1. Purpose and scope
This Policy in the field of personal data processing (hereinafter referred to as the Policy) has been developed on the basis of Article 18.1 of Federal Law No. 152-FZ "On Personal Data", taking into account the requirements of the Constitution of the Russian Federation, the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, international treaties of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation in the field of personal data.
This Policy applies to relations for processing and ensuring the security of information that is classified as personal data (hereinafter - PD) in accordance with the legislation of the Russian Federation.
This Policy defines the principles, goals, procedure and conditions of processing by Individual Entrepreneur Klimanova Victoria Anatolyevna (PSRN 304770000191888, registration address: 117624 Moscow, Admiral Ushakov Boulevard 9-192), hereinafter - the Operator, of the PD of employees, customers, and other third parties (entities) whose PD is processed by the Operator. This Policy contains provisions on the responsibility of the Operator and its employees in the event of violations of PD processing.
This Policy is a publicly available document and is published on the official website of the Operator on the Internet.
All employees of the Operator are guided by the provisions of this Policy.
2. Symbols and abbreviations
PD - personal data
ISPDN - information system of personal data
3. Principles of processing personal data
PD processing is carried out by the Operator on the basis of the following principles:
-PD processing is carried out on a legal and fair basis;
-PD processing is limited to the achievement of specific, predetermined and legitimate purposes;
-The operator does not process PD that are incompatible with the purposes of collecting personal data and processes only PD that meet the purposes of their processing;
-The operator separates the databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
-processed PD are not redundant in relation to the stated purposes of their processing, and the content and volume of processed PD correspond to the stated purposes of processing;
-when processing PD, the accuracy and sufficiency of PD are ensured;
-PD storage is carried out no longer than the purpose of PD processing requires, if the storage period for PD is not established by federal law or by an agreement to which the PD subject is a party, beneficiary or guarantor.
4. Purposes of personal data processing
The Operator processes PD for the purpose of carrying out the Operator's activities in accordance with the legislation of the Russian Federation.
5. Categories of subjects of personal data
The subjects whose personal data is processed by the Operator with or without the use of automation tools are:
-employees of and job candidates for the Operator and their family members (spouses and close relatives);
-persons who previously had an employment relationship with the Operator;
-Operator's clients and other persons having contractual relations of a civil law nature with the Operator;
-other persons whose personal data processing is required by the Operator in order to fulfill the goals of the Operator's activities.
6. Personal data categories
The operator processes the following categories of personal data:
-PD of the general category (other PD), which cannot be attributed to special categories of personal data, to biometric personal data or to publicly available PD;
-biometric PD;
-publicly available PD.
7. The composition of the persons organizing and participating in the processing and security of personal data
The operator is the person responsible for organizing the processing of PD.
Employees are involved in PD processing as part of their job duties.
8. Processing and ensuring the security of personal data
8.1 Processing and the procedure for terminating the processing of personal data
PD processing by the Operator is carried out in the following cases:
-with the consent of the PD subject to the processing of his PD.
-PD processing is necessary for the execution of an agreement to which the PD subject is a party, beneficiary or guarantor, including if the operator exercises his right to assign rights (claims) under such an agreement, as well as to conclude an agreement on the initiative of the PD subject or an agreement under which the PD subject will be the beneficiary or guarantor.
-PD processing is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the PD subject.
-processing is carried out of PD to which access by an unlimited circle of persons has been provided by the PD subject or at his request.
-as well as in other cases stipulated by federal legislation.
The operator can carry out cross-border transmission of personal data only to the territory of foreign states that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of subjects of personal data.
The operator has the right to entrust the processing of PD to another person only with the consent of the PD subject, unless otherwise provided by federal law, on the basis of the operator's instructions. At the same time, the Operator bears responsibility to the PD subject for the actions of the specified person, and the person who processes PD on behalf of the Operator is responsible to the Operator.
The operator undertakes not to disclose to third parties and not to distribute PD without the consent of the PD subject, unless otherwise provided by federal law.
PD processing is terminated by the Operator in the following cases:
-achieving the goals of PD processing;
-the expiration of the PD processing period provided for by federal legislation, the agreement or consent of the PD subject to the processing of his PD;
-when the subject of PD revokes consent to the processing of his PD, in cases that do not contradict the requirements of federal legislation.
9. Information on the implemented requirements for the protection of personal data
The operator takes all the necessary legal, organizational and technical measures when processing PD to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to PD.
Measures are being taken to organize the processing and ensure the security of PD processed without automation tools, including:
-separate storage is provided for personal data (material carriers), the processing of which is carried out for various purposes;
-the conditions are observed to ensure the safety of PD, excluding unauthorized access to them when storing material carriers.
Measures are being taken to protect PD during their processing in PD information systems, including:
-the level of protection of PD is determined during their processing in information systems;
-the requirements for PD protection in PD information systems are fulfilled in accordance with certain levels of PD security;
-the necessary information protection means are applied;
-facts of unauthorized access to personal data are detected and the necessary measures are taken;
-the measures taken to ensure the safety of PD and the level of protection of PD information systems are controlled.
10. Policy violation and liability
The operator is responsible for the compliance of processing and ensuring the security of personal data with legislation. All employees of the Operator who process personal data are responsible for compliance with this Policy and other local acts of the Operator on the processing and security of personal data.
Each employee of the Operator who becomes aware of a violation of this Policy or who suspects the existence of such a violation must inform the person responsible for organizing the processing of personal data about it.
11. Final provisions
11.1. This Policy is subject to change or addition in the event of the emergence of new legislative acts and special regulatory documents on the processing and protection of personal data.
11.2. This Policy is published by the operator on the website dostavka-tsvetov.com in accordance with the requirements of Article 18.1 of the Federal Law "On Personal Data".