1. General provisions


1.1. This Policy of the JSC «Glavkosmos» in respect of personal data processing (hereinafter referred to as “Policy”) developed in order to implement the requirements of paragraph 2 part 1 of article 18.1 of the Federal Law № 152-FZ from 27 July 2006 «On personal data» (hereinafter referred to as “Law on Personal Data”) in order to ensure the protection of the rights and freedoms of a person and citizen in the processing of his/her personal data, including the protection of the rights to privacy, personal and family privacy.

1.2. The Policy applies to all personal data that is processed by the JSC «Glavkosmos» (hereinafter referred to as “Operator”).

1.3. The Policy applies to relations in the field of personal data processing that have arisen for the Operator before and after the approval of this Policy.

1.4. In order to implement requirements of paragraph 2 part 1 of article 18.1 of the Law on Personal Data, the Policy is published in free access by posting it on the information and telecommunication Internet network on the Operator’s websites: glavkosmos.com and trade.glavkosmos.com.

1.5. Basic terms used in the Policy:

personal data – any information related directly or indirectly to determined or specified natural person (personal data subject);

personal data operator (operator) – public authority, municipal body, entity or individual, independently or jointly with other bodies organizing and (or) carrying out the processing of personal data, as well as defining the purposes of processing personal data, composition of personal data to be processed, actions (operations) accomplished with the personal data;

personal data processing – any action (operation) or set of actions (operations), performed with the use of automation tools or without the use of such tools with personal data, including:

-   collection;

-   recording;

-   systematization;

-   accumulation;

-   storage;

-   refinement (update, change);

-   retrieval;

-   use;

-   transfer (distribution, provision, access);

-   depersonalization;

-   blocking;

-   deletion;

-   destruction;

automatic processing of personal data - personal data processing by means of computer equipment;

provision of personal data - actions aimed at the disclosure of personal data to a certain person or a certain group of persons;

dissemination of personal data - actions aimed at disclosing personal data to an indefinite group of persons;

blocking of personal data - temporary termination of the processing of personal data (unless it is necessary to refine personal data);

destruction of personal data - actions as a result of which it becomes impossible to restore the contents of personal data in the information system of personal data and (or) as a result of which material data carriers are destroyed;

depersonalization of personal data - actions as a result of which it becomes impossible to determine the identity of personal data to a specific personal data subject without the use of an additional information;

information system of personal data - set of personal data contained in databases and information technologies and technical means ensuring their processing;

cross-border transfer of data - transfer of personal data into the territory of a foreign state to the authority of a foreign state, foreign natural person or foreign legal entity.

1.6. The fundamental rights and obligations of the Operator.

1.6.1. The Operator has the right:

-     to independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of duties stipulated by the Law on Personal Data and regulations adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

-     to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided by the Law on Personal Data;

-     in case of withdrawal of consent by personal data subject to continue the processing of personal data without the consent of personal data subject, if there are grounds specified in the Law on Personal Data.

1.6.2. The Operator is obliged:

-     to organize the processing of personal data in accordance with the requirements of the Law on Personal Data;

-     to respond to requests and inquiries of personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;

-     to report to the authorized body for the protection of personal data subjects (Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)) upon request of this body, the necessary information within 30 days from the date of receipt of such a request.

1.7. The fundamental rights of personal data subject. The personal data subject has the right:

-     to receive information relating to the processing of his/her personal data, except as provided by federal laws. Information is provided to the personal data subject by the Operator in an accessible form, and it should not contain personal data relating to other personal data subjects unless there are legal grounds for disclosing such personal data. The list of information and the procedure for its receipt is established by the Law on Personal Data;

-     require the Operator to clarify his/her personal data, to block or destroy it if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing as well as take legal measures to protect their rights;

-     set forth a condition of prior consent when processing personal data in order to promote goods, works and services on the market;

-     to appeal in Roskomnadzor or in a court of law illegal actions or inaction of the Operator in the processing of his/her personal data.

1.8. Control over compliance with the requirements of this Policy is carried out by an authorized person responsible for organizing the processing of personal data from the Operator.

1.9. Responsibility for violation of the requirements of the laws of the Russian Federation and the regulations of the Operator in the field of processing and protection of personal data is determined in accordance with the laws of the Russian Federation.

 

2. The purposes of collecting personal data


2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate goals. It is not allowed to process personal data incompatible with the purposes of collecting personal data.

2.2. Only personal data are processed that meets the purposes of their processing.

2.3. The processing by the Operator of personal data is carried out for the following purposes:

-   ensuring compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;

-   implementation of its activities in accordance with the Charter of JSC "Glavkosmos";

-   maintenance of personnel documents;

-   assistance to employees in employment, education and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;

-   recruitment and selection of candidates for employment with the Operator;

-   organization of individual (personified) registration of employees in the system of mandatory pension insurance;

-   filling out and submitting to the executive authorities and other authorized organizations the required reporting forms;

-   the implementation of civil law relations;

-   accounting management;

-   implementation of permit regime.

2.4. The processing of personal data of employees may be carried out solely in order to ensure compliance with laws and other regulatory legal acts.


3. Legal basis of personal data processing


3.1. The legal basis of personal data processing is a set of regulatory legal acts, pursuant to and in accordance with which the Operator processes personal data, including:

-   Constitution of the Russian Federation;

-   Civil Code of the Russian Federation;

-   Labour Code of the Russian Federation;

-   Tax Code of the Russian Federation;

-   Federal Law № 152-FZ from 27 July 2006 «On personal data»;

-   Federal Law № 167-FZ from 15 December 2001 «About mandatory pension insurance in the Russian Federation»;

-   Federal Law № 208-FZ from 26 December 1995 «About joint-stock companies»;

-   Federal Law № 402-FZ from 6 December 2011 «On accounting»;

-   other normative legislative acts governing relations connected with the activities of the Operator and regulating the processing of personal data.

3.2. Legal basis of personal data processing are also:

-   Charter of JSC «Glavkosmos»;

-   this Policy;

-   internal normative documents of the Operator;

-   agreements concluded between the Operator and personal data subjects;

-   consent of personal data subjects to the processing of their personal data.


4. Volume and categories of processed personal data,

categories of personal data subjects


4.1. The content and volume of processed personal data should comply with the stated purposes of processing provided for in Section 2 of this Policy. Processed personal data should not be redundant in relation to the stated purpose of their processing.

4.2. The Operator can process personal data of the following categories of personal data subjects:

4.2.1. Candidates for employment with the Operator:

-   last name, first name, middle name;

-   gender;

-   nationality:

-   date and place of birth;

-   contact details;

-   Information on education, work experience, skills;

-   other personal data provided by candidates in resumes and cover letters.

4.2.2. Employees and former employees of the Operator:

-   last name, first name, middle name;

-   gender;

-   nationality:

-   date and place of birth;

-   photo;

-   passport details;

-   registered home address;

-   actual home address;

-   contact details;

-   Taxpayer Identification Number;

-   personal insurance account number (PIAN);

-   Information on education, skills, vocational training and advanced training;

-   family status, children and relatives;

-   Information on employment, including incentives, awards and/or disciplinary sanctions;

-   marriage registration data;

-   information on military records;

-   information on disability;

-   information on alimony;

-   information on income earned at the previous job;

-   other personal data provided by employees in accordance with the requirements of labor laws.

4.2.3. Family members of the Operator's employees:

-   last name, first name, middle name;

-   relationship;

-   year of birth;

-   other personal data provided by employees in accordance with the requirements of labor laws.

4.2.4. Customers and counterparties of the Operator (individuals):

-   last name, first name, middle name;

-   date and place of birth;

-   passport details;

-   registered home address;

-   contact details;

-   position to be filled;

-   Taxpayer Identification Number;

-   current account number;

-   other personal data provided by customers and counterparties (individuals), which are required in order to execute and implement contracts.

4.2.5. Representatives (employees) of the Operator's customers and counterparties (legal entities):

-   last name, first name, middle name;

-   passport details;

-   contact details;

-   position to be filled;

-   other personal data provided by representatives (employees) of clients and counterparties, which are required for execution and implementation of contracts.

4.3. Processing by the Operator of biometric personal data (data that provide physiological and biological characteristics of a person, on the basis of which a person’s identity may be established) is carried out in accordance with applicable laws of the Russian Federation.

4.4. The Operator may not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except for cases provided for by applicable laws of the Russian Federation.


5. Procedure and terms of personal data processing


5.1. The Operator shall process personal data in accordance with the requirements of applicable laws of the Russian Federation.

5.2. Personal data shall be processed with the consent of personal data subjects for processing of their personal data, as well as without such consent in cases provided for by the applicable laws of the Russian Federation.

5.3. The operator carries out both automated and non-automated processing of personal data.

5.4. The Operator's employees, whose official duties include personal data processing, are allowed to process personal data.

5.5. Processing of personal data is carried out by way of:

-   obtaining of personal data in oral and written form directly from personal data subjects;

-   obtaining of personal data from public sources;

-   entering personal data into the Operator's logs, registers and information systems;

-   use of other ways of personal data processing.

5.6. Disclosure to third parties and distribution of personal data without consent of the personal data subject is not allowed, unless federal laws specify otherwise.

5.7. Disclosure of personal data to bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized bodies of executive power and organizations is carried out in accordance with the requirements of applicable laws of the Russian Federation.

5.8. The Operator shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions; in particular, the Operator shall:

-   determine threats to the security of personal data during its processing;

-   adopt local regulations and other documents governing relations in the area of personal data processing and protection;

-   appoint persons responsible for ensuring security of personal data in the Operator’s structural subdivisions and information systems;

-   create the necessary conditions for working with personal data;

-   arrange accounting for documents containing personal data;

-   organize work with information systems where personal data is processed;

-   store personal data in a manner that preserves it and prevents it from being accessed inappropriately;

-   organize training of the Operator's employees involved in personal data processing.

5.9. The Operator shall store personal data in a form that allows determining the personal data subject not longer than it is required by the purpose of personal data processing, unless the term of storage of personal data is established by the federal law or contract.

5.10. When collecting personal data, particularly by means of the Internet, the Operator shall ensure recording, systematization, accumulation, storage, clarification (updating, change), retrieval of personal data of citizens of the Russian Federation using databases located in the Russian Federation, except for cases specified in the Law on Personal Data.

5.11. Conditions for termination of personal data processing include:

-      achieving the goals of personal data processing;

-      expiration or withdrawal of the personal data subject's consent to processing of his or her personal data;

-      discovery of illegal processing of personal data.

 

6. Updating, correction, deletion and destruction of

personal data, responses to subjects’ requests

for access to personal data


6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in paragraph 7 of Article 14 of the Law on Personal Data shall be provided by the Operator to the personal data subject or his or her representative upon inquiry or upon receipt of the request of the personal data subject or his or her representative.

6.2. The provided information does not include personal data related to other personal data subjects, unless there are legal grounds for disclosure of such personal data.

6.3. The request shall contain:

-   number of the main identity document of the personal data subject or his or her representative, information on the date of issue of the said document and the issuing authority;

-   information confirming participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, verbal notation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;

-   signature of the personal data subject or his or her representative.

6.4. The request may be sent in the form of an electronic document and signed with a digital signature in accordance with applicable laws of the Russian Federation.

6.5. If the personal data subject's inquiry (request) does not include all the necessary information, in accordance with the requirements of the Law on Personal Data, or the subject does not have the right of access to the requested information, he or she shall receive a reasoned refusal.

6.6. The right of the personal data subject to access to his or her personal data may be restricted in accordance with paragraph 8, Article 14 of the Law on Personal Data, particularly if the access of the personal data subject to his or her personal data violates the rights and legitimate interests of third parties.

6.7. If inaccurate personal data is discovered in case of inquiry of the personal data subject or his or her representative, or upon their request, or upon request of Roskomnadzor, the Operator shall block personal data related to this personal data subject from the moment of such inquiry or receipt of such request for the period of verification if blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

6.8. In case of confirmation of inaccuracy of personal data, the Operator shall correct the personal data within seven working days from the date of submission of such data and unblock personal data on the basis of information provided by the personal data subject or his or her representative or Roskomnadzor, or other necessary documents.

6.9. If illegal processing of personal data is revealed during the inquiry (request) of the personal data subject, his or her representative or Roskomnadzor, the Operator shall block the illegally processed personal data concerning this personal data subject, from the moment of such inquiry or receipt of request.

6.10. In case of achieving the goals of personal data processing, as well as in case of revocation of the personal data subject’s consent to their processing, personal data shall be subject to destruction:

·    unless otherwise provided for in the contract, to which the personal data subject is a party, beneficiary or guarantor, provides for otherwise;

·    The Operator may not process personal data without the consent of the personal data subject on the grounds provided for by the Law on Personal Data or other federal laws;

·    unless otherwise provided for by another agreement between the Operator and the personal data subject.