PERSONAL DATA PROCESSING POLICY
Limited Liability Company Znanie (Znanie LLC)
1. General Provisions
1.1. This Policy of Limited Liability Company “Znanie” regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in compliance with the requirements of paragraph 2 of part 1 of article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of the rights and freedoms of an individual and citizen when processing his or her personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by Limited Liability Company “Znanie” (hereinafter referred to as the “Operator”, “Company”).
1.3. The Policy applies to personal data obtained both before and after this Policy comes into effect.
1.4. In compliance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Operator’s website in the Internet information and telecommunications network.
1.5. The Policy is valid indefinitely after its approval and/or until it is replaced by a new version: the date of the last update is indicated in the heading of the Policy. The new version of the Policy comes into force on the date of its approval. The previous version of the Policy loses force from the moment of approval of the new version.
1.6. All information related to personal data that became known to the Operator in connection with the processing of such data is confidential information and is protected by the current legislation of the Russian Federation. The Operator takes appropriate measures to protect such information.
1.7. Cross-border transfer of personal data
The operator is obliged to ensure that the foreign state to whose territory the personal data is supposed to be transferred ensures adequate protection of the rights of personal data subjects, before such transfer begins.
Cross-border transfer of personal data to the territory of foreign states that do not ensure adequate protection of the rights of the personal data subject may be carried out in the following cases:
2. Terms and accepted abbreviations
Personal data (PD) – any information related to a directly or indirectly determined or determinable individual (personal data subject).
Personal data permitted for distribution by the personal data subject – personal data, access to which is granted to an unlimited number of persons by the personal data subject by giving consent to the processing of personal data permitted for distribution by the personal data subject.
Personal data operator (operator) – a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data.
Personal data processing – any action (operation) or set of actions (operations) with personal data, performed with the use of automation tools or without their use. Personal data processing includes, among other things:
Automated processing of personal data is the processing of personal data using computer technology.
Provision of personal data is actions aimed at disclosing personal data to a specific person or a specific group of persons.
Distribution of personal data is actions aimed at disclosing personal data to an indefinite group of persons.
Blocking of personal data is a temporary cessation of the processing of personal data (except in cases where processing is necessary to clarify personal data).
Destruction of personal data is actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destroyed.
Depersonalization of personal data is actions that make it impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
Personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign government body, a foreign individual or a foreign legal entity.
Personal data protection – activities aimed at preventing leakage of protected personal data, unauthorized and unintentional impacts on protected personal data.
3. Legal grounds for processing personal data
The legal grounds for processing personal data are:
3.1. The Constitution of the Russian Federation;
3.2. Federal laws and regulatory legal acts adopted on their basis, pursuant to which and in accordance with which the operator processes personal data, in particular:
3.4. Civil Code of the Russian Federation,
3.4. Family Code of the Russian Federation,
3.5. Labor Code of the Russian Federation,
3.6. Charter of Znanie LLC;
3.7. Agreements concluded between the Operator and the personal data subject;
3.8. Consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the powers of the operator).
4. Procedure and conditions for processing and storing personal data
4.1. The Operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.
4.2. The processing of personal data is carried out with the consent of personal data subjects to the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
4.3. Consent to the processing of personal data permitted by the personal data subject to dissemination is drawn up separately from other consents of the personal data subject to the processing of his personal data.
4.4. Consent to the processing of personal data permitted by the personal data subject to dissemination may be provided to the operator:
4.5. The Operator processes personal data in a mixed way: with and without the use of automation tools.
4.6. The Operator’s employees whose job responsibilities include processing the relevant categories of personal data are allowed to process personal data.
4.7. Personal data shall be processed by:
4.8. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is prohibited, unless otherwise provided by the legislation of the Russian Federation.
4.9. Transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive bodies and organizations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.
4.10. The Operator shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, dissemination and other unauthorized actions, including:
4.11. The Operator stores personal data in a form that allows identifying the subject of personal data for no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law, contract or agreement.
4.12. When collecting personal data, including via the Internet information and telecommunications network, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
4.13. Purposes of personal data processing:
4.13.1. Only personal data that meets the purposes of their processing may be processed.
4.13.2. The Operator processes personal data for the following purposes:
4.14. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.
4.15. Categories of personal data subjects.
The personal data of the following personal data subjects is processed:
The list of categories of personal data subjects may be revised as necessary.
4.16. PD processed by the Operator:
4.17. Storage of PD.
4.17.1. PD of subjects may be received, undergo further processing and transferred for storage both on paper and in electronic form.
4.17.2. PD recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.
4.17.3. PD of subjects processed using automation tools for different purposes are stored in different folders.
4.17.4. Storage and placement of documents containing PD in open electronic directories (file sharing services) in the ISPD is prohibited.
4.17.5. Storage of PD in a form that allows identifying the subject of PD is carried out no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the processing purposes or in the event of loss of the need to achieve them.
4.18. Termination of PD processing.
4.19. Destruction of PD.
4.19.1. Destruction of documents (media) containing PD is carried out by crushing (shredding) using a shredder. PD on electronic media are destroyed by erasing or formatting the media. The fact of destruction of PD is confirmed by a documented act on destruction from media.
5. Personal data protection
In accordance with the requirements of regulatory documents, the Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data:
6. Basic rights of the personal data subject and obligations of the Operator
6.1. Basic rights of the personal data subject.
The subject has the right to access his personal data and the following information:
6.2. Obligations of the Operator.
The operator is obliged to:
7. Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data
7.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, are provided by the Operator to the personal data subject or his representative upon request or upon receipt of a request from the personal data subject or his representative.
The Operator considers requests or inquiries from personal data subjects, provides explanations and takes measures to protect personal data. In the event of claims or complaints from personal data subjects, the Operator takes all necessary measures to eliminate possible violations, identify the perpetrators and settle disputes out of court.
The information provided does not include personal data related to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.
The request must contain:
The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation to the email address: info@isspb.school or in writing by mail to the address of the Company: 197198, St. Petersburg, Kolpinskaya St., 9, lit. A.
If the request (appeal) of the personal data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the rights to access the requested information, then a reasoned refusal is sent to him.
The response period for a written request is within seven working days.
The right of the personal data subject to access their personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties.
7.2. In the event that inaccurate personal data or illegal actions with them are detected upon an appeal by the personal data subject or their representative or at their request or at the request of Roskomnadzor, the Operator blocks the personal data related to this personal data subject from the moment of such appeal or receipt of the specified request for the verification period, unless blocking the personal data violates the rights and legitimate interests of the personal data subject or third parties.
In the event that the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the personal data subject or their representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of the personal data. The unblocking is carried out on the basis of an order of the General Director of the Company.
7.3. In the event of detection of unlawful processing of personal data, the Company is obliged to eliminate the violations committed within a period not exceeding three working days from the date of such detection. In the event that it is impossible to eliminate the violations committed within a period not exceeding three working days from the date of detection of the unlawfulness of the action with personal data, the Company is obliged to destroy the personal data. The Operator is obliged to notify the personal data subject or his legal representative of the elimination of the violations committed or the destruction of personal data, and if the appeal of the personal data subject or his legal representative or the request of the authorized body for the protection of the rights of personal data subjects were sent by the authorized body for the protection of the rights of personal data subjects, also the said body.
7.4. Upon achieving the goals of personal data processing, as well as in the event of the personal data subject’s withdrawal of consent to their processing, the personal data are subject to destruction within a period not exceeding 30 business days and the personal data subject or their legal representative shall be notified thereof, unless:
8. Final Provisions
8.1. Liability for violation of the requirements of the legislation of the Russian Federation and the Company’s regulatory documents in the field of personal data is determined in accordance with the legislation of the Russian Federation.
8.2. All changes and additions to this Policy must be approved by the General Director of the Company.