established practice of enforcement of law in the sphere of personal data in the Russian Federation;
– changes to the conditions and nature of the Company's personal data processing in connection with the introduction of new information systems, processes and technologies into the Company's operation.