Approved by
Order of Marvel KT LLC Director General
Kuznetsov I.A.
dated 30 July 2017
1. General provisions
1.1. This policy (hereinafter "the Policy") is generated in accordance with the Federal law dated 27.07.2006 No. 152-ФЗ "Concerning personal data" (hereinafter No. 152-ФЗ) and is an internal document of Marvel KT LLC (hereinafter "the Company") specifying the procedure for handling and protection of personal data operated by the Company.
1.2. The purpose of this Policy is to meet the requirements of legislation about personal data handling and protection and protect the civil and political rights when handling personal data by the Company.
1.3. The provisions of the Policy apply to handling and protection of the personal data received by the Company both before and after this Policy was approved, except for the cases when the provisions of the Policy are not applicable to handling and protection of the personal data received before it was approved for legal, organizational and other reasons.
1.4. The provisions of the Policy apply to handling and protection of personal data of legal successors and (or) personal data subject representatives, even if these persons are not directly mentioned in the internal regulatory documents, but in fact participate in the legal relations with the Company.
2. Principles, handling procedure and scope of the personal data handled by the Company
2.1. According to the provisions of this Policy the Company handles the personal data due to enforcement of its rights and responsibilities as a legal entity in the course of its business activity.
2.2. Due to enforcement of its rights and responsibilities as a legal entity the Company handles the personal data of its contractors (potential contractors) under civil law contracts, personal data of the leaders, members of the collective executive bodies and representatives of the legal entities, personal data of the citizens that refer to the Company in the written form to discuss its activities as well as the personal data of other individuals, if this is required for the business activity of the Company.
2.3. The personal data are received and handled by the Company in accordance with federal laws and other laws and regulation of the Russian Federation and, if necessary, with the written consent of the personal data subject.
2.4. In order to enforce its functions the Company can entrust personal data handling to the third parties under the established procedure.
The contracts concluded with the individuals entrusted for the personal data handling include the terms that oblige them to observe the legal requirements for personal data handling and protection.
2.5. The Company provides the handled personal data to the public authorities and organizations that, according to the federal law, have the right to receive the respective personal data.
2.6. The Company handles the personal data exclusively for the purpose they are collected. Unless otherwise stated in the federal law, when the Company completes the personal data handling, also when the handling objectives are achieved or these objectives are no longer pursued, the personal data handled by the Company are eliminated or depersonalized.
2.7. During the handling personal data become accurate, sufficient and, if necessary, relevant to the handling objectives. The Company takes the necessary actions to delete or clarify the incomplete or inaccurate personal data.
2.8. The major task to protect the personal data handled by the Company is to prevent unauthorized access by the third parties, prevent deliberate software, hardware and other impacts aimed at personal data theft, damage (destroy) or corruption during the handling procedure.
2.9. To protect the personal data the Company refers to the following guidelines:
1) legality: personal data protection is based on the provisions of the laws and regulations and guidance documents issued by the authorized public authorities in the field of personal data handling and protection;
2) comprehensiveness: when the Company handles the personal data it considers all the related, interactive and time-varying elements, conditions and factors crucial to understand and solve the issue of personal data protection;
3) complexity: personal data protection is built with IT capabilities implemented in the Comapany's information systems (hereinafter IS) and other systems and protective means available in the Company;
4) continuity: personal data protection is provided at every handling stage and in all the operation modes of the personal data handling systems also during the repair and maintenance;
5) actuality: the actions to ensure the appropriate level of the personal data protection are taken before the handling is started;
6) continuous improvement: modernization and improvement of the means and measures for personal data protection is based on the results of the Company's personal data handling analysis considering the new ways and means of personal data protection from threats as well as domestic and foreign experience in the field of data protection;
7) personal responsibility: responsibility for the personal data security rests upon the Employees within their duties related to personal data handling and protection;
8) minimization of the access rights: Employees receive the access to the personal data only as required for their duties;
9) flexibility: execution of the personal data protection functions in case of a change in the performance of the Company's personal data information systems (hereinafter – personal data IS) as well as in the scope and composition of the personal data being handled;
10) opened protection algorithms and mechanisms: structure, technologies and operation algorithms of the Company's personal data protection system (hereinafter – personal data PS) prevent the potential personal data security offenders from overriding the existing Company's protection systems;
11) scientific validity and technical feasibility: status of the actions to be taken in order to protect the personal data depends on the maturity of the current IT and data protection means;
12) profile and professional competence: the Employees with the respective competence and experience take the necessary actions to protect the personal data and operate the personal data PSs;
13) efficiency of selecting the staff and contractors: the Company's HR policy stands for careful staff selection and Employees motivation to prevent or minimize the chance of personal data security breach; to minimize the chance of personal data security threat due to human factor the most complete information about the Company's contractors is collected before signing the contract;
14) visibility and transparency: the actions to be taken to provide the personal data security must be planned in such a way that the results would be obviously visible (transparent) and could be estimated by the monitoring staff;
15) continuity of monitoring and evaluation: the use of the personal data handling and protection systems is continuously monitored according to the established procedures and the monitoring results are regularly analyzed.
3. Access to personal data being handled
3.1. The access to the personal data handled by the Company is granted to the persons authorized by the Company's order, persons entrusted by the Company to handle the personal data as stated in the concluded contract and persons whose personal data are to be handled.
3.2. The Employees can access the personal data being handled as dictated by their job duties and the requirements of the Company's internal regulatory documents.
3.3. The procedure for the personal data subject to access his/her personal data being handled by the Company is determined in accordance with the law.
4. Personal data protection measures
4.1. The Company takes legal, organizational and operational actions (or provides for them to be taken) required and sufficient to perform the duties stipulated in No. 152-ФЗ and laws and regulations accepted in accordance with it for personal data protection from unauthorized or accidental access, elimination, alteration, blocking, copying, reporting, distribution and other illegal actions related to personal data.
4.2. The measures specified in this Policy, including their content and selection of the personal data protection means, are determined based on the requirements of the No. 152-ФЗ and laws and regulations accepted in accordance with it.
4.3. Where the law permits, the Company handles the personal data with the consent of the personal data subjects.
The Company eliminates the detected violations from the personal data handling and protection law.
4.4. The personal data are stored in the form that allows to identify the personal data subject for no longer than it is required by the purpose of the personal data handling, if the storage period is not specified by the federal law or contract under which the personal data subject is the party, beneficiary or guarantee.
4.5. The Company introduces its employees directly involved in the personal data processing to the provisions of the personal data law, including the requirements to the personal data protection, the current Policy and other internal regulatory documents related to the personal data handling.
4.6. When handling the personal data in the personal data IS their security is achieved, for example, in the following way:
1) identification of the personal data security threats. The type of the actual personal data security threat and the required personal data protection level are determined in accordance with the legal requirements;
2) determination of the composition and content of the personal data security measures, selection of the data protection means.
3) taking organizational and operational actions aimed at providing the security of the personal data necessary to meet the requirements for the personal data protection.