POLICY

on organization of processing and ensuring security of personal data

1. General provisions

  1. In order to comply in full with the norms of the current legislation of the Russian Federation, GARDIA, JSC considers compliance with the principles of legality, fairness and confidentiality in personal data processing, as well as ensuring the security of that processing, to be its most important task.
  2. This policy on organization of processing and ensuring security of personal data (hereinafter referred to as the "Policy") is characterized by the following features:
    1. developed in order to implement the requirements of the current legislation of the Russian Federation in the area of personal data processing and protection;
    2. discloses the methods and principles of personal data processing by GARDIA, JSC, the rights and obligations of GARDIA, JSC when processing personal data, the rights of personal data subjects, and also includes a list of measures applied by GARDIA, JSC in order to ensure personal data security during processing;
    3. is a publicly available document declaring the conceptual foundations of the activities of GARDIA, JSC in personal data processing and protection.
  3. Prior to processing personal data, GARDIA, JSC notified the authorized body for the protection of personal data subjects’ rights of its intention to process personal data. GARDIA, JSC updates the information specified in the notification in good faith and in due time.

2. List of abbreviations and acronyms

  1. The following abbreviations and acronyms are used in this document:

ISPD - personal data information system

Operator - GARDIA, JSC

PD - personal data

Policy - this Policy of GARDIA, JSC on the organization of processing and ensuring security of personal data

3. Legal grounds for PD processing

  1. The Operator processes PD in accordance with the current legislation of the Russian Federation on PD, guided by the following legal grounds:
    1. The Constitution of the Russian Federation (Articles 23, 24)
    2. Labor Code of the Russian Federation (Articles 65, 66, 86-90, 166)
    3. Tax Code of the Russian Federation (Article 226)
    4. Civil Code of the Russian Federation (Ch. 39, 40, 52)
    5. Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (Part 1, Article 6)
    6. Federal Law No. 167-FZ of December 15, 2001 “On Compulsory Pension Insurance in the Russian Federation” (Article 11)
    7. Federal Law No. 27-FZ of April 1, 1996 “On Individual (Personalized) Accounting in the Compulsory Pension Insurance System” (Articles 6, 9, 11)
    8. Federal Law No. 326-FZ of November 29, 2010 “On Compulsory Medical Insurance in the Russian Federation” (Article 38)
    9. Federal Law No. 255-FZ of December 29, 2006 “On Compulsory Social Insurance in Case of Temporary Disability and in Connection with Motherhood” (Part 4, Article 13)
    10. Federal Law No. 426-FZ of December 28, 2013 “On Special Assessment of Working Conditions” (Part 2, Article 4, Articles 7, 8)
    11. Decree of the State Statistics Committee of the Russian Federation dated 05.01.2004 No. 1 “On approval of unified forms of primary accounting documentation for labor accounting and compensation” (clause 2)
    12. Decree of the Ministry of Labor of the Russian Federation of October 24, 2002 No. 73 "On approval of the document forms necessary for the investigation and accounting of industrial accidents, and the provisions on the industrial accidents investigation features in certain industries and organizations" (clause 2 of Appendix No. 2)
    13. Decree of the Ministry of Labor of the Russian Federation, Ministry of Education of the Russian Federation dated January 13, 2003 No. 1/29 “On approval of the Procedure for training in labor protection and testing knowledge of labor protection requirements for employees of organizations” (clause 1.2)
    14. Federal Law of November 27, 1992 No. 4015-I "On Organization of Insurance Business in the Russian Federation"
    15. Federal Law No. 326-FZ dated November 29, 2010 “On Compulsory Medical Insurance in the Russian Federation”
    16. Federal Law No. 225-FZ of July 27, 2010 “On Compulsory Insurance of Civil Liability of Hazardous Facility Owner for Causing Harm as Result of Accident at Hazardous Facility”
    17. Federal Law No. 40-FZ of April 25, 2002 “On Compulsory Insurance of Civil Liability of Vehicle Owners”
    18. Decree of the Government of the Russian Federation No. 263 dated May 7, 2003 “On Approval of the Rules for Compulsory Civil Liability Insurance of Vehicle Owners”
    19. Order of the Ministry of Finance of the Russian Federation No. 67n dated July 1, 2009 “On establishing the form of application for concluding a contract of compulsory insurance of civil liability of vehicle owners, the form of insurance policy of compulsory insurance of civil liability of vehicle owners, the form of document containing information on insurance of civil liability of vehicle owners under the contract of compulsory insurance"
    20. Decree of the Government of the Russian Federation No. 739 of December 8, 2005 "On approval of insurance rates for compulsory insurance of civil liability of vehicle owners, their structure and procedure for application by insurers when determining the insurance premium"
    21. Order of the Ministry of Internal Affairs of Russia dated April 1, 2011 No. 154 "On approval of the form of traffic accident certificate"
    22. Order of the Ministry of Internal Affairs of Russia dated May 23, 2008 No. 449 "On approval of the form of traffic accident notice"
    23. Federal Law No. 115-FZ dated 07.08.2001 “On counteracting the legalization (laundering) of proceeds from crime and financing of terrorism”
    24. Operator's Charter
    25. Consents of PD subjects (employees, applicants, participants of incentive events and other persons) to processing of their PD
    26. Agreements under which the subjects of PD are party either as beneficiary or guarantor.

4. Principles, purposes, content and methods of PD processing

  1. The Operator in its activities ensures compliance with the principles of PD processing specified in Art. 5 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".
  2. The Operator collects and further processes PD for the following purposes:
    1. conclusion, administration, execution and termination of contracts and other transactions, including insurance and reinsurance contracts, including the process of insurance risks analysis and assessment, including conducting business negotiations;
    2. settlement of claims in case of insured events under insurance and reinsurance contracts, including the acceptance of applications and appeals, making insurance payments in case of insured events under insurance and reinsurance contracts;
    3. interaction with insurance intermediaries involved in attracting insured persons, including conducting business negotiations with the specified insurance intermediaries, conclusion, administration, amendment, termination of agency contracts, administration of claims settlement processes as well as monitoring the activities of insurance intermediaries to fulfill the obligations stipulated by the said agreements;
    4. supply of goods, performance of works and provision of services by counterparties and their subcontractors as well as implementation of procurement procedures from these counterparties and business negotiations with these counterparties;
    5. mutual settlements with clients, other contractors and beneficiaries;
    6. review and accounting of appeals (requests, instructions, statements, proposals, comments, claims, thank you letters, etc.) received from state, control, supervisory, judicial, law enforcement and other bodies as well as customers and other persons, the implementation of information service[1] to these persons as well as monitoring the quality of customers’ and other persons’ service;
    7. offering services to customers and prospects as well as participation by the Operator in the procurement procedures of the specified persons and the conduct by the Operator of business negotiations with the specified persons;
    8. organizing and conducting incentive events aimed at increasing awareness and consumer loyalty as well as promoting services;
    9. taking due diligence measures by the Operator when interacting with current and prospective customers, other counterparties, their subcontractors, insured persons, beneficiaries and other third parties, including the assessment of relevant legal, financial, reputational and other risks;
    10. execution of powers of attorney within the framework of vesting employees (hereinafter, the term "employee" includes employees, members of management bodies and other officers) and other persons with special powers to perform their labor functions and (or) represent the interests of the Operator;
    11. participation in civil, arbitration, criminal, administrative proceedings as well as execution of judicial acts;
    12. filling vacant positions of the Operator with applicants who most fully meet the requirements of the Operator;
    13. assistance to persons who are citizens of foreign states in obtaining work permits in the Russian Federation and in obtaining entry visas to the Russian Federation;
    14. compliance with labor legislation and other acts containing mandatory norms of law, accounting for labor and compensation, making managerial and personnel decisions in relation to employees, monitoring and recording working hours and labor discipline;
    15. calculation and payment of wages due to them and/or other payments, compensation and bonuses, pension and tax deductions as well as settlements with accountable persons;
    16. organization and (or) implementation of training, advanced training and knowledge testing;
    17. assistance to employees in public recognition of their professional achievements and personal merits, talents, abilities as well as motivating employees;
    18. fulfillment of social obligations assumed in relation to employees and their relatives in the form of providing them with the opportunity to participate in programs of voluntary medical insurance, life insurance, accident insurance and insurance in case of critical illness;
    19. issuance of travel documents for employees as well as implementation by the Operator of the organization and management of employees’ business trips;
    20. organization by the Operator of training, briefing, testing the knowledge of employees and other persons on labor protection and safety as well as conducting special assessment of working conditions;
    21. assistance to employees in facilitating and increasing the effectiveness of communications between them;
    22. assistance by the Operator to employees in the proper performance of their labor and other functions, including through issuance of business cards and the provision of taxi services and corporate mobile phones as well as other means of communication;
    23. ensuring personal safety and protecting the life and health of employees and other persons visiting real estate objects (premises, buildings, territory) as well as ensuring safety of material and other values;
    24. provision of official vehicles to employees to ensure the current activities of the Operator, to account for and reimburse the costs of operating the vehicles provided, to control the proper use and safety of the vehicles provided;
    25. allocation (connection) of computing facilities and office equipment administered by the Operator as well as managing access to the resources of the Operator's information systems;
    26. solving problems that arise in the process of working with computer equipment and office equipment as well as when accessing information system resources;
    27. providing employees with services for the use of mobile radio communications and access to the Internet information and telecommunications network as well as ensuring effective management and cost control for the provision of these services;
    28. organization and implementation of independent audit of accounting (financial) statements of the Operator in order to express opinion on the reliability of such statements;
    29. organization and implementation by the Operator (independently or with the involvement of third parties) of external and internal control (including inspections, audits, etc.) of activities, business processes and the quality of services provided and / or labor and other duties of the Operator, its employees, officials, contractors and subcontractors, checks for their compliance with the requirements of local and global policies and procedures of the Operator, Russian and international legislation as well as applicable rules of professional activity and standards;
    30. organization and implementation of measures to prevent, detect and suppress acts related to the legalization (laundering) of proceeds from crime and financing of terrorism as well as other illegal acts in accordance with the requirements of the Russian legislation and / or internal documents, including identification and confirmation of compliance by counterparties, employees, officials, shareholders (and their beneficiaries) of GARDIA, JSC and / or clients and other counterparties of GARDIA, JSC with the requirements for business reputation and other requirements and standards;
    31. implementation of correct accounting, proper storage and destruction after the expiration of the storage periods for certain categories of material media;
    32. ensuring the security and proper functioning of information systems, databases, software and / or technical and other means as well as information and data contained in them, including those related to the information and telecommunications network.
  3. The Operator has set the following conditions for terminating PD processing:
    1. achievement of PD processing goals and maximum storage periods;
    2. cessation of the need to achieve the goals of PD processing;
    3. provision by the PD subject or his legal representative of information confirming that PD is illegally obtained or not necessary for the stated purpose of processing;
    4. impossibility to ensure the legality of PD processing;
    5. withdrawal by the PD subject of consent to PD processing, if storage of PD is no longer required for the purposes of PD processing;
    6. expiration of the limitation periods for legal relations within the framework of which PD processing is carried out or has been carried out.
  4. Processing of PD by the Operator includes collection, recording, systematization, accumulation, storage, clarification (update, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion as well as destruction of PD.
  5. The Operator carries out processing of special categories of PD (information about health condition) in accordance with the requirements of the current labor legislation of the Russian Federation.
  6. The Operator carries out processing of biometric PD (information that characterizes physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the Operator to identify the subject of PD).
  7. The Operator performs cross-border transfer of PD (transfer of PD to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity).
  8. The Operator creates publicly available PD sources (directories, address books). PD reported by the subject are included in such sources only with the written consent of the PD subject or based on the requirements of the current legislation of the Russian Federation.
  9. The Operator does not make decisions that give rise to legal consequences in relation to PD subjects or otherwise affect their rights and legitimate interests, based solely on automated processing of their PD.
  10. The Operator processes PD both with and without the use of automation tools.
  11. When collecting PD, the Operator ensures the recording, systematization, accumulation, storage, clarification (update, modification), retrieval of PD of the Russian Federation citizens using databases located on the territory of the Russian Federation, except as expressly provided for by the current legislation of the Russian Federation on PD.

5. Measures for the proper organization of processing and ensuring security of PD

  1. When processing PD, the Operator takes all necessary legal, organizational and technical measures to protect them from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution as well as from other illegal actions in relation to them. Ensuring the security of PD is achieved, in particular, in the following ways:
    1. appointment of a person responsible for organizing the processing of PD;
    2. implementation of internal control and (or) audit of PD processing compliance with the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” and regulatory legal acts adopted in accordance with it, requirements for PD protection as well as Operator’s local policies;
    3. familiarization of the Operator’s employees directly involved in PD processing with the provisions of legislation of the Russian Federation on PD, including the requirements for PD protection, local policies regarding PD processing and (or) training of these employees;
    4. determination of threats to personal data security during their processing in ISPD;
    5. application of organizational and technical measures to ensure PD security during their processing in ISPD, necessary to fulfill the requirements for PD protection;
    6. evaluation of the effectiveness of measures taken to ensure the security of PD prior to the ISPD commissioning;
    7. organization of a security regime for the premises in which PD is processed and (or) the Operator's ISPD is located;
    8. determination of storage locations for PD material carriers as well as ensuring accounting and safety of PD material carriers;
    9. detection of facts of unauthorized access to PD and taking appropriate measures;
    10. restoration of PD modified or destroyed due to unauthorized access to them;
    11. establishing rules for access to PD processed in ISPD as well as ensuring registration and accounting of all actions performed with PD in ISPD;
    12. control over measures taken to ensure the security of PD and the level of ISPD security.
  2. The obligations of the Operator's employees involved in personal data processing and protection as well as their responsibility are determined in the Policy of the Operator On organization of processing and ensuring security of personal data.

6. Person responsible for organizing PD processing

  1. The rights, obligations and legal liability of the person responsible for organizing the personal data processing are established by Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, the Operator’s Policy On Organization of Processing and Ensuring Security of Personal Data and other local acts of the Operator in the area of personal data processing and protection.
  2. The appointment of a person responsible for organizing PD processing and release from these duties is carried out by the head of the Operator. When appointing a person responsible for organizing PD processing, the powers, competencies and personal qualities of the officer are taken into account, with the purpose to allow him to properly and fully exercise his rights and fulfill his duties.
  3. The person responsible for organizing PD processing:
    1. organizes the implementation of internal control over compliance by the Operator and its employees with the legislation of the Russian Federation on PD, including PD protection requirements;
    2. brings to the attention of the Operator's employees the provisions of the legislation of the Russian Federation on PD, local acts on PD processing, requirements for PD protection or ensures communication;
    3. exercises control over the acceptance and processing of appeals and requests from PD subjects or their representatives.
  4. Questions regarding the organization of PD processing can be sent to the Operator at a specially created e-mail box: personaldata@gardia.sk.

7. Rights of PD subjects

  1. The PD subject has the right to receive information about processing of his PD by the Operator.
  2. The PD subject has the right to require the Operator to modify these PD, block them or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or cannot be deemed necessary for the stated purpose of processing as well as take measures provided by law to protect their rights.
  3. The right of the PD subject to access his PD may be restricted in accordance with federal laws, including if the PD subject's access to his PD violates the rights and legitimate interests of third parties.
  4. In order to exercise and protect his rights and legitimate interests, the PD subject has the right to appeal to the Operator. The Operator considers any appeals and complaints from PD subjects that comply with the requirements of the law, carefully investigates the facts of violations and takes all necessary measures to eliminate them immediately, punish the perpetrators and resolve disputes and conflict situations in pre-trial order.
  5. The PD subject has the right to appeal against the actions or inaction of the Operator by contacting the authorized body for the protection of PD subjects’ rights.
  6. The PD subject has the right to protect his rights and legitimate interests in court, including compensation for losses and / or compensation for moral damage.

8. Access to the Policy

  1. The current version of the Policy on paper is stored at the location of the Operator's executive body at the address: 72, Leningradsky Prospekt, bldg. 3, floor 11, room XVIII, room 1, Moscow, 125315.
  2. The electronic copy of the current version of the Policy is publicly available on the Operator's website on the Internet: https://www.gardia.sk/privacy-policy

9. The procedure for approval and amendments to the Policy

  1. The Policy is approved and put into effect by the order of the head of the Operator and is valid until its cancellation.
  2. The Operator has the right to make changes to the Policy. Changes are approved by order of the head of the Operator.
    1. The Policy is reviewed as necessary, but at least once every three years from the date of the previous revision of the Policy.
    2. The Policy may be revised earlier than the term specified in clause 9.2.1 of the Policy when changes are made:
      1. to the regulatory legal acts of the Russian Federation in the area of personal data;
      2. to local regulatory and individual acts of the Operator regulating the organization of PD processing and ensuring security;
      3. to contracts and agreements regulating the legal relations of the Operator with contractors and other persons;
      4. to the order of organization by the Operator of PD processing and ensuring security.

10. Responsibility

  1. Persons guilty of violating the rules governing PD processing and protection are liable under the legislation of the Russian Federation, local acts of the Operator and agreements governing the legal relationship of the Operator with third parties.

 

  1. Cookies

When a visitor is on the website of GARDIA, JSC, cookies are stored by the visitor's browser on the hard drive, and GARDIA, JSC receives information sent by the browser and the visitor's computer to the website of GARDIA, JSC. GARDIA, JSC uses the information obtained in this way only for statistical purposes and in order to improve the website of GARDIA, JSC in accordance with the requirements of its visitors.

The information obtained in this way is not transferred or disclosed to third parties. Cookies do not contain any information that can identify visitors and they are automatically deleted a few weeks after visiting the site. Cookies can be deleted from the visitor's browser at his request.

 

[1]Information service - providing users with the necessary information, carried out by information bodies and services through the provision of information services (clause 3.2.2.1 GOST 7.0-99).