Protection of personal data

1. TERMINES AND DEFINITIONS

The following terms and their definitions are used in this document:

1) personal data (PD) - any information relating directly or indirectly to an identified or identifiable natural person (data subject);

2) operator - a state body, municipal body, legal entity, or individual who, independently or jointly with others, organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;

3) processing of personal data - any action (operation) or set of actions (operations) performed with or without the use of automation tools, with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data;

4) automated processing of personal data - processing of personal data with the help of computer facilities;

5) dissemination of personal data - actions aimed at disclosure of personal data to an indefinite number of persons;

6) provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;

7) blocking of personal data - temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data);

8) destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and/or that destroy the physical media containing personal data;

9) depersonalization of personal data - actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular subject of personal data without using additional information;

10) personal data information system (PDIS) - a collection of personal data contained in databases and the information technologies and technical means that enable their processing;

11) cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a foreign authority, a foreign natural person or a foreign legal entity.

2. GENERAL PROVISIONS

2.1 These Regulations have been developed in accordance with Russian Federation legislation on personal data and regulatory and methodological documents issued by executive government bodies on personal data security issues when processing personal data in personal data information systems.

2.2. The main regulatory and methodological documents on which these Regulations are based are:

• — Federal Law No. 152-FZ dated July 27, 2006 «О personal data» (further – federal law «About personal data»), establishing the basic principles and conditions for the processing of personal data, the rights, obligations, and responsibilities of participants in relationships related to the processing of personal data;
• — ТRequirements for the protection of personal data when processing it in personal data information systems, approved by Resolution of the Government of the Russian Federation No. 1119 of November 1, 2012.;
• — «Regulation on the peculiarities of personal data processing carried out without the use of automation tools», approved by Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008;
• — The composition and content of organizational and technical measures to ensure the security of personal data when processing it in personal data information systems were approved by Order No. 21 of the Federal Service for Technical and Export Control of the Russian Federation dated February 18, 2013.
• — Regulatory and methodological documents of the Federal Service for Technical and Export Control of the Russian Federation (hereinafter referred to as FSTEC of Russia) on ensuring the security of PDn when processing them in ISPDn:

• Recommendations for ensuring the security of personal data when processing it in personal data information systems, approved by the Deputy Director of the Federal Service for Technical and Export Control of Russia on February 15, 2008.;
• Key measures for organizing and providing technical support for the security of personal data processed in personal data information systems, approved by the Deputy Director of the Federal Service for Technical and Export Control of Russia on February 15, 2008.;
• Basic model of threats to personal data security during its processing in personal data information systems, approved by the Deputy Director of the Federal Service for Technical and Export Control of Russia on February 15, 2008.;
• Methodology for identifying current threats to the security of personal data when processing it in personal data information systems, approved by the Deputy Director of the Federal Service for Technical and Export Control of Russia 14.2.8 г.

2.3. сThis Regulation defines the procedure and conditions for processing personal data in «Spatial.su», including the procedure for transferring PD to third parties, cases of obtaining consent from PD subjects and notifying the authority for the protection of PD subjects' rights, features of automated and non-automated PD processing, the procedure for accessing PD, the PD protection system, the procedure for organizing internal control and liability for violations in PD processing, and other issues.

2.4. These Regulations apply to all processes involving the collection, systematization, accumulation, storage, clarification, use, distribution (including transfer), depersonalization, blocking, and destruction of personal data, whether carried out using automated means or not.

2.5. Procedure for enacting and amending the Regulations.

2.5.1. These Regulations shall come into force from the date of their approval by the General Director «Spatial.su» and shall remain in force indefinitely until replaced by a new Regulation.

2.5.2. All amendments to the Regulations shall be made by order.

2.5.3. In accordance with Article 18.1 (paragraph 1) of the Federal Law «About personal data» employees «Spatial.su», Those directly involved in the processing of personal data must be familiarized with these Regulations and sign to confirm this. The fact of familiarization is recorded in the Commitment (Appendix 4 to these Regulations).

Position on the processing and protection of personal data «Spatial.su» published on the Company's website in accordance with clause 2 of Article 18.1 of the Federal Law «About personal data».

3. PURPOSES OF PROCESSING PERSONAL DATA

3.1. The processing of personal data must be limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of processing is not allowed.

3.2. It is not allowed to merge databases containing personal data processed for incompatible purposes.

3.3. The content and scope of processed personal data must correspond to the stated purposes of processing. Processed personal data must not be redundant in relation to the stated purposes of their processing.

3.4. The purposes of personal data processing are:

• personnel administration;
• accounting;
• Ensuring interaction between the Company's subdivisions in the course of implementation of the declared

activities;

• reception of appeals and requests from the personal data subject;
• informing about new products, special promotions and offers;
• mailing of online versions of magazines and newspapers;
• holding contests, promotions;
• Accepting subscriptions, organizing media delivery;
• conclusion and fulfillment of contractual terms and conditions with counterparties.

3.5. Processing of employees' personal data «Spatial.su» may be carried out solely to ensure compliance with laws and other regulatory legal acts, to assist employees in employment, training and promotion, to ensure the personal safety of employees, to control the quantity and quality of work performed and to ensure the safety of property «Spatial.su».

4. PERSONAL DATA PROCESSED IN «Spatial.su»

4.1. В «Spatial.su» The personal data of the following subjects is processed:

• — employees «Spatial.su»,
• — job applicants,
• — founders (participants) «Spatial.su», persons related to employees, founders (participants) (children for whom alimony is paid, spouses, etc.),
• — contact persons and persons responsible for fulfillment of contracts of counterparties «Spatial.su» (consumers and suppliers of products and services, partners, representatives of),
• — other individuals whose personal data is processed in «Spatial.su».

 This list may be revised as necessary.

4.2. Composition of personal data processed in «Spatial.su», set out in Annex 1.

5. NOTICE TO ROSKOMNADZOR ON PROCESSING OF PERSONAL DATA, CASES AND REFERRAL PROCEDURE

5.1. In accordance with the Law of the Russian Federation «About personal data» «Spatial.su» is an operator of personal data.

5.2. In accordance with paragraph 1 of Article 22 of the Federal Law «About personal data» In such cases, the PD operator is obliged to notify the authorized body for the protection of PD subjects' rights (currently Roskomnadzor) about the processing of PD.

5.3. In case of incompleteness or changes in the information specified in the notification, the operator shall notify the authorized body for the protection of the rights of personal data subjects (Roskomnadzor) of the changes in accordance with the procedure established by Roskomnadzor.

5.4. «Spatial.su» has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

1) processed in accordance with labor laws;

2) received by the operator in connection with the conclusion of an agreement to which the personal data subject is a party, if the personal data are not disseminated or provided to third parties without the consent of the personal data subject and are used by the operator exclusively for the execution of the said agreement and conclusion of contracts with the personal data subject;

3) made publicly available by the subject of personal data;

4) which include only the surnames, first names and patronymics of the personal data subjects; 5) necessary for the purposes of a single entry of the personal data subject to the territory where the operator is located, or for other similar purposes;

6) processed without the use of automation in accordance with federal laws or other regulatory legal acts of the Russian Federation establishing requirements to ensure the security of personal data during their processing and to respect the rights of personal data subjects.

6. AGREEMENT TO processing of personal data, incidents И CONSENT PROCEDURE

6.1. Processing of personal data in «Spatial.su» is made with the consent of the personal data subject, except for the cases specified in clause 6.2. of the Regulation.

6.2. Processing of personal data in «Spatial.su» is allowed without the consent of the data subject in the following cases:

1) processing of personal data is necessary for the execution of a contract (civil or labor), to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;

2) processing of personal data is necessary for the protection of life, health or other vital interests of the personal data subject, if it is impossible to obtain the consent of the personal data subject;

3) processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties or for the achievement of socially important purposes, provided that the rights and freedoms of the personal data subject are not infringed thereby;

4) processing of publicly available personal data;

5) in other cases established by the Law «About personal data» cases (Article 6, paragraph 1, subparagraphs 2-11 of the Federal Law «About personal data»).

6.3. Processing of personal data received from other operators, on behalf of these operators, is carried out in accordance with agreements between the companies «Spatial.su» and operators only for the purpose of executing these agreements. The responsibility for obtaining consent to the processing of personal data in this case lies with the operators.

6.4. Job applicants «Spatial.su» when filling out the questionnaires, must provide consent to the processing of personal data indicated in the questionnaires, since at the time of the interview and filling out the questionnaire, labor relations between «Spatial.su» and the applicant have not yet.

6.5. If it is necessary to process the personal data of a subject prior to concluding a civil law contract with them, it is necessary to obtain the subject's consent to the processing of their personal data..

6.6. Procedure for obtaining, revoking, and storing consent for the processing of personal data:

6.6.1. The personal data subject decides to provide his/her personal data and consents to its processing freely, of his/her own free will and in his/her own interest. Consent to the processing of personal data must be specific, informed and conscious. Consent to the processing of personal data may be given by the subject of personal data or his/her representative in any form allowing to confirm the fact of its receipt, unless otherwise established by federal law. In case of obtaining consent for personal data processing from the representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject shall be verified by the operator.

6.6.2. Consent to the processing of personal data may be withdrawn by the data subject. If the data subject withdraws their consent to the processing of personal data, the operator has the right to continue processing personal data without the consent of the personal data subject if this is necessary for the purposes of performing a contract concluded with the personal data subject, as well as in other cases established in paragraphs 2-11 of part 1 of Article 6, part 2 of Article 10, and part 2 of Article 11 of the Law of the Russian Federation. «About personal data».

6.6.3. Job applicants «Spatial.su» give consent to the processing of personal data on the questionnaires they fill out. In this case, at the end of the questionnaire, the subject of personal data makes a note: «Я  (Full name, passport details) agrees to the processing of their personal data «Spatial.su» and acknowledge that the personal data I have provided in this document is publicly available personal data.».

6.6.4. Withdrawal of consent to the processing of personal data in cases where written consent is not required by law must contain the same information that was provided when consent was given..

6.6.5. The form of written consent to the processing of personal data for the purpose of organizing interaction between employees in the course of performing their official duties is provided in Appendix 2..

In general, written consent should include:

• — surname, name, patronymic, address of the personal data subject, number of the main personal identification document, information on the date of issue of the said document and issuing authority;
• — surname, first name, patronymic, address of the representative of the personal data subject (when consent is obtained from the representative of the personal data subject), number of the main document proving his identity, information about the date of issue of the specified document and the issuing authority, details of the power of attorney or other document confirming the authority of this representative;
• — name of the operator receiving the consent of the personal data subject («Spatial.su»);
• — purpose of personal data processing;
• — list of personal data, for the processing of which the consent of the personal data subject is given;
• — list of actions with personal data for which consent is given, general description of personal data processing methods used by the operator;
• — the period during which the consent of the personal data subject is valid, as well as the method of its withdrawal, unless otherwise provided for by the federal law;
• — signature of the personal data subject.

6.6.6.   To revoke written consent, the PD subject or their legal representative shall send a written request addressed to the head of the organization. «Spatial.su». The request must contain:

• — Full name of the data subject or their legal representative;
• — number of the main document certifying the identity of the personal data subject or their legal representative;
• — information about the date of issuance of the document and the issuing authority;
• — address of the PD subject;
• — handwritten signature of the personal data subject or his/her legal representative.

The form for withdrawing written consent to the processing of personal data is provided in Appendix 2..

6.6.7.      Written consent for the processing of personal data is obtained by an employee. «Spatial.su», upon receipt of PD from the PD subject.

6.6.8.   ПWritten consent to the processing of personal data, as well as withdrawal of consent, are stored in the personal file of the data subject..

6.7. In the event of creating and submitting an application for products and services «Spatial.su» through his website «Spatial.su» obtains the client's consent by pressing the confirmation button on the registration form, which contains a consent clause.

6.8.2. Sample consent form when submitting an application via the website:

«By registering, you give «Spatial.su» consent to the processing of the transferred personal data for the purpose of providing the requested services».

7. ОPROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

7.1. Processing of special categories of personal data concerning racial, national origin, political opinions, religious or philosophical beliefs, health status, intimate life, biometric personal data в «Spatial.su», ex cluding data, processed in in accordance with labor legislation, is not permitted.

8. TRANSFER OF PERSONAL DATA TO THIRD PARTIES

8.1.   «Spatial.su» transfers employees' personal data to third parties for processing in the following cases:

• — Transfer of personal data of contact persons and persons responsible for the performance of contracts for the purpose of organizing the performance of these contracts. In this case, only publicly available personal data made available by such employees in accordance with their written consent shall be transferred. In this case, the transfer of personal data shall be carried out on the basis of a contract.;
• — Transfer of personal data in cases stipulated by federal laws and regulations.

8.2. В «Spatial.su» no trans-border transfer of personal data is allowed during the processing of personal data.

9. RIGHTS OF THE SUBJECT AND THE DUTIES OF AN OPERATOR IN REGARDING PERSONAL DATA PROCESSED IN «Spatial.su»

9.1. The personal data subject has the right to receive information (hereinafter referred to as – information), concerning the processing of his/her personal data, including those containing:

• — confirmation of the fact of personal data processing by the operator;
• — legal grounds and purposes of personal data processing;
• — Methods of personal data processing applied by the operator;
• — name and location of the operator, information about persons (except for the operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the operator or on the basis of federal law;
• — processed personal data related to the respective personal data subject, the source of their obtaining, unless another procedure for providing such data is provided for by the federal law;
• — terms of personal data processing, including the terms of their storage;
• — the procedure for exercising by the personal data subject of the rights provided by the Federal Law «About personal data»;
• — name or surname, first name, patronymic and address of the person who processes personal data on behalf of the operator, if the processing will be entrusted to such a person;
• — other information stipulated by the Federal Law «About personal data» or other federal laws.

9.2. The subject of personal data has the right to demand from the operator to clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his/her rights.

9.3. Information shall be provided to the subject of personal data by the operator in an accessible form and shall not contain personal data relating to other subjects of personal data, unless there are legitimate grounds for disclosure of such personal data.

9.4. Information shall be provided to the personal data subject or his/her representative by the operator upon application or upon receipt of a request of the personal data subject or his/her representative. The request shall contain the number of the main identity document of the personal data subject or his/her representative, information on the date of issue of the said document and the issuing authority, information confirming the participation of the personal data subject in relations with the operator (contract number, date of the contract, conventional word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the operator, signature of the personal data subject or his/her representative. The request may be sent in the form of an electronic document and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. Deadline for responding to the request – 30 days.

9.5. In case the information, as well as the processed personal data were provided for familiarization to the personal data subject upon his/her request, the personal data subject has the right to reapply to the operator or to send him/her a repeated request in order to obtain the information referred to in item 9.1 of the Regulation and familiarization with such personal data not earlier than thirty days after the initial application or sending the initial request, unless a shorter term is established by the federal law, adopted in accordance with n.

9.6. The operator is obliged to provide free of charge to the personal data subject or his/her representative the opportunity to familiarize with personal data related to this personal data subject. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his/her representative of information confirming that personal data are incomplete, inaccurate or irrelevant, the operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the operator shall destroy such personal data.  The operator is obliged to notify the personal data subject or his/her representative of the changes made and measures taken, and to take reasonable measures to notify third parties to whom the personal data of this subject have been transferred.

9.7. The operator is obliged to inform the authorized body for the protection of the rights of personal data subjects at the request of this body of the necessary information within thirty days from the date of receipt of such a request.

9.8. If the personal data was not obtained from the personal data subject, unless the personal data was provided by the «Spatial.su» on the basis of federal law or if the personal data is publicly available, «Spatial.su», except for the cases provided for by item 9.9 of the Regulation, prior to the processing of such personal data, is obliged to provide the following information to the personal data subject:

• — name and address of the operator («Spatial.su»);
• — purpose of personal data processing and its legal basis;
• — intended users of personal data;
• — established by the Federal Law «About personal data» rights of the personal data subject;
• — source of personal data.

9.9. If the personal data was not obtained from the personal data subject, «Spatial.su» is not obliged to provide the subject of personal data with information under clause 9.8 of the Regulations if the personal data was obtained on the basis of federal law or a contract, as well as if the personal data is publicly available and obtained from a publicly available source.

9.10. If the obligation to provide personal data is established by federal law, «Spatial.su» is obliged to explain to the personal data subject the legal consequences of refusal to provide his/her personal data.

10. PROCESSING AND PERSONAL DATA PROTECTION

10.1. «Spatial.su» is obliged to take necessary organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data.

10.2. To develop security requirements and implement a personal data security system in«Spatial.su» A standard threat model is being developed based on the regulatory and methodological document of the Federal Service for Technical and Export Control of Russia. «Basic model of threats to the security of personal data during their processing in personal data information systems».

A set of measures to protect and ensure the security of personal data includes organizational measures and software and hardware protection means.

10.3. Access to personal data.

10.3.1. В «Spatial.su» an authorization procedure for access to personal data has been established. Employees «Spatial.su» are granted access to work with Personal Data only to the extent and scope necessary for the performance of their job duties based on the decision of their manager. List of Personal Data processed in «Spatial.su», established by Appendix 1 to these Regulations.

10.3.2. Employees «Spatial.su», who, due to their job responsibilities, constantly work with personal data, shall have access to the necessary categories of personal data for the duration of their relevant job responsibilities based on the list of persons authorized to work with personal data, which is approved by the head of the organization. The list shall be compiled in accordance with the form provided in Appendix 3 to the Regulations.

10.3.3. The list of persons having access to personal data shall be kept up to date. Responsibility for keeping the list of persons up to date shall be borne by the person responsible for organizing the processing of personal data.

10.3.4. Temporary or one-time access to work with personal data due to business necessity may be obtained by an employee «Spatial.su» By decision of the head of the organization.

10.3.5. Access to personal data of third parties who are not employees «Spatial.su», without the consent of the subject of personal data is prohibited, except for access by employees of executive authorities as part of measures to control and supervise the implementation of legislation, exercise the functions and powers of the relevant government authorities, and in other cases permitted by law. Provision of information at the request or demand of a government authority is made with the knowledge of the General Director «Spatial.su».

In case of access to personal data by persons other than employees «Spatial.su», дhe consent of the subjects of Personal Data must be obtained for the disclosure of their Personal Data to third parties. Such consent is not required if the Personal Data  are provided for the purpose of civil law fulfillment  дa contract entered into by the company with the subject of the data subject.

10.3.6. Employee access «Spatial.su» access to Personal Data is terminated as of the date of termination of the employment relationship, or the date of change in the employee's job duties and/or exclusion of the employee from the list of persons authorized to access Personal Data. In the event of termination of employment, all media containing Personal Data that, in accordance with the job description, were at the employee's disposal during his or her employment with the Company shall be deleted from the list of persons authorized to access Personal Data. «Spatial.su», should be given to the head of the unit.

10.4. Requirements to employees in connection with processing of personal data and their responsibility.

10.4.1. The job responsibilities of employees involved in the processing of personal data are set out in job descriptions and user manuals.

10.4.2. Ensuring the confidentiality of personal data processed in the «Spatial.su», is a mandatory requirement for all employees «Spatial.su», to whom the personal data became known.

10.4.3. All persons admitted to work with personal data shall be familiarized with the requirements of these Regulations and sign a signature «Obligation to ensure confidentiality of personal data by employees «Spatial.su». ПThe employee shall sign his/her familiarization with the Regulation at the same time as signing the commitment set forth in Annex 4 to this Regulation. The commitment shall be kept in the personal file.

10.4.4. Persons with permanent access to personal data and persons operating technical and software programs.  means  defenses   should  pass  training  in  «Spatial.su».

10.4.5. In case of violation of the established procedure for processing personal data, employees «Spatial.su» shall be liable in accordance with Section 12 of these Regulations.

10.5. Obtaining Personal Data.

10.5.1. Personal data is received by the company when hiring new employees, conducting interviews, concluding and executing contracts, and in other cases.

Employees «Spatial.su», Those who execute documents are obliged to obtain the consent of the subjects of personal data for processing in the prescribed cases (Section 6 of the Regulation).

10.6. When personal data is received by an employee «Spatial.su» in accordance with their job responsibilities, the verification of the accuracy of personal data must be conducted on a mandatory basis.

10.7. Procedure for handling media containing personal data.

10.7.1. Subjects' Personal Data processed by the Company on paper and other media shall be stored in the departments (employees) that have access to the processing of the respective Personal Data. The right of access of employees shall be determined in accordance with clause 10.4 of these Regulations.

10.7.2. Personal Data carriers shall not be left unattended during work. When leaving the workplace, employees processing personal data shall put the media in a safe, lockable cabinet or otherwise restrict unauthorized access to the media.

10.7.3. Data carriers are stored in the rooms where they are processed, in cabinets or safes.

10.7.4. Responsibility for storage of carriers containing personal data is assigned to the head of the organization.

10.7.5. The carriers containing personal data shall be issued for familiarization to persons authorized to access the relevant information for the purpose of performing their official duties, for a period not exceeding one working day.

10.7.6. Employees are required to immediately report to their department head any loss or shortage of media containing PD, as well as the reasons and circumstances of a possible PD leak or any attempts by unauthorized persons to obtain PD from an employee that is being processed in «Spatial.su».

10.7.7. When working with personal data in «Spatial.su» зThe transfer of personal data carriers, as well as demonstration of screen forms containing personal data to unauthorized persons is prohibited.

10.8. ОThe specifics of processing personal data contained on paper media without the use of automation tools (no computers are used when compiling documents) are established in accordance with Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008. "Об Approval of the Regulation on peculiarities of personal data processing carried out without the use of automation means".

10.8.1. В «Spatial.su» Records and systematization of documents containing personal data are kept; registers of contracts, personnel files, etc. are kept. If personal data is lost or damaged, it is restored where possible.

10.8.2. В «Spatial.su» when keeping the logs necessary for a single admission of the personal data subject to the territory where the personal data subject is located «Spatial.su», or for other similar purposes, only the surname, first name and patronymic of the data subject shall be indicated.

10.9. Personal data shall be stored for no longer than required for the purposes of personal data processing, unless the period of personal data storage is established by federal law, contract to which the subject of personal data is a party, beneficiary or guarantor. Processed personal data shall be destroyed or depersonalized upon achievement of the purposes of processing or in case of loss of necessity to achieve these purposes, unless otherwise provided for by federal law.

10.10. Destruction, blocking and clarification of personal data.

10.10.1. В in case of detection of inaccurate personal data at the request of the personal data subject or his/her legal representative or the authorized body for the protection of the rights of personal data subjects «Spatial.su» is obliged to block personal data related to the respective personal data subject from the moment of such request or receipt of such request for the period of verification. Blocking shall be carried out on the basis of the order of the General Director «Spatial.su» by stopping any actions with the Personal Data.

In case of confirmation of the fact of inaccuracy of personal data «Spatial.su» on the basis of documents submitted by the personal data subject or his/her legal representative or by the authorized body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify the personal data (make changes) and remove their blocking. The unblocking is carried out on the basis of the order of the General Director «Spatial.su».

10.10.2. In case of detection of unlawful actions with personal data «Spatial.su» within a period not exceeding three working days from the date of such detection, is obliged to eliminate the admitted violations. In case of impossibility to eliminate the admitted violations within a period not exceeding three working days from the date of detection of unlawfulness of actions with personal data, is obliged to destroy personal data. On elimination of the admitted violations or destruction of personal data «Spatial.su» shall notify the data subject or his or her legal representative, and if the request or inquiry was sent by an authorized body for the protection of the rights of data subjects, it shall also notify that body..

10.10.3. If the purpose of personal data processing is achieved or if the data subject revokes the personal data  personal  data  consents  on  processing  their  personal  data,  «Spatial.su» is obliged to immediately stop processing personal data and destroy the relevant personal data within a period not exceeding 30 business days from the date when the purpose of personal data processing is achieved, unless otherwise provided for by the contract with the subject of personal data, federal law and regulatory legal act, and notify the subject of personal data or his/her legal representative thereof.

10.10.4. Clarification of personal data during their processing without the use of means of automation is performed by updating or changing the data on a tangible medium, and if this is not allowed by the technical features of the tangible medium - by fixing on the same tangible medium information about the changes made in them or by producing a new tangible medium with the clarified personal data.

10.10.5. The destruction of Personal Data shall be carried out in the following order:

• — Destruction or depersonalization of a part of personal data on paper may be carried out in a way that excludes further processing of these personal data while preserving the possibility of processing other data recorded on a tangible medium (deletion, erasure).;
• — Personal data in hard copy shall be destroyed by burning, processing in a paper recycling machine, or manually cutting into small fragments;
• — Personal data placed in the computer memory are destroyed by software erasure with no possibility of recovery;
• — Personal data stored on a flash card, CD-disk, or other removable storage medium shall be destroyed by software erasure without the possibility of recovery or by destroying the medium.

10.12. Organization of internal control over processing and security of personal data.

10.12.1. Organization of internal control over the process of processing personal data in «Spatial.su» is carried out for the purpose of studying and assessing the actual state of protection of personal data, timely response to violations of the established procedure for their processing, as well as for the purpose of improving this procedure and ensuring compliance with it.

10.12.2. Measures to implement internal control over the processing and security of personal data are aimed at accomplishing the following tasks:

• — Ensuring compliance by employees «Spatial.su» requirements of this Regulation and normative legal acts regulating the personal data field;
• — Assessment of the competence of personnel involved in processing of personal data;
• — Ensuring the operability and effectiveness of ISPD technical means and PD protection means, their compliance with the requirements of authorized executive authorities on PD security issues;
• — ВDetection of violations of the established procedure for processing personal data and timely prevention of negative consequences of such violations;
• — Taking corrective measures aimed at eliminating identified violations, as in the order of processing Personal Data;
• — Development of recommendations on improving the procedure for processing and ensuring the security of personal data based on the results of control measures;
• — Internal control over the implementation of recommendations and instructions for the elimination of violations.

10.12.3. Control over the process of processing of personal data in subdivisions «Spatial.su» is organized by the person responsible for organizing the processing of personal data on an annual basis.

10.13. Requirements for ISPDN administrators.

10.13.1. To ensure processing and protection of personal data в «Spatial.su» An administrator shall be appointed, whose duties shall include:

• — management of user accounts for ISPDN users;
• — maintaining regular operation of ISPDNs;
• — data backup;
• — installation and configuration of hardware, system-wide and application software of ISPDNs;
• — Ensuring that the procedure for processing and ensuring the security of personal data in an ISPDN complies with the requirements for confidentiality, integrity and availability of personal data applicable to a particular ISPDN and general requirements for personal data security established by federal legislation;
• — installing, configuring and administering hardware and software means of information protection of ISPDNs;
• — accounting and storage of machine-readable data carriers;
• — periodic audit of security logs and analysis of the security of ISPDNs;
• — participation in  internal affairs investigations  фактов  violations  established  procedures for processing and ensuring the security of personal data.

11. PECULIARITIES OF EMPLOYEES' PDN PROCESSING «Spatial.su»

This section establishes additional rights and responsibilities of employees «Spatial.su» when processing employees' personal data in «Spatial.su».

11.1. Employee's personal data - information necessary to «Spatial.su» in connection with the employment relationship and relating to a particular employee. «Spatial.su» obtains the personal data required by labor law from the employee himself/herself. If personal data can only be obtained from a third party, then it can only be obtained by with the written consent работника.

11.2. Employees' personal data may be processed solely to ensure compliance with laws and other regulatory acts, to assist employees in employment, training and promotion, to ensure personal safety of employees, to control the quantity and quality of work performed and to ensure the safety of property.

11.3. «Spatial.su» has no right to receive and process special personal data of an employee, including on his membership in public associations or his trade union activities,  политических,  religious  beliefs  and  private  lives,  with the exception of cases stipulated by the legislation.

11.4. When making decisions affecting the interests of the employee, «Spatial.su» has no right to base on employee's personal data obtained exclusively in electronic form or as a result of their only automated processing.

11.5. «Spatial.su» undertakes not to disclose employee's personal data to third parties for commercial and other purposes without written consent transfer of personal data, if the transfer of personal data is not provided for by federal laws and other regulatory legal acts or contracts (transfer of publicly available personal data under a contract).

11.6. Доступ к персональным данным работников предоставляется сотрудникам «Spatial.su» на основании утвержденного списка (Приложение 3 к настоящему Положению) в целях исполнения ими должностных обязанностей по ведению кадрового делопроизводства, выполнения административно-хозяйственных и организационно-распорядительных функций.

11.7. «Spatial.su» обязуется не запрашивать информацию о состоянии здоровья работника, за исключением тех сведений, которые относятся к вопросу о возможности выполнения работником трудовой функции;

11.8. If necessary, transfer PII to the employee's representative, «Spatial.su» undertakes to transfer the employee's personal data in accordance with the procedure established by the Labor Code of the Russian Federation and other federal laws, and to limit the transferred information to only those employee's personal data that are necessary for the said representatives to perform their functions.

11.9. Employees have the right to identify their representatives for the protection of their personal data.

11.10. «Spatial.su» shall be obliged to transfer personal data of employees within the limits of the «Spatial.su» in accordance with the requirements of these Regulations.

11.11. In accordance with Articles 86 and 88 of the Labor Code of the Russian Federation, an employee shall «Spatial.su» must be familiarized under signature with this Regulation, which establishes the procedure for processing personal data, rights and obligations in this area. The employee shall sign the Consent to the processing of Personal Data, which he/she gives in order to organize interaction between employees in the course of performing their job duties (Annex 2)..

12. RESPONSIBILITY FOR VIOLATION OF THIS PROVISION

12.1. Management «Spatial.su» bears responsibility for failure to ensure confidentiality of Personal Data and failure to observe the rights and freedoms of Personal Data subjects in relation to their Personal Data, including the rights to privacy, personal and family secrecy.

12.2. Employees «Spatial.su» are personally liable for non-compliance with the requirements for processing and ensuring the security of personal data set forth in these Regulations, in accordance with the laws of the Russian Federation.

12.3. Employee «Spatial.su» may be held liable in cases of:

• — willful or reckless disclosure of personal data;
• — loss of tangible data carriers;
• — violations of the requirements of these Regulations and other regulatory documents «Spatial.su» in terms of access to and work with PII.

12.4.   In cases of violation of the established procedure for processing and ensuring the security of Personal Data, unauthorized access to Personal Data, disclosure of Personal Data and infliction of «Spatial.su», The guilty persons shall bear civil, criminal, administrative, disciplinary and other liability stipulated by the legislation of the Russian Federation.

LIST OF PERSONAL DATA PROCESSED IN «Spatial.su»