The Regulation on Personal Data Processing and Protection
1. General Provisions
1.1. The Regulation on Personal Data Processing and Protection (hereinafter, the “Regulation”) has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, Federal Law No. 149-FZ On Information, Information Technologies, and Protection of Information, Federal Law No. 152-FZ On Personal Data, and other regulations of the Russian Federation in the field of personal data protection.
1.2. This Regulation determines the procedure for working with the personal data of the following individuals, being processed by the NITA-FARM, Limited Liability Company (NITA-FARM, LLC) (hereinafter, referred to as the “Operator,” the “Company”) in connection with its activities:
• Individuals who are applicants for vacant positions;
• Individuals, employees who have concluded employment contracts with the Operator/former employees;
• Individuals who have concluded civil contracts;
• Other individuals who have consented to the processing of their personal data by the Operator (visitors to the Company’s website, proxies of the Company, etc.),
hereinafter, referred to as the “Personal Data Subjects.”
1.3. Objectives of this Regulation:
• Ensuring the legality of the collection and determining the procedure for processing personal data of Personal Data Subjects;
• Regulation of labor relations with the Operator employees (registration of labor relations, training, and promotion, formation of an employee pool, ensuring personal safety, control of the amount and quality of work performed, implementation of the labor function, and remuneration);
• Ensuring the protection of rights and freedoms of Personal Data Subjects when processing their personal data;
• Establishment of responsibility of officers having access to personal data for failure to ensure the implementation of requirements of the legislation of the Russian Federation in the field of personal data processing;
• Ensuring access and internal security policy implementation at the Operator’s facilities;
• Operator carrying out its activities;
• Performance of terms and conditions of the contracts with counterparties.
Tasks to be solved in the course of personal data processing:
• Documented support for personal data processing;
• Providing sufficient and effective measures to protect the documented information containing personal data from unauthorized access, distortion, destruction as well as ensuring that owners are able to access their personal data;
• Ensuring timely preventing violations of the legislation of the Russian Federation in the field of personal data protection, promptly identifying violations, and eliminating their consequences.
1.4. This Regulation is binding on all Operator employees working under an employment contract, directly processing and having access to personal data of Personal Data Subjects or on other legal grounds in the manner and on the conditions provided for by this Regulation.
1.5. Personal Data Subjects have to familiarize themselves with this Regulation: applicants for vacant positions, employees/former employees of the Operator, individuals who have entered into civil contracts — with signature confirmation, other persons — on the Company’s website.
1.6 The matters related to processing and protection of personal data of Personal Data Subjects, not considered in this Regulation, shall be regulated by the current legislation or local acts of the Employer.
2. Terms and Definitions
2.1. In this Regulation the following terms and definitions are used:
• Personal data shall mean any information relating to an individual who has been or is being identified based thereon (Personal Data Subject);
• Operator shall mean an entity carrying out independently processing of personal data and identifying the objectives of personal data processing, composition of personal data to be processed, and actions (operations) to be performed to personal data;
• Personal data confidentiality shall mean a mandatory requirement for Employees who have access to personal data to avoid their distribution without notification of the personal data subject or other legal grounds;
• Processing of personal data shall mean collection, arrangement, accumulation, storage, clarification (update, change), use, distribution (including transfer), depersonalization, blocking, destruction of personal data;
• Protection of personal data shall mean activities of authorized persons to ensure regulation of the procedure for processing personal data and ensuring organizational and technical measures to protect information from unauthorized access, destruction, modification, blocking, copying, provision, distribution;
• Distribution of personal data shall mean actions to transfer personal data of Personal Data Subjects to a certain group of persons or familiarization with the personal data of an unlimited number of persons, including disclosure of personal data of Personal Data Subjects in the media, posting on information and telecommunication networks, or otherwise providing access to employees’ personal data;
• Use of personal data shall mean actions (operations) with personal data, performed by an authorized officer of the Company to make decisions or perform other actions that generate legal consequences for employees or otherwise impact their rights and freedoms or the rights and freedoms of others;
• Blocking personal data shall mean temporary cessation of collection, arrangement, accumulation, use, distribution of personal data, including their transfer;
• Destruction of personal data shall mean actions which result in the impossibility of restoring the content of personal data or in the destruction of tangible mediums with personal data;
• Depersonalization of personal data shall mean actions which result in the impossibility to determine the belonging of personal data to a specific Personal Data Subject;
• Publicly available personal data shall mean personal data, access to which for an unlimited range of people is provided with the consent of the Personal Data Subject or to which, in accordance with federal laws, the requirement of confidentiality does not apply;
• Personal data information system shall mean an information system which is a collection of personal data contained in a database, as well as information technologies and technical means that allow processing such personal data, either using (or not) automation tools or not;
• Biometric personal data shall mean information that designates the physiological characteristics of a person and based on which it is possible to establish the person’s identity, including photographs, fingerprints, retinal scans, features of the body structure, and other similar information.
3. Scope of Personal Data
3.1. For the purposes specified in Clause 1.3 of this Regulation, the Operator processes the following personal data of the following Personal Data Subjects:
Personal data to be processed |
Personal Data Subjects |
|
||
Applicants for vacant positions |
Employees / former employees |
Persons who have concluded civil contracts |
Other persons |
|
|
|
|||
Application form and data for interviewing an applicant for a vacant position |
+ |
|
|
|
Name, patronymic, surname |
+ |
+ |
+ |
+ |
Name, patronymic, surname given at birth, if changed |
+ |
+ |
|
|
Day, month, and year of birth |
+ |
+ |
|
|
Passport data or data of another identity document (series, number, date of issue, name of the issuing authority) |
+ |
+ |
+ |
+ |
Nationality |
+ |
+ |
|
|
Gender |
+ |
+ |
|
|
Address and date of registration of the place of residence according to the passport |
+ |
+ |
+ (no registration date) |
|
Actual residence address |
+ |
+ |
|
|
Mobile and home telephone numbers, email address |
+ |
+ |
+ |
+ |
Data on education, qualifications, expert knowledge, or special training (series, number and date of diploma, certificate or another document on graduation from an educational institution, name and location of the educational institution, training commencement and completion dates, faculty or department, qualification, and specialty after graduation, academic degree) |
+ |
+ |
|
|
Foreign language proficiency |
+ |
+ |
|
|
Data on advanced training and retraining (series, number, date of issue of a document on advanced training or retraining, name and location of the educational institution, training commencement and completion dates, qualifications and specialty after graduation, and other information) |
+ |
+ |
|
|
Data on professional experience (data on employment periods, name of organization, name of position/occupation, job duties, reason for dismissal) |
+ |
+ |
|
|
Data on the military registration of persons liable for military service and persons subject to recruitment (series, number, date of issue, name of the authority that issued the military ID, military registration specialty, military rank, data on the registration/deregistration(s), and other information) |
+ |
+ |
|
|
Data on the marital status and members of the family (marriage status, copy of marriage certificate, name, patronymic, surname, year of birth, place of employment, position, residence address of the spouse, children) |
+ |
+ |
|
|
Data on the number of the state pension insurance certificate (SNILS) |
+ |
+ |
+ |
|
Certificate or information on the assignment of a taxpayer identification number (TIN), if any |
+ |
+ |
+ |
|
Data on the employment contract (No. of the employment contract, its conclusion (expiration) date, type of work, term of the employment contract, probation period (if any), work schedule, duration of the annual main (if any additional) paid leave(s), rights and obligations of the parties to the employment contracts, additional social benefits and guarantees, number and date of the amendment to the employment contract, nature of work, wages, working conditions, workweek period |
|
+ |
|
|
Record of service and additional data thereto, information on the number, series, and date of issue of the record of service (additional data), and entries therein |
|
+ |
|
|
T-2 card – Employee Data Card |
|
+ |
|
|
Personal files of employees in print format |
|
+ |
|
|
Data in the originals and copies of orders for the Company personnel and those orders’ materials, including information on vacations, business trips, etc. |
|
+ |
|
|
Data on state and departmental awards, honorary and special titles, incentives (including the name of the award, title, and incentive, the date and type of the regulatory document on awarding, or the date of incentive) for the Company employees |
+ |
+ |
|
|
Data on wages (account numbers for settlements with employees, including their bank card numbers) |
|
+ |
|
|
Data on the amounts paid under civil contracts |
|
|
+ |
|
Data on certification, questionnaire survey, testing, and assessment of the Company’s employees |
|
+ |
|
|
Data on internal official investigations in respect of the Company’s employees |
|
+ |
|
|
Data on temporary disability of the Personal Data Subject of the Company |
|
+ |
|
|
Employee ID of the Personal Data Subject of the Company |
|
+ |
|
|
Data on social benefits and social status (series, number, date of issue, name of the authority that issued the document that is the grounds for granting benefits and status, and other information) |
+ |
+ |
|
|
Data on work in civil service positions |
+ |
+ |
|
|
NDFL-2 statement |
|
+ |
|
|
Statement for calculation of temporary disability benefits |
|
+ |
|
|
Results of medical examinations pursuant to the requirements of the current legislation |
+ |
+ |
|
|
Biometric personal data |
|
|||
Photograph |
+ |
+ |
|
|
Video surveillance |
+ |
+ |
|
|
Note: “+” to be processed
3.2. Before signing the employment contract, the Employee is notified in writing of the video surveillance on the territory of the Company. In cases where the video surveillance system allows tracking employee activities in the workplace or in other areas closed to public access, such surveillance shall be considered the processing of personal data.
4. Confidentiality of Personal Data
4.1 All personal data are confidential, except for the publicly available personal data. Distribution of confidential personal data without the consent of the Personal Data Subject is not allowed.
4.2 All confidentiality measures for collection, processing, and storage of personal data of Personal Data Subjects shall apply to both print-format and electronic (automated) media.
4.3 The confidentiality requirement for personal data does not apply in cases of their depersonalization and after seventy-five (75) years of their storage period, and in other cases provided for by the legislation.
5. Requirements for Personal Data Processing
5.1. The Operator shall obtain all personal data of the Personal Data Subject from the Subject himself/herself. The Personal Data Subject shall decide independently on the provision of his/her personal data and give consent to their processing. Consent to personal data processing shall be given in writing.
The forms of consent of the Personal Data Subjects to processing personal data are given in Annexes No. 1, 2, 3 to this Regulation:
• Annex No. 1 — Consent to processing job applicants’ data;
• Annex No. 2 — Consent to processing employees’ data when hiring;
• Annex No. 3 — Consent to processing partners’ (contractors’) personal data.
5.2. The Operator is not entitled to obtain and process personal data of the Personal Data Subject on his/her race, ethnic origin, political views, religious or philosophical beliefs, health status, private life. In accordance with Article 24 of the Constitution of the Russian Federation, in cases directly related to labor relations, the Operator is entitled to obtain and process data on the private life of the employee — only with his/her written consent.
5.3. Consent to personal data processing can be revoked by the Personal Data Subject in writing (Annex No. 4).
5.4. In case of disability or minority of the Personal Data Subject, all personal data shall be obtained from his/her legal representatives: parents, guardians, trustees.
5.5. If personal data of the Personal Data Subject can only be obtained from a third party, then the Personal Data Subject must be notified thereof at least three (3) business days in advance (Annex No. 5) and he/she must give written consent/refusal (Annex No. 6) within five (5) business days from the date of receipt of the relevant notification.
5.6. It is allowed to process personal data of Personal Data Subjects without their consent in the following cases:
• Personal data are publicly available (e.g., registration and sending correspondence via mail communications, issue of one-time passes);
• Processing personal data of the Personal Data Subject is required to protect the life, health, or other vital interests of the employee and/or other persons — when it is impossible to obtain the consent of the Personal Data Subject;
• At the request of authorized state agencies in cases stipulated by federal laws;
• Processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory depersonalization of personal data;
• Personal data processing is carried out in cases stipulated by the employment contract, internal labor regulations, and local acts of the Operator, adopted in the manner prescribed by Articles 5, 8, 12 of the Labor Code of the Russian Federation;
• Processing of personal data of close relatives of Personal Data Subjects (Company employees) is carried out in the amount provided for by unified form No. T-2 approved by Order No. 11/odk of the Deputy Director General of NITA-FARM, LLC dated December 29, 2011, or in cases provided for by the legislation of the Russian Federation (receipt of alimony, registration of social payments). In other cases, obtaining the consent of close relatives of the Personal Data Subject is a prerequisite for processing their data;
• If the processing of personal data of Personal Data Subjects is carried out during the implementation of access control to the territory of buildings and premises of the Operator, provided that the Operator arranges independently the access control or the specified processing complies with the procedure provided for by the local acts of the Operator.
5.7. The Operator shall provide Personal Data Subject or his/her legal representative with access to his/her personal data upon receipt of a written request from the Personal Data Subject or his/her legal representative. A written request must be addressed to the head of the Company or a person authorized by him/her (Annex No. 7).
5.8. The Personal Data Subject is entitled to appeal to an authorized agency to seek the protection of rights of personal data subjects or appeal to a court on the matter of the Operator’s illegal actions or inaction when processing and protecting his/her personal data.
6. The Procedure for Obtaining and Processing Personal Data
6.1. The receipt of personal data is carried out in accordance with the regulations of the Russian Federation in the field of labor relations, the Regulation on the Processing and Protection of Personal Data and orders of the Operator, on the grounds of the Subjects’ consent to processing their personal data.
6.2. Documents containing personal data of Personal Data Subjects are drawn up by:
• Selecting applicants for vacant positions;
• Drawing up a set of documents accompanying the process of registration of labor relations with the Personal Data Subject upon acceptance, transfer, or dismissal, by entering information into accounting forms;
• Copying the original documents of the Personal Data Subjects;
• Obtaining originals of documents of the Personal Data Subjects;
• Executing civil contracts;
• Filling out electronic/print-format forms containing personal data.
6.3. Personal data of Personal Data Subjects can be obtained, further processed, and transferred for storage in both print and electronic format.
6.4. Personal Data Subject is an applicant for a vacant position. During the selection for a vacant position, he/she fills out an application-consent to processing personal data and an applicant’s questionnaire. The applicant’s questionnaire is a list of questions, and it contains the personal data of the Personal Data Subject. If clarification or additional data on the information provided in the questionnaire are required, then with the written consent of the Candidate, the Operator is entitled to send inquiries to his/her previous places of employment.
6.4.1. The Operator is entitled to process personal data of job applicants without their consent in the following cases:
• If a recruiting agency acts on behalf of the applicant with which the Personal Data Subject has concluded into an appropriate agreement;
• When the applicant posted his/her resume on the Internet independently, and it became available to an unlimited range of people.
6.4.2. If the Operator receives a resume prepared in free form, because of which it is not possible to determine unambiguously the individual who sent it, such resume is destroyed on the day of receipt.
6.4.3. In case of a positive decision on the employment of an applicant for a vacant position, the original of the questionnaire, test results, and other documents obtained as a result of selection are transferred to the HR department and stored in the personal file of the Personal Data Subject.
6.4.4. The questionnaires of applicants who did not pass the selection are destroyed after ninety (90) calendar days from the date the vacancy was closed.
6.5. When applying for a job, the Employee Personal Data Subject shall present the following documents:
• Passport or another identity document;
• Record of service, except for cases when an employment contract is concluded for the first time or an employee takes a part-time job, or the employee does not have a record of service due to its loss or for other reasons;
• State pension insurance certificate;
• Military registration documents (for persons liable for military service and persons subject to military registration);
• Document on education, qualifications, or special knowledge — when applying for a job that requires special knowledge or special training;
• TIN assignment certificate (if any);
• Other documents in accordance with the requirements of the current legislation and an application-consent filled out for the processing of personal data.
6.5.1. For each Operator Employee, a print-format personal file is set up and maintained, whereto the originals/copies of documents regulating his labor activity are filed in the course of the Employee’s labor activities. All documents added to a personal file are arranged in chronological order.
6.5.2. Personal data of the Employee are entered into electronic directories of the program 1C:Enterprise 8.2 and are stored in electronic form in the local computer network, in the personal computers of the Operator employees who have access to processing personal data.
6.5.3. After the Employee is dismissed, his/her print-format personal file shall be stored in the archives of the Operator’s HR department for the period specified by the current legislation.
6.6. In the process of carrying out economic activities, the Operator draws up civil contracts with the Contractor Personal Data Subjects:
• Before signing a civil contract, the Contractor fills out an application-consent to the processing of personal data. To conclude a civil contract, he/she provides the original passport, SNILS, TIN (if any), data on the registration address, contact telephone number.
6.7. Other persons (visitors to the Company’s website, proxies, etc.) submit personal data in ways that do not contradict the legislation of the Russian Federation, local acts of the Operator, and the requirements of international legislation on personal data protection.
7. Access to Personal Data
7.1 Procedure for access to personal data of Personal Data Subjects (internal access):
The Operator employees duly authorized in the prescribed manner, with whom the Obligation of Nondisclosure of Employees’ Personal Data (Annex No. 8) or a supplementary agreement to the employment contract permitting the processing of personal data has been concluded, are allowed to process personal data.
7.2. A specific list of persons who have access to personal data and carry out their processing is approved by the order of the Deputy Director General and stored in the HR department.
7.3. Only those employees of the Operator who need personal data for the performance of their labor functions have access to the personal data of the Personal Data Subjects.
7.4 In case of accidental receipt of personal data by an unauthorized person, a nondisclosure obligation must also be concluded with him/her.
Deliberate receipt of personal data by unauthorized persons shall serve as the grounds for prosecution provided for by the legislation of the Russian Federation.
7.5. The Operator employees who have access to the personal data of the Personal Data Subjects:
• Shall ensure storage of information containing personal data of Personal Data Subjects and exclude third-party access thereto. In the absence of the Operator employee at his/her workplace, there shall be no documents containing personal data of the Personal Data Subjects (“Clean Table Policy”);
• In case of long-term absence from his/her workplace, the Operator employee shall transfer documents and other media containing personal data of the Personal Data Subjects to the person who will be entrusted with the performance of his/her job duties.
7.6. Access to the automated information system of the Operator is regulated by the security policy of that system implemented using technical and organizational measures.
7.7. Each user has an individual account that defines his/her rights and powers in the automated information system. It is not allowed to share account information with others. The user is personally liable for the confidentiality of his/her own account information.
It is prohibited to use other users’ accounts to access the automated information system of the Operator.
Authorized system administrators are responsible for creating, deleting, and changing user accounts in an automated information system in accordance with their job duties.
7.8. The following state and nonstate functional institutions have external access to the personal data of Personal Data Subjects:
• Tax inspectorates;
• Law-enforcement agencies;
• Statistical agencies;
• Insurance agencies;
• Military commissariats;
• Social insurance agencies;
• Pension funds;
• Subdivisions of municipal authorities.
8. Procedure for Storage and Protection of Personal Data
8.1 Documents containing personal data are subject to storage and destruction in the manner prescribed by the archival legislation of the Russian Federation.
8.2 Personal data shall be stored in a form that allows determining the Personal Data Subject (for not longer than the purpose of their processing requires), and they are subject to destruction upon achievement of the processing objective or in case achieving it is no longer needed.
8.3. The procedure for storing personal data in print format:
8.3.1 All print-format personal data are stored in places not available to unauthorized persons, in specially designated safes, iron or other lockable cabinets.
Keys to safes and cabinets are kept by the heads of structural subdivisions and, in their absence, by their deputies.
8.4. The procedure for storing personal data in electronic form:
8.4.1. Personal data in electronic form are stored in the Operator’s local computer network, using specialized software compliant with the security requirements, in archive copies in electronic folders and files on personal computers of the Company employees who are allowed to process personal data.
8.4.2. Protection of access to electronic databases containing personal data is ensured by:
• The use of licensed anti-virus and anti-hacker programs that prevent unauthorized access to the Company’s local network;
• The restriction of access rights when using an account.
8.4.3. All electronic folders and files containing personal data are protected by a password set by the Company employee responsible for the personal computer.
8.5. Protection of Personal Data
8.5.1 Protection of personal data is understood as a set of measures (organizational, administrative, technical, legal) aimed at preventing unauthorized or accidental access to, destruction, modification, blocking, copying, distribution of personal data of Subjects as well as protection against other illegal actions.
8.5.2. Operator employees who have access to personal data shall take the organizational and technical measures required to protect personal data from unauthorized or accidental access to, destruction, modification, blocking, copying, distribution of them as well as from other illegal actions regarding this information.
8.5.3 The premises in which tangible media containing personal data of the Personal Data Subjects are stored shall be equipped with reliable locks and alarms, and the premises must be locked during business hours, in absence of persons authorized to receive, process, store, transfer, etc. personal data.
8.6. External Protection
To protect information related to personal data, the Company creates targeted unfavorable conditions and difficult obstacles for persons who try to gain unauthorized access to the information and take possession of it.
Personal data protection is a strictly regulated and dynamically technological process that prevents violation of access, integrity, reliability, and confidentiality of personal data and, ultimately, ensures sufficiently reliable security of information in the course of managerial and production activities of the Operator.
8.7. Protection of personal data of Personal Data Subjects from unlawful use or loss is provided by the Operator at its expense in the manner prescribed by the Labor Code of the Russian Federation.
9. Transfer of Personal Data
9.2. When transferring personal data of the Personal Data Subject within the Company, to other organizations, state authorities, or individuals, the Operator must comply with the following requirements:
• Not disclose personal data of the Personal Data Subject to a third party without the Personal Data Subject’s written consent, except in cases when it is required to prevent a threat to life and health of the Personal Data Subject as well as in cases provided for by the legislation of the Russian Federation;
• Not to disclose personal data of the Personal Data Subject for commercial purposes without his/her written consent;
• Warn the persons obtaining personal data of the Personal Data Subject that these data can be used only for the purposes for which they are communicated and demand confirmation from these persons that these rules have been observed. Persons obtaining personal data of the Personal Data Subject are required to comply with the confidentiality policy.
9.4. Protection of access to electronic databases containing personal data is ensured by:
• The use of licensed anti-virus and anti-hacker programs that prevent unauthorized access to the Company’s local network;
• The restriction of access rights when using an account.
9.5. Authorized officers of the Operator have are entitled to transfer Employee’s data to employee representatives in the manner prescribed by the Labor Code and other federal laws and restrict this information only to those Employee’s data required for these representatives to perform their functions.
10. Rights and Obligations of the Operator
10.1. The Operator is entitled to:
• Transfer personal data within one organization in accordance with this Regulation with which Personal Data Subjects are familiarized with signature confirmation;
• Transfer personal data of the Personal Data Subject to his/her representative in the manner prescribed by the Labor Code of the Russian Federation and limit this information only to those personal data required for the specified representative to perform his/her functions.
10.2. The Operator shall:
• Protect personal data of Personal Data Subjects;
• Ensure storage of primary accounting documentation concerning labor and its payment, which, in particular, includes documents for personnel accounting, documents for recording the use of work hours and settlements with employees on remuneration, etc. Therewith, personal data shall not be stored longer than is justified by the completion of tasks for which they were collected, or longer than is required in the interests of persons whom the data concern;
• Fill out documentation containing personal data of Personal Data Subjects in accordance with the forms of primary accounting documentation for labor accounting and payment, approved by the order of the Operator;
• upon the Employee’s / former Employee’s written request, provide the latter with copies of documents related to the job (copies of the order on employment, orders on transfer to another job, orders on employment termination, extracts from the record of service, wage statements, period of work for this employer, etc.) — not later than three (3) days from the date of request. Copies of documents related to work shall be duly certified and provided to the employee free of charge.
11. Rights and Obligations of the Personal Data Subject
11.1. To ensure the protection of personal data stored by the Operator, the Personal Data Subject is entitled to:
• Obtain information on the Operator, its location, personal data in the Operator’s possession, related to the respective Personal Data Subject;
• Access all the information on his/her personal data, know who and for which purposes has used or is using his/her personal data;
• Free access to his/her personal data, including the right to obtain copies of any record containing personal data, except for cases provided for by federal law. Information on the availability of personal data shall be provided to the Personal Data Subject in an accessible form and shall not contain personal data relating to other Personal Data Subjects;
• Obtain information confirming the fact of personal data processing, information on processing methods, persons who have access to personal data, timing of personal data processing, and legal consequences thereof;
• Appoint representatives to protect his/her personal data;
• Demand exclusion or correction of incorrect or incomplete personal data as well as data processed in violation of the requirements of the Labor Code of the Russian Federation or another federal law;
• Require that the Operator clarify his/her personal data, block or destroy them if the personal data are incomplete, outdated, unreliable, has been obtained illegally, or is not required for the stated objective of processing as well as take measures provided by law to protect his/her rights;
• Require that the Operator notify all persons who have previously been provided with incorrect or incomplete personal data of the Personal Data Subject of all exceptions, corrections, or supplements thereto;
• Appeal to court against any illegal actions or inaction of the Operator when processing and protecting his/her personal data;
• Keep and protect his/her personal and family secrets, protect his/her rights and legitimate interests, including compensation for damages and/or compensation for moral damage in court.
11.2. To ensure the accuracy of personal data, the Personal Data Subject shall:
• Transfer to the Operator or its representative a set of reliable documented personal data, which composition is established by the Labor Code of the Russian Federation, this Regulation, and the Internal Labor Regulations adopted by the Company;
• Promptly, within a time frame not exceeding three (3) business days, notify the Operator of changes in his/her personal data.
12. Procedure for Destruction or Blocking of Personal Data
12.1. As provided for by the Federal Law on Personal Data, in case of unlawful processing of personal data, when dealing with the Subject or his/her representative, or at the request of the Subject or his/her representative, or an authorized agency for the protection of rights of Personal Data Subjects, the Operator shall block the unlawfully processed personal data relating to this Subject upon receipt of the said appeal or request.
12.2. As provided for by the Federal Law on Personal Data, the Operator shall cease processing personal data and destroy them (depersonalize) in case:
• The objective of processing personal data is achieved;
• Achieving the objective of personal data processing is no longer needed;
• The Subject revokes its consent to the processing of his/her personal data.
12.3. The Employer must notify the Employee of the elimination of violations or destruction of personal data.
13. Liability for Violation of Rules Regulating Personal Data Processing
13.1. Violation of requirements of this Regulation may entail civil, criminal, administrative, disciplinary, and other liability provided for by the legislation of the Russian Federation.
14. Changes, Updating, and Archiving
14.1 Upon expiration, the original of this Regulation shall be stored for three (3) years. This Regulation shall be updated as and when required but at least once every five (5) years.
14.2 This Regulation is subject to change and revision in case of changes in the current legislation.