APPROVED
by Order No. 24 of May 30, 2021

Individual entrepreneur Ekaterina Shamarina


1. Basic terms and definitions



The following basic concepts are used in this policy:


Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);

Operator - Individual entrepreneur Ekaterina Shamarina, independently organizing and processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

Personal data processing - any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Automated processing of personal data - processing of personal data using computer technology;

Dissemination of personal data - actions aimed at disclosure of personal data to an indefinite range of people;

Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain range of people;

Blocking of personal data - temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data);

Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;

Depersonalization of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine whether personal data belongs to a specific personal data subject;

Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;

Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.


2. General provisions

The Operator, aiming at unconditional compliance with the requirements of the legislation of the Russian Federation and at maintaining its business reputation, considers it its task to comply with the principles of fairness, legality, confidentiality, and security when processing personal data.

This policy regarding the processing of personal data:

is developed in consideration of the requirements of the Constitution of the Russian Federation, the legislation of the Russian Federation, and regulatory legal acts of the Russian Federation in the field of personal data;

defines the basic principles, goals and methods of personal data processing, the composition of personal data subjects and their rights, the actions of the Operator when processing personal data, the measures taken by the Operator to protect personal data, as well as measures to monitor compliance with the requirements of legislation and this policy;

is a publicly available document that regulates the Operator's activities in the processing of personal data.


3. Information about the operator

Individual entrepreneur Ekaterina Shamarina
ITN (INN): 366521580541
PSRN (OGRN): 316366800121160
TRRC (KPP):
Acc. at AO Tinkoff Bank 40802810400001461830
Corr. acc. 30101810145250000974
RCBIC: 044525974
Address: Voronezh, ul. January 9, 36/1, office 62.
E-mail: Kate2452@mail.ru


4. Legal grounds for processing personal data

This policy regarding the processing of personal data is compiled in accordance with the requirements of the following regulatory legal acts of the Russian Federation:

Constitution of the Russian Federation;

The Labor Code of the Russian Federation;

Federal Law No. 152-FZ of July 27, 2006 "On Personal Data";

Decree of the President of the Russian Federation No. 188 dated March 06, 1997 "On approval of the List of confidential information";

Decree of the Government of the Russian Federation No. 687 of September 13, 2008 "On Approval of the Regulation on the Specifics of Personal Data Processing Carried out without the Use of Automation tools";

Decree of the Government of the Russian Federation No. 512 dated July 06, 2008 "On Approval of Requirements for Material Carriers of Biometric Personal Data and Technologies for Storing Such Data outside of Personal Data Information Systems";

Decree of the Government of the Russian Federation No. 1119 of November 01, 2012 "On Approval of requirements for the protection of personal data during their Processing in Personal Data information Systems";

Order No. 21 of the Federal Office for Technical and Export Control of Russia dated February 18, 2013 "On Approval of the Composition and Content of organizational and Technical measures to ensure the security of personal data during their Processing in Personal Data Information Systems";

Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSCOMNADZOR) Decree No. 996 dated September 05, 2013 "On approval of requirements and methods for depersonalization of personal data";

other regulatory legal acts of the Russian Federation and regulatory documents of authorized state authorities.


5. Purposes of personal data processing

The Operator processes personal data for the purposes of:

carrying out economic activities, both non-profit-making and profit-making (including, but not limited to, the statutory activities of the Operator);

execution of the contract, one of the parties (or beneficiary) of which is the subject of personal data (including employment relations with employees of the Operator, relations with contractors / suppliers and with buyers / customers of the Operator).

Processing of personal data that does not meet the purposes of processing is not allowed.


6. Subjects and categories of personal data

In personal data information systems, the Operator processes the personal data of the following personal data subjects:

regular and non-regular employees who are in an employment/contractual relationship with the Operator;

individuals - customers of the Operator;

individuals - contractors under contracts concluded by the Operator.

The operator processes the following categories of general personal data: surname, first name, patronymic, date of birth, month of birth, year of birth, data of identity documents, address (registration at the place of residence and actual residence), contact details (phone numbers, email addresses), details of a power of attorney or other document confirming credentials, site user metadata (cookies, IP address and location data).


7. Basic principles of personal data processing

The processing of personal data by the Operator is carried out considering the protection of the rights and freedoms of both the Operator's employees and other persons when processing their personal data, including the rights to privacy, personal and family secrets based on the principles of:

legality and fairness of personal data processing;

restrictions on the processing of personal data to achieve specific, predetermined and legitimate goals;

compliance of the purposes and methods of personal data processing with the purposes that were stated during data collection;

the inadmissibility of combining databases created for different purposes for the processing of personal data;

compliance with the necessity and sufficiency of the volume, nature and methods of personal data processing with the stated purposes of their processing;

ensuring accuracy, reliability and, if necessary, relevance in relation to the purposes of processing;

storing personal data in a form that allows you to identify the subject of personal data for no longer than required by the purposes of processing, the requirements of legislation or the contract under which the beneficiary is the subject of personal data;

destruction or depersonalization of personal data upon achievement of goals or loss of the need to achieve these goals, unless otherwise provided by the requirements of legislation.


8. Actions with personal data

The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distribution, provision, access), depersonalizes, blocks, deletes, and destroys personal data.

The operator processes personal data in the following ways:

automated processing of personal data;

non-automated processing of personal data;

mixed processing of personal data.


9. Measures to fulfill the obligations of the Operator in ensuring the security of personal data during their processing

Data carriers containing personal data are stored in special strictly controlled premises located within the boundaries of controlled and protected zones.

Information access to the technical means by which personal data is processed is implemented through automated workstations protected from unauthorized access. Depending on the degree of criticality of the information, the differentiation (restriction) of access is carried out by software and hardware means of user identification and authentication.

Access of personnel and unauthorized persons to the protected premises and premises where the means of informatization and communication are located, as well as where personal data carriers are stored, is delimited (restricted).

Information is available only to strictly defined employees. Employee logins to and logouts from the operating system(s), work at automated workstations, and access to databases are recorded (logged).

Information protection against hardware failures and malicious software is implemented. An information recovery system is used.

When working in networks, information security is ensured by means of firewalls, the creation of demilitarized zones, virtual private networks, secure communication channels, the use of secure information transmission protocols, and hardware and software encryption of information.


10. Responsibility and control over compliance with the requirements of this policy and legislation in the field of personal data

The Operator is responsible for compliance with the requirements of the legislation in the field of personal data and this policy.

By order of the Operator, a person responsible for organizing the processing and ensuring the security of personal data is appointed.

The person responsible for organizing and ensuring the security of personal data, within the scope of implementing the provisions of this policy and legal acts of the Russian Federation in the field of personal data, is authorized to:

identify threats to the security of personal data during their processing in personal data information systems;

plan the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to counter threats to the security of personal data and meet the requirements for the protection of personal data;

organize control and/or audit of compliance of the protection measures taken in the processing of personal data with Federal Law No. 152-FZ of 27.07.2006 "On Personal Data", regulatory legal acts, requirements of regulatory acts for the protection of personal data, local acts;

evaluate the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system and organize monitoring of the level of personal data security during the operation of the personal data information system;

conduct an analysis on the facts of violation of the provisions of this policy;

develop and take appropriate measures to maintain the necessary level of personal data security;

organize the reception and processing of appeals and requests from the regulatory authorities of the Russian Federation, personal data subjects or their representatives.

Persons guilty of violating the norms of the current legislation of the Russian Federation in the field of personal data may be brought to disciplinary, administrative, civil and criminal liability in accordance with the procedure established by the current legislation of the Russian Federation.


11. Rights of personal data subjects

The subject of personal data has the right to receive information about the processing of his personal data by the Operator, including information containing:

confirmation of the fact of personal data processing;

legal basis, purposes and terms of personal data processing;

methods of processing personal data;

other information provided by the legislation of the Russian Federation.

The right of the subject of personal data to access his personal data may be limited:

if the processing of personal data, including those obtained as a result of operational investigative activities, is carried out in order to strengthen the country's defense, ensure state security and law enforcement;

if the processing of personal data is carried out in accordance with the legislation on countering the legalization (laundering) of proceeds from crime and the financing of terrorism;

if the access of the personal data subject violates the rights and legitimate interests of third parties;

provided that the processing of personal data is carried out by the persons that detain the subject of personal data on suspicion of committing a crime, or have charged the subject of personal data in a criminal case, or have applied a preventive measure to the subject of personal data before the indictment, except for cases provided for by the criminal procedure legislation of the Russian Federation, when the suspect or the accused with such personal data;

if the processing of personal data is carried out in cases provided for by the legislation of the Russian Federation on transport security, in order to ensure the stable and safe functioning of the transport complex, to protect the interests of the individual, society and the state in the field of transport complex from acts of unlawful interference.

The subject of personal data has the right to:

clarification of their personal data, their blocking or destruction, if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;

refusal of permission for the processing of personal data;

exercise of other rights provided for by the legislation of the Russian Federation in the field of personal data.

In order to exercise their rights and legitimate interests, the subject of personal data may contact the Operator or his authorized employees.

The authorized employee of the Operator considers appeals and complaints from personal data subjects, thoroughly investigates the facts of violations and takes all necessary measures to eliminate them immediately, punish the perpetrators and settle disputes and conflict situations in a pre-trial manner.

The subject of personal data has the right to appeal against the actions or inaction of the Operator by contacting the authorized body for the protection of the rights of personal data subjects.

The subject of personal data has the right to protect his rights and legitimate interests, including in court.


12. Final provisions

This policy has been developed and approved by the order of the Operator.

This Policy is an internal document of the Operator, publicly available and subject to posting on the Operator's official website.

This Policy is subject to change or addition in the event of new legislative acts and special regulatory documents on the processing and protection of personal data.

Compliance with the requirements of this Policy is monitored by those responsible for ensuring the security of personal data.

The responsibility of the Operator's officials with access to personal data for non-compliance with the requirements of the norms governing the processing and protection of personal data is determined in accordance with the legislation of the Russian Federation and internal documents of the Operator.