on processing personal data

  1. General

    1. The Regulation on processing of personal data (hereinafter — Regulation) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Labor Code of the Russian Federation (hereinafter — RF LC), Federal law dated 27.07.2006 No. 149-FZ «On Information, Information Technologies and Information Protection», Federal law dated 27.07.2006 No. 152-FZ «On Personal Data», other statutes and regulations in force in the Russian Federation (hereinafter — RF).

    2. This Regulation determines the procedure for collection, storage, combining, transmission and any other use of personal data of JSC Arkhangelsk PPM (hereinafter — company, employer) employees in accordance with the laws of the Russian Federation.

    3. This Regulation shall apply to the company employees who have access to personal data.

  2. Basic definitions. Scope of employee personal data.

    1. The following basic definitions are used in this Regulation:

        a. personal data means information that the employer needs in connection with employment and that relates to a specific employee, as well as details about facts, events and circumstances of the employee’s life that allow the employee’s identity to be established;

        b. processing of employee personal data means any action (operation) or a set of actions (operations) carried out on personal data, with or without the use of automation, including collecting, recording, systematization, accumulation, storage, revision (update, modification), retrieval, use, transfer (distribution, disclosure, access), anonymization, blocking, removal, and disposal of personal data;

        c. distribution of personal data means actions aimed to disclose employees' personal data to unidentified persons;

        d. disclosure of personal data means actions aimed to disclose employees' personal data to a specific person or specific persons;

        e. personal data information system means the combination of personal data stored in databases and the information technologies and equipment which facilitate the processing of such personal data;

        f. disposal of personal data means actions that make it impossible to recover the contents of personal data in an employee personal data information system and/or which result in the destruction of the physical media containing employee personal data;

        g. information means details (messages, data), which may be presented in any form;

        h. documented information means information recorded on a physical medium by documenting, which includes details allowing such information or the physical medium containing it to be identified;

        i. questionnaire means a document containing a list of questions regarding an employee’s personal data.

    2. Employee personal data is used by the Company in order to meet the following requirements:

        a. requirements of the labor laws, at the time of hiring and entering into the employment contract, throughout the course of employment, as well as when benefits and compensations are provided;

        b. requirements of the military duty and military service laws, for employees registered for military service purposes and for inactive duty;

        c. requirements of the laws related to the taxation and the payment of the individual income tax, as well as insurance contributions for optional and mandatory medical, pension and social insurance;

        d. requirements of the pension laws for personalized data generated and provided on each earner of income, which is subject to the insurance contributions for optional and mandatory pension insurance and coverage;

        e. completion of primary statistical documentation in accordance with the Russian Statistics Agency Resolution No.1 of 05.01.2004 «On approval of standardized forms of primary records for employment and remuneration».

    3. Information about employees' personal data is confidential. The Company’s employees who have access to personal data shall not disclose such data to third parties or distribute personal data without the employee’s consent.

    4. Information provided by an employee at the commencement of employment with the Company shall have a documented form. When entering into the employment contract, the person being hired shall provide the following documents containing personal data:

        a. passport or other identity document;

        b. employment record book, except when the contract is made for the first time or the employee is hired for a second job, or does not have the employment record book due to loss or for other reasons;

        c. state pension insurance certificate (SNILS);

        d. military records for individuals subject to military registration;

        e. document certifying the education background, qualification or any special knowledge, when hired for a job that requires special knowledge or special training;

        f. individual taxpayer’s number (INN) certificate (if the employee has such a certificate);

        g. medical examination report;

        h. driver’s license, if required for the employee’s work duties;

        i. certificate issued by the Russian Ministry of Interior stating that the person has or does not have any record of prior convictions and/or is or is not subject to ongoing criminal proceedings or has been exonerated from criminal proceedings (when hired for a position that according to the RF LC or other federal laws prohibits the hiring of individuals who have or had a record of prior convictions or either are or have been subject to criminal proceedings).

    5. The employer shall enter information containing the following personal data of an employee into the personnel record documents and information systems:

        a. general details (last name, first name, patronymic, date and place of birth, citizenship, education background, profession, employment history, marital status, passport data);

        b. military service details;

        c. employment data;

        d. certification details;

        e. details of any qualification improvement training;

        f. details of any professional retraining;

        g. details of any rewards/merits, honorary titles;

        h. details of any leaves;

        i. details of social benefits;

        j. details of domicile (as stated in the passport and actual place of residence) and contact telephone numbers;

        k. biometric personal data (photos).

    6. The documents containing employee personal data include the following personal record documents:

        a. employment contracts and supplements thereto;

        b. training/apprenticeship/probationary period documents;

        c. qualification improvement documents (records, statements, certificates, etc.);

        d. documents regarding any disciplinary action in relation to the employee (memos, internal reports, explanatory statements, etc.);

        e. documents regarding the employee’s family members necessary for the provision of benefits related to the family duties;

        f. documents on the condition of health of children and other close relatives, where required for any benefits or compensations to such employee;

        g. documents confirming the entitlement to any additional benefits and compensations provided for in the RF laws;

        h. documents regarding the employee’s pregnancy and age of children for certain work conditions, benefits and compensations to be provided to the mother (father or other relatives) as required by the law;

        i. personal account number and the name of the bank for salary payments;

        j. other personal records relating to the employee’s personal data.

    7. The employee personal data are contained in the following documents:

        a. documents which support the employment process at the time of hiring, transfer or dismissal;

        b. questionnaire and candidate interview records;

        c. original copies and duplicate copies of orders and directives related to personnel;

        d. documents containing the basis for a personnel-related order;

        e. reference information on personnel (card indices, logbooks);

        f. original copies and duplicates of reports, analytical and reference records provided to the Company’s management and business unit managers;

        g. copies of reports submitted to the state statistics authorities, tax agencies and other institutions;

        h. individual income statements;

        i. registers of insurance contributions levied and paid for mandatory pension insurance and the length of pensionable service of the insured;

        j. calculations of insurance contributions levied and paid for optional and mandatory medical and social insurance for temporary incapacity and maternity as well as mandatory social insurance against accidents at work and occupational diseases, as well as the amount of insurance benefit payments;

        k. registers of insurance contributions withheld from salary based on a request and personal non-state pension agreements;

        l. payroll records;

        m. statements issued to whom it may concern;

        n. payment orders for amounts withheld from salary.

  3. Acquisition of personal data.

    1. Personal data of employees shall be provided by the employees themselves.

    2. The employer shall inform the employee about the purpose, proposed sources and methods of personal data acquisition, as well as the nature of personal data to be acquired and the consequences of the employee’s refusal to grant a written consent for such acquisition.

    3. The employee shall provide the employer with valid information on himself or herself. The employer shall make sure that such information is valid by comparing the data provided by the employee with the documents held by the employee. Submission of forged documents or false information at the commencement of employment is a reason for employment contract termination.

    4. If personal data can only be acquired from a third party, the employer shall:

        1) notify the employee at least 5 working days prior to the date of submitting a request to the third party to provide personal data and inform the employee on the purpose, proposed sources and methods of acquiring personal data, as well as the nature of personal data to be acquired and the consequences of the employee’s refusal to grant a written consent for such acquisition;

        2) obtain a written consent of the employee;

        3) acquire the necessary information, provided that a written consent was provided.

    5. When changing any personal data, the employee shall provide the employer with a copy of the document confirming the change of personal data within 14 calendar days. The employer may ask the employee to submit additional data and documents to confirm the validity of personal data.

    6. Upon receiving personal data or changed personal data of an employee, the employee collecting the information shall:

        1) make sure that such information is valid by comparing the data provided by the employee with the documents held by the employee;

        2) make copies of any documents submitted;

        3) add the copies of the documents to the employee’s personnel file;

        4) introduce the necessary changes to the staff documents;

        5) if necessary, prepare and sign the documents to reflect any changes made.

    7. At the commencement of employment, the employee shall fill in the «Employee personal data» questionnaire. The questionnaire form is given in Appendix No. 1.

    8. The employee shall fill in the questionnaire on his or her own. In the questionnaire, the employee shall fill in all fields, give full answers to all questions, avoid corrections and strike-outs, dashes and blots, and provide information in strict compliance with the records contained in his or her personal documents.

    9. The questionnaire shall be stored in the employee’s personnel file. Also, the personnel file shall include other personal records relating to the employee’s personal data.

    10. All the documents of the personnel file shall be stored in a folder (a file folder). The folder shall be marked with the employee’s last name, first name, patronymic, and employee ID.

    11. The employee personnel file shall include one picture measuring 3×4 cm.

    12. All the documents to be added into the personnel file shall be bound together in chronological order.

    13. The personnel file shall be maintained until the employment is terminated. Any changes introduced into the personnel file shall be confirmed by the respective documents.

    14. Any information containing the employee’s personal data shall be entered into the personnel record database of R/3 automated system (module HR) and into the unified form T-2 «Employee’s personal card».

  4. Processing and transfer of personal data.

    1. General requirements to the processing of employee personal data and protection guarantees for such data are defined in Article 86 of the RF LC.

    2. Any processing of employee personal data shall only be performed for the purposes of ensuring compliance with laws and other regulations, assisting employees in employment, training, and professional advancement, ensuring personal safety of employees, monitoring the quality and quantity of the work performed, and safeguarding personal possessions.

    3. Personal data of employees can be acquired, further processed and stored both in hard copies (on paper) and soft copies (via an information system).

    4. To be able to process personal data, the employer shall obtain the employee’s consent for processing such data in written form. The form of consent to personal data processing is given in Appendix No. 2.

    5. To transfer any employee personal data, the employer shall meet the following requirements:

        a. do not communicate any employee personal data to a third party without a written consent by the employee, except where this is required to prevent any harm to the employee’s health and life, and in other cases stipulated by the RF laws;

        b. do not communicate any employee personal data for commercial purposes without a written consent by the employee;

        c. warn the employees in charge of personal data collection, processing, storage, and transfer that such data can only be used for the intended purposes; require confirmation of compliance with this rule from such employees. Any persons receiving employee personal data shall keep such data confidential;

        d. grant access to personal data only to the employees authorized to collect, store and transfer such data; furthermore, such employees shall have a right to acquire only those employee personal data that are necessary to perform specific functions;

        e. do not request information on the employee’s health, except for data that determine the employee’s capability to perform the work;

        f. transfer employee personal data to employee representatives in accordance with the procedure established by the RF LC and restrict this information to those personal data that are necessary for these representatives to perform their functions.

  5. Storage and protection of personal data.

    1. All operations on the preparation, creation, maintenance and storage of information containing personal data shall only be performed by employees who carry out this work in accordance with their responsibilities specified in their respective job descriptions.

    2. The employee responsible for processing of personal data shall be appointed by an order of the General Director.

    3. Access to personal data shall only be allowed to employees who require the personal data to perform specific work functions. The list of the persons who have the right of access to employees' personal data shall be approved by the General Director.

    4. The following persons have the right of access to employees' personal data:

        a. General Director;

        b. Administrative Director;

        c. Manager and employees of the Human Resources Department, HR inspectors, and engineers for organization and standardization of the work of structural divisions;

        d. Chief Accountant and employees of the general accounting office — when preparing documents required for carrying out of specific functions;

        e. Security Director, Manager and employees of the Security Department — within their authority;

        f. Manager and employees of the Legal Department — within their responsibilities;

        g. Manager and employees of Secretariat, (documentation) technicians of structural divisions — during circulation, approval and registration of documents, as well as their preparation and placement into archive for storage;

        h. Managers of structural divisions (access to personal data of the employees in their division and employees being hired);

        i. Managers and employees of the Automatized Enterprise Control System Department and Automation Department — when processing information in automated information systems and performing associated operations;

        j. the employees themselves (access to their own personal data);

        k. other employees who require access to personal data due to their work responsibilities.

    5. Employees carrying out collection, processing, storage and transfer of personal data, shall read this Regulation and sign a personal data non-disclosure agreement. The form of the agreement is provided in Appendix No. 3.

    6. The non-disclosure agreement shall be drawn up in writing and signed by the employee and serves as a supplement to the employment contract between the employee and the employer.

    7. Personal data may be provided to state authorities upon a written request: to tax offices, law enforcement, security agencies, courts, Ministry of Emergency Situations, Federal Migration Service, statistical authorities, military enlistment offices, social insurance agencies, pension funds, municipal authorities etc.

    8. Transferring information that contains personal data of company employees by phone, fax, email, in soft or hard copies, without a written consent of the employee is prohibited, except for information disclosure in accordance with the RF laws.

    9. Responses to written requests from other organizations and institutions within their competence and granted authority shall be given in writing on the company letterhead and to an extent that avoids disclosing an excessive amount of the employee’s personal data.

    10. An employee’s personal data shall be stored as both soft and hard copies.

    11. Access to personal data on electronic media is password-protected. Access to the personnel record database of the automated system R/3 (module HR) and any other automated information systems is provided only through individual, password-protected access.

    12. Documents containing personal data shall be stored in offices of the divisions responsible for maintenance and storage of such documents.

    13. Entrance doors of the offices where personal data of employees are stored shall be equipped with locks ensuring their secure closing outside working hours and with a fire alarm system.

    14. Documents that contain personal data and are subject to placement for storage into archive shall be divided into permanent and temporary storage packages and transferred for storage into the Secretariat archive. The documents shall be kept at the divisions for not more than three years before being sent for storage.

  6. Disposal of personal data

    1. Documents containing personal data shall be stored and disposed of in accordance with the procedure specified in the archival legislation of the Russian Federation.

    2. Personal data of employees are subject to disposal once the objectives of the processing have been achieved or when achieving such objectives is no longer necessary.

  7. Employee’s rights to protect their personal data.

    1. Employees have the right to:

        a. full information about their personal data and the processing of such data;

        b. free and open access to their personal data, including the right to acquire copies of any record containing personal data of the employee, except for the cases provided for by the RF laws;

        c. appoint representatives for protection of their personal data;

        d. demand removal or correction of incorrect or incomplete personal data, as well as of the data processed with a violation of the RF laws;

        e. require the employer to notify all the parties that have received incorrect or incomplete personal data of the employee, of all the deletions, corrections and addenda thereto;

        f. appeal to courts against any illegal actions or omissions of the employer in processing and protecting their personal data.

  8. Duties and responsibilities of the employer relating to violations of the rules governing processing and protection of personal data.

    1. Persons guilty of violating the rules governing acquisition, processing, storage, transfer, and protection of personal data are liable under the RF laws to disciplinary, material, civil or administrative action or criminal prosecution.

    2. Submission of forged documents by an employee shall serve as the reason for disciplinary penalties, including termination of employment.