POLICY LLC "CAPSULA" (Website www.qapsula.com) REGARDING THE PROCESSING OF PERSONAL DATA
1. General Provisions
1.1. Appointment
This document defines the policy of KAPSULA LLC (INN 7721350396, PSRN 1157746824905, location - Moscow, Novy Arbat, 21, 119019, hereinafter - SOCIETY, Operator) in relation to the processing of personal data (hereinafter - the Policy).
The SOCIETY, being the Operator carrying out the processing of personal data, ensures the protection of the rights and freedoms of subjects when processing their personal data and takes measures to ensure the fulfillment of the obligations stipulated by the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" and adopted in accordance with with him normative legal acts.
This document is publicly available and must be posted on the official website www.qapsula.com.
Local regulations and other documents regulating the processing of personal data in the Company are developed taking into account the provisions of this Policy.
The company carries out all actions with personal data on a confidential basis.
1.2. Basic concepts used in the Policy
The following terms are used in this document:
- personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);
- subject of personal data - an individual who is directly or indirectly defined or determined using personal data;
- operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations), committed with personal data;
- processing of personal data - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction , use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- automated processing of personal data - processing of personal data using computer technology;
- distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
- provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;
- blocking of personal data - a temporary suspension of the processing of personal data (except for cases where processing is necessary to clarify personal data);
- destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
- depersonalization of personal data - actions, as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without using additional information;
- personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
- cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity.
1.3. Basic rights and obligations of the Operator and personal data subjects
1.3.1. Rights and obligations of personal data subjects
Subjects whose personal data is processed in the COMPANY have the right:
1) for free familiarization with their personal data, except for the cases provided for by the Federal Law of July 27, 2006 N 152-FZ "On Personal Data";
2) to receive information regarding the processing of their personal data, including those containing:
- confirmation of the fact of personal data processing by the COMPANY;
- legal grounds and purposes of personal data processing;
- the purposes and methods of processing personal data used by the COMPANY;
- name and location of the COMPANY, information about persons (except for employees of the COMPANY) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the COMPANY or on the basis of federal law;
- the processed personal data related to the relevant subject of personal data, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
- terms of processing personal data, including the terms of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law "On Personal Data";
- information about the absence of cross-border data transfer;
- name or surname, first name, patronymic and address of the person who processes personal data on behalf of the COMPANY, if the processing is entrusted or will be entrusted to such a person;
- other information provided by the legislation of the Russian Federation;
3) demand from the SOCIETY to clarify its personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights;
4) to appeal against actions or inaction of the COMPANY to the authorized body for the protection of the rights of subjects of personal data or in court;
5) to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
Subjects whose personal data is processed in the COMPANY are obliged to:
- comply with the current legislation in the field of providing and processing personal data.
1.3.2. Rights and obligations of the SOCIETY employees processing personal data of personal data subjects:
The SOCIETY employees processing personal data, depending on the processing purposes specified in section 2 of this Policy, are entitled to:
- receive documents containing personal data;
- require the subject of personal data to timely clarify the provided personal data.
The SOCIETY employees who process personal data of personal data subjects are obliged to:
- process personal data received in accordance with the procedure established by the current legislation;
- consider applications of the subject of personal data (the legal representative of the subject of personal data, the authorized body for the protection of the rights of subjects of personal data) on the processing of his personal data and give reasoned answers within a period not exceeding 7 (seven) working days from the date of receipt of the request (request) ;
- provide the subject of personal data (the legal representative of the subject of personal data) with the possibility of free access to their personal data processed in the COMPANY;
- take measures to clarify, destroy the personal data of the personal data subject in connection with his (legal representative) treatment with legal and reasonable requirements;
- organize the operational and archival storage of the SOCIETY documents containing the personal data of the subjects of personal data, in accordance with the requirements of the legislation of the Russian Federation.
2. Purpose of collecting personal data
The processing of personal data by the SOCIETY is carried out for the following purposes:
- ensuring compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
- registering and providing the Users of the site with access to the site, the services provided on the site, including the storage of the User's personal registration data voluntarily specified by him during registration, exchange of information and communication between Users-patients and Users-doctors, providing Users with access to additional functionality services of the site, mailing information and other materials to Users in the areas of the SOCIETY's activities, communicating between the User, concluding contracts with Users - Doctors, transferring funds for their payment.
- assistance to candidates in employment, employees in obtaining education and career advancement, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property;
- maintaining personnel records and personal files of employees, providing employees with vacations and sending them on business trips, organizing and issuing awards and incentives for employees, organizing individual (personified) registration of employees in the mandatory pension insurance system, providing employees and their families with additional guarantees and compensations, including non-state pension provision, voluntary medical insurance, medical care and other types of social security, filling out and transferring the required reporting forms to the executive authorities and other authorized organizations;
- preparation, conclusion, execution and termination of civil contracts;
- formation of reference materials for the internal information support of the SOCIETY's activities;
3. Legal basis for the processing of personal data
The legal basis for the processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the SOCIETY processes personal data, including:
- The Constitution of the Russian Federation;
- Civil Code of the Russian Federation;
- Labor Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Federal Law of July 27, 2006 N 149-FZ "On Information, Information Technologies and Information Protection";
- the charter of the COMPANY and other local normative acts of the COMPANY;
- other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies;
- the consent of the subjects to the processing of their personal data.
4. The volume and categories of processed personal data, categories of personal data subjects
Depending on the purposes provided for in section 2 of this Policy, the SOCIETY may process personal data of the following categories of subjects:
1. Applicants for positions in the SOCIETY:
- Full Name;
- year and place of birth;
- Contact details;
- information about the profession and other personal data provided by the applicant in the resume and cover letters.
2. Employees of the COMPANY:
Full Name;
Place, year and date of birth;
Registration address;
Passport data (series, passport number, by whom and when issued);
Information on education (name of the educational Society, information on documents confirming education: name, number, date of issue, specialty);
Employment information prior to employment;
Information about work experience (place of work, position, period of work, period of work, reasons for dismissal);
Residence address (real);
Phone number (home, work, mobile);
Marital status and family composition (husband / wife, children);
Information about knowledge of foreign languages;
Admission form;
Salary;
Information about the employment contract (No. of the employment contract, the date of its conclusion, the start and end date of the contract, the type of work, the duration of the contract, the existence of a probationary period, the working regime, the duration of the main vacation, the duration of the additional vacation, the duration of the additional vacation for irregular working days employee responsibilities, additional social benefits and guarantees, number and number of changes to the employment contract, nature of work, form of payment, category of personnel, working conditions, working week, payment system);
Information on military registration (category of reserve, military rank, category of fitness for military service, information on removal from military registration);
TIN;
Employee certification data;
Data on professional development;
Data on awards, medals, incentives, honorary titles;
Information about employment, relocation, dismissal;
Vacation information;
Information about business trips;
Information about diseases;
Information about non-state pension provision.
3. Persons included in the management bodies and public formations SOCIETY, as well as in the management bodies of organizations created with the participation of the SOCIETY:
- Full Name;
- information about labor activity;
- education;
- individual taxpayer number;
- residential address;
- the photo;
- phone number;
- E-mail address.
4.) Site users - patients:
- Full Name;
- registration data entered during Registration on the site, including login, password, e-mail address;
- gender;
- age;
- - image (photograph);
- place of residence;
Anchor - health information
5.) Site users - doctors:
- Full Name;
- registration data entered during Registration on the site, including login, password, e-mail address;
- gender;
- age;
- image (photograph);
- place of residence;
- education;
- specialty;
- INN
- SNILS
- Bank details (when concluding a civil contract)
- information about labor activity
The processing in the SOCIETY of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is carried out in accordance with the legislation of the Russian Federation.
Processing of special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life is not allowed, except for the following cases:
1) the subject of personal data has given written consent to the processing of his personal data;
2) personal data is made publicly available by the subject of personal data;
2.1) processing of personal data is necessary in connection with the implementation of international agreements of the Russian Federation on readmission;
2.2) the processing of personal data is carried out in accordance with the Federal Law of January 25, 2002 N 8-ФЗ "On the All-Russian Population Census";
2.3) processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, pension legislation of the Russian Federation;
3) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of others and it is impossible to obtain the consent of the subject of personal data;
(Clause 3 as amended by Federal Law of 25.07.2011 N 261-FZ)
4) the processing of personal data is carried out for medico-prophylactic purposes, in order to establish a medical diagnosis, the provision of medical and medico-social services, provided that the processing of personal data is carried out by a person who is professionally engaged in medical activities and is obliged in accordance with the legislation of the Russian Federation to keep medical secrets ;
5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization acting in accordance with the legislation of the Russian Federation in order to achieve the legitimate goals provided for by their constituent documents, provided that personal data will not be disseminated without written consent of the subjects of personal data;
6) the processing of personal data is necessary to establish or exercise the rights of the subject of personal data or third parties, as well as in connection with the administration of justice;
7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on defense, on security, on countering terrorism, on transport security, on combating corruption, on operational search activities, on enforcement proceedings, and the penal legislation of the Russian Federation;
7.1) the processing of personal data received in cases established by the legislation of the Russian Federation is carried out by the prosecution authorities in connection with the exercise of prosecutorial supervision by them;
8) the processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, with insurance legislation;
9) the processing of personal data is carried out in the cases provided for by the legislation of the Russian Federation, by state bodies, municipal bodies or organizations for the purpose of placing children left without parental care to be raised in families of citizens;
10) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on the citizenship of the Russian Federation.
5. The procedure and conditions for the processing of personal data
The processing of personal data is carried out with the consent of the subjects of personal data, unless otherwise provided by the legislation of the Russian Federation.
The processing of personal data can be carried out using computer technology (automated processing) or with the direct participation of a person without the use of computer technology (non-automated processing).
Only those employees of the SOCIETY are allowed to process personal data, whose job responsibilities include processing personal data.
These employees have the right to receive only those personal data that they need to perform their job duties.
The processing of personal data is carried out by:
- receiving information containing personal data, orally and in writing, directly from the subjects of personal data;
- provision by subjects of personal data of the originals of the necessary documents;
- receipt of duly certified copies of documents containing personal data or copying of original documents;
- receiving personal data when sending requests to government bodies, government extra-budgetary funds, other government bodies, local government bodies, commercial and non-commercial organizations, individuals in the cases and in the manner prescribed by the legislation of the Russian Federation;
- obtaining personal data from publicly available sources;
- fixation (registration) of personal data in magazines, books, registers and other accounting forms;
- entering personal data into the information systems of the COMPANY;
- use of other means and methods of recording personal data obtained in the framework of the activities carried out by the COMPANY.
Transfer of personal data to third parties (including cross-border transfer) is allowed with the written consent of the subjects of personal data, except for cases when it is necessary in order to prevent threats to the life and health of subjects of personal data, as well as in other cases established by the legislation of the Russian Federation.
When transferring personal data to third parties in accordance with the concluded agreements, the SOCIETY ensures the mandatory fulfillment of the requirements of the legislation of the Russian Federation and the SOCIETY normative acts in the field of personal data.
The transfer of personal data to authorized executive bodies and organizations (the Ministry of Internal Affairs of the Russian Federation, the Ministry of Foreign Affairs of the Russian Federation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund of the Russian Federation and others) is carried out in accordance with the requirements of the legislation of the Russian Federation ...
The SOCIETY has the right to entrust the processing of personal data to another legal entity or individual entrepreneur with the consent of the subjects of personal data on the basis of the concluded agreement. A legal entity or an individual entrepreneur processing personal data on behalf of the COMPANY must comply with the principles and rules for processing personal data provided for by the legislation of the Russian Federation in the field of personal data.
In the event that the SOCIETY, on the basis of an agreement, transfers or entrusts the processing of personal data to another legal entity or individual entrepreneur, an essential condition of the agreement should be the obligation to provide the specified person with conditions of confidentiality and ensuring the security of personal data during their transfer or processing.
The storage of personal data in the SOCIETY is carried out in a form that makes it possible to determine the subject of personal data no longer than the purpose of their processing requires. Upon achievement of the goals of processing personal data, as well as in the event that the subject of personal data revokes consent to their processing, personal data are subject to destruction if:
- otherwise is not provided for by the contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data, by another agreement between the COMPANY and the subject of personal data;
- THE SOCIETY is not entitled to carry out processing without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
The terms of storage of personal data in the SOCIETY are determined in accordance with the legislation of the Russian Federation and the SOCIETY normative acts in the field of document flow.
The COMPANY provides separate storage and processing of data of various categories of subjects.
6. Answers to requests of subjects for access to personal data. Updating, rectification, deletion and destruction of personal data
6.1. The information specified in part 7 of Article 14 of the Federal Law "On Personal Data" is provided to the subject of personal data or his representative by the Operator when contacting or upon receiving a request from the subject of personal data or his representative.
The information is provided in an accessible form, it does not include personal data relating to other subjects of personal data, unless there are legal grounds for disclosing such personal data.
If the request (request) of the subject of personal data does not reflect all the necessary information in accordance with the requirements of the Federal Law "On Personal Data" or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him.
The request must contain the data of the main document proving the identity of the subject of personal data or his representative, information confirming the participation of the subject of personal data in relations with the SOCIETY (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information, otherwise in a way confirming the fact of processing of personal data by the COMPANY, the signature (including electronic) of the subject of personal data or his representative, registration data entered by the User during registration.
The information specified in part 7 of Article 14 of the Federal Law "On Personal Data" is provided to the subject of personal data or his representative by the Operator when contacting or upon receiving a request from the subject of personal data or his representative. The request must contain the number of the main document proving the identity of the subject of personal data or his representative, information about the date of issue of the said document and the issuing authority, information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing personal data by the Operator, the signature of the subject of personal data or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
The right of the subject of personal data to access his personal data may be limited in accordance with Part 8 of Article 14 of the Federal Law "On Personal Data", including if the subject's access to his personal data violates the rights and legitimate interests of third parties.
6.2. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant, the SOCIETY makes the necessary changes to them.
Within a period not exceeding seven working days from the date the subject of personal data or his representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing, the SOCIETY destroys such personal data.
The SOCIETY notifies the subject of personal data or his representative about the changes made and the measures taken and takes reasonable measures to notify third parties to whom the personal data of this subject was transferred.
The SOCIETY is obliged to inform the authorized body for the protection of the rights of subjects of personal data at the request of this body the necessary information within thirty days from the date of receipt of such a request.
6.3. Consent to the processing of personal data can be revoked by the subject of personal data. The application for withdrawal of consent is sent to the location of the Company or to the email address support@qapsula.com.
In the event that the subject of personal data withdraws consent to the processing of his personal data, the SOCIETY stops processing them or ensures the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if the storage of personal data is no longer required for the purposes of processing personal data. data, destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said revocation, unless otherwise provided by the contract, the party to which, the beneficiary or the guarantor under which is the subject of personal data, another agreement between the Operator and the subject of personal data, or if the SOCIETY is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law "On pers. data "or other federal laws.
If the subject of personal data withdraws consent to the processing of personal data, the SOCIETY has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in Part 2 of Article 9 of the Federal Law "On Personal Data".
7. Requirements for the protection of personal data implemented by the COMPANY
Ensuring the security of personal data during their processing in the SOCIETY is carried out in accordance with the legislation of the Russian Federation and the requirements of the authorized body of state power for the protection of the rights of subjects of personal data, the federal executive body authorized in the field of security, and the federal executive body authorized in the field of countering technical intelligence and technical protection of information.
The SOCIETY takes the necessary organizational and technical measures to protect personal data from accidental or unauthorized access, destruction, alteration, blocking of access and other unauthorized actions.
Protection measures implemented by the COMPANY when processing personal data include:
- adoption of local regulations and other documents in the field of processing and protection of personal data;
- appointment of officials responsible for ensuring the security of personal data in the divisions and information systems of the COMPANY;
- organizing training and conducting methodological work with employees who process personal data in the SOCIETY;
- creation of the necessary conditions for working with material carriers and information systems in which personal data are processed;
- organization of accounting for material carriers of personal data and information systems in which personal data are processed;
- storage of material carriers of personal data in compliance with the conditions ensuring the safety of personal data and excluding unauthorized access to them;
- separation of personal data processed without using automation tools from other information;
- ensuring the separate storage of material carriers of personal data, which contain personal data of different categories or contain personal data, the processing of which is carried out for different purposes;
- ensuring the protection of documents containing personal data on paper and other material carriers when they are transferred to third parties using postal services;
- implementation of internal control over the observance in the SOCIETY of the legislation of the Russian Federation and local regulations of the SOCIETY when processing personal data.
Ensuring the security of personal data is also achieved:
1) determination of threats to the security of personal data during their processing in personal data information systems;
2) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet the requirements for the protection of personal data, the implementation of which is ensured by the levels of personal data protection established by the Government of the Russian Federation;
3) the application of the procedure for assessing the conformity of information protection means that have passed in the prescribed manner;
4) an assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
5) taking into account the machine carriers of personal data;
6) detection of facts of unauthorized access to personal data and taking measures;
7) restoration of personal data modified or destroyed due to unauthorized access to them;
8) establishment of rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
9) control over the measures taken to ensure the security of personal data and the level of protection of information systems of personal data.
A condition for the termination of the processing of personal data may be the achievement of the goals of processing personal data, the expiration of the consent or withdrawal of the consent of the subject of personal data to the processing of his personal data, as well as the identification of illegal processing of personal data.
Upon achievement of the goals of processing personal data, as well as in the event that the subject of personal data revokes consent to their processing, personal data are subject to destruction if:
- otherwise is not provided for by the contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data;
- the operator is not entitled to carry out processing without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws;
- otherwise is not provided by another agreement between the operator and the subject of personal data.
In case of confirmation of the fact of inaccuracy of personal data or the illegality of their processing, the personal data are subject to their actualization by the operator, and the processing must be stopped, respectively.
Responsibility for violation of the requirements of the legislation of the Russian Federation and normative acts of the COMPANY in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.
When storing personal data, the operator of personal data is obliged to use databases located on the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Federal Law "On Personal Data". The personal data of the subjects are stored in electronic databases and on paper in the premises of the personnel department. For this purpose, specially equipped cabinets and safes are used.
In what is not provided for in this Policy, the current legislation in the field of processing and protecting personal data applies.
The operator is obliged to inform the subject of personal data or his representative information about the processing of personal data of such a subject at the request of the latter
Persons guilty of violating the rules governing the receipt, processing and protection of an employee's personal data are subject to disciplinary, administrative, civil or criminal liability in accordance with the current Russian legislation.
The Company reserves the right to unilaterally amend this Policy, provided that the changes do not contradict the current legislation of the Russian Federation. Changes come into force after they are posted on the Site.