NATIONAL CENTER OF STANDARD SAMPLES PRIVACY POLICY
This Personal Data Processing Policy of the Limited Liability Company "National Center of Standard Samples" (hereinafter – the Policy) is a document defining the policy of the Limited Liability Company "National Center of Standard Samples" regarding the processing of personal data.
- GENERAL PROVISIONS
- This Policy has been developed in accordance with the Constitution of the Russian Federation, Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter – the Personal Data Law) and other regulatory legal acts with the aim of ensuring the protection of the rights and freedoms of Personal Data Subjects during the processing of their personal data by the Limited Liability Company "National Center of Standard Samples", including the protection of the rights to privacy, personal and family secrets.
- Key terms used in this Policy:
- personal data – any information relating to a directly or indirectly identified or identifiable individual – the Personal Data Subject;
- personal data permitted by the Personal Data Subject for dissemination – personal data, access to which by an unlimited number of persons has been provided by the Personal Data Subject by giving consent to the processing of personal data permitted for dissemination in the manner prescribed by the Personal Data Law;
- Operator – the Limited Liability Company "National Center of Standard Samples";
- processing of personal data – any action (operation) or a set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- automated processing of personal data – processing of personal data using computer technology;
- dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
- provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;
- blocking of personal data – temporary cessation of the processing of personal data (except for cases where processing is necessary to clarify personal data);
- destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
- depersonalization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine the belonging of personal data to a specific Personal Data Subject;
- personal data information system – a set of personal data contained in databases and the information technologies and technical means ensuring their processing;
- cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.
- Rights and Obligations of the Personal Data Subject:
- The Personal Data Subject has the right to:
- Receive information in an accessible form concerning the processing of their personal data (such information must not contain personal data relating to other Personal Data Subjects, except in cases where there are legal grounds for disclosing such personal data), including:
- confirmation of the fact of personal data processing by the Operator;
- the legal grounds and purposes of personal data processing;
- the methods of personal data processing used by the Operator;
- the name and location of the Operator, information about persons (except for the Operator's employees) who have access to personal data or to whom personal data may be disclosed under an agreement with the Operator or based on regulatory legal acts;
- the processed personal data relating to the relevant Personal Data Subject, the source of their acquisition, unless a different procedure for presenting such data is provided by regulatory legal acts, as well as if the Personal Data Subject's right to access their personal data is not restricted in accordance with regulatory legal acts, including in the cases specified in Part 8 of Article 14 of the Personal Data Law;
- the terms of personal data processing, including storage periods;
- the procedure for the Personal Data Subject to exercise the rights provided for by the Personal Data Law;
- information about completed or intended cross-border data transfer;
- the name or surname, first name, patronymic, and address of the person processing personal data on behalf of the Operator, if the processing has been or will be entrusted to such a person;
- information on the methods for the Operator to fulfill the obligations established by Article 18.1 of the Personal Data Law;
- other information provided for by the Personal Data Law or other regulatory legal acts.
- Require the Operator to clarify, block, or destroy their personal data if they are incomplete, outdated, inaccurate, illegally obtained, or are not necessary for the stated purpose of processing, and to take measures provided for by regulatory legal acts to protect their rights.
- Challenge the actions or inaction of the Operator to the authorized body for the protection of the rights of personal data subjects or in court (including claiming compensation for damages and/or moral harm in court), if the Personal Data Subject believes that the Operator processes their personal data in violation of the requirements of the Personal Data Law or otherwise violates their rights and freedoms.
- Exercise other rights provided for by the Personal Data Law and other regulatory legal acts.
- Personal Data Subjects are obliged to fulfill the obligations provided for by the Personal Data Law and other regulatory legal acts.
- Rights and Obligations of the Operator
- The Operator has the right to:
- Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Personal Data Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by regulatory legal acts.
- In the manner established by Part 3 of Article 6 of the Personal Data Law, entrust the processing of personal data to another person with the consent of the Personal Data Subject, unless otherwise provided by regulatory legal acts. The person processing personal data on behalf of the Operator is not required to obtain the consent of the Personal Data Subject for such processing.
- In the event of the Personal Data Subject's withdrawal of consent to the processing of personal data, continue such processing without the Subject's consent if there are grounds specified in Clauses 2–11 of Part 1 of Article 6, Part 2 of Article 10, and Part 2 of Article 11 of the Personal Data Law.
- Exercise other rights provided for by the Personal Data Law and other regulatory legal acts.
- The Operator is obliged to:
- Provide the Personal Data Subject, upon their request, with the information provided for by Part 7 of Article 14 of the Personal Data Law.
- Explain to the Personal Data Subject the legal consequences of refusing to provide their personal data and/or give consent to their processing, if in accordance with regulatory legal acts the provision of personal data and/or the Operator's obtaining consent for their processing are mandatory.
- Before starting the processing of personal data obtained not from the Personal Data Subject, provide the latter with the following information: the name or surname, first name, patronymic and address of the Operator or its representative; the purpose and legal basis for processing personal data; the list of personal data; the intended users of personal data; the rights of the Personal Data Subject established by the Personal Data Law; the source of the personal data. The Operator is exempt from the obligation to provide the Personal Data Subject with the specified information in the cases provided for in Part 4 of Article 18 of the Personal Data Law.
- Ensure the recording, systematization, accumulation, storage, clarification (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in Clauses 2, 3, 4, 8 of Part 1 of Article 6 of the Personal Data Law.
- Take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by this Policy, the Personal Data Law and the regulatory legal acts adopted in accordance with it.
- Familiarize its employees directly involved in processing personal data with this Policy and local acts on personal data processing issues.
- Fulfill other obligations provided for by the Personal Data Law and other regulatory legal acts.
- PURPOSES OF PERSONAL DATA PROCESSING
The processing of personal data, including their collection, is carried out by the Operator for the following purposes:
- carrying out labor and other relations directly related to labor between the Operator and its employees and job applicants, including maintaining personnel and accounting records, assisting in employment (personnel selection), and complying with the labor legislation of the Russian Federation;
- filling out and submitting required reporting forms to authorized bodies, and complying with the insurance, pension, and tax legislation of the Russian Federation;
- carrying out the Operator's business activities, including concluding, executing, and terminating contracts with the Operator's counterparties;
- promotion of goods, works, services.
- LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
The legal basis for processing personal data is the set of regulatory legal and local regulatory acts, as well as other legally significant documents, in execution and in accordance with which the Operator carries out such processing, including:
- The Constitution of the Russian Federation;
- The Civil Code of the Russian Federation;
- The Labor Code of the Russian Federation;
- The Tax Code of the Russian Federation;
- The Personal Data Law;
- Federal Law No. 402-FZ of December 6, 2011 "On Accounting";
- Federal Law No. 167-FZ of December 15, 2001 "On Compulsory Pension Insurance in the Russian Federation";
- Federal Law No. 14-FZ of February 8, 1998 "On Limited Liability Companies";
- other federal laws and by-laws adopted on their basis, regulating relations related to the Operator's activities;
- the Operator's Charter;
- the Operator's local regulatory acts;
- contracts, agreements, memoranda concluded between the Operator and Personal Data Subjects.
- SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA. CATEGORIES OF PERSONAL DATA SUBJECTS
- Personal Data Subjects covered by this Policy include the Operator's employees, their relatives (family members), job applicants (candidates for employment with the Operator), former employees of the Operator, the Operator's clients and counterparties (individuals) and representatives of the Operator's clients and counterparties (legal entities), visitors to the Operator's website.
- Composition (scope) of personal data by categories of Personal Data Subjects:
- Personal data of employees, including former employees, processed by the Operator for the purposes of carrying out labor and other relations directly related to labor, including maintaining personnel and accounting records and complying with the legislation of the Russian Federation, includes:
- surname, first name, patronymic, date and place of birth, gender, citizenship details;
- place of permanent and temporary registration, place of actual residence;
- type, series, number of the identity document, date of issue, name of the issuing authority, division code;
- Taxpayer Identification Number (INN);
- Insurance Number of the Individual Ledger Account (SNILS);
- information about social, property, and marital status, family composition, details of marriage certificate, child's birth certificate;
- information about income;
- compulsory medical insurance policy details;
- bank card details;
- account number;
- personal account number;
- information about work activity (profession, position, work experience);
- information about military duty, details of military ID or other military registration document;
- information about education, including details of education documents;
- phone number, email address;
- photo and video image of the face;
- special categories of personal data, namely: information about health status, information about the presence or absence of a criminal record – which are processed only to establish the compliance of Personal Data Subjects with the requirements of the legislation of the Russian Federation.
- Personal data of a job applicant, processed by the Operator for the purposes of assisting in employment (personnel selection) and complying with the legislation of the Russian Federation, includes:
- surname, first name, patronymic, date and place of birth, gender, citizenship details;
- place of permanent and temporary registration, place of actual residence;
- type, series, number of the identity document, date of issue, name of the issuing authority, division code;
- information about work activity;
- information about education, including details of education documents;
- phone number, email address;
- photo and video image of the face;
- special categories of personal data, namely: information about health status, information about the presence or absence of a criminal record – which are processed only to establish the compliance of Personal Data Subjects with the requirements of the legislation of the Russian Federation.
- Personal data of relatives of employees (their family members), processed by the Operator for the purposes of carrying out labor and other relations directly related to labor between the Operator and its employees, including maintaining personnel and accounting records and complying with the legislation of the Russian Federation, includes:
- surname, first name, patronymic, date and place of birth, gender, citizenship details;
- place of permanent and temporary registration, place of actual residence;
- details of marriage certificate (for spouse), birth certificate (for child);
- phone number.
- Personal data of the Operator's clients and counterparties (individuals) and representatives of the Operator's clients and counterparties (individuals and legal entities), processed by the Operator for the purposes of carrying out its business activities, including concluding, executing, and terminating contracts with its counterparties, as well as complying with the legislation of the Russian Federation, includes:
- surname, first name, patronymic, date and place of birth, gender, citizenship details;
- place of permanent and temporary registration, place of actual residence;
- type, series, number of the identity document, date of issue, name of the issuing authority, division code;
- Taxpayer Identification Number (INN);
- Insurance Number of the Individual Ledger Account (SNILS);
- information about education;
- bank account details;
- information about income;
- details of the document certifying the authority to act on behalf of the client or counterparty of the Operator (for representatives of the Operator's clients and counterparties (individuals and legal entities));
- photo and video image of the face;
- phone number, email address.
- Personal data of visitors to the Operator's website, processed by the Operator for the purposes of promoting the Operator's goods, works, services and receiving feedback, includes:
- surname, first name, patronymic, date of birth, gender;
- phone number, email address;
- information collected via metric programs.
- PROCEDURE AND TERMS FOR PROCESSING PERSONAL DATA
- Processing of personal data is carried out in compliance with the following principles:
- personal data is processed on a lawful and fair basis;
- processing of personal data is limited to achieving specific, predetermined, and lawful purposes, to which the content and scope of the processed personal data must correspond;
- during processing, the accuracy and sufficiency of personal data are ensured, and, where necessary, their relevance in relation to the purposes of processing;
- storage of personal data is carried out in a form that allows identification of the Personal Data Subject for no longer than required by the purposes of personal data processing, unless the storage period is established by regulatory legal acts or an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor;
- processed personal data is subject to destruction or depersonalization upon achieving the purposes of processing or if the need to achieve these purposes is lost, unless otherwise provided by regulatory legal acts.
- During the processing of personal data, the following is not permitted:
- processing of personal data incompatible with the purposes of collecting personal data;
- merging databases containing personal data processed for incompatible purposes;
- excessiveness of processed personal data in relation to the stated purposes of their processing.
- Processing of personal data is carried out with the consent of the Personal Data Subject, except for cases established by the legislation of the Russian Federation.
The Personal Data Subject makes the decision to provide their personal data and gives consent to their processing freely, by their own will and in their own interest. Consent to the processing of personal data must be specific, informed, conscious, and unambiguous. Such consent may be given in any form that allows confirmation of its receipt, unless otherwise provided by regulatory legal acts.
Consent to the processing of personal data may be withdrawn by the Personal Data Subject.
In cases provided for by regulatory legal acts, processing of personal data is carried out only with the consent provided in writing by the Personal Data Subject.
Special categories of personal data are processed with the written consent of the Personal Data Subject, except for cases provided for by the Personal Data Law.
- Personal data is processed using automation tools and without using automation tools.
- Personal data of Personal Data Subjects is placed by the Operator in the following information systems:
- information system of personal data of the Operator's employees, as well as persons who are not employees of the Operator but whose personal data the Operator must process in accordance with the labor legislation of the Russian Federation;
- information system of personal data of the Operator's clients and counterparties (individuals) and representatives of the Operator's clients and counterparties (individuals and legal entities), as well as visitors to the Operator's website.
- The Operator performs the following actions with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), including cross-border, depersonalization, blocking, deletion, destruction of personal data.
- The Operator transfers personal data to third parties with the written consent of the Personal Data Subject, except for cases established by the legislation of the Russian Federation where such consent is not required. The Operator has the right to transfer personal data to inquiry and investigative bodies, other authorized bodies on the grounds provided for by the current legislation of the Russian Federation.
- The Operator disseminates personal data permitted by the Personal Data Subject for dissemination, i.e., performs actions aimed at disclosing them to an indefinite circle of persons, in compliance with the prohibitions and conditions established by Article 10.1 of the Personal Data Law. Consent to the processing of personal data permitted by the Personal Data Subject for dissemination is issued separately from other consents of such a Subject to the processing of their personal data.
- During the collection of personal data, including via the Internet, the recording, systematization, accumulation, storage, clarification (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located outside the territory of the Russian Federation is not permitted, except for the cases specified in Clauses 2, 3, 4, 8 of Part 1 of Article 6 of the Personal Data Law.
- The Operator complies with the general rules for storing personal data, including the following:
- Personal data is stored for the period established by the legislation of the Russian Federation.
- Personal data, when processed without the use of automation tools, is separated from other information by fixing it on separate material carriers of personal data, in special sections, or in the fields of forms.
- When fixing personal data on material carriers, personal data whose processing purposes are obviously incompatible are not fixed on the same material carrier.
For the purpose of processing different categories of personal data, a separate material carrier is used for each category.
The Operator ensures separate storage of personal data (material carriers) processed for different purposes.
- During the storage of material carriers, measures have been established to ensure the security of personal data and prevent unauthorized access to them, namely: access to premises for storing material carriers with personal data is granted only to those persons included in the list of persons having access to personal data for the purpose of performing their labor (official) duties.
- The Operator ensures the confidentiality of personal data and compliance with the following measures to protect personal data:
- The Operator, having gained access to personal data, does not disclose it to third parties and does not disseminate personal data without the consent of the Personal Data Subject, unless otherwise provided by regulatory legal acts.
- When processing personal data, to protect them from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions, the Operator takes the necessary legal, organizational, and technical measures or ensures their adoption, namely:
- determining threats to the security of personal data during their processing in personal data information systems (hereinafter – information system);
- applying organizational and technical measures to ensure the security of personal data during their processing in information systems, necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
- using information protection tools that have undergone the conformity assessment procedure in the prescribed manner;
- using information protection tools (in which the information destruction function is implemented) that have undergone the conformity assessment procedure in the prescribed manner to destroy personal data;
- assessing the effectiveness of the measures taken to ensure the security of personal data before putting the information system into operation;
- maintaining records of machine-readable carriers of personal data;
- ensuring the detection of facts of unauthorized access to personal data and taking measures, including to detect, prevent, and eliminate the consequences of computer attacks on information systems and to respond to computer incidents in them;
- ensuring the restoration of personal data modified or destroyed due to unauthorized access to them;
- establishing rules for access to personal data processed in the information system, as well as ensuring the registration and accounting of all actions performed with personal data in the information system;
- monitoring the measures taken to ensure the security of personal data and the level of security of information systems.
- When processing personal data in information systems, the Operator complies with the requirements established by Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 "On Approval of the Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems" and other regulatory legal acts.
- When processing personal data without the use of automation tools, the Operator complies with the requirements established by the Regulation on the Features of Processing Personal Data Carried Out Without the Use of Automation Tools, approved by Decree of the Government of the Russian Federation No. 687 of September 15, 2008.
- UPDATING (CLARIFICATION), DELETION AND DESTRUCTION OF PERSONAL DATA. RESPONSES TO REQUESTS FROM SUBJECTS FOR ACCESS TO PERSONAL DATA
- If the fact of inaccuracy of personal data is confirmed, the Operator, based on information provided by the Personal Data Subject or their representative, or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, clarifies the personal data or ensures their clarification (if the processing of personal data is carried out by another person acting on behalf of the Operator) within seven working days from the date of receipt of such information, after which it removes the blocking of personal data.
- The Operator blocks personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) in the following cases and within the following timeframes:
- if unlawful processing of personal data is identified upon an appeal by the Personal Data Subject or their representative, or upon a request from the Personal Data Subject or their representative, or the authorized body for the protection of the rights of personal data subjects – from the moment of such appeal or receipt of the specified request for the period of verification;
- if inaccurate personal data are identified upon an appeal by the Personal Data Subject or their representative, or upon their request or a request from the authorized body for the protection of the rights of personal data subjects – from the moment of such appeal or receipt of the specified request for the period of verification, if blocking personal data does not violate the rights and legitimate interests of the Personal Data Subject or third parties;
- if it is impossible to destroy personal data within the period specified in Parts 3–5.1 of Article 21 of the Personal Data Law – until the moment of destruction.
- The Operator ceases the processing of personal data or ensures the cessation of such processing by a person acting on behalf of the Operator in the following cases:
- if the reasons for which the processing of special categories of personal data was carried out, as provided for in Parts 2 and 3 of Article 10 of the Personal Data Law, have been eliminated, unless otherwise established by federal law;
- if unlawful processing of personal data carried out by the Operator or a person acting on behalf of the Operator is identified – within no more than three working days from the date of this identification;
- if the purposes of processing personal data have been achieved;
- if the Personal Data Subject has withdrawn consent to the processing of their personal data;
- if the Personal Data Subject has applied to the Operator with a demand to cease processing – within no more than ten working days from the date of receipt of the corresponding demand. This period may be extended, but for no more than five working days, if the Operator sends a reasoned notification to the Personal Data Subject indicating the reasons for the extension.
- The Operator destroys personal data in compliance with the following rules:
- The Operator destroys personal data, in particular, in the following cases and within the following timeframes:
- if the purposes of processing personal data have been achieved or the need to achieve them has been lost – within no more than thirty days from the date of achieving the specified purposes, unless otherwise provided by an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor, or another agreement between the Operator and the Personal Data Subject, or if the Operator is not entitled to process personal data without the consent of the Personal Data Subject on the grounds provided for by federal laws;
- if the Personal Data Subject or their representative has provided information confirming that such personal data were obtained unlawfully or are not necessary for the stated purpose of processing – within no more than seven working days from the date of submission of such information;
- if unlawful processing of personal data is identified, provided that it is impossible to ensure its lawfulness – within no more than ten working days from the date of identification of the unlawful processing;
- if the Personal Data Subject has withdrawn consent to the processing of their personal data, provided that the retention of such data is no longer required for the purposes of their processing – within no more than thirty days from the date of receipt of the withdrawal, unless otherwise provided by an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor, or another agreement between the Operator and the Personal Data Subject, or in the case where the Operator is not entitled to process personal data without the consent of the Personal Data Subject on the grounds provided for by federal laws.
- When processing personal data without the use of automation tools, the document confirming the destruction of personal data is the Act on the Destruction of Personal Data.
When processing personal data using automation tools, the documents confirming the destruction of personal data are the Act on the Destruction of Personal Data and the Extract from the Event Log of the Personal Data Information System (hereinafter – Extract from the Log).
When processing personal data simultaneously using automation tools and without using automation tools, the documents confirming the destruction of personal data are the Act on the Destruction of Personal Data and the Extract from the Log.
The Act on the Destruction of Personal Data and the Extract from the Log are subject to storage for 3 years from the moment of destruction of personal data.
- The Operator responds to requests from Personal Data Subjects in compliance with the following rules:
- Personal Data Subjects have the right to apply to the Operator and send it requests on the issues specified in the Personal Data Law, including requests:
- for the provision of information specified in Part 7 of Article 14 of the Personal Data Law;
- for information about the availability of personal data

