JSC GENERIUM personal data policy
1. General Provisions
This Policy regarding the processing of personal data (hereinafter referred to as the Policy) is drafted in accordance with clause 2, part 1, art. 18.1 of the Federal Law “On Personal Data” No. 152-FZ of July 27, 2006 (hereinafter referred to as 152-FZ “On Personal Data”), and defines the cases and features of the processing of personal data at JSC GENERIUM (hereinafter referred to as the Company) with the purpose to ensure the legal rights and freedoms of personal data subjects.
This Policy takes into account the recommendations of Roskomnadzor for drawing up a document defining the operator’s policy regarding the processing of personal data, in the manner established by 152-FZ “On Personal Data”.
2. Terms used in the Policy
Automated processing of personal data – processing of personal data via computer technology;
Blocking of personal data – temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media of personal data are destroyed;
Personal data information system – a set of personal data stored in databases and information technologies and technical means that ensure their processing;
Depersonalization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data to a specific subject of personal data;
Processing of personal data is any action (operation) or a set of actions (operations) with personal data performed with or without the use of automation tools.
Personal data operator – a state body, municipal body, legal entity or individual who, independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) transactions performed with personal data;
Personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);
Providing personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
Personal data subject – an individual who is directly or indirectly identified or determined using personal data;
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;
Cross-border transfer of personal data s the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.
3. Rights and obligations of the subject of personal data
The subject of personal data has the right:
- to provide freely, of his own free will and in his own interest, his personal data and consent to their processing;
- to withdraw his consent to the processing of personal data;
- to receive information regarding the processing of his personal data in the manner, form and within the time limits established by the legislation on personal data;
- to demand clarification of his personal data, its blocking or destruction if the personal data is incomplete, outdated, unreliable, illegally obtained, is not necessary for the stated purpose of processing or is used for purposes not previously stated;
- to object to a decision made solely on the basis of automated processing of personal data;
- o appeal the actions or omissions of the Company to the authorized body for the protection of the rights of personal data subjects or in court if it believes that the Company is processing its personal data in violation of the requirements of 152-FZ “On Personal Data” or otherwise violates its rights and freedoms;
- other rights provided for by legislation on personal data.
The subject of personal data is obliged to:
- provide the Company with reliable information about himself;
- inform the Company about changes in his personal data.
4. Rights and obligations of the Company when processing personal data
The company is obliged:
- not to disclose or distribute personal data without the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation;
- to provide the subject of personal data or his representative with the opportunity to familiarize himself with the processed personal data of the subject;
- to explain to the subject of personal data the legal consequences of refusal to provide personal data, if the provision of personal data is mandatory in accordance with the legislation of the Russian Federation;
- if personal data is not received from the subject of personal data, except for the cases provided for by 152-FZ “On Personal Data”, before processing such personal data, the Company is obliged to provide the subject of personal data with the following information:
- name and address of the location of the Company;
- the purpose of processing personal data and its legal basis;
- intended users of personal data;
- rights of the subject of personal data;
- source of personal data.
- to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except for the cases specified in 152-FZ “On Personal Data”;
- to explain to the subject of personal data the procedure for making a decision based solely on automated processing of his personal data and the possible legal consequences of such a decision, provide the opportunity to object to such a decision;
- to take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
- to report to the authorized body for the protection of the rights of personal data subjects, at the request of this body, the necessary information within thirty days from the date of receipt of such a request;
- to process requests from personal data subjects in accordance with the procedure established in clause 8.4 of this Policy;
- eliminate violations of the law committed during the processing of personal data by clarifying, blocking and destroying personal data.
The society has the right:
- in the event that the subject of personal data withdraws consent to the processing of personal data, continue their processing without the consent of the subject of personal data if there are legal grounds established by the legislation of the Russian Federation;
- to receive personal data from a person who is not the subject of personal data, subject to providing confirmation of the existence of legal grounds established by the legislation of the Russian Federation.
5. General conditions for the processing of personal data
The Company processes personal data of personal data subjects for the following purposes:
- compliance with the current legislation of the Russian Federation;
- conducting the activities carried out by the Company as provided for by the constituent documents of the Company;
- assistance to employees in finding employment, performing job duties and training.
6. Legal grounds for processing personal data
The legal grounds for processing the Company’s personal data are:
- “GOST R 52379-2005. National standard of the Russian Federation. Good Clinical Practice";
- Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”;
- Federal Law of December 25, 2008 No. 273-FZ “On Combating Corruption”;
- Federal Law of December 6, 2011 No. 402-FZ “On Accounting”;
- Federal Law of December 15, 2001 No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation”;
- Federal Law of April 12, 2010 No. 61-FZ “On the Circulation of Medicines”;
- Civil Code of the Russian Federation;
- Labor Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Resolution of the State Statistics Committee of the Russian Federation dated January 05, 2004 No. 1 “On approval of unified forms of primary accounting documentation for recording labor and its payment”;
- Rules of good pharmacovigilance practice of the EAEU, approved by the decision of the Council of the Eurasian Economic Commission dated November 3, 2016 No. 87 (as amended by the Decision of the Council of the Eurasian Economic Commission dated May 19, 2022 No. 81);
- Constituent documents of the Company;
- Agreements concluded between the Company and personal data subjects;
- Agreements concluded between the Company and counterparties.
7. Categories and composition of personal data processed, categories of personal data subjects
Depending on the purposes provided for in section 5 of this Policy, the Company may process personal data of the following categories of personal data subjects:
7.1. Candidates for vacant positions (citizens of the Russian Federation)
In order to carry out the selection process, the following personal data is processed: last name, first name, patronymic; information about the change of surname, name, patronymic (when, where and for what reason it was changed); date of birth; age; sex; citizenship; contact phone numbers; E-mail address; received professional and additional education, availability of special training, specialty and qualifications; information about academic degrees and titles; awards and incentives; information about the current/desired level of income; information about previous work activities; duration of total work experience; information about knowledge of foreign languages; information about military registration and military service; number of the state pension insurance certificate; individual taxpayer number; photo.
7.2. Employees
- In order to formalize labor relations with a citizen of the Russian Federation, the following personal data is processed: last name, first name, patronymic; information about the change of surname, name, patronymic; date of birth; place of birth; sex; citizenship; information about the identity document (series, number, date of issue, by whom); registration at the place of residence (registration at the place of stay); actual place of residence; contact phone numbers; E-mail address; family status; information about close relatives (including degree of relationship, full name, year of birth); received professional and additional education, availability of special training, specialty and qualifications; information about academic degrees and titles; awards and incentives; information about previous work activities; duration of total work experience; information about knowledge of foreign languages; information about military registration and military service; number of the state pension insurance certificate; individual taxpayer number; photo; information confirming the right to receive benefits; job title; structural subdivision; employment date.
- In order to interact with employees within the framework of labor relations, the following personal data is processed: last name, first name, patronymic; information about the change of surname, name, patronymic; date of birth; place of birth; sex; citizenship; information about the identity document (series, number, date of issue, by whom); registration at the place of residence (registration at the place of stay); updated information about the actual place of residence (in case of change during the performance of work duties at GENERIUM JSC); contact phone number; E-mail address; family status; information about the birth of children; information about close relatives (including degree of relationship, full name, year of birth); driver's license information; received professional and additional education, availability of special training, specialty and qualifications; information about academic degrees and titles; awards and incentives; information about previous work activities; duration of total work experience; information about knowledge of foreign languages; information about military registration and military service; information on advanced training, certification tests and professional retraining; number of the state pension insurance certificate; individual taxpayer number; photo; information confirming the right to receive benefits; job title; updated information about the position; structural subdivision; employment date; bank details; information about the amount of wages; information from sick leave certificates; a copy of the child’s birth certificate (if applicable); a copy of the child’s birth certificate (if applicable); a copy of a certificate of non-receipt of child care benefits/child birth benefits (if applicable); copy of birth/death certificate (if applicable); a copy of the death certificate of a relative (if applicable); donor certificate confirming the donation of blood and its components (if applicable); certificate of summons from an educational institution (if applicable); pregnancy certificate (if applicable).
- In order to issue electronic passes for authorized access to the territory of the Company, the following personal data is processed: last name, first name, patronymic; photo.
- In order to issue a bank salary card and payroll, the following personal data is processed: last name, first name, patronymic; date of birth; information about the identity document (series, number, date of issue, by whom); registration at the place of residence (registration at the place of stay); actual place of residence; contact phone numbers; employer's name; E-mail address; salary information; information from the resolution on the collection of funds in favor of third parties at the request of the employee, court decision, etc. (if applicable); bank details; job title; structural subdivision.
- For the purpose of insuring employees against accidents, the following personal data is processed: last name, first name, patronymic; information about the change of surname, name, patronymic; date of birth; sex; the amount of the insurance premium; employer's name; insurance premium amount; employment date; date of dismissal.
- In order to support the process of insuring employees under the voluntary health insurance program, the following personal data is processed: last name, first name, patronymic; information about the change of surname, name, patronymic; date of birth; actual place of residence; information about changes in actual place of residence; contact phone number; name of the insurance program; information about changes in the insurance program; attachment date; detachment date; E-mail address; employer's name.
- In order to provide employees with vehicles within the framework of concluded employment contracts, the following personal data is processed: last name, first name, patronymic; date of birth; place of birth; sex; citizenship; information about the identity document; driver's license information; registration at place of residence; contact phone number; E-mail address; employer's name.
- In order to post information about employees on the internal website of JSC GENERIUM and internal electronic directories and magazines, the following personal data is processed: last name, first name, patronymic; photo; date of birth; contact phone numbers; work phone number; internal corporate email address; job title; name of the structural unit; employment date; employer's name.
- In order to improve the qualifications of employees and provide them with additional training, the following personal data is processed: last name, first name, patronymic; date of birth; place of birth; sex; citizenship; information about the identity document (series, number, date of issue, by whom); registration at the place of residence (registration at the place of stay); contact phone numbers; E-mail address; job title; employer's name; photo.
- For the purpose of holding corporate events and employee participation in bonus programs of partner companies, the following personal data is processed: last name, first name, patronymic; date of birth; contact phone numbers; E-mail address; job title; employer's name.
- In order to provide the interests of the Company, employees within the framework of contractual relations process the following personal data: last name, first name, patronymic; date of birth; contact phone numbers; E-mail address; job title; employer's name; information about the identity document (series, number, date of issue, by whom it was issued, code); registration at place of residence.
7.3. Dismissed workers
In order to comply with the requirements of the current legislation of the Russian Federation, the following personal data is processed: last name, first name, patronymic; date of birth; place of birth; sex; citizenship; photo; information about the identity document (series, standard, date of issue, by whom); actual place of residence; registration at the place of residence (registration at the place of stay); contact phone number; family status; received professional and additional education, availability of special training, specialty and qualifications; information on advanced training, certification tests and professional retraining; information about registration degrees and titles; information about previous work activities; duration of total work experience; information about knowledge of foreign languages; number of the state pension insurance certificate; information about military registration and military service; information confirming the right to receive benefits; individual taxpayer number; job title; name of the structural unit; employment date; date of dismissal; voluntary health insurance policy number; marriage certificate; child's birth certificate; employer's name; information about the change of surname, name, patronymic; information about changes in citizenship; information about changes in information in the identity document; information about changes in registration at the place of residence; information about changes in actual place of residence; information about changes in contact phone numbers; information about changes in marital status; information about receiving additional education; information about changes in position; information about changes in the name of a structural unit; salary information; Bank details.
7.4. Individuals providing services under a civil law contract
For the purpose of concluding contracts with individuals performing work under GPC contracts and fulfilling the requirements of these contracts, the following personal data is processed: last name, first name, patronymic; date of birth; information about the identity document (series, standard, date of issue, by whom); registration at the place of residence (registration at the place of stay); actual place of residence; number of the state pension insurance certificate (SNILS); individual taxpayer number (TIN); bank details; information about the amount of remuneration; contact phone number.
7.5. Individuals who are medical or scientific workers
For the purpose of concluding contracts with individuals who are medical or scientific workers, and fulfilling their obligations under the contract, the following personal data is processed: last name, first name, patronymic; date of birth; sex; citizenship; information about the identity document (series, standard, date of issue, by whom); actual place of residence; number of the state pension insurance certificate (SNILS); individual taxpayer number (TIN); email address; contact phone number; name of the employing organization; job title; information about professional experience; information about education; medical specialist certificate number and certificate validity period; number and date of the specialist’s accreditation certificate; information about the academic degree/academic title received; information about membership in the RAS/RAMS; number and date of issue of the diploma awarding the degree; number and date of issue of the certificate of assignment of the title; information about scientific and educational works published over the previous 3 (three) years; information about speeches at scientific events; information on presentations at international conferences over the previous 3 (three) years; information about participation in clinical/preclinical studies; information about teaching activities; information about the award of a medical category; information about membership in scientific societies; Bank details; information about the amount of remuneration; photo; video materials of performances.
7.6. Individuals who reported adverse reactions that occurred when using the medication
In order to carry out accurate reports, interpretation and verification of data when processing individual reports of adverse reactions arising from the use of drugs, and/or for the purpose of answering medical questions that may subsequently serve as a reason for sending reports of adverse reactions, the following personal data is:
Patient details:
- Patient's initials
- Address (particularly country)
- Date of birth/age group, sex, weight, height
-
Health information, in particular
- Patient's history and current health status.
- Indications for therapy.
- Description of an adverse reaction, including symptoms and their treatment, and any potential long-term effects that the adverse reaction may have on the patient's health; where appropriate, documents such as laboratory results and lists of medications taken.
- Details of the medications and treatments the patient was using concurrently or at the time the adverse reaction occurred, including dosage, duration of use, reason for taking the medication, and any subsequent changes in your therapy.
Details of the person reporting the adverse reaction or making the request:
- Full Name
- Address (particularly country)
- Contact information (phone number and email address)
- If applicable, profession, name of medical institution, position, specialization, department
- If applicable, the relationship to the person named in the report.
7.7. Researchers/Co-researchers - individuals performing research functions
In order to conclude contracts with individuals performing research functions, fulfill the requirements of these contracts and document the process of conducting a clinical trial, the following personal data is processed: last name, first name, patronymic; date of birth; sex; citizenship; information about the identity document (series, number, date of issue, by whom); actual place of residence; number of the state pension insurance certificate (SNILS); individual taxpayer number (TIN); sex; email address; contact phone number; registration at the place of residence (registration at the place of stay); photo; received professional and additional education, availability of special training, specialty and qualifications; information on advanced training, certification tests and professional retraining; certificates of completion of training; information about previous work activities; duration of total work experience; information about knowledge of foreign languages, information about academic degrees or titles, awards and incentives.
7.8. Individuals who are participants in clinical trials
- For participation of individuals in pre-selection for a clinical trial, the following personal data is processed: last name, first name, patronymic; information about the diagnosis; information about the treatment prescribed/received.
- For participation of individuals in a clinical trial and monitoring the progress and results of a clinical trial, the following personal data is processed: anonymized individual identification code; sex; health information; information about the diagnosis; information from medical record; information about the prescribed treatment; information about identified negative revisions (if any); information from medical documentation provided/generated during the clinical trial.
7.9. Premises visitors
In order to organize authorized access of visitors to the premises of the Company, the following personal data is processed: last name, first name, patronymic; information about the identity document (series, number, date of issue, by whom); name of the employing organization.
7.10. Insured relatives of the Company's employees
In order to include close relatives of the company's employees in the voluntary health insurance program, the following personal data is processed: last name, first name, patronymic; sex; information about the identity document (series, number, date of issue, by whom); SNILS; date of birth; relation degree; contact phone number; e-mail; address of the actual residence; name of the insurance program.
7.11. Beneficiaries
In order to support the process of receiving the insurance amount upon the occurrence of an insured event, the beneficiaries of the Company process the following personal data: last name, first name, patronymic; sex; information about the identity document (series, number, date of issue, by whom); SNILS; e-mail; percentage of the sum insured.
7.12. Individual entrepreneurs
In order to conclude contracts and carry out communications with individual entrepreneurs, the following personal data is processed: last name, first name, patronymic; information about the identity document (series, number, date of issue, by whom); individual taxpayer number (TIN).
8. Procedure and conditions for processing personal data
The Company collects, records, systematizes, accumulates, stores, clarifies (updating, changing), extracting, using, transferring (distributing, providing, accessing), blocking, deleting and destroying personal data.
Personal data is processed in the following ways:
- non-automated processing of personal data;
- automated processing of personal data;
- mixed processing of personal data.
A decision that gives rise to legal consequences in relation to the subject of personal data or otherwise affects his rights and legitimate interests can be made on the basis of exclusively automated processing of his personal data only upon written consent of the subject of personal data or in cases provided for by federal laws establishing also measures to ensure compliance with the rights and legitimate interests of the subject of personal data.
8.1. Storage of personal data
Personal data of personal data subjects is stored both on electronic and paper storages.
Paper storage of personal data is carried out only in the places specified in the list of places for paper storage of personal data in the Company.
Paper documents are stored in folders in securely locked safes/cabinets on the Company's premises; electronic data is stored in specially designated rooms, access to which is provided to employees in accordance with their job duties.
The terms for processing personal data are set forth in accordance with:
- purposes of processing personal data;
- the order of the Federal Archive of December 20, 2019 No. 236 “On approval of the List of standard management archival documents generated in the course of the activities of state bodies, local governments and organizations, indicating their storage periods”;
- an agreement to which the subject of personal data is a party, beneficiary or guarantor;
- limitation period.
The terms for processing personal data for each of the personal data subjects in the Company are shown in Table 1.
| Personal data subject | Terms for processing personal data |
|---|---|
| Candidates for vacant positions (citizens of the Russian Federation) | 30 calendar days from the date of the decision on employing a candidate for a vacant position/a negative decision on employing a candidate for a vacant position. |
| Employees | During the term of the employment contract. |
| Employees dismissed | In accordance with the limits established by legislation on archives. |
| Individuals providing services under a civil law contract | Five years after the date of obligation performance. |
| Individuals who are medical or scientific workers | Five years from the date of execution/expiration of the contract with an individual who is a medical or scientific worker. |
| Individuals who reported adverse reactions that occurred when using the drug | For at least 10 years after the termination of validity of certificates of state registration of medicinal products. |
| Researchers / Co-researchers - individuals performing research functions | At least 15 years after completion of clinical studies. |
| Individuals who are participants in clinical trials | Data is not stored by the Company. |
| Premises visitors | Data is not stored by the Company. |
| Insured relatives of the Company's employees | Validity of the voluntary health insurance contract, as well as for five years after its termination. |
| Beneficiaries | The validity period of the voluntary health insurance contract, as well as for five years after its termination. |
| Individual entrepreneurs | Five years after execution of the contract. |
The termination of the processing of personal data is carried out upon expiration of the established terms for the processing of personal data, upon withdrawal of the consent of the subject of personal data to processing of his personal data (except for cases where the Company has the right to continue processing personal data on another legal basis), upon achieving the purpose of processing personal data or a lost need to achieve the goal, as well as when identifying unlawful processing of personal data.
8.2. Conditions for the transfer of personal data
The Company has the right to entrust the processing of personal data to another person upon written consent of the subject of personal data, unless otherwise provided by federal law, on the basis of a concluded agreement.
A person processing personal data on behalf of the Company is obliged to comply with the principles and rules for processing personal data provided for by 152-FZ “On Personal Data” and this Policy.
In accordance with the requirements of 152-FZ “On Personal Data”, contracts with persons processing personal data on behalf of the Company define a list of actions (operations) with personal data that will be performed by the person processing personal data, and the purposes of processing are established the obligations of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, the requirements for the protection of processed personal data are specified in accordance with 152-FZ “On Personal Data”.
In case of cross-border transfer of personal data to countries that do not provide adequate protection of the rights of personal data subjects, with the exception of cases provided for by the legislation of the Russian Federation, cross-border transfer is carried out on the basis of separate consent in writing.
8.3. Ensuring the confidentiality and security of personal data during their processing
The security of personal data processed by the Company is ensured by the adoption of legal, organizational and technical measures determined by the current legislation of the Russian Federation, as well as the Company’s internal regulatory documents in the field of information security.
The Company's provision of protection of personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data is reached, in particular, by the following measures taken:
- appointment of a person responsible for organizing the processing of personal data;
- appointment of a person responsible for ensuring the security of personal data processed in personal data information systems;
- determining the list of employees who have access to personal data;
- development and approval of organizational and administrative documents defining the procedure for processing personal data;
- determination of the list of storage locations for physical storage of personal data;
- organizing the procedures for destruction of personal data after the expiration of their processing period;
- accounting of computer storage of personal data;
- identification of threats to the security of personal data during their processing, formation of a threat model based thereof;
- performing internal audits to ensure compliance with requirements for ensuring the security of personal data;
- familiarization of the Company's employees processing personal data with the requirements of the legislation of the Russian Federation, organizational and administrative documents of the Company defining the procedure for processing and ensuring the security of personal data;
- increasing the level of awareness of employees about the requirements for ensuring the security of personal data;
- conducting an assessment of the harm that may be caused to subjects of personal data in the event of a violation of 152-FZ “On Personal Data”, the relationship between this harm and the measures taken aimed at ensuring the fulfillment of the obligations provided for by 152-FZ “On Personal Data”;
- determining the procedure for responding to information security incidents;
- conducting external access testing;
- use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;
- assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system.
Ensuring the confidentiality of personal data processed by the Company is a mandatory requirement for all employees of the Company authorized to process personal data in connection with the performance of their job duties. All employees who have a valid employment relationship, whose activities are related to the receipt, processing and protection of personal data, sign a confidentiality agreement, undergo instructions on ensuring information security under signature and are personally responsible for compliance with the requirements for processing and ensuring the security of personal data.
8.4. Procedure for processing requests from personal data subjects
The subject of personal data may contact the Company regarding the processing of his personal data in the following cases:
- to obtain information regarding the processing of his (the subject’s) personal data;
- to clarify your personal data, block or destroy it if it is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
- to file a complaint about the Company’s unlawful processing of his (the subject’s) personal data;
- to withdraw your consent to the processing of personal data.
According to the requirements of 152-FZ “On Personal Data”, the request must contain, in particular:
- series, number of the document identifying the subject of personal data (his representative), information about the date of issue of the specified document and the issuing authority;
- information confirming the participation of the subject of personal data in relations with the Company (agreement number, date of conclusion of the agreement, symbolic verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Company;
- signature of the subject of personal data (his representative);
- if the request is sent by a representative of the subject of personal data, it must contain a document (copy of the document) confirming the authority of this representative.
If the subject of personal data withdraws his consent to the processing of personal data, the corresponding request must comply with the conditions specified in such consent.
Requests from personal data subjects or their representatives are accepted at the address: Moscow, st. Testovskaya, 10, entrance 2.
A request signed with an electronic signature can be sent to the email address: generium@generium.ru.
The response to the request is sent to the subject of personal data or his representative within a period not exceeding 30 (thirty) days from the date of application.
If there is a refusal to provide information or carry out an action reflected in the request, the subject is sent a reasoned response containing a reference to the provision of Part 8 of Article 14 152-FZ “On Personal Data” or other federal law, which is the basis for such refusal, within a period not exceeding 30 (thirty) days from the date of application by the subject of personal data or his representative.
The subject of personal data may contact the Company again to obtain information regarding the processing of his (the subject's) personal data no earlier than 30 (thirty) days after the initial contact or sending of the initial request. If the subject of personal data was not provided with complete information based on the results of consideration of the initial request, the subject may re-apply to the Company before the established deadline, indicating the reason for sending the repeated request.
The Company has the right to refuse the subject of personal data to fulfill a repeated request if there is evidence of the validity of the refusal.
In case of detection of unlawful processing of personal data or inaccurate personal data, the Company ensures blocking of personal data (including when personal data is processed by another person acting on behalf of the Company) for the period of inspection.
If the fact of inaccuracy of personal data is confirmed, the Company ensures clarification of personal data (including when processing personal data by another person acting on behalf of the Company) within 7 (seven) business days from the date of submission of such information and removes the blocking of personal data.
If unlawful processing of personal data is detected, the Company, within a period not exceeding 3 (three) working days from the date of this detection, ensures the cessation of unlawful processing of personal data (including when processing personal data by another person acting on behalf of the Company). If it is impossible to ensure the legality of the processing of personal data, the Company, within a period not exceeding 10 (ten) working days from the date of detection of unlawful processing of personal data, is obliged to destroy such personal data or ensure its destruction. The Company is obliged to notify the subject of personal data or his representative, or the authorized body for the protection of the rights of personal data subjects (if the request was sent by the specified body) about the elimination of violations or the destruction of personal data.
If the subject of personal data withdraws consent to the processing of his personal data, the Company ensures the destruction of personal data (including when processing personal data by a third party acting on behalf of the Company) within a period not exceeding 30 (thirty) days from the date of receipt of the said withdrawal (except for cases of motivated refusal to withdraw consent established by the legislation of the Russian Federation).
Upon expiration of the storage period for personal data established in clause 8.1 of this Policy, the Company ensures the destruction of personal data (including when processing personal data by a third party acting on behalf of the Company) within a period not exceeding 30 (thirty) days.
If it is not possible to destroy personal data within the established period, the Company ensures blocking of such personal data (including when processing personal data by a third party acting on behalf of the Company) and ensures the destruction of personal data within a period of no more than 6 (six) months, unless another period is established by the legislation of the Russian Federation.
The responsibility of the Company's officials who have access to personal data for failure to comply with the requirements of the standards governing the processing and protection of personal data is determined in accordance with the legislation of the Russian Federation and the internal regulatory and organizational documents of the Company.