About

Personal data processing policy


Contents 

01 

Scope of Application

02

Normative References

03

Terms and Definitions

04

Abbreviations

05

Purposes and Principles of Personal Data Processing

06

List of Subjects Whose Personal Data Are Processed in the Company

07

List of Personal Data Processed in the Company

08

Terms and Conditions for Processing of Personal Data

09

Time Limits for Processing, Storage and Destruction of Personal Data

10

Methods of Processing Personal

11

Rights and Obligations of Personal Data Subjects and the Company

12

Measures Taken by the Company in the Processing of Personal Data

13

Liability

 

 

 

1 Scope of Application

1.1 This Personal Data Processing Policy (hereinafter referred to as the "Policy") has been developed in order to implement the legal requirements to processing and protection of personal data and is aimed at ensuring protection of human and civil rights and freedoms during processing of personal data at Ekaterinburg Non-Ferrous Metals Processing Plant Joint Stock Company (the "Company").

1.2 This Policy has been developed taking into account the principles and rules established by the Constitution of the Russian Federation, Federal Law of the Russian Federation of 27.06.2006 No. 152-FZ On Personal Data, and other laws and regulations of the Russian Federation in the field of personal data.

1.3 This Policy establishes purposes, terms and conditions, and methods of personal data processing, lists of personal data subjects and lists of personal data processed in the Company, functions of the Company in processing personal data, rights of personal data subjects, rights and obligations of the Company, as well as requirements for the protection of personal data.

1.4 The requirements of this Policy shall be binding on all employees of the Company who process and protect personal data.

1.5 The Policy serves as the basis for the development of local regulations governing personal data processing in the Company.

1.6 The Policy is a public document and shall be published on the Company's official website on the Internet.

1.7 The Policy shall be valid indefinitely upon approval and until replaced by a new version.

2 Normative References

The processing of personal data is carried out on the basis of the following federal laws and regulations:

- the Constitution of the Russian Federation;

- the Labour Code of the Russian Federation;

- Federal Law of 27.06.2006 No. 152-FZ On Personal Data;

- Federal Law of 27.07.2006 No. 149-FZ On Information, Information Technologies and Information Protection;

- Decree of the Government of the Russian Federation of 15.09.2008 No. 687 On Approval of the Regulations on the Specifics of Processing Personal Data Performed without the Use of Automation Tools;

- Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 On Approval of Requirements for the Protection of Personal Data during its Processing in Personal Data Information Systems;

- other laws and regulations of the Russian Federation and normative documents of authorised public authorities.

3 Terms and Definitions

Automated Processing of Personal Data means the processing of personal data by means of computer technology.

Blocking of Personal Data means temporary suspension of processing of personal data (unless the processing is necessary to clarify the personal data).

Personal Data Information System means a set of information technologies and technical means contained in databases of personal data and ensuring its processing.

Information means information (messages, data) regardless of the form in which it is presented.

Counterparty means any Russian or foreign legal entity or individual with whom the Company enters into contractual relationship, other than an employment relationship.

Confidentiality of Personal Data means a mandatory requirement for the operator or other person who has access to personal data not to disseminate it without the consent of the personal data subject or any other legal basis.

Non-automated Processing of Personal Data means the processing of personal data contained in or extracted from a personal data information system, carried out with direct human involvement.

Personal Data Depersonalisation means actions as a result of which it is impossible, without the use of additional information, to determine the identity of a particular personal data subject.

Processing of Personal Data means any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transmission (dissemination, provision, access), depersonalisation, blocking, removal, and/or destruction of personal data.

Operator means a public body, municipal authority, legal entity or individual, independently or together with other persons, arranging and/or performing the processing of personal data, as well as determining the purpose of personal data processing, contentof personal data to be processed, actions (operations) performed with personal data.

Personal Data means any information relating to a directly or indirectly defined or identifiable individual (personal data subject).

Provision of Personal Data means actions aimed at disclosing personal data to a certain person or a limited group of persons.

Employee means an individual who is engaged in an employment relationship with theCompany.

Dissemination of Personal Data means actions aimed at disclosing personal data to general public.

Mixed Processing of Personal Data means processing of personal data that includes both automated and non-automated processing of personal data.

Personal Data Subject means an individual who is directly or indirectly defined or identifiable by the personal data.

Cross-border transfer of Personal Data means the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Destruction of Personal Data means actions resulting in the impossibility to restore the content of personal data in a personal data information system and/or resulting in the destruction of tangible media of personal data.

4 Abbreviations

Company means Ekaterinburg Non-Ferrous Metals Processing Plant Joint Stock Company (EZOCM JSC);

ICP means Internal Company Policy.

5 Purposes and Principles of Personal Data Processing

5.1 The processing of the personal data of personal data subjects in the Company shall be carried out for the following purposes:

- To ensure compliance with the Constitution of the Russian Federation, laws and regulations of the Russian Federation, and ICP;

- To perform the functions, exercise the powers and fulfil the duties imposed on the Company by the law of the Russian Federation, including the provision of personal data to public authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, and other public authorities;

- To govern labour relations (compliance with Russian labour law and other regulations containing norms of labour law, the Collective Agreement and other ICPs);

- To ensure that employees perform their job functions, including organising training and advanced training; providing employees with corporate communications, office door signs, business cards, powers of attorney; purchasing airline and train tickets and booking hotels for employees going on business trips;

- To provide additional guarantees and compensations to the Company's employees and their family members stipulated by law of the Russian Federation, the Collective Agreement and other ICPs, including non-state pension plan, voluntary medical insurance, medical care and other types of social security;

- To issue bank cards to employees and members of the Veterans' Organisation of EZOCM JSC;

- To submit applications for city, regional, trade union, departmental and state awards of the Russian Federation;

- To protect life, health or other vital interests of employees;

- To search and recruit employees, assist citizens in finding employment;

- To organise internships for students and conclude internship agreements with educational institutions;

- To draft, conclude, perform and terminate contracts with counterparties;

- To ensure access control and site security procedures on the Company's premises;

- To form reference materials for internal information support of the Company's activities;

- To execute judicial acts, acts of other authorities or officials subject to enforcement in accordance with the law of the Russian Federation on enforcement proceedings;

- To exercise the rights and lawful interests of the Company within the scope of the activities provided for in the Articles of Association and other Internal Policies of the Company or of third parties or to achieve socially important goals;

- for other lawful purposes.

5.2 The processing of personal data in the Company shall be based on the following principles:

- The processing of personal data shall be carried out on a legal and fair basis within the Company;

- The processing of personal data shall be limited to achieving specific, predetermined and legitimate objectives;

- Only personal data that is suitable for the purposes for which it is being processed may be processed;

- Processing of personal data that is incompatible with the purpose of personal data collection shall not be permitted;

- Databases containing personal data whose processing is incompatible with one another may not be combined;

- The processing of personal data shall not be excessive in relation to the stated purposes for which it is being processed. The content and scope of personal data processed shall correspond to the stated processing purposes;

- When processing personal data, the accuracy of personal data, its adequacy and, where necessary, relevance in relation to the purpose of personal data processing shall be ensured;

- Personal data shall be stored in a form that makes it possible to identify the personal data subject no longer than required by the purposes of personal data processing, unless the storage period of personal data is established by federal law, an agreement under which the personal data subject is a party, a beneficiary or a guarantor;

- Processed personal data shall be destroyed or depersonalised when the purposes of processing have been achieved or when it is no longer necessary to achieve those purposes, unless otherwise provided for by federal law.

6 List of Subjects Whose Personal Data Are Processed in the Company

The Company processes personal data of the following categories of personal data subjects:

- employees of the Company;

- relatives of employees;

- candidates for vacant positions/professions;

- persons sent to the Company for an internship;

- personal data subjects who are counterparties of the Company or representatives of counterparties;

- representatives of regulatory authorities;

- founders, shareholders, members of the Board of Directors of EZOCM JSC;

- other personal data subjects (to ensure that the purposes of personal data processing set out in this Policy are achieved).

7 List of Personal Data Processed in the Company

7.1 The list of personal data processed in the Company is determined in accordance with the personal data laws of the Russian Federation and is specified in the ICP in accordance with the purposes of personal data processing set out in clause 5.1. of this Policy.

7.2 No special categories of personal data relating to race, ethnicity, political opinions, religious or philosophical beliefs or intimate life shall be processed in the Company.

7.3 Processing of special categories of personal data relating to health conditions shall be carried out by the Company in accordance with the law of the Russian Federation and with the written consent of the personal data subject to process their personal data.

7.4. Processing of biometric personal data shall be carried out by the Company only with the written consent of the personal data subject to process their personal data in order to ensure access control and site security procedures on the Company's premises.

8 Terms and Conditions for Processing of Personal Data

8.1 Processing of personal data in the Company shall be carried out with the consent of the personal data subject for processing.

8.2 Processing of personal data without the subject's consent may only be possible in case provided by the law of the Russian Federation.

8.3 The Company shall not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.

8.4 The Company may delegate the processing of personal data to another person with the consent of the personal data subject on the basis of an agreement concluded with such person. The agreement shall contain a list of actions (operations) with personal data to be performed by the person processing personal data, processing purposes, the obligation of such person to maintain confidentiality of personal data and ensure security of personal data during its processing, as well as requirements for protection of processed personal data in accordance with the personal data laws of the Russian Federation.

8.5 For internal information purposes, the Company may create internal reference materials which, with the written consent of the personal data subject, unless otherwise provided by the law of the Russian Federation, may include their last name, first name, patronymic, place of employment, position, year and place of birth, address, subscriber number, e-mail address and other personal data provided by the personal data subject.

8.6 Access to personal data processed in the Company shall be allowed only to employees of the Company holding positions that require processing of personal data or access to personal data.

9 Time Limits for Processing, Storage and Destruction of Personal Data

9.1 Requirements for the timing of processing of personal data of personal data subjects processed in the Company shall be determined by the ICP in accordance with the requirements of the law of the Russian Federation.

9.2 Processing of personal data shall not begin until the legal basis for processing personal data has arisen.

9.3 Processing of personal data shall be terminated upon achievement of the processing objectives, loss of the legal basis for processing established by the law of the Russian Federation, withdrawal of consent for processing of personal data by the personal data subject.

9.4 Upon expiration of the processing period, personal data shall be destroyed or depersonalised for statistical or other research purposes.

9.5 When storing personal data, the Company shall use databases located in the Russian Federation.

9.6 Documents (media) containing personal data shall be destroyed by incineration, crushing (shredding). A shredder may be used to destroy paper documents.

9.7 Personal data on electronic media shall be destroyed by erasing or formatting the media.

10 Methods of Processing Personal Data

10.1 The processing of personal data in the Company shall be carried out in the following ways:

- non-automated processing of personal data;

- automated processing of personal data;

- mixed processing of personal data;

10.2 Processing of personal data contained in or extracted from the personal data information system shall be deemed to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, dissemination, destruction of personal data regarding each of the personal data subjects are carried out with the direct human involvement.

11 Rights and Obligations of Personal Data Subjects and the Company

11.1 Personal data subjects whose personal data is processed by the Company shall have the right to:

11.1.1 Obtain information concerning the processing of their personal data, including that contains:

- confirmation of the fact of personal data processing by the Company;

- legal basis and purposes of personal data processing;

- methods of personal data processing used by the Company;

- name and location of the Company, information about persons (other than the Company's employees) who have access to personal data or to whom personal data may be disclosed under an agreement with the Company or in accordance with the federal law;

- processed personal data related to the relevant personal data subject, the source of their receipt;

- the time limits for processing personal data, including the time limits for its storage;

- the procedure for the personal data subject to exercise the rights provided for in the personal data laws;

- information about the cross-border transfer of data that has been carried out or is expected to be carried out;

- the name or last name, first name, patronymic and address of the person processing the personal data on behalf of the Company, if the processing has been or will be entrusted to such a person;

- other information provided by Federal Law of 27.07.2006 No. 152-FZ On Personal Data or other federal laws.

11.1.2 Clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing.

11.1.3 Withdraw their consent to the processing of personal data.

11.1.4 Appeal the Company's actions or omission to act that have been in violation of the requirements of the law of the Russian Federation in the field of personal data, to the competent authority for the protection of personal data subjects or to the court.

11.1.5 Defend their rights and legitimate interests, including for damages and/or compensation for non-pecuniary damage in court.

11.1.6 Exercise other rights provided for by personal data laws of the Russian Federation.

11.2 The Company shall have the right to:

11.2.1 Receive documents containing personal data from personal data subjects or from representatives of the personal data subject.

11.2.2 Require the personal data subject to clarify the personal data provided in a timely manner.

11.2.3. If the subject of personal data withdraws consent to the processing of their personal data, the Company may continue processing personal data without the consent of the personal data subject on the grounds set forth by the law of the Russian Federation.

11.3 The Company shall:

11.3.1 Process the subjects' personal data in accordance with the principles and rules stipulated in the applicable personal data laws of the Russian Federation and ICPs in the field of personal data processing.

11.3.2 Inform the personal data subject or their legal representative, at their request, of the availability of personal data in the Company relating to the relevant personal data subject.

11.3.3 On the request of the personal data subject, discontinue the processing of their personal data, except as required by the law of the Russian Federation.

11.3.4 Upon receipt of the relevant request, provide, free of charge, an opportunity for the personal data subject or their legal representative to review the personal data of the personal data subject.

11.3.5 Take measures necessary and sufficient to ensure the fulfilment of obligations stipulated by Federal Law of 27.07.2006 No. 152-FZ On Personal Data and other laws and regulations of the Russian Federation.

12 Measures Taken by the Company in the Processing of Personal Data

12.1 The Company shall take the following measures to ensure that the operator fulfils its obligations provided for by the personal data laws of the Russian Federation:

- To appoint a person responsible for the organisation of personal data processing in the Company;

- To adopt ICP governing the processing and protection of personal data;

- To publish this Policy on its official website, provide unrestricted access to it and to information on the implemented requirements to the protection personal data that is not related to confidential information;

- To apply legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, or dissemination of personal data, as well as from other unlawful actions in relation to personal data;

- To maintain internal control over compliance of personal data processing with the personal data laws of the Russian Federation, personal data protection requirements, this Policy and the ICPs;

- To assess the harm that may be caused to personal data subjects in case the Company breaches personal data laws of the Russian Federation and, based on this assessment, make a decision on the list of measures required to ensure personal data security;

- To make sure that the Company's employees directly engaged in the processing of personal data read and understand the provisions of personal data laws of the Russian Federation and ICPs on personal data processing, including the requirements for the protection of personal data, and to conduct training of these employees;

- To comply with the requirements stipulated in Decree of the Government of the Russian Federation of 15.09.2008 No. 687 On Approval of the Regulations on the Specifics of Processing Personal Data Performed without the Use of Automation Tools when processing personal data without the use of automation tools;

- To notify the competent authority for the protection of personal data subjects of the processing (intention to process) of personal data;

- To depersonalise personal data processed in personal data information systems, as well as discontinue processing and destroy personal data in cases stipulated by the personal data laws of the Russian Federation;

- To comply with the requirements stipulated in Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 On Approval of Requirements for the Protection of Personal Data during its Processing in Personal Data Information Systems when processing personal data in personal data information systems;

- To apply other measures provided for by personal data laws of the Russian Federation.

13 Liability

In the event of non-compliance with the provisions of this Policy, the Company shall be liable in accordance with the applicable laws of the Russian Federation.

Back to top