1. Purpose
1.1. This Personal Data Policy (hereinafter, the "Policy") has been developed in accordance with Federal Law No. 152-FZ of July 27, 2006, "On Personal Data" (hereinafter, "FZ-152"), its implementing regulations and Roskomnadzor's recommendations on drafting a document defining the Controller's policy on personal data processing, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, the "GDPR").
1.2. This Policy shall define the general purposes and principles of personal data processing and the measures taken to ensure the security of personal data in JSC BIOCAD, in order to protect the rights and freedoms of individuals and citizens when their personal data is processed, and shall set out the intents and obligations officially declared by the management of JSC BIOCAD in this area.
1.3. This Policy shall be effective for three (3) years and may be revised when reaching this deadline or earlier in case of changes in the applicable law in the area of personal data protection and processing.
2. Scope
2.1. This Policy shall apply to all employees of JSC BIOCAD regardless of their position, including full-time and part-time employees, from the time this Policy comes into effect. Other local regulations on the protection of personal data in JSC BIOCAD shall not contradict this Policy.
3. Terms and Definitions
3.1. Automated processing of personal data – shall mean personal data processing by means of computers.
3.2. Blocking of personal data – shall mean temporary suspension of personal data processing (except where such processing is necessary to clarify the personal data).
3.3. Pseudonymization of personal data – shall mean actions that make it impossible to determine, without the use of additional information, whether personal data relates to a specific data subject.
3.4. Personal data processing – shall mean any action (operation) or set of actions (operations) on personal data performed with or without the use of automation tools. Personal data processing shall include the following:
- collecting;
- recording;
- systematizing;
- accumulating;
- retaining;
- clarifying (updating, modifying);
- retrieving;
- using;
- transmitting (disseminating, providing, accessing);
- pseudonymizing;
- blocking;
- erasing;
- destroying personal data.
3.5. Controller – shall mean Joint-Stock Company BIOCAD (JSC BIOCAD).
3.6. Personal data – shall mean any information relating directly or indirectly to an identified or identifiable natural person (data subject).
3.7. Identified (or identifiable) person – shall mean a person who can be identified directly or indirectly, such as by name, passport details, telephone number, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
3.8. Provision of personal data – shall mean actions aimed at disclosing personal data to a certain person or a certain range of persons.
3.9. Dissemination of personal data – shall mean actions aimed at disclosing personal data to an unlimited range of parties (personal data transmission).
3.10. Cross-border transfer of personal data – shall mean transmission of personal data to the territory of a foreign state, to an authority of a foreign state, a foreign natural person or a foreign legal entity.
3.11. Destruction of personal data – shall mean actions that make it impossible to restore the content of personal data in a personal data information system and/or that result in the destruction of physical media containing personal data.
3.12. Personal data information system – shall mean the set of personal data contained in databases, together with the information technologies and technical tools that ensure its processing.
4. Liability / Process Owner
4.1. Employees of the Controller who are found to have violated the requirements of this Policy may be held liable, including financially liable, for material damage caused to the Controller where the Controller is brought to administrative or criminal liability in the form of a fine, or where the Controller compensates material and/or non-material damage caused by the misconduct of such employees.
4.2. The compliance with the requirements of this Policy shall be monitored by the Information Security Department.
5. Main Provisions
5.1. Principles and terms of personal data processing
5.1.1. At the Controller, the personal data processing shall be based on the following principles:
5.1.1.1. Ensuring legitimacy, fairness and transparency.
5.1.1.2. Restricting personal data processing to achieving specific, pre-defined and legitimate purposes.
5.1.1.3. Preventing personal data processing incompatible with the purposes of personal data collection.
5.1.1.4. Preventing the integration of databases that contain personal data which is being processed for incompatible purposes.
5.1.1.5. Processing only personal data that meets the purposes of its processing.
5.1.1.6. Ensuring the conformity of the content and volume of processed personal data with the stated purposes of processing.
5.1.1.7. Preventing the personal data processing that is excessive in relation to the stated purposes of its processing.
5.1.1.8. Ensuring the accuracy, adequacy and relevance of personal data in relation to the purposes of personal data processing.
5.1.1.9. Destroying or pseudonymizing personal data when the purposes of its processing have been achieved, when it is no longer necessary to achieve those purposes, or when the Controller is unable to remedy a breach committed in the course of processing, unless otherwise provided by federal law and/or the GDPR.
5.1.1.10. Ensuring that personal data is processed in a manner that provides appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through appropriate technical and organizational measures.
5.1.2. Terms of personal data processing:
5.1.2.1. The categories of data subjects, list of processed personal data, and purposes and legal grounds for its processing shall be defined in the Regulation on Personal Data Processing of the Controller.
5.1.2.2. In the absence of other legal grounds for personal data processing, the Controller shall obtain the explicit consent of data subjects to the processing of their personal data at the time of collection. If the Controller intends to process personal data for a purpose incompatible with the initial purpose of processing, the Controller must obtain a separate consent from the data subjects for the intended purpose. If the Controller receives personal data from a source other than the data subject, the Controller shall notify the data subject of such processing.
5.1.3. Confidentiality of personal data
5.1.3.1. The Controller and other parties with access to personal data shall not disclose or disseminate personal data to third parties without the consent of the data subject, unless otherwise required by federal law and/or the GDPR.
5.1.4. Assigning personal data processing to another party
5.1.4.1. The Controller may assign the processing of personal data to other parties with the consent of the data subject, unless otherwise stipulated by federal law and/or the GDPR, under the agreements to be concluded with such parties. A party processing personal data on behalf of the Controller shall comply with the principles and rules of personal data processing stipulated by FZ-152, GDPR, and this Policy.
5.1.5. Cross-border transfer of personal data
5.1.5.1. In the course of its activities, the Controller may carry out cross-border transfers of personal data to the territory of foreign states, to authorities of a foreign state, foreign natural persons or foreign legal entities. Prior to such a transfer, the Controller must ensure that the foreign state to whose territory the personal data is to be transferred provides adequate protection of the rights of data subjects.
5.1.5.2. Cross-border transfer of personal data to the territories of foreign states, which fail to ensure adequate protection of the data subject rights, may be carried out only in cases of written consent from the data subject for such cross-border transfer of his/her personal data or for the performance of an agreement to which the data subject is a party, as well as in other cases stipulated by applicable law in the area of personal data processing and security.
5.1.5.3. For personal data processing covered by the GDPR, the cross-border transfer of personal data to the territories of foreign states that fail to ensure adequate protection of the data subject rights may be carried out in cases stipulated by the GDPR.
5.2. The data subject shall have the right to:
5.2.1. Protect his/her rights and legitimate interests, including by claiming reimbursement of losses and/or compensation for non-material damage.
5.2.2. Receive notifications from the Controller about the obligation to provide reliable personal data, as well as on the potential implications of providing unreliable data.
5.2.3. Exercise his/her rights as a data subject either independently or through a representative. In the latter case, the Controller shall retain the right to request that the representative provide information necessary to confirm the legitimacy of the request (e.g., a power of attorney, a decision of a court or guardianship authority, etc.).
5.3. In relation to the Controller, the data subject shall have the right to:
5.3.1. Receive information about the Controller, including the Controller's location, availability of personal data relating to the data subject and held by the Controller, and review such personal data, as well as other information in accordance with Articles 12-14 of the GDPR.
5.3.2. Request the Controller to clarify his/her personal data, restrict its processing, block or destroy it if his/her personal data is incomplete, outdated, unreliable, illegally obtained or unnecessary for the Controller's stated purpose of processing.
5.3.3. Take measures provided by law to protect his/her rights.
5.3.4. Withdraw consent to the personal data processing, with subsequent destruction (erasure) of personal data.
5.3.5. File a complaint with supervisory authorities in the event of a breach of applicable laws in the area of personal data processing and security.
5.3.6. If the processing of the data subject's personal data falls within the scope of the GDPR (Article 3 of the GDPR), the Controller shall ensure compliance with the following rights under the GDPR:
5.3.6.1. Right to withdraw consent to the personal data processing with subsequent destruction of personal data (Article 7 of the GDPR).
5.3.6.2. Right to obtain information relating to the personal data processed (Articles 12-14 of the GDPR).
5.3.6.3. Right to obtain a copy of processed personal data (Article 15 of the GDPR).
5.3.6.4. Right to rectify personal data if it is incomplete or incorrect (Article 16 of the GDPR).
5.3.6.5. Right to erase personal data (Article 17 of the GDPR).
5.3.6.6. Right to restrict personal data processing (Article 18 of the GDPR).
5.3.6.7. Right to receive the personal data he/she has provided to the Controller in a structured, commonly used and machine-readable format and to transmit that data to another controller (Article 20 of the GDPR).
5.3.6.8. Right to object against personal data processing (Article 21 of the GDPR).
5.3.6.9. Right to be informed of a personal data breach that is likely to result in a high risk to his/her rights and freedoms (Article 34 of the GDPR).
5.3.6.10. Right to lodge a complaint with a supervisory authority, if the rights of data subject were violated (Article 77 of the GDPR).
5.3.6.11. Right for compensation of material or non-material damage (Article 82 of the GDPR).
5.4. Ensuring personal data security
5.4.1. The security of personal data processed by Controller shall be ensured by implementing the legal, organizational and technical measures necessary to meet the requirements of federal laws in the area of personal data protection, as well as those of the GDPR.
5.4.2. The following organizational and technical measures shall be applied by the Controller to prevent unauthorized access to the personal data:
5.4.2.1. Designating officials responsible for organizing the processing and ensuring the security of personal data.
5.4.2.2. Restricting the range of parties authorized to process personal data.
5.4.2.3. Familiarizing employees with the requirements of federal laws and regulations for processing and protecting personal data.
5.4.2.4. Organizing the record-keeping, storage and circulation of media containing information with personal data.
5.4.2.5. Identifying threats to the security of personal data during its processing and building threat models based on such threats.
5.4.2.6. Developing a personal data protection system based on a threat model.
5.4.2.7. Developing local regulations in the area of personal data protection.
5.4.2.8. Implementing internal controls over the compliance of personal data processing with applicable laws in the area of personal data processing and security.
5.4.2.9. Maintaining and keeping up-to-date the Record of Processing Activities (RoPA).
5.4.2.10. Monitoring and tracking the deadlines for processing communications and requests for exercising the data subject rights.
5.4.2.11. Performing Data Protection Impact Assessment (DPIA) for processes that pose high risks to the rights and freedoms of data subjects due to their characteristics (nature, volume, and type of data) and taking necessary measures with respect to such processes.
5.4.2.12. Using the Privacy by Design and Privacy by Default principles when designing systems or introducing changes that affect personal data processing.
5.4.2.13. Taking measures to ensure the security of personal data processing by third parties with access to personal data (by concluding special agreements and issuing orders for such processing).
5.4.2.14. Tracking security incidents (if any) and their effects, investigating them, and, where required, notifying the supervisory authority within 72 hours of becoming aware of a personal data breach and notifying the affected data subjects without undue delay.
5.4.2.15. Conducting regular audits of processes related to personal data processing.
5.4.2.16. Taking other measures stipulated by the Controller's local regulations.
5.5. Rights and obligations of the Controller in personal data processing
5.5.1. The Controller may:
5.5.1.1. Assign the personal data processing to other parties with the consent of the data subject, on the basis of agreements concluded with such parties.
5.5.1.2. Define the purposes, grounds and list of personal data to be processed.
5.5.1.3. Monitor the legitimacy of personal data processing to avoid risks associated with administrative liability for violations of procedures for personal data processing.
5.5.2. The Controller shall:
5.5.2.1. When collecting personal data, provide the data subject, at his/her request, with information relating to the processing of his/her personal data.
5.5.2.2. Ensure the accuracy of personal data, its adequacy and, where necessary, its relevance in relation to the purposes of personal data processing.
5.5.2.3. Where access to a data subject's personal data is to be provided to an unlimited range of parties, obtain the data subject's separate consent to the processing of personal data permitted by the data subject for dissemination.
5.5.2.4. Take necessary measures or ensure the adoption of measures to erase or clarify incomplete or inaccurate data.
5.5.2.5. Avoid disclosing or disseminating personal data to third parties without the consent of the data subject, unless otherwise required by law.
5.5.2.6. At the request of the data subject, immediately terminate processing his/her personal data, if there are no legitimate grounds for continuing personal data processing without the consent of the data subject.
5.5.2.7. Explain to the data subject the procedure for adopting a decision based solely on the automated processing of his/her personal data and the potential legal implications of such decision, provide an opportunity to object to such decision, as well as explain the procedure that can be used by the data subject to protect his/her rights and legitimate interests.
5.5.2.8. Ensure that the personal data of citizens of the Russian Federation is recorded, systematized, accumulated, retained, clarified (updated, modified), and retrieved using databases located within the Russian Federation.
5.5.2.9. Take the necessary legal, organizational and technical measures or ensure the adoption of such measures to protect personal data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as against other illegal actions with regard to personal data.
5.5.2.10. Provide the data subject or his/her representative with an opportunity to review, free of charge, the personal data relating to the data subject.
5.5.2.11. Terminate processing personal data or ensure that it is stopped being processed when the purpose of personal data processing is achieved.
5.5.2.12. Perform other duties as required by federal laws and other regulations governing the processing and protection of personal data.
5.5.3. The employees of the Controller involved in processing the personal data of data subjects shall:
5.5.3.1. Process the personal data of data subjects only as part of their job duties.
5.5.3.2. Avoid disclosing the personal data of data subjects obtained as a result of their job duties, as well as the personal data of data subjects that has become known to them in the course of their work.
5.5.3.3. Prevent actions of third parties that could lead to the disclosure, destruction or distortion of the personal data of data subjects.
5.5.3.4. Identify the facts of disclosure, destruction, distortion of the personal data of data subjects and inform the Information Security Department of the Controller.
5.5.3.5. The Controller shall designate a Data Protection Officer (DPO).
6. Information about DPO:
6.1. The Controller designated VeraSafe as its Data Protection Officer (DPO) responsible for processing the personal data of patients within the European Union.
Contact details of the DPO:
Address: Klimentská 46, Prague 1, 11002, Czech Republic
Telephone: +420 228 881 031, +1 617 398 7067
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/