Рersonal Data Processing Policy of TCH, JSC in Personal Data Information Systems of TCH, JSC
1 General provisions
1.1 "TCH" Joint Stock Company (hereinafter referred to as JSC TCH, the Company), within the framework of its activities, carries out the processing of personal data and acts as an operator of personal data with the respective rights and obligations established by Federal Law “On Personal Data” No.152-FZ of 27.07.2006 and other regulatory legal acts of the Russian Federation.
1.2 The TCH’s policy on personal data processing (hereinafter referred to as the Policy) is developed in accordance with the requirements of Federal Law “On Personal Data” No.152-FZ of 27.07.2006 and establishes the main principles of the processing and protection of personal data in the Company.
1.3 The present Policy is applicable to all processes of personal data processing in the Company and to all employees of the Company who participate in those processes.
1.4 This Policy is published on the Company’s official website on the Internet .
1.5 The terms and definitions used in this Policy are listed in Table 1.
Table 1 - Terms and definitions
Automated personal data processing
| Processing of personal data means of computer technology |
| Personal data blocking | Temporary termination of the processing of personal data (except for the cases when processing is needed to rectify personal data) |
| Access to personal data | The possibility to obtain personal data and to use them |
| Personal Data Information System | The totality of personal data contained in databases, together with information technologies and tools that enable their processing. |
| Depersonalization of personal data | The action of making it impossible to establish a connection between personal data and a specific data subject without using additional information. |
| Processing of personal data | Any action (operation) or a combination of actions (operations) performed on personal data (by using automated tools or without such tools) including collecting, recording, systematizing, accumulating, storing, rectifying (updating and altering), retrieving, using, transmitting (disseminating, providing, accessing), depersonalizing, blocking, deleting and destroying personal data |
| Publicly available personal data | The personal data the access to which is provided to an indefinite circle of persons by the data subject |
| Operator | A governmental body, a municipal body, a legal entity or a natural person who on their own or jointly with other persons organize and (or) carry out the processing of personal data, as well as define the goals of personal data processing, the extent of personal data subject to processing, the actions (operations) with respect to personal data. |
| Personal data | Any information that directly or indirectly relates to an identified or identifiable living individual (the subject of personal data) |
| Provision of personal data | Actions aimed at the obtaining of personal data by a certain circle of persons or the transfer of personal data to a certain circle of persons |
| Dissemination of personal data | Actions aimed at disclosing personal data to an indefinite circle of persons |
| Internet Site | The combination of programs for computers and other information contained in the information system, the access to which is enabled through the Internet Information and Telecommunication Network (the Internet) using domain names and (or) network addresses that allow to identify sites on the Internet |
| Cross-border transfer of personal data | The transfer of personal data to the territory of foreign countries to the governmental bodies of foreign countries, foreign natural persons or foreign legal entities |
| Destruction of personal data | The activities as a result of which the content of personal data cannot be restored in Personal Data Information Systems and (or) as a result of which the material carriers of personal data are destroyed
|
2 Rules and principles for personal data processing
2.1 The processing of personal data is carried out by the Company in a lawful and fair manner and is limited by the achievement of the specific, predetermined and legitimate purposes. It is not allowed for the Company to process personal data for the purposes incompatible with the purposes for which they were collected, and it is not permitted to merge databases containing personal data that are processed for the purposes that are incompatible with each other.
2.2 Only personal data which are necessary for each specific purpose of processing are processed. The content and scope of personal data processed by the Company should not be excessive or irrelevant to the declared purposes of processing.
2.3 The Company ensures that the personal data it is processing are correct, sufficient, and, where necessary, have a rational link to the purposes of processing. The Company takes necessary measures (makes sure they are taken) to delete or rectify incomplete or inaccurate personal data.
2.4 Personal data are stored by the Company in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed, unless a more specific storage period has been specified by federal law, by an agreement to which the subject of personal data is a party, beneficiary or surety. The processed personal data are destroyed or depersonalized upon achievement of the processing goals or if the need to achieve these goals is lost, unless otherwise provided by federal law.
2.5 The processing of personal data in carried out in accordance with the goals predetermined and declared at the time of personal data collection, as well as in accordance with the powers of the Company determined by the Russian Federation applicable laws and contractual relations with the Company.
2.6 The processing of personal data is carried out in the Company both through the use of automated tools in the Personal Data Information System and without the use of such tools.
2.7 Special categories of personal data are not processed by the Company.
2.8 The Company can process publicly available personal data obtained from publicly accessible sources or upon written consent of the data subject.
2.9 The Company can create the publicly available sources of personal data (including reference books, address books) in order to ensure informational support. Upon written consent of the subject of personal data, his/her last name, first name, middle name, job title, email address and other personal data communicated by the data subject can be entered into those publicly available sources of personal data.
2.10 Biometric personal data are not processed by the Company.
2.11 The list of the categories of the data subjects whose personal data are processed by the Company, the extent of such data, goals and legal basis for processing are governed by local acts of the Company.
2.12 The Company can transfer personal data to third parties for the purposes of processing to which the data subject gave his/her consent, and in the cases stipulated by the law of the Russian Federation.
2.13 The cross-border transfer of personal data, including to Kazakhstan, is carried out by the Company.
2.14 The decision-making based solely on automated processing of personal data ,when it produces legal effects, is not carried out in the Company.
2.15 The Company can delegate personal data processing to other persons, the consent of the data subject is required, in accordance with Article 6 of Federal Law “On Personal Data” No.152-FZ of 27.07.2006.
2.16 The Company is entitled to carry out the processing of personal data at the instruction of the Operator, if such processing is permitted to the Company in accordance with Article 6 of Federal Law “On Personal Data” No.152-FZ of 27.07.2006.
3 Personal data protection implemented measures
3.1 When processing personal data, the Company takes the necessary legal, organizational and technical measures, or makes sure they are taken, in order to protect personal data against unauthorized or accidental access, destruction, alteration, blocking, copying, provision and dissemination as well as against other illegal activities in relation to personal data.
3.2 Such measures, in particular, include:
– the assignment of a person responsible for the organization of personal data processing;
– internal control over the observance of the Russian Federation law on personal data, including the requirements to personal data protection;
– making sure that the employees of the Company are familiar with the provisions of the Russian Federation law on personal data and local acts in relation to personal data processing, data protection requirements;
– the issuance of local acts on personal data processing and the local acts establishing the procedures aimed at preventing and detecting violations of the Russian Federation law;
– detecting threats to the safety of personal data and the necessary levels of the protection of personal data, when they are processed in the Personal Data Information System;
– applying organizational and technical measures to ensure the security of personal data at the time they are processed in the Personal Data Information System;
– using the tools of information protection, which have duly passed the procedure of the assessment of compliance with the requirements of the Russian Federation law on information security;
– the assessment of the efficiency of the applied measures of personal data protection.
4 Interaction with data subjects
4.1 In the course of the Company's operation, different requests and applications from the subjects of personal data may be submitted to the Company. In accordance with the law, the data subject is entitled to obtain different information related to the processing of his/her personal data.
4.2 The Company establishes the procedure for registration and handling of the requests of data subjects with the aim to meet the legislated procedures and time limits of responding to requests.
4.3 Should you have any questions or comments to this Policy, or requests about personal data processing in the Company, please write to JSC TCH by email to info@tch.ru or by post to: 123056, Moscow, B. Grouzinskaya St., 59/1.
5 Personal data processing on the Site and in the Mobile Application
5.1 The Company obtains the personal data of the visitors of the Site and the Mobile Application at the time of completing different forms (both when using a personal computer and the Mobile Application) on its official Internet page https://www.tch.ru and in the Mobile Application https://play.google.com/store/apps/details?id=com.ru.tch.mobile https://www.apple.com/ru/app-store/
5.2 As an Internet user, by using the sites of the Company or services, by obtaining access to the Site, by providing personal information by means of the mentioned Site, by registering an account on the Site, the visitor agrees with "Users' Personal Information Use Policy" and the terms&conditions of personal information processing contained therein. If the visitor does not agree to any term or provision of "Users' Personal Information Use Policy", such visitor does not have the right to use the Site.
5.3 The Company processes the User's personal information for the specific purposes and only to the extent required to achieve these purposes:
– The provision of access to the Site and the visitor's account, if the visitor is registered on the corresponding Site;
– Visitor identification to the extent of the provision of the Company's services;
– Providing informational support for the visitor on the services and activities connected with the execution of the powers of the Company;
– Communication with visitors for sending them notifications, requests and information about the operation of the Site, executing agreements with visitors and handling their requests and applications.
– Improving the means and methods of how information in represented on the Site, improving site user experience, identifying the most visited Internet-pages (interactive services) of the Site, as well as for statistics and research purposes.
5.4 The Site of the Company applies such technologies as "cookies" that allow to facilitate the navigation of the Site and make it more efficient. The Mobile Application supports FCM. FCM is a cross-platform messaging solution that lets you reliably send messages at no cost.
5.5 The visitor may view the most parts of the Site without accepting cookies, however, some features of the Site may be unavailable if cookies are disabled. For other webpages of the Operator, in particular, those that require login and password, cookies are necessary: such pages cannot be used of the User deactivated cookies in his/her browser.
5.6 The Operator may process cookie files by itself or using Yandex.Metrika for above said purposes.
5.7 In most cases, cookies include the following information:
– information about visited pages;
– information about the number of visits to pages;
– information about user's session duration;
– information about entry points (third party Sites from which the User may have linked to the Site);
– information about exit points (links on the Site that take the User to third party Sites);
– information about user's country;
– information about user's region;
– information about user's browser;
– information about user's operating system;
– information about user's screen resolution.
5.8 If the visitors of the Site prefer not to receive cookies when browsing the Site of the Company, they can adjust their browser settings to warn them before accepting cookies, or block cookies when their browser warns about cookies used. The visitor can refuse all cookies by disabling them in his/her browser.
5.9 The Visitor is solely responsible before third parties for his/her actions connected with the use of the Site, including, if such actions result in violation of the rights and legitimate interest of third parties, as well as for observing applicable law when using the Site.
