Privacy Policy
POLICY
processing of personal data and implemented requirements for the protection of personal data of the Federal State Budgetary Educational Institution of Higher Professional Education "Derzhavin Tambov State University"
- General position
1.1. This Policy for the processing of personal data and the implemented requirements for the protection of personal data (hereinafter referred to as the Policy) of the Federal State Budgetary Educational Institution of Higher Professional Education "Derzhavin Tambov State University" (hereinafter referred to as the Operator) was developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, Information Technologies and Information Protection", the Federal Law "On Personal Data", and the Internal Labor Regulations of the Institution.
1.2. This Policy defines the main issues related to the processing of personal data at "Derzhavin Tambov State University" using automation tools, including in information and telecommunication networks, or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools, that is, if it allows, in accordance with a given algorithm, searching for personal data recorded on a tangible medium and contained in file cabinets or other systematized collections of personal data, and (or) access to such personal data.
1.3. This Policy does not apply to relationships arising from:
– organizing the storage, acquisition, recording and use of archival documents containing personal data in accordance with the legislation on archival affairs in the Russian Federation;
– processing of personal data classified in accordance with the established procedure as information constituting a state secret.
1.4. The purpose of this Policy is to ensure the protection of the rights and freedoms of man and citizen when processing his personal data, including the protection of the rights to privacy, personal and family secrets.
2. Principles and conditions for processing personal data
2.1. Principles for processing personal data:
– the processing of personal data must be carried out on a legal and fair basis;
– the processing of personal data must be limited to the achievement of specific, predetermined and legitimate purposes;
– it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other;
– only personal data that meets the purposes of their processing are subject to processing;
– the content and volume of personal data processed must correspond to the stated purposes of processing;
– when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data must be ensured;
– storage of personal data must be carried out in a form that makes it possible to identify the subject of personal data, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor;
– processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of loss of the need to achieve these goals, unless otherwise provided by federal law.
2.2. Conditions for processing personal data:
– processing of personal data must be carried out in compliance with the principles and rules provided for in this Policy;
– processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
– processing of personal data is necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor;
– processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
– the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of the subject of personal data are not violated;
– the processing of personal data is necessary for carrying out scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;
– the processing of personal data is carried out for statistical or other research purposes, subject to the mandatory anonymization of personal data;
– processing is carried out of personal data to which access by an unlimited number of persons has been provided by the subject of personal data or at his request;
– processing is carried out of personal data that is subject to publication or mandatory disclosure in accordance with federal law.
2.3. A person processing personal data on behalf of an operator is not required to obtain the consent of the subject of personal data to process his personal data.
2.4. The person processing personal data on behalf of the operator is responsible to the operator.
- Confidentiality of personal data
3.1. The operator and other people who have access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.
- Public sources of personal data
4.1. For the purpose of information support, publicly available sources of personal data (including directories, address books) may be created. With the written consent of the subject of personal data, publicly available sources of personal data may include his last name, first name, patronymic, year and place of birth, address, subscriber number, information about profession and other personal data reported by the subject of personal data.
4.2. Information about the subject of personal data must be excluded at any time from publicly available sources of personal data at the request of the subject of personal data or by decision of a court or other authorized government bodies.
- Consent of the subject of personal data to the processing of his personal data
5.1. The subject of personal data decides to provide his personal data and consents to their processing freely, of his own free will and in his own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law.
5.2. The written consent of the personal data subject to the processing of his personal data must include, in particular:
– last name, first name, patronymic, address of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority;
– last name, first name, patronymic, address of the representative of the subject of personal data, number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority, details of the power of attorney or other document confirming the powers of this representative (upon obtaining consent from the representative of the subject of personal data);
– name or surname, first name, patronymic and address of the operator receiving the consent of the subject of personal data;
– purpose of processing personal data;
– a list of personal data for the processing of which the consent of the subject of personal data is given;
– name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if processing will be entrusted to such a person;
– a list of actions with personal data for which consent is given, a general description of the methods used by the operator for processing personal data;
– the period during which the consent of the subject of personal data is valid, as well as the method of its withdrawal, unless otherwise established by federal law;
– signature of the subject of personal data.
5.3. In case of incapacity of the subject of personal data, consent to the processing of his personal data is given by the legal representative of the subject of personal data.
- The right of the subject of personal data to access his personal data
6.1. The subject of personal data has the right to demand that the operator clarify his personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his rights.
6.2. The information must be provided to the subject of personal data by the operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, unless there are legal grounds for the disclosure of such personal data.
6.3. Information is provided to the subject of personal data or his representative by the operator upon contact or upon receipt of a request from the subject of personal data or his representative. The request must contain the number of the main document identifying the subject of personal data or his representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the subject of personal data in relations with the operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the operator, the signature of the subject of personal data or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
6.4. The operator has the right to refuse to fulfill a repeated request from the subject of personal data. Such refusal must be motivated. The obligation to provide evidence of the validity of the refusal to fulfill a repeated request lies with the operator.
6.5. The subject of personal data has the right to receive information regarding the processing of his personal data, including containing:
– confirmation of the fact of processing of personal data by the operator;
– legal grounds and purposes of processing personal data;
– the purposes and methods of processing personal data used by the operator;
– name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
– processed personal data related to the relevant subject of personal data, the source of their receipt, unless a different procedure for the presentation of such data is provided for by federal law;
– terms of processing of personal data, including periods of their storage;
– the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law "On Personal Data";
– information about completed or intended cross-border data transfers;
– name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing has been or will be entrusted to such a person.
6.6. If the subject of personal data believes that the operator is processing his personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal the actions or inaction of the operator to the authorized body for the protection of the rights of personal data subjects or in court.
6.7. The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
- Operator responsibilities
7.1. The operator is obliged to take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it. The operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Federal Law "On Personal Data" or other federal laws. Such measures may include, in particular:
– appointment by the operator of a person responsible for organizing the processing of personal data;
– publication by the operator of documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
– application of legal, organizational and technical measures to ensure the security of personal data;
– implementation of internal control and (or) audit of compliance of the processing of personal data with this Federal Law and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, the operator’s policy regarding the processing of personal data, local acts of the operator;
– assessment of the harm that may be caused to subjects of personal data in the event of a violation of the Federal Law "On Personal Data", the relationship between this harm and the measures taken by the operator aimed at ensuring the fulfillment of the obligations provided for by the Federal Law "On Personal Data";
– familiarization of the operator’s employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, and (or) training of said employees.
7.2. The operator is obliged to publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data.
7.3. The Government of the Russian Federation establishes a list of measures aimed at ensuring the fulfillment of the obligations provided for by the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it, by operators that are state or municipal bodies.
7.4. When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.
7.5. Ensuring the security of personal data is achieved, in particular:
– identifying threats to the security of personal data during their processing in personal data information systems;
– application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
– the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;
– assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;
– keeping records of computer storage media containing personal data;
– detecting facts of unauthorized access to personal data and taking measures;
– restoration of personal data modified or destroyed due to unauthorized access to it;
– establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
– control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.
7.6. Control and supervision over the implementation of organizational and technical measures to ensure the security of personal data established in accordance with this article when processing personal data in state personal data information systems is carried out by the federal executive body authorized in the field of security and the federal executive body authorized in the field of countering technical intelligence and technical protection of information, within the limits of their powers and without the right to familiarize themselves with personal data processed in personal data information systems.
7.7. The use and storage of biometric personal data outside personal data information systems can only be carried out on such tangible media and using such storage technology that ensure the protection of this data from unauthorized or accidental access to it, its destruction, modification, blocking, copying, provision, distribution.
7.8. The operator is obliged to provide, free of charge, the subject of personal data or his representative with the opportunity to familiarize himself with personal data relating to this subject of personal data. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant, the operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that such personal data was illegally obtained or is not necessary for the stated purpose of processing, the operator is obliged to destroy such personal data. The operator is obliged to notify the subject of personal data or his representative about the changes made and measures taken and take reasonable measures to notify third parties to whom the personal data of this subject have been transferred.
7.9. If unlawful processing of personal data is detected upon application by the subject of personal data or his representative or at the request of the subject of personal data or his representative or the authorized body for the protection of the rights of personal data subjects, the operator is obliged to block unlawfully processed personal data relating to this subject of personal data, or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the operator) from the moment of such an appeal or receipt of the specified request for the period of verification. If inaccurate personal data is identified when contacting the subject of personal data or his representative or at their request or at the request of the authorized body for the protection of the rights of subjects of personal data, the operator is obliged to block personal data relating to this subject of personal data or ensure their blocking (if processing personal data is carried out by another person acting on behalf of the operator) from the moment of such application or receipt of the specified request for the period of verification, if blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
7.10. If the fact of inaccuracy of personal data is confirmed, the operator, on the basis of information provided by the subject of personal data or his representative or an authorized body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify the personal data or ensure their clarification (if the processing of personal data is carried out by another person acting on behalf of the operator) within seven working days from the date of submission of such information and remove the blocking of personal data. If unlawful processing of personal data is detected, carried out by an operator or a person acting on behalf of the operator, the operator, within a period not exceeding three working days from the date of this detection, is obliged to stop the unlawful processing of personal data or ensure the cessation of unlawful processing of personal data by a person acting on behalf of the operator.
7.11. If it is impossible to ensure the legality of the processing of personal data, the operator, within a period not exceeding ten working days from the date of detection of unlawful processing of personal data, is obliged to destroy such personal data or ensure its destruction. The operator is obliged to notify the subject of personal data or his representative about the elimination of violations or the destruction of personal data, and in the event that the appeal of the subject of personal data or his representative or the request of the authorized body for the protection of the rights of personal data subjects was sent by the authorized body for the protection of the rights of personal data subjects, also the specified authority.
7.12. If the purpose of processing personal data is achieved, the operator is obliged to stop processing personal data or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the operator) and destroy personal data or ensure its destruction (if the processing of personal data is carried out by another person acting on behalf of the operator) within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the operator and the subject of personal data, or if the operator does not have the right to carry out the processing of personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
7.13. If the subject of personal data withdraws consent to the processing of his personal data, the operator is obliged to stop processing them or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the operator) and, in the event that the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the operator) within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, another agreement between the operator and the subject of personal data, or if the operator does not have the right to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.
7.14. If it is not possible to destroy personal data within the period, the operator blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the operator) and ensures the destruction of personal data within a period of no more than six months, unless a different deadline is established by federal laws.
7.15. The operator, being a legal entity, appoints a person responsible for organizing the processing of personal data.
7.16. The person responsible for organizing the processing of personal data receives instructions directly from the executive body of the organization that is the operator and is accountable to it. The person responsible for organizing the processing of personal data is, in particular, obliged to:
– exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation on personal data, including requirements for the protection of personal data;
– bring to the attention of the operator’s employees the provisions of the legislation of the Russian Federation on personal data, local acts on the processing of personal data, requirements for the protection of personal data;
– organize the reception and processing of appeals and requests from personal data subjects or their representatives and (or) exercise control over the reception and processing of such appeals and requests.
- Liability for violation of the requirements of the Federal Law "On Personal Data"
8.1. Persons guilty of violating the requirements of the Federal Law "On Personal Data" bear responsibility as provided for by the legislation of the Russian Federation.
8.2. Moral damage caused to the subject of personal data as a result of violation of his rights, violation of the rules for processing personal data established by the Federal Law "On Personal Data", as well as requirements for the protection of personal data established in accordance with the Federal Law "On Personal Data", is subject to compensation in accordance with the legislation of the Russian Federation. Compensation for moral damage is carried out regardless of compensation for property damage and losses incurred by the subject of personal data.