Policy for the processing of personal data

  1. Area of use

    1. The policy for the processing of personal data at CJSC “VIPPORT” (hereinafter referred to as the Policy) has been developed in accordance with clause 2 of part 1 of article 18.1 of the Federal Law of the Russian Federation of July 27, 2006, No. 152-ФЗ “On Personal Data” and defines the basic principles, goals, conditions and methods of processing personal data, lists of subjects and personal data processed by CJSC VIPPORT (hereinafter referred to as the Company), functions of the Company when processing personal data, rights of subjects of personal data, as well as requirements for the protection of personal data implemented in the Company.
    2. The provisions of the Policy serve as the basis for the development of local regulations governing the processing of personal data of employees of the Company and other subjects of personal data in the Company.
    3. The Policy is the basis for the development of local regulations by the Company that determine the policy for processing personal data.
    4. The Policy was developed in order to implement the provisions of the legislation of the Russian Federation regarding the processing of personal data, as well as the requirements of regulatory and methodological documents on the protection of personal data.
  2. Terms and definitions

    The following terms and abbreviations are used in relation to the Policy:

    Personal data — any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);

    Information — information (messages, data) regardless of the form of their presentation;

    Operator — a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

    Processing of personal data — any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

    Automated processing of personal data — processing of personal data using computer technology;

    Provision of personal data — actions aimed at disclosing personal data to a certain person or a certain circle of persons;

    Disclosure of personal data — actions that make it possible to get acquainted with personal data processed by the Company;

    Access to personal data — the ability to obtain personal data and their use;

    Dissemination of personal data — actions aimed at disclosing personal data to an indefinite circle of persons;

    Blocking of personal data — temporary termination of the processing of personal data (except for cases when processing is necessary to clarify personal data);

    Publicly available personal data — personal data, in particular last name, first name, patronymic, place of work, position held, work phone number, e-mail address, which, with the written consent of the subject of personal data, are included in public sources of personal data (directories);

    Destruction of personal data — actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;

    Depersonalization of personal data — actions as a result of which it becomes impossible, without using additional information, to determine which specific subject the personal data belong to;

    Personal data information system — a set of personal data contained in databases and information technologies and technical means that ensure their processing.

  3. Principles and purposes of personal data processing

    1. The Company, being the operator of personal data, processes personal data of employees of the Company and other subjects of personal data who are not employed by the Company.
    2. The processing of personal data in the Company is carried out taking into account the need to ensure the protection of the rights and freedoms of employees of the Company and other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
      • processing of personal data is carried out in the Company on a legal and fair basis;
      • processing of personal data is limited to the achievement of specific, predetermined and legal purposes;
      • processing of personal data that is incompatible with the herein stated purposes of collecting personal data is not allowed;
      • it is not allowed to combine any databases containing personal data, the processing of which is carried out for any purposes incompatible with each other;
      • only personal data that meet the purposes of their processing hereunder are subject to processing;
      • the content and volume of processed personal data corresponds to the stated processing objectives. The redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed;
      • when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data are ensured. The Company takes the necessary care to delete and to clarify incomplete or inaccurate personal data;
      • storage of personal data is carried out in a form that allows the subject of personal data to be identified, for no longer than required by the purpose of processing personal data, if the storage period for personal data is not established by federal law or by an agreement to which the subject of personal data is a party, a beneficiary or a guarantor;
      • the processed personal data is destroyed or depersonalized upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by the federal law.
    3. Personal data is processed by the Company for the following purposes:
      • making a decision on employment;
      • ensuring compliance with the requirements of laws and other regulatory legal acts governing the visit and stay of personal data subjects in the territory of the Company’s location: organization and coordination with the responsible services of passes and permits;
      • ensuring compliance with the requirements of laws and other regulatory legal acts and exercising due diligence in the preparation and conclusion of contracts and agreements, maintaining accounting and tax accounting, making mutual settlements, maintaining and submitting statistical statements, making contributions to any funds, disclosing public information;
      • ensuring the regulation of job relations with the Company’s employees (assistance in employment, training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property, etc.);
      • implementation of the functions, powers and duties assigned to the Company by the applicable laws, contracts and agreements with third parties, including the provision of personal data to public authorities, the execution of judicial acts and acts of other bodies or officials that are compulsory for execution in accordance with the applicable laws;
      • assistance in the implementation of the legal rights of subjects of personal data in the field of personal data processing;
      • protection of life, health or other vital interests of the subject of personal data;
      • conducting investigations upon requests of the Company’s clients;
      • ensuring compliance with other provisions of the Constitution of the Russian Federation and other regulatory legal and local regulations;
      • for other legal purposes.
  4. Legal basis for the processing of personal data

    1. The grounds for the processing of personal data of subjects by the Company are:
      • Federal Law of the Russian Federation of November 30, 1994, No. 51-ФЗ “Civil Code of the Russian Federation (part one)”;
      • Federal Law of the Russian Federation of January 26, 1996, No. 14-ФЗ “Civil Code of the Russian Federation (Part Two)”;
      • Federal Law of the Russian Federation of July 31, 1998, No. 146-ФЗ “Tax Code of the Russian Federation”;
      • Federal Law of the Russian Federation of December 30, 2001, No. 197-ФЗ “Labor Code of the Russian Federation”;
      • Federal Law of the Russian Federation of July 27, 2006, No. 149-ФЗ “On Information, Information Technologies and Information Protection”;
      • Federal Law of August 7, 2001, No. 115-ФЗ “On Counteracting the Legalization (Laundering) of Criminally Obtained Incomes and the Financing of Terrorism”;
      • Federal Law No. 173-ФЗ of December 10, 2003, “On Currency Regulation and Currency Control”;
      • Federal Law of April 1, 1996, No. 27-ФЗ “On Individual (Personified) Accounting in the Compulsory Pension Insurance System”;
      • Federal Law No. 167-ФЗ of December 15, 2001, “On Compulsory Pension Insurance in the Russian Federation”;
      • Federal Law No. 173-ФЗ of December 17, 2001, “On Labor Pensions in the Russian Federation”;
      • Federal Law No. 402-ФЗ of December 06, 2011, “On Accounting”;
      • Federal Law of July 18, 2011, No. 223-ФЗ “On the Procurement of Goods, Works, Services by Certain Types of Legal Entities”;
      • Federal Law of February 09, 2007, No. 16-ФЗ “On Transport Safety”;
      • Federal Law of December 29, 2012, No. 273-ФЗ “On Education in the Russian Federation”;
      • Federal Law No. 109-ФЗ of July 18, 2006, “On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation”;
      • Federal Law of July 7, 2003, No. 126-ФЗ “On Communications”;
      • Decree of the Government of the Russian Federation of September 15, 2008, No. 687 “On Approval of the Regulation on the Specifics of Personal Data Processing Carried out Without the Use of Automation Tools”;
      • Decree of the Government of the Russian Federation of November 01, 2012, No. 1119 “On Approval of Requirements for the Protection of Personal Data when Processing Them in Personal Data Information Systems”;
      • Decree of the Government of the Russian Federation of July 06, 2008, No. 512 “On Approval of Requirements for Physical Media Containing Biometric Personal Data and Technologies for Storing Such Data Outside of Personal Data Information Systems”;
      • Decree of the Government of the Russian Federation of July 28, 2018, No. 886 “On Approval of Requirements for Ensuring Transport Security, Including Requirements for Anti-Terrorist Protection of Facilities (Territories), Taking into Account the Security Levels for Various Categories of Transport Infrastructure Facilities and Air Transport Vehicles”;
      • Decree of the Government of the Russian Federation of June 18, 1998, No. 609 “On Approval of the Rules for the Investigation of Aviation Accidents and Incidents with Civil Aircraft in the Russian Federation”;
      • Decree of the Government of the Russian Federation of January 15, 2007, No. 9 “On the Procedure for the Implementation of Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation”;
      • Order of the Ministry of Transport of the Russian Federation dated November 03, 2015, No. 325 “On Approval of Documents Related to the Certification of Transport Security Forces and to Processing of Personal Data of Certain Categories of Persons, Whose Jobs Are Directly Related to Transport Security or to Performing Any Such Work, if Their Actual Certification Is Preceded by the Processing of Personal Data”;
      • Articles of Association of the Company.
    2. The Company processes personal data that have become known to the Company in connection with the implementation of the statutory objectives and goals of the Company, and also as a result of, but not limited to:
      • entering into civil contracts;
      • entering into service contracts;
      • entering into cooperation agreements;
      • registration and/or receipt of powers of attorney (including those on behalf of the Company);
      • receiving any other documents from clients and contractors of the Company, necessary for the Company for entering into agreements with such persons;
      • receipt by the Company of any written requests, inquiries, applications, complaints and petitions, including those in electronic form;
      • correspondence by e-mail;
      • receipt by the Company of documents of visitors when they visit the premises of the Company;
      • any other actions stipulated by the applicable laws of the Russian Federation or the internal policies of the Company.
  5. List of subjects, whose personal data are processed in the Company

    • The Company, represented by the General Director, or head of the Company duly authorized under the applicable order, when processing personal data:
    • Passengers of the flights operated by the Company.
    • Members of the crews of flights served by the Company.
    • Representatives, employees, relatives of customers and contractors of the Company – individuals acting on the basis of powers of attorney.
    • Employees, dismissed employees, founders of the Company, other individuals who are in employment and civil law relations with the Company, relatives of employees, founders, relatives of dismissed employees of the Company.
    • Individuals acting under power of attorney on behalf of, at the expense and in the interests of clients and counterparties of the Company.
    • Job applicants for vacant positions in the Company, relatives of job applicants for such vacant positions.
    • Other subjects of personal data.
  6. List of personal data processed by the Company

    1. In accordance with the Decree of the Government of the Russian Federation of November 01, 2012, No. 1119 “On Approval of Requirements for the Protection of Personal Data During their Processing in Personal Data Information Systems”, the following categories of personal data are processed in the Company:
      • other categories of personal data – personal data not classified as: special, biometric and publicly available personal data;
      • special categories of personal data – personal data related to health.
    2. The Company processes the following categories of personal data without using automation tools:
      • other categories of personal data – personal data not classified as: special, biometric and publicly available personal data;
      • special categories of personal data – health conditions.
    3. The Company processes cookie data for statistical analysis of the use of services and ensuring their performance, both in general and in their individual functions.
    4. A complete list of personal data and categories of personal data subjects is specified in the Company’s Regulations on the processing of personal data at VIPPORT CJSC.