7d Vostochnaya str., Ekaterinburg, 620075 Tel./fax (343) 288-77-85, sof@sofp.ru, www.sofp.ru

Personal data processing policy of the Sverdlovsk Regional Business Support Foundation (microcredit company)



1. General provisions


1.1. Document objective

1.1.1. The most important condition for achieving the goals of SRBSF activities is to ensure the required level of personal data security.
1.1.2. The personal data processing policy (hereinafter referred to as the policy) is the fundamental regulatory document on personal data processing in the Foundation.
1.1.3. The Policy provisions shall be considered as the basis for development of the local legal documents related to personal data processing.

1.2. General definitions

1.2.1. For the purposes of the Policy the following definitions are used:
personal data – any information directly or indirectly related to a certain or uncertain individual (personal data owner);
operator – Sverdlovsk Regional Business Support Foundation (microcredit company), hereinafter referred to as the Foundation, which organizes and (or) undertakes any actions related to personal data whether individually or collectively, and determines the objectives for the personal data processing;
Foundation official webpage – a combination of programs for electronic computers and other information in the information system, access to which is provided through the information and telecommunications network "Internet" (hereinafter referred to as the "Internet") under the domain name www.sofp.ru;
personal data processing – any action (operation) or their combination performed with automation or without it, including collection, recording, systematization, accumulation, storage, verification (update, change), extraction, use, transfer (distribution, sharing, access), anonymization, blocking, removal, destruction of personal data;
automated personal data processing – personal data processing with computational equipment;
personal data distribution – any actions aimed at disclosure of the personal data to an indefinite number of persons;
personal data sharing – actions on disclosure of the personal data to a limited or an unlimited number of persons;
blocking of personal data – temporary termination of personal data processing (except for the cases when data processing is required for personal data verification);
personal data verification – any actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed;
personal data anonymization – any action that makes it impossible to determine the ownership of personal data by a specific object of personal data without the use of additional information;
personal data information system (hereinafter referred to as – PDIS) – combination of personal data contained in the database and information technologies and technical means that ensure their processing;
personal data confidentiality – The Foundation having access to personal data shall not disclose or distribute personal data to the third parties without the consent of the object of the personal data, unless otherwise provided by federal law;
cross-border data transfer – transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

1.3. Legal references

1.3.1. Federal Law No. 152-FZ dated 27.07.2006 «On Personal Data».
1.3.2. RF Government Decree dated 01.11.2012 № 1119 «Requirements to personal data protection in processing through personal data information systems».

1.4. Personal data owners

1.4.1. Employees – candidates for vacant positions and their close relatives, spouses; Foundation employees (including former employees) and their close relatives, spouses.
1.4.2. Clients – individuals who are or have been in contractual and other civil legal relations with the Foundation or who are in pre-contractual relations with the Foundation and their representatives, guarantors, collateral providers, close relatives, spouses; beneficial owners, employees, managers and chief accountants of legal entities having contractual relations with the Foundation or being in pre-contractual relations, Foundation visitors.

1.5. Approval and revision

1.5.1. This Policy shall be effective on the day of approval by the Director of the Foundation and is valid until the new Policy of personal data processing shall be effective.
1.5.2. The Foundation shall revise the provisions of the Policy and update it when necessary, but at least once every three years:
- if any changes in the legislation of the Russian Federation in respect to personal data occur (the Policy is valid until changes are implemented) to the extent that does not contradict the current legislation of the Russian Federation;
- in case of any non-conformities affecting the processing and (or) protection of personal data;
- based on the results of monitoring compliance with requirements for the processing and (or) protection of personal data;
- in the process of changing the business processes of the Foundation affecting the personal data processing.
1.5.3. Provision of unrestricted access to the Policy is achieved by publishing it on the Foundation’s official website on the Internet.


2. Objectives and principles in personal data processing


2.1. Processing of the personal data in the Foundation is performed for the following purposes:
- ensure compliance with legislation and other regulatory legal acts of the Russian Federation;
- inform the population and small and medium-sized businesses about the services provided by the Foundation;
- implement microfinance activities provided for by the Articles of Association and procedures of the Foundation, current legislation;
- development, conclusion, execution and termination of civil contracts with the contractors and partners of the Foundation;
- monitoring the fulfillment of the terms of contracts with the Foundation by small and medium-sized businesses;
- maintain a register of small and medium-sized recipients of support;
- report on measures of support for small and medium-sized businesses;
- register participants for the events of the Foundation;
- develop lists of the participants in Foundation events;
- process support applications from small and medium-sized businesses and individuals;
- quality control of services;
- organize the Foundation HR record keeping, ensuring compliance with laws and other regulations, sign and fulfill obligations under labor and civil contracts; manage personnel files, assist in employment, training and promotion with different types of benefits and incentives, follow tax legislation in connection with the calculation and payment of personal income tax and the unified social tax, pension legislation, submit statistics of HR department of the Foundation to corresponding agencies.

2.2. Personal data storage is carried out in a form that makes it possible to identify the personal data owner, no longer than required by the purposes of personal data processing, unless the storage period for personal data is established by the validity period of the order of the Ministry of Culture of the Russian Federation dated August 25, 2010 No. 558 “On approval of the List of management of archival documents generated in the course of the activities of government bodies, local governments and organizations, providing the information on the documentation storage periods”, Resolution of the Federal Commission for the Securities Market dated July 16, 2003 No. 03-33/p “On approval of the Regulations on the procedure and periods of storage of documents of joint stock companies”, or other requirements of the legislation of the Russian Federation, or an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or if achieving these goals is no longer necessary.

2.3. The condition for terminating the processing of personal data may be the achievement of the personal data objectives, the expiration of the consent period or the withdrawal of the consent of the personal data owner for personal data processing, as well as the identification of unlawful processing of personal data.

2.4. The processing of the personal data in the Foundation is carried out on the basis of the following principles:
- validity of objectives and methods of the personal data processing and integrity;
- compliance with the volume and nature of the personal data processing, methods of processing for the purposes identified for the personal data collection, as well as the authority of the operator;
- the reliability of personal data, their sufficiency for the purposes of processing;
- inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;
- the inadmissibility of combining databases of personal data information systems created for incompatible purposes.

3. Legal grounds for personal data processing


3.1. The legal grounds for the Foundation for personal data processing are:
- “Constitution of the Russian Federation” (adopted by national vote on December 12, 1993);
- “Tax Code of the Russian Federation”;
- “Civil Code of the Russian Federation”;
- “Labor Code of the Russian Federation” dated December 30, 2001 No. 197-FZ;
- Federal Law of July 2, 2010 N151-FZ “On microfinance activities and microfinance organizations”;
- Federal Law of 07.08.2001 No. 115-FZ “On control of legalization (laundering) of criminal proceeds and the financing of terrorism”;
- Federal Law of December 30, 2004 No. 218-FZ “On Credit Histories”;
- Federal Law of April 1, 1996 No. 27-FZ “On individual (personalized) registration in the compulsory pension insurance system”;
- Federal Law of December 15, 2001 No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation”;
- Federal Law of November 29, 2010 No. 326-FZ “On Compulsory Health Insurance in the Russian Federation”;
- Decree of the Government of the Russian Federation of November 27, 2006 No. 719 “On approval of the Regulations on military registration”;
- Federal Law of July 27, 2006 No. 149-FZ “On information, information technologies and information protection”;
- Federal Law of April 6, 2011 No. 63-FZ “On Electronic Signature”;
- Sverdlovsk Regional Business Support Foundation Articles of Association;
- Agreements between the Foundation and the personal data owner;
- applications from individuals and small and medium-sized businesses and consent for the personal data processing (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the Foundation).

4. Volume and categories of data for processing


4.1. The Foundation processes the following personal data: last name, first name, patronymic, year of birth, month of birth, date of birth, place of birth, address, marital status, social status, property status, education, profession, income, gender, passport details (civil, official, diplomatic, foreign) or data of another identity document (series, number, date of issue, name of the authority that issued the document) and citizenship, address of residence (passport and actual residence) and date of registration at residence location or place of permanent stay. Telephone number (mobile and home), if it is registered with the personal data owner or at his place of residence (according to his passport). Information about education, qualifications and information on special of diploma, graduation document, certificate). A document that confirms completion of an educational institution, including the name and location of the educational institution, date of start and completion of education, faculty or department, qualifications and background upon graduation from the educational institution, academic degree, academic title, proficiency in foreign languages and other information. Information about previous work activity. Information about the total work experience, expertise. Information on advanced training and retraining (series, number, date of issue of the document on advanced training or retraining, name and location of the educational institution, date of start and completion of training, qualification and specialty upon graduation from the educational institution and other information).
Information on salaries (account number for payments, data on salary contracts with clients, including their account info, wages, allowances, taxes and other information). Information on military registration of persons subject to military service and persons subject to conscription service (series, number, date of issue, name of the authority that issued the military ID, military speciality, military rank, data on acceptance/deregistration and other information). Information about marital status (marriage status, marriage certificate data, last name, first name, patronymic of the spouse, degree of relationship, last names, first names, patronymics and dates of birth of other family members, dependents and other information).

Information about property (property status): motor vehicles (state license plates and other data from vehicle registration certificates and vehicle passports); real estate (type, method of receipt, general description, cost, full addresses of real estate and other information); loans (mortgage), credit history codes, addresses of purchased real estate, amount and currency of the loan or loan, purpose of lending, lending conditions, information about the collateral, information about the acquired object, data on securities, balances and amounts of transactions, type of bank cards, limits and other information). Information about the number and series of the state pension insurance certificate. Taxpayer identification number information. Information from compulsory (voluntary) health insurance policies (including data from relevant health insurance cards). Information specified in the originals and copies of the Foundation enrollment orders, info from personal files. Information about temporary disability of the Foundation employees. Information about health status and job relevance. Employee’s number in HR file. Information on presence/absence of a criminal record (hard copy). Information about social benefits and social status (series, number, date of issue, name of the authority that issued the document for benefits and status). A facial image (photo or video devices), a voice recorded with sound recording devices.

4.2. The Foundation shall not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life.

5. Procedure and terms for personal data processing


5.1. The personal data processing shall be performed with the consent of the personal data owner, unless otherwise provided by the legislation of the Russian Federation.

5.2. The personal data owner shall approve the provision of the personal data and its processing on his/her own volition and for his/her own benefit. Consent for personal data processing shall be given by the personal data owner or his/her representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law. If consent for the personal data processing is received from the data owner representative, the authority of this representative for consent on behalf of the personal data owner shall be verified by the Foundation.

5.3. Consent for personal data processing may be withdrawn by the data owner. If the data owner withdraws consent for the personal data processing, the Foundation shall have the right to continue personal data processing without the owner’s consent if provided for by the legislation of the Russian Federation.

5.4. Personal data received by the Foundation shall be stored in hard copy and in electronic form. Electronic personal data shall be stored in the Foundation Personal Data Information System.

5.5. Employees with access to personal data shall receive only the personal data they need for their specific jobs.

5.6. The Foundation, at its own expense, provides the necessary organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, changing, blocking, copying, distribution, as well as from other unlawful actions.

5.7. The Foundation shall not disclose or distribute personal data without the consent of the owner to the third parties, except for cases provided for by the legislation of the Russian Federation or upon receipt of a request from authorized government bodies.

5.8. Automated personal data processing shall be done in the Information personal data storage system in accordance with current legislation. All such databases are located on the territory of the Russian Federation.

6. Rights of personal data owners and processing of the personal data owners' requests


6.1.1. The personal data owner shall have the right to obtain information related to processing of the personal data of the respective personal data owner, among other things containing:
- confirmation of the fact of the personal data processing;
- legal grounds for the personal data processing and purposes thereof;
- purposes and methods of the personal data processing;
- name and location of the Foundation, information on the persons (excepting the Foundation employees) who have access to the personal data or to whom such personal data are disclosed on the strength of the agreement concluded with the Foundation or Federal law No.152-FZ dd 27.07.2006 «On Personal Data»;
- processed personal data, which refer to the respective personal data owner, the source for obtaining personal data, if not otherwise stipulated by Federal law No.152-FZ dd 27.07.2006 «On Personal Data»;
- period of personal data processing, including storage period;
- order of implementation by the personal data owner of the rights, as specified by Federal law No.152-FZ dd 27.07.2006 «On Personal Data»;
- information on the transborder data transfers which are being effected or those in prospect;
- name or surname, first name, patronymic and address of the person (entity) engaged in the personal data processing on behalf of the Foundation if such person (entity) is or will be charged with such task;
- additional information, as specified by Federal law No.152-FZ dd 27.07.2006 «On Personal Data» or other federal laws.

6.1.2. The personal data owner shall have the right to check and update the personal data, to block or destroy them, in case such personal data appear to be incomplete, obsolete, inaccurate, illegally obtained or which are not essential for the declared processing purpose, and to pursue measures aimed at protection of his/her respective rights as specified by the legislation of the Russian Federation.

6.1.3. The Foundation shall have the right to refuse to provide the above information to the personal data owner in the cases specified by Federal law No.152-FZ dd 27.07.2006 «On Personal Data» or other federal laws.

6.2. The rights of the personal data owners when processing their personal data aimed at promotion of the services.

6.2.1. The personal data processing aimed at promotion of the services at the market by making direct contacts with the potential customers using the communication means shall be allowed only if there is a preliminary consent of the personal data owner. The said processing shall be considered possible without prior consent of the personal data owner only if the operator proves that such consent was obtained.

6.2.2. On demand of the personal data owner the Foundation shall immediately stop processing of his/her personal data, stated in par.6.2.1.

6.3. The right to appeal against the actions or absence of actions of the operator.

6.3.1. If the personal data owner is of the opinion that the Foundation performs processing of his/her personal data with violation of the provisions of the stated Federal law or otherwise violates his/her rights and freedoms, then the personal data owner shall have the right to appeal such actions or absence of actions by the Foundation, applying to the authorized body engaged in protection of the rights of the personal data owners, namely the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) or through a judicial proceeding.

6.3.2. The personal data owner shall have the right to protect his/her rights and legal interests, including compensation for losses and (or) of moral harm through a judicial proceeding.


7. Processing of appeals and requests from the personal data owner


7.1. To ensure observance of the rights of the personal data owners as specified by the laws, the Foundation has developed the internal regulations which specify the operating procedure with such appeals and requests of the personal data owners.

7.2. The request shall be made in the free form, however, it shall contain the number of the basic document, certifying the identity of the personal data owner or of his/her representative; information on the date of issue of the stated document and on the issuing authority; information confirming involvement of the personal data owner in the relations with the Foundation (agreement number, date of conclusion, conventional word and (or) other data), or data which otherwise confirm the fact of processing of data by the Foundation, the signature of the personal data owner or his/her representative. The request shall be transmitted to the addresses of location of the Foundation. The request may be sent in the form of the electronic document and signed by the electronic signature in accordance with the legislation of the Russian Federation.

8. Provision for the safety of the personal data


8.1. The Foundation shall take all possible legal, organizational and technical measures to ensure safety of the personal data from the unauthorized access, accidental destruction, modification, access denial, other unauthorized actions.

8.2. The measures to ensure the safety of the personal data shall include, but are not limited to:
- appointment of the persons in charge of organizing of the personal data processing and protection;
- development of the Policy relating to the personal data processing and other normative documents, establishing the procedures aimed at prevention and detection of violations of the legislation of the Russian Federation, elimination of the consequences of such violations;
- detection of the security threats in the course of processing in the Personal Data Information Systems;
- discovering facts of the unauthorized access and taking proper measures;
- restoration of personal data which are modified or destroyed by the unauthorized access;
- supervising the measures aimed at protection of the personal data in the course of processing in the Personal Data Information Systems;
- application of the organizational and technical measures aimed at the personal data protection in the course of processing in the Personal Data Information Systems, required for observance of the requirements for the personal data protection, adherence to which provides protection of the personal data at the levels specified by the Government of the Russian Federation;
- evaluation of the damage which may be caused to the personal data owners in case of violation of the current legislation, of the ratio of the harm caused and the benefit from the measures by the operator, aimed at execution of its obligations, as specified by Federal law No.152-FZ dd 27.07.2006 «On Personal Data»;
- familiarization of the employees of the Foundation, which are directly involved in the personal data processing, with the provisions of the legislation of the Russian Federation on personal data, including the requirements on protection of the personal data, the documents, which specify the Policy of the Foundation in respect to personal data processing, and (or) training of the said employees;
- implementation of the password protection when accessing the resources;
- use of the network segmentation means;
- provision for protection of the personal data resources from the malicious code attack.

9. Responsibility for implementation of the Policy provisions


9.1. The Foundation employees who are engaged in the personal data processing and the persons who are in charge of organization and ensuring the personal data protection in the Foundation shall be brought to account under disciplinary and administrative procedures in accordance with the legislation of the Russian Federation in case of violation of the provisions of the said Policy, normative documents of the Foundation, other requirements as specified by the legislation of the Russian Federation in relation to the personal data.