1. General provisions

1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) has been drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law "On Personal Data" No. 152–FZ of July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of personal data protection and processing and applies to all personal data (hereinafter referred to as data) that an Organization (hereinafter referred to as the Operator, Company) may receive from a personal data subject who is a party to a civil law agreement, from an Internet user (hereinafter referred to as – The User) during the use of any of the sites, services, services, programs, products or services of the EAEU, as well as from the personal data subject who is in a relationship with the Operator regulated by labor law (hereinafter referred to as the Employee). 1.2. The Operator ensures the protection of the processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

1.3. The Operator has the right to make changes to this Policy. When making changes, the date of the last revision update is indicated in the Policy header. The new version of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by the new version of the Policy.

2. Terms and accepted abbreviations

Personal data is any information related directly or indirectly to a specific or identifiable natural person (personal data subject).

Personal data processing is any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated personal data processing is the processing of personal data using computer technology.

The Personal Data Information System (ISPS) is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Personal data made publicly available by a personal data subject is personal data to which an unlimited number of persons have access provided by the personal data subject or at his request.

Blocking of personal data is the temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data).

Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

Operator is an organization that independently or jointly with other persons organizes the processing of personal data, as well as determines the purposes of processing personal data to be processed, actions (operations) performed with personal data. The operator is the EAAU, located at: 119435, Moscow, Bolshaya Pirogovskaya str., 2, building 1;

3. Personal data processing

3.1. Receiving personal data.

3.1.1. All personal data should be obtained from the subject himself. If the subject's personal data can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.

3.1.2. The operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which consent is valid, and the procedure for revoking it, as well as the consequences of the subject's refusal to give written consent to receive them.

3.1.3. Documents containing personal data are created by:

• copying of original documents (passport, educational document, TIN certificate, pension certificate, etc.);
• entering information into accounting forms;
• obtaining the originals of the necessary documents (work record, medical report, characteristics, etc.).

3.2. Processing of personal data.

3.2.1. Personal data is processed by:

• with the consent of the personal data subject to the processing of his personal data;
• in cases where the processing of personal data is necessary for the exercise and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation;
• in cases where personal data is being processed, access to an unlimited number of persons is provided by the personal data subject or at his request (hereinafter referred to as personal data made publicly available by the personal data subject).

3.2.2. Purposes of personal data processing:

• implementation of labor relations;
• implementation of civil law relations;
• to contact the user in connection with filling out the feedback form on the website, including sending notifications, requests and information regarding the use of the website, processing, registration for events and the issuance of electronic certificates;
• depersonalization of personal data in order to obtain depersonalized statistical data that is transferred to a third party for conducting research, performing work or providing services.

3.2.3. Categories of subjects of personal data.

Personal data of the following personal data subjects is processed:

• individuals who have an employment relationship with the Company;
• individuals who quit the Company;
• individuals who are job candidates;
• individuals who have civil relations with the Company;
• individuals who are Users of the Site.

3.2.4. Personal data processed by the Operator:

• data obtained during the implementation of the employment relationship;
• data obtained for the selection of job candidates;
• data obtained during the implementation of civil law relations;
• data received from the Users of the Site.

3.2.5. Personal data is processed by:

• using automation tools;
• without using automation tools.

3.3. Storage of personal data.

3.3.1. Personal data of subjects may be obtained, further processed and stored both on paper and electronically.

3.3.2. Personal data recorded on paper is stored in lockable cabinets or in lockable rooms with limited access rights.

3.3.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders.

3.3.4. It is not allowed to store and post documents containing personal data in open electronic catalogs (file sharing sites) in ISPs.

3.3.5. Personal data is stored in a form that makes it possible to identify the subject of personal data for no longer than the purposes of their processing require, and they are subject to destruction upon achievement of the processing objectives or in case of loss of the need to achieve them.

3.4. Destruction of personal data.

3.4.1. The destruction of documents (media) containing personal data is carried out by burning, crushing (crushing), chemical decomposition, transformation into a shapeless mass or powder. Shredders may be used to destroy paper documents.

3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.

3.4.3. The fact of destruction of personal data is documented by the act of destruction of media.

3.5. Transfer of personal data.

3.5.1. The Operator transfers personal data to third parties in the following cases:

• the subject has expressed his consent to such actions;
• The transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.

3.5.2. The list of persons to whom personal data is transferred.

• Pension Fund of the Russian Federation for accounting (legally);
• tax authorities of the Russian Federation (legally);
• Social Insurance Fund of the Russian Federation (legally);
• territorial compulsory medical insurance fund (legally);
• medical insurance organizations for compulsory and voluntary medical insurance (legally);
• payroll banks (based on a contract);
• the bodies of the Ministry of Internal Affairs of Russia in cases established by law;

4. Personal data protection

4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system, consisting of subsystems of legal, organizational and technical protection.

4.2. The subsystem of legal protection is a complex of legal, organizational, administrative and regulatory documents that ensure the creation, functioning and improvement of the NWFPS.

4.3. The subsystem of organizational protection includes the organization of the management structure of the NWFPS, the licensing system, and information protection when working with employees, partners, and third parties.

4.4. The subsystem of technical protection includes a set of technical, software, hardware and software tools that ensure the protection of personal data.

4.4. The main personal data protection measures used by the Operator are:

4.5.1. Appointment of a person responsible for processing personal data, who organizes the processing of personal data, training and instruction, and internal control over compliance by the institution and its employees with personal data protection requirements.

4.5.2. Identification of current threats to the security of personal data during their processing in the ISPS and development of measures and measures to protect personal data.

4.5.3. Development of a personal data processing policy.

4.5.4. Establishment of rules for access to personal data processed in the ISPS, as well as ensuring registration and accounting of all actions performed with personal data in the ISPS.

4.5.5. Establishment of individual passwords for employees' access to the information system in accordance with their work responsibilities.

4.5.6. The use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure.

4.5.7. Certified antivirus software with regularly updated databases.

4.5.8. Compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them.

4.5.9. Detection of unauthorized access to personal data and taking measures.

4.5.10. Recovery of personal data that has been modified or destroyed due to unauthorized access to it.

4.5.11. Training of the Operator's employees who directly process personal data in the provisions of the legislation of the Russian Federation on personal data, including requirements for personal data protection, documents defining the Operator's policy regarding personal data processing, and local acts on personal data processing.

4.5.12. Implementation of internal control and audit.

5. The basic rights of the personal data subject and the duties of the Operator

5.1. Basic rights of the personal data subject.

The subject has the right to access his personal data and the following information:

• confirmation of the fact of personal data processing by the Operator;
• legal grounds and purposes of personal data processing;
• purposes and methods of personal data processing used by the Operator;
• the name and location of the Operator, information about persons (with the exception of the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
• terms of personal data processing, including the terms of their storage;
• the procedure for exercising the rights provided for by Federal Law by the subject of personal data;
• the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Operator, if the processing is or will be entrusted to such a person;
• contacting the Operator and sending requests to him;
• appeal against the actions or omissions of the Operator.

5.2. Duties of the Operator.

The operator must:

• when collecting personal data, provide information about the processing of personal data;
• in cases where personal data was not received from the personal data subject, notify the subject;
• in case of refusal to provide personal data to the subject, the consequences of such refusal are explained.;
• to publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data;
• take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions with respect to personal data;
• provide answers to requests and requests from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.