Privacy Policy

CSC-IT Personal Data Processing and Protection Policy

744466754-IT-001-2021[1]


[1] This Policy will be available on the public website of CSC-IT LLC.


Functional area: IT. Information Security.


Description: This Personal Data Processing and Protection Policy (the “Policy”) of CSC Information Technologies Limited Liability Company (“CSC-IT”) is the foundational document setting out the legal basis on which CSC-IT processes and protects personal data (“personal data”). This Policy sets out the legal basis, principles, and purposes for processing personal data, information regarding the steps taken to protect personal data, and information about the data subject rights.


Scope of application: The provisions of this Policy are binding upon all CSC-IT employees processing personal data.


1. REGULATORY REFERENCES

1.1. In this Policy, the following laws and regulations are referenced:

1.1.1. the Labour Code of the Russian Federation of 30 December 2001 No. 197-FZ;

1.1.2. the Federal Law On the Personal Data of 27 July 2006 No. 152-FZ;

1.1.3. the Resolution of the Government of the Russian Federation of 15 September 2008 No. 687 On the Approval of the Regulation on the Special Aspects of Personal Data Processing Without the Use of Automation Tools;

1.1.4. the Resolution of the Government of the Russian Federation of 1 November 2012 No. 1119 On the Approval of Requirements for the Protection of Personal Data in the Case of Processing in Personal Data Information Systems;

1.1.5. the Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) of 15 March 2013 No. 274 On the Approval of the List of Foreign States Not Being Parties to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and Ensuring Adequate Protection of the Data Subject Rights;

1.1.6. the General Data Protection Regulation of 27 April 2016.


2. PURPOSES OF THE PROCESSING OF PERSONAL DATA

CSC-IT processes personal data for the following purposes:

- labour relationship as set out in the employment agreement and the Labour Code of the Russian Federation (the “Russian Federation”) (Clause 1.1.1. hereof);

- contractual arrangements under agreements made with contractors and as part of preparations to enter into and perform agreements;

- social programmes relating to current and former employees and other persons, including veterans, in order to secure their benefits;

- staff training programmes in partnership with educational establishments, including training programmes relating to employees of the company and other persons;

- access to the CSC-IT grounds;

- military registration and exemption of reservists of the Russian Armed Forces from active duty during mobilisation and in times of war;

- cooperation with government bodies and local authorities;

- communications with employees, suppliers, and buyers of CSC-IT and client companies;

- raising awareness of employees of the CSC-IT corporate life;

- assisting employees in organising internal communications;

- ensuring that employees and contractors have access to the IT infrastructure of CSC-IT and client companies;

- employment assistance;

- other activities allowed by the legislation of the Russian Federation subject to mandatory compliance with the Russian and EU statutory requirements for the processing and protection of personal data.


3. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA

3.1. The content and scope of processed personal data is compatible with the purposes for processing of such data. No processing of personal data in excess of what is necessary in relation to the purposes for which such data is processed shall be allowed.

3.2. The CSC-IT information systems can process personal data of over 100,000 data subjects.

3.3. The CSC-IT information systems process personal data of the following data subject categories:

- CSC-IT employees;

- employees of client companies located in the Russian Federation;

- relatives of CSC-IT employees;

- relatives of employees of client companies located in the Russian Federation;

- CSC-IT job applicants;

- representatives of contractors located in the Russian Federation;

- contractors located in the Russian Federation;

- former CSC-IT employees;

- former employees of client companies located in the Russian Federation;

- students, interns undertaking internships at CSC-IT or client companies;

- persons receiving training at client companies under an apprenticeship agreement;

- visitors.

3.4. As part of its efforts to process personal data, CSC-IT collects, records, arranges, accumulates, stores, refines (updates, changes), uses, transfers (disseminates, provides, makes available to the limited audience in accordance with the legislation of the Russian Federation), anonymises, blocks, deletes, destroys personal data with and without the use of automation tools.


4. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

For data processing procedures to operate efficiently, CSC-IT shall apply and observe the following fundamental principles:

- lawfulness – personal data shall be processed lawfully;

- fairness and transparency – personal data shall be processed fairly and in a transparent manner in relation to the data subject;

- purpose limitation – personal data shall be processed for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. No further processing of personal data in a manner that is incompatible with the purposes for which it is collected shall be allowed. No databases containing personal data which is processed for incompatible purposes may be merged. Only personal data which is compatible with the purposes of its processing may be processed;

- data minimisation – personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. No processing of personal data in excess of what is necessary in relation to the purposes for which such data is processed shall be allowed;

- accuracy – CSC-IT takes every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

- storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, unless a retention period is established by federal law or a contract to which the data subject is party, beneficiary or guarantor. Processed personal data must be destroyed or anonymised once the purposes for which it is processed have been achieved or there is no further need to achieve such purposes, unless otherwise provided by federal law;

- integrity and confidentiality – personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;

- continuous knowledge advancement of CSC-IT employees in protection of personal data during its processing;

- commitment to continuous improvement of the integrated information security system designed among other things to safeguard personal data.


5. BASIS FOR PROCESSING OF PERSONAL DATA

CSC-IT processes personal data only if and to the extent that at least one of the following applies:

- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

- processing is necessary to achieve the purposes stipulated by the international treaty of the Russian Federation or law, to perform and fulfil the functions, powers and duties imposed on the Controller by the legislation of the Russian Federation;

- processing is necessary for the performance of a contract to which the data subject is party, beneficiary or guarantor or in order to take steps at the request of the data subject prior to entering into a contract;

- processing is necessary for compliance with the Union law or Member State law to which the Controller is subject;

- processing is necessary in order to protect life, health or other vital interests of the data subject, where the data subject is physically or legally incapable of giving consent;

- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject;

- processing is necessary for the execution of a court order, an order of a different authority or public official subject to execution in accordance with the enforcement legislation of the Russian Federation;

- personal data made public by the data subject or at his or her request (personal data made available by the data subject) is processed;

- personal data subject to publication or mandatory disclosure as required by federal law is processed.


6. MEANS OF PROCESSING OF PERSONAL DATA

6.1. CSC-IT processes personal data whether or not by automated means.

6.1.1. The processing of personal data in information systems by automated means is carried out in accordance with requirements of the Resolution of the Government of the Russian Federation No. 1119 (Clause 1.1.4. hereof).

6.1.2. The processing of personal data other than by automated means (the “manual processing”) may be carried out in the form of electronic and hard copy documents (files, databases) on electronic media.

6.1.3. The manual processing of personal data is carried out in accordance with requirements of the Resolution of the Government of the Russian Federation No. 687 (Clause 1.1.3. hereof).

6.2. The processing of personal data shall be subject to data confidentiality.

6.3. Personal data may be accessed as set out by the CSC-IT internal policies and procedures. Access to personal data shall be granted only to employees who need personal data for the performance of their employment duties.

6.4. CSC-IT does not take any decisions which produce legal effects concerning the data subjects or otherwise affect their rights and legitimate interests based solely on automated processing of their personal data.

6.5. CSC-IT may entrust a third party (a processor) with processing of personal data with the data subject’s consent, unless otherwise provided by federal law, based on a contract to be entered into with this person.


7. CROSS-BORDER TRANSFER

7.1. CSC-IT carries out the cross-border transfer of personal data (transfer of personal data to a foreign state, a foreign government body, a foreign natural person or a foreign legal entity). Such transfer may be carried out only subject to one of the following conditions:

- the data subject has given written consent to the cross-border transfer of his or her personal data;

- the cross-border transfer is carried out in pursuance of a contract to which the data subject is party;

- the cross-border transfer is carried out to foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data or to other foreign states ensuring adequate protection of the data subject rights according to the Roskomnadzor Order No. 274 (Clause 1.1.5. hereof).

7.2. In the case of the cross-border transfer of personal data relating to nationals of the European Union, the Controller shall comply with the cross-border transfer requirements set forth in the General Data Protection Regulation (“GDPR”) (Clause 1.1.6. hereof).

7.3. The cross-border transfer of personal data may be carried out to foreign states not ensuring adequate protection of the data subject rights where:

- the data subject has given written consent to the cross-border transfer of his or her personal data;

- the transfer is necessary for the performance of a contract to which the data subject is party.


8. CONDITIONS FOR TERMINATION OF PROCESSING OF PERSONAL DATA

CSC-IT terminates the processing of personal data under the following conditions:

- once the purposes for which personal data is processed have been achieved or there is no further need to achieve such purposes;

- upon receipt of the data subject request, provided that such request is consistent with the statutory requirements of the Russian Federation;

- upon withdrawal of the data subject consent to the processing of his or her personal data (if such withdrawal of consent gives rise to destruction of personal data);

- upon receipt of the order of the privacy authority.


9. SPECIAL CATEGORIES OF PERSONAL DATA

9.1. Processing by the Controller of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or data concerning health or sex life shall be allowed if one of the following applies:

- the data subject has given written consent to the processing of his or her personal data;

- personal data is manifestly made public by the data subject;

- processing is carried out in accordance with the legislation of the Russian Federation on state social assistance, labour, state pension provision and labour pensions;

- processing is necessary in order to protect life, health or other vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

- processing is carried out for the purposes of preventive medicine, medical diagnosis, the provision of health or social care or treatment, provided that personal data is processed by or under the responsibility of a health professional subject to the obligation of professional secrecy by the legislation of the Russian Federation;

- processing is necessary for the establishment or exercise of rights of the data subject or third parties and the delivery of justice;

- processing is carried out in accordance with the legislation on compulsory insurance and other insurance legislation;

- processing is carried out for the performance of obligations under voluntary personal insurance agreements (VHI, accidents and diseases).

9.2. Processing of special categories of personal data must be terminated without delay, if the reasons for which personal data has been processed are no longer in force, unless otherwise provided by federal law.

9.3. Criminal records may be processed by the Controller solely when and as required by federal laws.


10. PUBLIC SOURCES OF PERSONAL DATA

10.1. For the purposes of information support, the Controller may create publicly available sources of personal data of data subjects, including directories and address books. The data subject may give written consent for publicly available sources of personal data to include his or her full name, date and place of birth, job title, contact numbers, email and other personal data communicated by the data subject.

10.2. Information about the data subject must at any time be removed from publicly available sources of personal data upon request of the data subject or by court order or by the decision of other government bodies.


11. ORGANISATION OF PERSONAL DATA PROTECTION

11.1. The Controller and other persons having access to personal data shall neither disclose to third parties, nor disseminate personal data without the data subject’s consent, unless otherwise provided by federal law.

11.2. The Controller may entrust another person with processing of personal data with the data subject’s consent, unless otherwise provided by federal law, based on a contract to be entered into with this person. The person commissioned by the Controller to process personal data shall comply with the principles and rules for the processing of personal data set forth by the Federal Law No. 152-FZ (Clause 1.1.2. hereof).

11.3. CSC-IT ensures comprehensive protection of personal data in reliance on:

- the Russian and international personal data protection laws;

- the nature, context and purposes of processing of personal data;

- privacy by default – CSC-IT shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed;

- procedures and scale of the processing of personal data;

- economic evaluation of the implementation of personal data protection means and methods;

- assessment of the risks of likelihood and severity of the potential impact for the data subjects (risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed);

- privacy by design – taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, CSC-IT shall, at the time of the determination of the means for processing, implement appropriate technical and organisational measures which are designed to implement data-protection principles.

11.4. While processing personal data, CSC-IT shall implement all appropriate legal, technical and organisational measures to protect such data against unauthorised or accidental access, destruction, alteration, blocking, copying, provision, dissemination of personal data or other unlawful actions in relation to personal data.

11.5. The protection of personal data is ensured, inter alia, by the following technical and organisational measures:

- limiting the number of persons having access to personal data;

- ensuring confidentiality, integrity, availability and stability of data processing systems;

- recovering personal data modified or destroyed by unauthorised access;

- controlling user access to websites and to the software and hardware used for processing information, by establishing rules of access to personal data processed in the information system and ensuring that all operations on personal data in the information system are registered and logged;

- identifying unauthorised access to personal data and taking appropriate protection measures;

- identifying personal data security threats during its processing in information systems;

- adopting internal policies and procedures and other documents governing the processing and protection of personal data;

- registering machine-readable media of personal data;

- assessing efficiency of measures taken to ensure security of personal data prior to the launch of the information system;

- designating the data protection officer;

- conducting regular tests, assessing efficiency of appropriate technical or organisational measures to ensure security of personal data;

- exercising internal control and/or compliance audit of the processing of personal data subject to the Russian and European Union personal data processing and protection laws;

- familiarising employees directly engaged in the processing of personal data with the Russian and European Union personal data laws, including personal data protection requirements, documents defining the personal data processing policy, and internal personal data processing policies and procedures;

- using anti-virus software and systems for the recovery of personal data;

- using, where necessary, firewalls, intrusion detection, security analysis and data encryption tools;

- organising security clearance on the Controller’s grounds and protection of premises with technical means of personal data processing.


12. DATA SUBJECT RIGHTS

12.1. The data subject confirms his or her consent to the data processing by taking a specific action that explicitly indicates that the data subject, in the said context, gives consent to the expected processing of his or her personal data.

12.2. The data subject decides to provide his or her personal data and gives consent to its processing of his or her own free will and for his or her own benefit. Consent to the processing of personal data may be granted by the data subject or his or her representative in any form that allows the fact of its receipt to be verified, unless otherwise provided by federal law.

12.3. The data subject may demand that CSC-IT update, block or destroy his or her personal data, if such personal data is incomplete, outdated, inaccurate, obtained unlawfully or is not necessary for the purpose of processing for which it is collected and take steps to protect his or her rights as may be allowed by law.

12.4. The data subject’s right of access to his or her personal data may be restricted in accordance with federal laws of the Russian Federation, including where the data subject’s access to his or her personal data would violate the rights and legitimate interests of third parties.

12.5. The data subject may file a complaint against CSC-IT actions or omission as the Controller with the privacy authority or a court of law.

12.6. The data subject is entitled to protection of his or her rights and legitimate interests, including indemnification and/or emotional damages in a court of law.

12.7. In accordance with the legislation of the Russian Federation, the data subject has the right to receive information about the processing of his or her personal data, including information containing:

- confirmation of the processing of personal data;

- legal basis and purposes for the processing of personal data;

- purposes and means of processing of personal data employed by CSC-IT;

- the Controller name and location, information about persons (other than employees of the Controller), who have access to personal data and/or to whom personal data may be disclosed under a contract with CSC-IT and/or on the basis of the legislation of the Russian Federation;

- processed personal data in relation to the respective data subject, its source, unless a different procedure for provision of such data is stipulated by federal law;

- terms for the processing of personal data, including its storage and retention periods;

- exercise by the data subject of the rights provided by the legislation of the Russian Federation;

- information about the accomplished or expected cross-border transfer;

- company name or full name and address of an entity or a person, who processed personal data on behalf of CSC-IT, if the processing is or will be entrusted to such entity or person.

12.8. Information is provided to the data subject or his or her representative by CSC-IT legal representatives upon receipt of the written request from the data subject or his or her representative.

12.9. Should the processing of personal data fall under the GDPR, the data subject, apart from the above, has the following rights:

- restriction of processing – the data subject shall have the right to obtain from the controller restriction of processing in relation to all or part of his or her personal data (subject to the conditions defined in GDPR);

- data portability – the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to CSC-IT, in a structured, commonly used and machine-readable format and shall have the right to direct CSC-IT to transmit such data to a third party where technically feasible. In that case, CSC-IT shall not be responsible for further third-party actions with the personal data;

- right to object – the data subject shall have the right to object to processing of all or part of his or her personal data for the purposes specified when the data subject provided his or her personal data to CSC-IT, except where legitimate grounds for the processing override the interests, rights and freedoms of the data subject or the processing is for the establishment, exercise or defence of legal claims.

12.10. The data subject may approach CSC-IT to exercise and protect his or her rights and legitimate interests.

12.11. The Controller may not take any decisions which produce legal effects concerning the data subject or otherwise affect his or her rights and legitimate interests based solely on automated processing, except as otherwise provided by federal laws or with the written consent of the data subject.

12.12. Where the data subject believes that the Controller processes his or her personal data in violation of the Federal Law No. 152-FZ (Clause 1.1.2. hereof) or otherwise infringes his or her rights and freedoms, the data subject may file a complaint against the Controller’s actions or omission with the privacy authority or a court of law.

12.13. The data subject is entitled to protection of his or her rights and legitimate interests, including indemnification and/or emotional damages in a court of law.


13. DATA PROTECTION OFFICER

The data protection officer is appointed from among CSC-IT division managers. The data protection officer shall be designated on the basis of his or her powers, expertise and personal qualities, which must allow him or her to exercise the rights and perform the obligations of the data protection officer fully and appropriately.


14. DOCUMENTS AND RECORDS STORAGE REQUIREMENTS

Any and all documents and records are stored in accordance with the CSC-IT internal policies and procedures. Also, this Policy shall be available on the official website of CSC-IT LLC or any other public website.


15. RESPONSIBILITY

15.1. Any and all persons failing to observe provisions governing the processing and protection of personal data shall be subject to disciplinary action and bear financial and administrative responsibility in accordance with the laws in force from time to time and internal policies and procedures.

15.2. The General Director shall be responsible for ensuring compliance with requirements set forth herein.