PERSONAL DATA PROCESSING POLICY

Limited Liability Company Znanie (Znanie LLC)

 

1. General Provisions

1.1. This Policy of Limited Liability Company “Znanie” regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in compliance with the requirements of paragraph 2 of part 1 of article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of the rights and freedoms of an individual and citizen when processing his or her personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Policy applies to all personal data processed by Limited Liability Company “Znanie” (hereinafter referred to as the “Operator”, “Company”).

1.3. The Policy applies to personal data obtained both before and after this Policy comes into effect.

1.4. In compliance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Operator’s website in the Internet information and telecommunications network.

1.5. The Policy is valid indefinitely after its approval and/or until it is replaced by a new version: the date of the last update is indicated in the heading of the Policy. The new version of the Policy comes into force on the date of its approval. The previous version of the Policy loses force from the moment of approval of the new version.

1.6. All information related to personal data that became known to the Operator in connection with the processing of such data is confidential information and is protected by the current legislation of the Russian Federation. The Operator takes appropriate measures to protect such information.

1.7. Cross-border transfer of personal data

The operator is obliged to ensure that the foreign state to whose territory the personal data is supposed to be transferred ensures adequate protection of the rights of personal data subjects, before such transfer begins.

Cross-border transfer of personal data to the territory of foreign states that do not ensure adequate protection of the rights of the personal data subject may be carried out in the following cases:

  • The presence of written consent of the personal data subject to the cross-border transfer of his personal data;
  • Performance of an agreement to which the personal data subject is a party.

2. Terms and accepted abbreviations

Personal data (PD) – any information related to a directly or indirectly determined or determinable individual (personal data subject).

Personal data permitted for distribution by the personal data subject – personal data, access to which is granted to an unlimited number of persons by the personal data subject by giving consent to the processing of personal data permitted for distribution by the personal data subject.

Personal data operator (operator) – a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data.

Personal data processing – any action (operation) or set of actions (operations) with personal data, performed with the use of automation tools or without their use. Personal data processing includes, among other things:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • retrieval;
  • use;
  • transfer (provision, access);
  • distribution;
  • depersonalization;
  • blocking;
  • deletion;
  •  

Automated processing of personal data is the processing of personal data using computer technology.

Provision of personal data is actions aimed at disclosing personal data to a specific person or a specific group of persons.

Distribution of personal data is actions aimed at disclosing personal data to an indefinite group of persons.

Blocking of personal data is a temporary cessation of the processing of personal data (except in cases where processing is necessary to clarify personal data).

Destruction of personal data is actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destroyed.

Depersonalization of personal data is actions that make it impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.

Personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure their processing.

Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign government body, a foreign individual or a foreign legal entity.

Personal data protection – activities aimed at preventing leakage of protected personal data, unauthorized and unintentional impacts on protected personal data.

3. Legal grounds for processing personal data

The legal grounds for processing personal data are:

3.1. The Constitution of the Russian Federation;

3.2. Federal laws and regulatory legal acts adopted on their basis, pursuant to which and in accordance with which the operator processes personal data, in particular:

  • Federal Law of 29.12.2012 No. 273-FZ “On Education in the Russian Federation”,
  • Federal Law of 27.07.2006 No. 152-FZ “On Personal Data”.

3.4. Civil Code of the Russian Federation,

3.4. Family Code of the Russian Federation,

3.5. Labor Code of the Russian Federation,

3.6. Charter of Znanie LLC;

3.7. Agreements concluded between the Operator and the personal data subject;

3.8. Consent to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the powers of the operator).

4. Procedure and conditions for processing and storing personal data

4.1. The Operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.

4.2. The processing of personal data is carried out with the consent of personal data subjects to the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.

4.3. Consent to the processing of personal data permitted by the personal data subject to dissemination is drawn up separately from other consents of the personal data subject to the processing of his personal data.

4.4. Consent to the processing of personal data permitted by the personal data subject to dissemination may be provided to the operator:

  • directly;
  • using the information system of the authorized body for the protection of the rights of personal data subjects.

4.5. The Operator processes personal data in a mixed way: with and without the use of automation tools.

4.6. The Operator’s employees whose job responsibilities include processing the relevant categories of personal data are allowed to process personal data.

4.7. Personal data shall be processed by:

  • obtaining personal data in oral and written form directly with the consent of the personal data subject to the processing or dissemination of his personal data;
  • entering personal data into the Operator’s journals, registers and information systems;
  • using other methods of processing personal data.

4.8. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is prohibited, unless otherwise provided by the legislation of the Russian Federation.

4.9. Transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive bodies and organizations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.

4.10. The Operator shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, dissemination and other unauthorized actions, including:

  • identifying threats to the security of personal data during their processing;
  • adopts local regulations and other documents governing relations in the sphere of processing and protection of personal data;
  • appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
  • creates the necessary conditions for working with personal data;
  • organizes the accounting of documents containing personal data;
  • organizes work with information systems in which personal data are processed;
  • stores personal data under conditions that ensure their safety and exclude unauthorized access to them;
  • organizes training for the Operator’s employees processing personal data.

4.11. The Operator stores personal data in a form that allows identifying the subject of personal data for no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law, contract or agreement.

4.12. When collecting personal data, including via the Internet information and telecommunications network, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

4.13. Purposes of personal data processing:

4.13.1. Only personal data that meets the purposes of their processing may be processed.

4.13.2. The Operator processes personal data for the following purposes:

  • ensuring compliance with the Constitution, federal laws and other regulatory legal acts of the Russian Federation;
  • carrying out its activities in accordance with the Charter of Znanie LLC;
  • maintaining personnel records;
  • assisting employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;
  • attracting and selecting candidates for employment with the Operator;
  • organizing the registration of employees for individual (personalized) records in the compulsory pension insurance system;
  • filling out and submitting required reporting forms to executive authorities and other authorized organizations;
  • execution of the contract for the provision of educational services and the implementation of civil law relations;
  • accounting;
  • filling out primary statistical documentation in accordance with labor, tax legislation and other federal laws.
  • implementation of the access control system.

4.14. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

4.15. Categories of personal data subjects.

The personal data of the following personal data subjects is processed:

  • individuals who are in employment relations with Znanie LLC;
  • individuals who have resigned from Znanie LLC;
  • individuals who are relatives of Znanie LLC employees;
  • individuals who are job candidates;
  • individuals who are visitors to the websites: https://isspb.school/ and https://ru.isspb.school/;
  • individuals who are students, legal representatives of students;
  • individuals who are in civil law relations with Znanie LLC;
  • individuals who are representatives/employees of the Operator’s counterparties (legal entities);
  • other subjects of personal data processing in accordance with the processing purposes specified in Section 3 of the Policy.

The list of categories of personal data subjects may be revised as necessary.

4.16. PD processed by the Operator:

  • data obtained in the course of employment relations;
  • data obtained for the selection of job candidates;
  • data obtained in the course of civil law relations.

4.17. Storage of PD.

4.17.1. PD of subjects may be received, undergo further processing and transferred for storage both on paper and in electronic form.

4.17.2. PD recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.

4.17.3. PD of subjects processed using automation tools for different purposes are stored in different folders.

4.17.4. Storage and placement of documents containing PD in open electronic directories (file sharing services) in the ISPD is prohibited.

4.17.5. Storage of PD in a form that allows identifying the subject of PD is carried out no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the processing purposes or in the event of loss of the need to achieve them.

4.18. Termination of PD processing.

  • Achievement of the purposes of PD processing in accordance with Section 3 of the Policy;
  • Expiry of consent or revocation of consent of the subject of PD to the processing of his PD;
  • Detection of illegal processing of PD.

4.19. Destruction of PD.

4.19.1. Destruction of documents (media) containing PD is carried out by crushing (shredding) using a shredder. PD on electronic media are destroyed by erasing or formatting the media. The fact of destruction of PD is confirmed by a documented act on destruction from media.

5. Personal data protection

In accordance with the requirements of regulatory documents, the Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data:

  • Establishing individual passwords for employee access to the information system in accordance with their work responsibilities;
  • Using information security tools that have undergone the established procedure for assessing the compliance of information;
  • Certified anti-virus software with regularly updated databases;
  • Determining current threats to the security of personal data when processing them in the ISPD and developing measures and activities to protect personal data;
  • Appointing a person responsible for processing personal data;
  • Developing local regulations and other documents in the field of processing and protecting personal data;
  • Implementing internal control and audit over the processing and protection of personal data.

6. Basic rights of the personal data subject and obligations of the Operator

6.1. Basic rights of the personal data subject.

The subject has the right to access his personal data and the following information:

  • confirmation of the fact of personal data processing by the Operator;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Operator;
  • name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
  • terms of personal data processing, including the terms of their storage;
  • the procedure for exercising the rights provided for by this Federal Law by the personal data subject;
  • name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is or will be entrusted to such person;
  • contacting the Operator and sending him requests;
  • appealing the actions or inactions of the Operator.

6.2. Obligations of the Operator.

The operator is obliged to:

  • provide information on the processing of PD when collecting PD;
  • notify the subject if the PD was not received from the subject of the PD;
  • explain the consequences of such refusal to the subject in case of refusal to provide PD;
  • publish or otherwise provide unlimited access to the document defining its policy regarding the processing of PD, to information on the implemented requirements for the protection of PD;
  • take the necessary legal, organizational and technical measures or ensure their adoption to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD;
  • respond to requests and appeals from subjects of PD, their representatives and the authorized body for the protection of the rights of subjects of PD.

7. Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data

7.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, are provided by the Operator to the personal data subject or his representative upon request or upon receipt of a request from the personal data subject or his representative.

The Operator considers requests or inquiries from personal data subjects, provides explanations and takes measures to protect personal data. In the event of claims or complaints from personal data subjects, the Operator takes all necessary measures to eliminate possible violations, identify the perpetrators and settle disputes out of court.

The information provided does not include personal data related to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.

The request must contain:

  • the last name, first name, patronymic of the personal data subject or his representative;
  • the number of the main document certifying the identity of the personal data subject or his representative, information on the date of issue of the said document and the issuing authority;
  • information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;
  • signature of the personal data subject or his representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation to the email address: info@isspb.school or in writing by mail to the address of the Company: 197198, St. Petersburg, Kolpinskaya St., 9, lit. A.

If the request (appeal) of the personal data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the rights to access the requested information, then a reasoned refusal is sent to him.

The response period for a written request is within seven working days.

The right of the personal data subject to access their personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties.

7.2. In the event that inaccurate personal data or illegal actions with them are detected upon an appeal by the personal data subject or their representative or at their request or at the request of Roskomnadzor, the Operator blocks the personal data related to this personal data subject from the moment of such appeal or receipt of the specified request for the verification period, unless blocking the personal data violates the rights and legitimate interests of the personal data subject or third parties.

In the event that the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the personal data subject or their representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of the personal data. The unblocking is carried out on the basis of an order of the General Director of the Company.

7.3. In the event of detection of unlawful processing of personal data, the Company is obliged to eliminate the violations committed within a period not exceeding three working days from the date of such detection. In the event that it is impossible to eliminate the violations committed within a period not exceeding three working days from the date of detection of the unlawfulness of the action with personal data, the Company is obliged to destroy the personal data. The Operator is obliged to notify the personal data subject or his legal representative of the elimination of the violations committed or the destruction of personal data, and if the appeal of the personal data subject or his legal representative or the request of the authorized body for the protection of the rights of personal data subjects were sent by the authorized body for the protection of the rights of personal data subjects, also the said body.

7.4. Upon achieving the goals of personal data processing, as well as in the event of the personal data subject’s withdrawal of consent to their processing, the personal data are subject to destruction within a period not exceeding 30 business days and the personal data subject or their legal representative shall be notified thereof, unless:

  • otherwise provided by the agreement to which the personal data subject is a party, beneficiary or guarantor;
  • the operator has no right to carry out processing without the consent of the personal data subject on the grounds stipulated by the Personal Data Law or other federal laws;
  • otherwise provided by another agreement between the Operator and the personal data subject.

8. Final Provisions

8.1. Liability for violation of the requirements of the legislation of the Russian Federation and the Company’s regulatory documents in the field of personal data is determined in accordance with the legislation of the Russian Federation.

8.2. All changes and additions to this Policy must be approved by the General Director of the Company.