1. General Provisions
1.1. This Policy on the processing of personal data (hereinafter referred to as the Policy) is drawn up in accordance with paragraph 2 of Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data" and is the fundamental internal regulatory document of the Publishing House "Medicine and Education" (hereinafter referred to as the Organization or the Operator), which defines the key areas of its activities in the processing and protection of personal data (hereinafter referred to as PD), the operator of which is the Organization.

1.2. The Policy is developed in order to implement the requirements of the legislation in the field of processing and protection of personal data and is aimed at ensuring the protection of human and civil rights and freedoms when processing personal data in the Organization, including the protection of the rights to privacy, personal, family, and medical secrets.

1.3. The provisions of the Policy apply to the processing and protection of PD received by the Organization both before and after the approval of the Policy, except in cases where, for legal, organizational, or other reasons, the provisions of the Policy cannot be applied to the processing and protection of PD received before its approval.

1.4. The processing of PDs in the Organization is carried out in connection with the Organization's functions, as specified in its founding documents, and determined by:
– Federal Law No. 152-FZ dated July 27, 2006, “On Personal Data”;
– Decree of the Government of the Russian Federation No. 687 dated September 15, 2008, “On Approval of the Regulations on the Peculiarities of Processing Personal Data without the Use of Automation Tools”;
– Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, “On Approval of the Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems”;
– other regulatory legal acts of the Russian Federation.

In addition, the processing of personal data in the Organization is carried out in the course of employment and other directly related relations in which the Organization acts as an employer (Chapter 14 of the Labor Code of the Russian Federation), in connection with the implementation of the Organization's rights and obligations as a legal entity.

1.5. The Organization has the right to make changes to this Policy. When making changes, the date of the last update of the Policy is indicated in the Policy title. The new version of the Policy becomes effective as soon as it is posted on the Organization's website, unless otherwise specified in the new version of the Policy.

1.6. The current version is stored at the Organization's location at the following address: 22 Oktyabrsky Avenue, Kemerovo, 650066, Russia. The electronic version of the Policy is available at the following URL: http://mednauki.ru/

2. Terms and Abbreviations

Personal data (PD) – any information relating directly or indirectly to a specific or identifiable individual (personal data subject);
Processing of personal data – any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data;
Operator – a state body, municipal body, legal entity, or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data;
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;
Blocking of personal data – temporary cessation of the processing of personal data (except in cases where processing is necessary to clarify the personal data);
Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) that destroy the material carriers of personal data;
Anonymization of personal data – actions that make it impossible, without the use of additional information, to determine that personal data belong to a specific personal data subject;
Automated processing of personal data – processing of personal data using computer technology;
Personal data information system (PDIS) – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing.

3. Principles of Personal Data Security

3.1. The main objective of ensuring the security of PD during their processing in the Organization is to prevent unauthorized access to them by third parties and to prevent deliberate software, technical, and other interference aimed at stealing, destroying, or distorting PD during processing.

3.2. To ensure the security of PD, the Organization is guided by the following principles:
– legality: the protection of personal data is based on the provisions of regulatory legal acts and methodological documents of the authorized state bodies in the field of processing and protection of personal data;
– systematicity: the processing of personal data in the Organization is carried out taking into account all interrelated, interacting, and time-varying elements, conditions, and factors that are significant for understanding and solving the problem of ensuring the security of personal data;
– comprehensiveness: the protection of personal data is built using the functionality of the information technologies implemented in the Organization's information systems, as well as other systems and means of protection available in the Organization;
– continuity: the protection of personal data is ensured at all stages of their processing and in all modes of operation of the personal data processing systems, including during repair and maintenance work;
– timeliness: measures that ensure an appropriate level of personal data security are taken before the processing of personal data begins;
– continuous improvement: measures and tools for protecting personal data are modernized and enhanced based on the results of analyzing the practice of processing personal data in the Organization, taking into account newly identified methods and tools for implementing threats to the security of personal data, as well as domestic and foreign experience in the field of information protection;
– personal responsibility: responsibility for ensuring the security of PD is assigned to Employees within the scope of their duties related to the processing and protection of PD;
– minimization of access rights: access to PD is granted to Employees only to the extent necessary for the performance of their official duties;
– flexibility: PD protection functions continue to be implemented when the characteristics of the Organization's information systems or the volume and composition of the processed PD change;
– specialization and professionalism: PD security measures are implemented by Employees who have the necessary qualifications and experience;
– effectiveness of personnel selection procedures: the Organization's personnel policy provides for the careful selection of personnel and the motivation of Employees in order to exclude or minimize the possibility of their violating the security of personal data;
– observability and transparency: measures to ensure the security of personal data are planned in such a way that the results of their implementation are clearly observable (transparent) and can be assessed by those who carry out control;
– continuous monitoring and evaluation: procedures are established for continuous monitoring of the use of systems for processing and protecting personal data, and the results of monitoring are regularly analyzed.

3.3. The Organization does not process PD in a manner incompatible with the purposes for which they were collected. Unless otherwise provided by federal law, upon completion of the processing of PD by the Organization, including upon achievement of the purposes of processing or upon the loss of the need to achieve those purposes, the PD processed by the Organization are destroyed or anonymized.

3.4. When processing PDs, the Organization ensures that they are accurate, sufficient, and, if necessary, relevant to the purposes of processing. The Organization takes necessary measures to remove or clarify incomplete or inaccurate PDs.

4. Processing of personal data

4.1. Obtaining PD

4.1.1. All PD should be obtained directly from the subject. If the subject's PD can only be obtained from a third party, the subject must be notified of this or their consent must be obtained.

4.1.2. The operator must inform the subject about the purposes, intended sources, and methods of obtaining PD, the nature of the PD to be obtained, the list of actions to be performed with PD, the period during which the consent is valid, and the procedure for revoking it, as well as the consequences of the subject's refusal to give written consent to their receipt.

4.1.3. Documents containing PD are created by:
a) copying the original documents (passport, educational document, TIN certificate, pension certificate, etc.);
b) employees of the editorial office entering the information received from the authors and users of the Organization's website into the registration forms;
c) obtaining the originals of the necessary documents (work book, medical report, character reference, etc.);
d) the authors and users of the Organization's website independently entering the information into the electronic forms.
The procedure for the subject's access to their personal data processed by the Organization is determined in accordance with the legislation and is specified in the Organization's internal regulatory documents.

4.2. Processing of Personal Data

4.2.1. Processing of personal data is carried out:
– with the consent of the personal data subject to the processing of their personal data;
– in cases where the processing of personal data is necessary for the implementation and performance of the functions, powers, and duties assigned by the legislation of the Russian Federation;
– in cases where the personal data being processed have been made accessible to an unlimited number of persons by the personal data subject or at their request (hereinafter referred to as personal data made publicly available by the personal data subject).
Employees' access to the processed PD is granted in accordance with their official duties and the requirements of the Organization's internal regulatory documents.
Employees who are allowed to process PD are required to sign a document that sets out the Organization's procedures for processing PD, including the rights and responsibilities of individual Employees.
The Organization takes measures to address any violations of the legislation regarding the processing and protection of PD.

4.2.2. The purposes of processing PD:
– providing users (including subscribers) with access to scientific and information materials published on the website of the journal Politravma;
– publishing scientific and information materials provided by the authors in the journals Medicine in Kuzbass and Mother and Child in Kuzbass, which are published by the Organization;
– the implementation of labor relations;
– the implementation of civil law relations.

4.2.3. Categories of subjects of personal data

The Organization processes the personal data of the following subjects:
– individuals who are in employment relations with the Organization;
– individuals who have left the Organization;
– individuals who are candidates for employment;
– individuals who are in civil law relations with the Organization.

4.2.4. Personal data processed by the Organization:

– data obtained during employment relations;
– data obtained for the selection of candidates for employment in the organization;
– data obtained in the course of civil law relations.

4.2.5. Personal data processing is carried out:

– using automation tools;
– without using automation tools.

4.3. Storage of PD

4.3.1. PD of subjects can be obtained, further processed, and stored both on paper and in electronic form.

4.3.2. Personal data recorded on paper media is stored in locked cabinets or in locked rooms with limited access (registrar's office).

4.3.3. Personal data of subjects processed using automation tools for different purposes is stored in different folders (tabs).

4.3.4. It is not allowed to store or place documents containing personal data in open electronic directories (file sharing services) in the PDIS.

4.3.5. Personal data is stored in a form that allows the personal data subject to be identified for no longer than is necessary for the purposes of processing, and it is destroyed when the purposes of processing are achieved or when it is no longer necessary to achieve them.

4.4. Destruction of Personal Data

4.4.1. Documents (media) containing personal data are destroyed by burning, crushing (grinding), chemical decomposition, or transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.

4.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.

4.4.3. The destruction is carried out by a commission. The fact of destruction of personal data is confirmed by a document on the destruction of media signed by the members of the commission.

4.5. Transfer of personal data

4.5.1. The organization transfers personal data to third parties in the following cases:
– the subject has expressed his consent to such actions;
– transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by the legislation.

4.5.2. List of persons to whom PD are transferred

Third parties to whom PD are transferred:
– Pension Fund of the Russian Federation for registration (on legal grounds);
– Tax authorities of the Russian Federation (on legal grounds);
– Social Insurance Fund (on legal grounds);
– Territorial Fund of Mandatory Medical Insurance (on legal grounds);
– banks for payroll (based on the contract);
– judicial and law enforcement agencies in cases established by law;
– credit bureau (with the subject’s consent);
– law firms operating within the framework of the Russian Federation legislation, in case of non-performance of obligations under the loan agreement (with the subject’s consent).

5. Personal Data Protection

5.1. In accordance with the requirements of regulatory documents, the Organization has established a personal data protection system (PDPS), consisting of legal, organizational, and technical protection subsystems.

5.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents that ensure the creation, operation, and improvement of the PDPS.

5.3. The organizational protection subsystem includes the organization of the PDPS management structure, the authorization system, information protection when working with employees, partners, and third parties, information protection in the open press and in publishing and advertising activities, and analytical work.

5.4. The technical protection subsystem includes a set of technical, software, and hardware tools that ensure the protection of personal data.

5.5. The main measures for protecting personal data used by the Organization are:

5.5.1. Designation of a person responsible for the processing of personal data, who organizes the processing of personal data, provides training and instructions, and conducts internal control over compliance with the requirements for protecting personal data by the organization and its employees;

5.5.2. Identification of current security threats to PD during their processing in the PDIS, and development of measures and activities to protect PD;

5.5.3. Development of a policy regarding the processing of personal data;

5.5.4. Establishment of rules for access to PD processed in the PDIS, as well as ensuring the registration and accounting of all actions performed with PD in the PDIS;

5.5.5. Establishing individual passwords for employees' access to the information system in accordance with their work duties;

5.5.6. Using information protection tools that have passed the established conformity assessment procedure, accounting for machine media containing personal data, and ensuring their safety;

5.5.7. Using certified antivirus software with regularly updated databases;

5.5.8. Using certified software to protect information from unauthorized access;

5.5.9. Using a certified firewall and intrusion detection tools;

5.5.10. Compliance with the conditions that ensure the safety of PD and prevent unauthorized access to them, as well as assessment of the effectiveness of the measures taken and implemented to ensure the security of PD;

5.5.11. Establishing access rules for the processed PD, ensuring the registration and accounting of actions performed with PD, as well as detecting unauthorized access to personal data and taking appropriate measures;

5.5.12. Restoration of PD modified or destroyed as a result of unauthorized access to them;

5.5.13. Training of the Organization's employees directly involved in the processing of personal data in the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, the documents defining the Organization's policy regarding the processing of personal data, and local acts on the processing of personal data;

5.5.14. Implementation of internal control and audit.

6. The main rights of the PD subject and the obligations of the Organization

6.1. Basic rights of the PD subject
The PD subject has the right to receive information concerning the processing of his personal data, including:
– confirmation of the fact of processing of personal data by the operator;
– legal grounds and purposes of processing of personal data;
– purposes and methods of processing of personal data used by the operator;
– name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the operator or on the basis of a federal law;
– processed personal data related to the relevant personal data subject, the source of their acquisition, unless otherwise provided for by federal law;
– the terms of processing personal data, including the terms of their storage;
– the procedure for the personal data subject to exercise the rights provided for by the Federal Law “On Personal Data”;
– information on the actual or intended cross-border transfer of data;
– the name or surname, first name, patronymic, and address of the person who processes personal data on behalf of the operator, if the processing is or will be entrusted to such a person;
– other information provided for by the Federal Law “On Personal Data” or other federal laws.

The subject of personal data has the right to request the operator to clarify his personal data, block it, or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, and to take legal measures to protect his rights.

6.2. Obligations of the Organization

The Organization is obliged to:
– provide information about the processing of personal data when collecting it;
– in cases where the PD were not obtained from the PD subject, notify the subject;
– if the subject refuses to provide PD, explain the consequences of such refusal to the subject;
– publish or otherwise provide unlimited access to the document defining its policy regarding the processing of PD, as well as information about the implemented requirements for the protection of PD;
– take the necessary legal, organizational, and technical measures, or ensure that they are taken, to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, provision, and dissemination, as well as from other unauthorized actions in relation to PD;
– respond to requests and appeals from PD subjects, their representatives, and the authorized body for the protection of the rights of PD subjects.