Regulation on the Protection, Storage, Processing and Transfer of Personal Data of Employees of the Gaz Service Consulting Limited Liability Company

1. General Provisions

1.1. This Regulation on the processing of personal data (hereinafter referred to as the Regulation) of GSC LLC (the name of the Organization) has been developed in accordance with the Labor Code of the Russian Federation, the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law On Information, Information Technologies and Information Protection, the Federal Law On Personal Data and the Rules of the Internal Labor Regulations of the Organization.

1.2. The purpose of the development of the Regulation is to determine the procedure for processing personal data of employees of the Organization and other subjects of personal data, whose personal data is subject to processing, based on the authority of the operator; ensuring the protection of human and civil rights and freedoms, including those of the employee of the Organization, when processing their personal data, including the protection of the rights to privacy, personal and family secrets as well as the establishment of responsibility of officials with access to personal data for non-compliance with the requirements of the norms governing the processing and protection of personal data.

1.3. The procedure for putting into effect and changing the Regulation.

1.3.1. This Regulation comes into force from the moment of its approval by the Director of the Organization and is valid indefinitely until it is replaced by a new Regulation.

1.3.2. All changes to the Regulation are made by order.

1.4. All employees of the Organization must be familiar with this Regulation under signature.

1.5. The confidentiality regime of personal data is lifted in cases of depersonalization and after 75 years of their storage period or extended on the basis of the conclusion of the expert commission of the Organization unless otherwise determined by law.

2. Basic Concepts and Composition of Personal Data of Employees

2.1. For the purposes of this Regulation, the following basic concepts are used:

— employee’s personal data — any information related to an employee defined or determined on the basis of such information, including their last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information required by the employer in connection with labor relations

— processing of personal data — collection, systematization, accumulation, storage, clarification (updating and modification), use, dissemination (including transfer), depersonalization, blocking and destruction of personal data of employees of the Organization

— confidentiality of personal data — a mandatory requirement for compliance with the appointed responsible person who has access to the personal data of employees not to allow their dissemination without the consent of the employee or other legal basis

— dissemination of personal data — actions aimed at transferring the personal data of employees to a certain circle of persons (transfer of personal data) or at familiarizing with personal data of an unlimited number of persons, including the publication of personal data of employees in the media, posting in information and telecommunications networks or providing access to personal data of employees in any other way

— use of personal data — actions (operations) with personal data performed by an official of an Organization for the purpose of making decisions or performing other actions that generate legal consequences for employees or otherwise affect their rights and freedoms or the rights and freedoms of others

— blocking of personal data — temporary cessation of the collection, systematization, accumulation, use and dissemination of personal data of employees, including its transfer

— destruction of personal data — actions as a result of which it is impossible to restore the content of personal data in the information system of personal data of employees or as a result of which the material carriers of personal data of employees are destroyed

— depersonalization of personal data — actions as a result of which it is impossible to determine the identity of personal data to a specific employee

— publicly available personal data — the personal data that an unlimited number of people have access to with the consent of an employee or that, in accordance with federal laws, is not subject to the requirement of confidentiality

— information — information (messages or data) regardless of the form of their presentation

— documented information — information recorded on a tangible medium by documenting information with details that allow you to identify such information or its tangible medium

2.2. The personal data of the Organization’s employees includes documents containing the following information: surname, first name, patronymic; date of birth; citizenship; insurance certificate number; INN; education data (details of diplomas/other documents); data on acquired specialties; data on previous jobs; marital status; data on family members (degree of kinship, full name, year of birth and passport data, including place of residence and place of birth); actual place of residence; contact information (phone number and e-mail address); data on military duty; data on current employment (date of commencement of employment, personnel movements, salaries and their changes, information on incentives, data on professional development, etc.).

2.3. A set of documents accompanying the process of registration of an employee’s employment relationship in the Organization during their admission, transfer and dismissal.

2.3.1. The information provided by an employee when applying for a job in the Organization must be in documentary form. When concluding an employment contract in accordance with Article 65 of the Labor Code of the Russian Federation, a person applying for a job presents to the employer:

— passport or another identification document

— work record, except in cases when an employment contract is concluded for the first time, an employee enters into work on a part-time basis or the employee does not have a work record due to its loss or for other reasons

— insurance certificate of state pension insurance

— military registration documents — for persons subject to military service and military registration

— document on education, qualifications or the availability of special knowledge — when applying for a job that requires special knowledge or special training

— certificate of assignment of the INN (if the employee has it).

2.3.2. When registering an employee with the Organization, the employer fills in the unified form T-2 Personal Employee Card, which reflects the following personal and biographical data of the employee: general information (full name of the employee, date of birth, place of birth, citizenship, education, profession, work experience, marital status, passport data, INN and SNILS); information about military registration and data on employment.

In the future, the following information will be entered into the personal card: about transfers to another job; certification; professional development; professional retraining; awards (incentives); honorary titles; vacations; social guarantees; place of residence and contact phone numbers.

2.3.3. The following groups of documents are created and stored in the Organization, containing data on employees in a single or consolidated form:

2.3.3.1. Documents containing personal data of employees (sets of documents accompanying the process of registration of employment relations when hiring, transferring and firing; a set of materials on questionnaires and testing; conducting interviews with a candidate for a position; originals and copies of personnel orders; personal files and workbooks of employees; cases containing grounds for personnel orders; cases containing materials of employee certification; official investigations; reference and information database on personnel (card files and magazines); originals and copies of accounting, analytical and reference materials transmitted to the management of the Organization and heads of structural divisions; copies of reports sent to state statistical bodies, tax inspections, higher management bodies and other institutions).

2.3.3.2. Documentation on the organization of work of structural divisions (regulations on structural divisions, job descriptions of employees and orders and instructions, including the instructions from the management of the Organization); documents on planning, accounting, analysis and reporting in terms of work with the Organization’s personnel.

3. Collection, Processing and Protection of Personal Data

3.1. The procedure for obtaining personal data.

3.1.1. All personal data of an employee of the Organization should be obtained from them personally. If the employee’s personal data can only be obtained from a third party, the employee must be notified of this in advance and provide written consent. The official of the employer must inform the employee of the Organization about the purposes, intended sources and methods of obtaining personal data as well as about the nature of the personal data to be obtained and the consequences of the employee’s refusal to give written consent to receive it.

3.1.2. The employer has no right to receive and process personal data of an employee of the Organization about their race, nationality, political views, religious or philosophical beliefs, state of health and intimate life. In cases directly related to issues of labor relations, in accordance with Article 24 of the Constitution of the Russian Federation, the employer has the right to receive and process data on the employee’s private life only with their written consent.

The processing of the specified personal data of employees by the employer is possible only with their consent or without their consent in the following cases:

— personal data is publicly available

— personal data relates to the employee’s health status and its processing is necessary to protect their life, health or other vital interests or their life or health or other vital interests of other persons and it is impossible to obtain the employee’s consent

— at the request of authorized state bodies in cases provided for by federal law.

3.1.3. The employer has the right to process the personal data of employees only with their written consent.

3.1.4. The employee’s written consent to the processing of their personal data must include:

— surname, first name, patronymic, address of the subject of personal data, number of the main document certifying their identity and information on the date of issue of the specified document and the issuing authority

— name (surname, first name and patronymic) and address of the operator receiving the consent of the personal data subject

— purpose of personal data processing

— list of personal data for the processing of which the consent of the personal data subject is given

— list of actions with personal data for which consent is given and a general description of the methods used by the operator for processing personal data

— period during which the consent is valid and the procedure for revoking it.

3.1.5. The employee’s consent is not required in the following cases:

1) personal data processing is carried out on the basis of the Labor Code of the Russian Federation or another federal law establishing its purpose, conditions for obtaining personal data and the range of subjects whose personal data is subject to processing as well as defining the powers of the employer

2) the processing of personal data is carried out for the purpose of fulfilling an employment contract

3) the processing of personal data is carried out for statistical or other scientific purposes, subject to mandatory depersonalization of personal data

4) the processing of personal data is necessary to protect the life, health or other vital interests of the employee if obtaining his consent is impossible.

3.2. The procedure for processing, transferring and storing personal data.

3.2.1. An employee of the Organization provides the employer with reliable information about themselves. The employer verifies the accuracy of the information by comparing the data provided by the employee with the documents available to the employee.

3.2.2. In accordance with Article 86, Chapter 14 of the Labor Code of the Russian Federation, in order to ensure the rights and freedoms of man and citizen, the employer and their representatives must comply with the following general requirements when processing employee’s personal data:

3.2.2.1. Personal data processing may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts, assistance to employees in employment, training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed and ensuring the safety of property.

3.2.2.2. When determining the volume and content of personal data to be processed, the Employer must be guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation and other federal laws.

3.2.2.3. When making decisions affecting the interests of an employee, the Employer has no right to rely on the employee’s personal data obtained solely as a result of their automated processing or electronic receipt.

3.2.2.4. The protection of employee’s personal data from misuse or loss is provided by the Employer at their expense in accordance with the procedure established by federal law.

3.2.2.5. Employees and their representatives must be acquainted with the documents of the Organization establishing the procedure for processing personal data of employees as well as their rights and obligations in this area.

3.2.2.6. In all cases, the employee’s waiver of their rights to preserve and protect the secret is invalid.

4. Transfer and Storage of Personal Data

4.1. When transferring personal data of an employee, the employer must comply with the following requirements:

4.1.1. Not to disclose the employee’s personal data to a third party without the written consent of the employee, except in cases where this is necessary in order to prevent threats to the life and health of the employee as well as in cases established by federal law.

4.1.2. Not to disclose the employee’s personal data for commercial purposes without their written consent. The processing of personal data of employees in order to promote goods, works and services on the market by making direct contacts with a potential consumer using means of communication is allowed only with their prior consent.

4.1.3. Warn the persons who have received the employee’s personal data that this data can only be used for the purposes for which it was reported and require these persons to confirm that this rule has been observed. Persons who have received the employee’s personal data are required to comply with the secrecy (confidentiality) regime. This Provision does not apply to the exchange of personal data of employees in accordance with the procedure established by federal laws.

4.1.4. Transfer personal data of employees within the Organization in accordance with this Regulation.

4.1.5. Allow access to the personal data of employees only to specially authorized persons, while these persons should have the right to receive only that personal data of the employee that is necessary to perform a specific function.

4.1.6. Not to request information about the employee’s health status, except for the information that relates to the issue of the employee’s ability to perform a work function.

4.1.7. Transfer employee’s personal data to employee representatives in accordance with the procedure established by the Labor Code of the Russian Federation and limit this information only to the personal data of the employee that is necessary for these representatives to perform their functions.

4.2. Storage and use of personal data of employees:

4.2.1. Personal data of employees is processed and stored in the accounting department of the Organization.

4.2.2. Personal data of employees can be obtained, further processed and transferred to storage both on paper and in electronic form — a local computer network and a computer program 1C: Enterprise.

4.3. Upon receipt of personal data not from an employee (except in cases where personal data was provided to the employer on the basis of federal law or if personal data is publicly available), the employer is obliged to provide the employee with the following information before processing such personal data:

— name (surname, first name and patronymic) and address of the operator or their representative

— purpose of personal data processing and its legal basis

— intended users of personal data

— rights of the personal data subject established by this Federal Law.

5. Access to Personal Data of Employees

5.1. The following people and organizations have the right to access employees’ personal data:

— Director of the Organization

— accountant

— external organization that conducts accounting and tax accounting

— other employees on the basis of the Director’s order.

5.2. An employee of the Organization has the right to:

5.2.1. Gain access to and familiarize themselves with their personal data, including the right to receive copies of any record containing personal data of the employee free of charge.

5.2.2. Require the employer to clarify, exclude or correct incomplete, incorrect, outdated, unreliable or illegally obtained data or personal data that is not necessary for the Employer.

5.2.3. Receive from the employer:

— information about persons who have access to personal data or who may be granted such access

— list of processed personal data and the source of its receipt

— terms of processing personal data, including the terms of its storage

— information about what legal consequences the processing of personal data may entail for the subject of personal data.

5.2.3. Require the employer to notify all persons who have previously been informed of incorrect or incomplete personal data about all exceptions, corrections or additions made to it.

Appeal to the authorized body for the protection of the rights of personal data subjects or in court against unlawful actions or omissions of the employer in the processing and protection of their personal data.

5.3. Copying and making extracts of personal data of an employee is allowed solely for official purposes with the written permission of the director of the Organization.

5.4. The transfer of information to a third party is possible only with the written consent of the employees.

6. Obligations of the Employer to Protect the Employee’s Personal Data

6.1. The employer is obliged, at their own expense, to ensure the protection of the employee’s personal data from misuse or loss in accordance with the procedure established by the legislation of the Russian Federation.

6.2. The employer is obliged to take measures necessary and sufficient to ensure the fulfillment of obligations provided for by federal laws in the field of personal data protection and other regulatory legal acts:

– appoint employees responsible for the organization of personal data processing

– issue documents defining the policy regarding the processing of personal data and local acts on the processing and protection of personal data

– apply legal, organizational and technical measures to ensure the security of personal data

– carry out internal control and (or) audit of compliance of personal data processing with federal laws in the field of personal data protection and other regulatory legal acts, requirements for personal data protection, operator’s policy regarding personal data processing and operator’s local acts

– assess the harm that may be caused to personal data subjects in case of violation of legislation in the field of personal data protection, the ratio of this harm and the measures taken by the operator aimed at ensuring the fulfillment of obligations provided for by law

– acquaint employees directly involved in the processing of personal data with the provisions of legislation in the field of personal data protection, including documents defining the operator’s policy regarding the processing of personal data and local acts on the processing of personal data and (or) train these employees.

6.3. Employees of the Organization who are guilty of violating the norms governing the receipt, processing and protection of personal data of an employee are subject to disciplinary administrative, civil or criminal liability in accordance with federal laws.

6.4. Damage caused to an employee as a result of a violation of their rights and violation of the rules for processing personal data is subject to compensation in accordance with the legislation of the Russian Federation.

7. Procedure for the Destruction and Blocking of Personal Data

7.1. In case of detecting unlawful processing of personal data when contacting an employee, the employer is obliged to block the unlawfully processed personal data related to this employee from the moment of such request.

7.2. In case of identification of inaccurate personal data at the appeal of an employee, the employer is obliged to block personal data related to this employee from the moment of such request if the blocking of personal data does not violate the rights and legitimate interests of the employee or third parties.

7.3. In case of confirmation of the fact of inaccuracy of personal data, the employer, based on the information provided by the employee or other necessary documents, is obliged to clarify personal data within seven working days from the date of submission of such information and remove the blocking of personal data.

7.4. In case of detection of unlawful processing of personal data carried out by the employer, the employer is obliged to stop the unlawful processing of personal data within a period not exceeding three working days from the date of this detection.

7.5. If it is impossible to ensure the legality of the processing of personal data, the employer is obliged to destroy such personal data within a period not exceeding ten working days from the date of detection of unlawful processing of personal data.

7.6. The employer is obliged to notify the employee about the elimination of violations or the destruction of personal data.

7.7. In case of achievement of the purpose of personal data processing, the employer is obliged to stop processing personal data and destroy personal data within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided by the employment contract.

7.8. If the employee withdraws consent to the processing of their personal data, the employer is obliged to stop processing it and, if the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data within a period not exceeding thirty days from the date of receipt of the specified recall, unless otherwise provided by the employment contract.

7.9. In the absence of the possibility of destruction of personal data within the period specified in paragraphs 7.7-6.8 of this Regulation, the employer shall block such personal data and ensure the destruction of personal data within a period of no more than six months, unless another period is established by federal laws.