Personal Data Processing Policy of Medicina JSC

1. Purpose of the Policy

This Policy defines the conceptual framework for Medicina JSC operations that ensures protection of human and civil rights and freedoms in personal data processing, including protection of the rights to privacy and to personal and family secrets.

2. This Policy is enacted to replace Personal Data Processing Policy of 19.12.2024 No. 01.02-14/490.

3. Scope of application

3.1. This Policy shall apply to the activities of all Medicina JSC departments (including the Institute of Nuclear Medicine, a separate division in Khimki) involved in the processing of personal data.

3.2. This Policy, according to the requirements of Clause 2 of Article 18.1 of Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data”, shall be published on the official website http://www.medicina.ru/. The current hard copy version of the Policy is kept at the address: 10, 2nd Tverskoy-Yamskoy pereulok, Moscow, 125047.

3.3. If certain provisions of this Policy conflict with the current legislation of the Russian Federation, provisions of the current legislation of the Russian Federation shall prevail.

4. Validity Term

4.1. This Policy shall be effective for a period of 1 year.

4.2. This Policy may be reviewed and re-approved as changes are made to:

  • regulatory legal acts in the field of personal data;
  • local regulations of Medicina JSC governing organization of processing and ensuring security of personal data.

5. Terms and Definitions

Personal Data (PD) is any information related directly or indirectly to an identified or identifiable natural person (personal data subject).

Personal Data Processing is any action (operation) or series of actions (operations) performed on personal data with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, submission, access), depersonalization, blocking, deletion and destruction of personal data.

Automated Personal Data Processing is the processing of personal data using computer technology.

Submission of Personal Data is an action aimed at disclosing personal data to a certain person or a certain group of people.

Distribution of Personal Data is an action aimed at disclosing personal data to an unspecified group of people.

Destruction of Personal Data is the actions as a result of which it becomes impossible to restore the contents of personal data in the personal data information system and/or physical carriers of personal data are destroyed.

Depersonalization of Personal Data is an action that makes it impossible, without the use of additional information, to determine which personal data subject the personal data belong to.

Personal Data Information System is the combination of personal data contained in databases and the information technologies and technical equipment that ensure their processing.

Cross-Border Transfer of Personal Data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Personal Data Subject is an individual who is directly or indirectly identified or identifiable using personal data.

6. Referenced Codes and Standards

6.1. This Policy was developed in accordance with the provisions of the following regulatory legal acts:

  • Constitution of the Russian Federation (adopted by the nation-wide vote on December 12, 1993);
  • Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001;
  • Code of Administrative Offences of the Russian Federation No. 195-FZ dated December 30, 2001;
  • Federal Law No. 323-FZ dated November 21, 2011 “On Fundamental Healthcare Principles in the Russian Federation”;
  • Federal Law No. 149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”;
  • Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”;
  • Requirements for the protection of personal data during their processing in personal data information systems (approved by Decree of the Government of the Russian Federation No. 1119 dated November 01, 2012);
  • Regulation concerning certain details of personal data processing carried out without the use of automation tools (approved by Decree of the Government of the Russian Federation No. 687 dated September 15, 2008);
  • Composition and content of organizational and technical actions to ensure personal data security during their processing in personal data information systems (approved by Order of the Federal Service for Technical and Export Control of the Russian Federation No. 21 dated February 18, 2013);
  • Composition and content of organizational and technical actions to ensure personal data security during their processing in personal data information systems using cryptographic information protection tools as required to comply with the personal data protection requirements established by the Government of the Russian Federation for each of the security levels (approved by Order of the Federal Security Service of the Russian Federation No. 378 dated July 10, 2014);
  • Decree of the Government of the Russian Federation No. 2526 dated December 29, 2022 “On Approval of the List of Cases when Operators Carrying out Cross-Border Transfer of Personal Data to Fulfill the Functions, Powers and Duties Assigned to the Government Bodies, Municipal Bodies by the International Treaty of the Russian Federation and the Legislation of the Russian Federation shall be Exempt from the Requirements of Parts 3–6, 8–11 of Article 12 of the Federal Law “On Personal Data”;
  • Decree of the Government of the Russian Federation No. 6 dated January 10, 2023 “On Approval of the Rules for Making a Decision by an Authorized Body to Prohibit or Restrict the Cross-Border Transfer of Personal Data for the Protection of Rights of Personal Data Subjects and Inform Operators of the Decision”;
  • Decree of the Government of the Russian Federation No. 24 dated January 16, 2023 “On Approval of the Rules for Making a Decision by an Authorized Body to Prohibit or Restrict the Cross-Border Transfer of Personal Data for the Protection of Morals, Health, Rights and Legitimate Interests of the Citizens”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No. 128 dated August 05, 2022 “On Approval of the List of Foreign States Providing Relevant Protection of Rights of Personal Data Subjects”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No. 187 dated November 14, 2022 “On Approval of the Procedure and Conditions for Interaction of the Federal Service for Supervision of Communications, Information Technology and Mass Media with Operators within the Framework of Maintaining a Register of Personal Data Incidents”;
  • Order of the Federal Security Service of Russia No. 77 dated February 13, 2023 “On Approval of the Procedure for Interaction of Operators with the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation, including Reports to the Federal Security Service of Russia about Computer Incidents that Resulted in the Illegal Transfer (Provision, Distribution, Access) of Personal Data”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No. 178 dated October 27, 2022 “On Approval of Requirements for Assessing the Harm that may be Caused to the Personal Data Subjects as a Result of a Breach of the Federal Law “On Personal Data”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No. 179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”;
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR).

6.2. For the purposes of this Policy, Medicina JSC has approved the Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection, the Regulation on the Personal Data Protection of Medicina JSC Employees, the Regulation on the Personal Data Protection of Job Seekers, Patients and Other Personal Data Subjects, and other local regulations related to personal data processing and protection.

7. Policy Description

7.1. Principles, Objectives, Content and Methods of Personal Data Processing

7.1.1. Medicina JSC in its activities ensures compliance with the principles of personal data processing referred to in Article 5 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”:

  • personal data are processed in accordance with the laws, fairly and openly with respect to the personal data subject;
  • personal data shall be collected for specific, pre-determined and legitimate purposes and shall not be subjected to any further processing contrary to these purposes;
  • personal data subject to processing shall be sufficient, current and relevant for the purposes of processing;
  • personal data shall be accurate and, if necessary, updated in a timely manner;
  • personal data shall be stored no longer than is necessary for processing purposes;
  • the method of personal data processing shall ensure personal data protection, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures.

7.1.2. When processing personal data, Medicina JSC ensures the exercise of the rights of the personal data subjects provided for by the laws of the Russian Federation, including:

  • the right to access own personal data;
  • the right to receive information regarding personal data processing;
  • the right to require Medicina JSC to clarify, block or destroy personal data if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
  • the right to revoke consent to personal data processing by sending the relevant request to Medicina JSC or in person;
  • the right to appeal in court against any illegal actions or omissions of Medicina JSC in the personal data processing and protection.

7.1.3. Before personal data processing starts, the personal data subjects, the composition of the personal data subject to processing and the specific purposes of personal data processing are determined and documented in the “List of Processed Personal Data”.

7.1.4. Access to the personal data is limited in accordance with the requirements of the legislation and internal regulatory documents of Medicina JSC.

7.1.5. Medicina JSC never discloses personal data received by it as a result of its professional activity, except for the cases provided for by the laws.

7.1.6. Medicina JSC employees who have received access to personal data assume obligations to ensure confidentiality of the processed personal data.

7.1.7. Medicina JSC undertakes all required technical and organizational actions within the framework of information security to protect personal data from unauthorized access, modification, disclosure or destruction: through internal checks of the processes of collection, storage and processing of personal data and of security measures, and through implementation of procedures that ensure the physical security of personal data and prevent unauthorized access to the systems used by Medicina JSC for personal data processing.

7.2. Measures for Proper Organization of Personal Data Processing and Security

7.2.1. Personal data security in Medicina JSC is achieved, in particular, by the following:

  • appointment of a person responsible for the organization of personal data processing, whose rights and obligations are determined by local regulations of Medicina JSC;
  • implementation of internal control and/or audit of compliance of personal data processing with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” and regulatory legal acts adopted thereunder, requirements for personal data protection, local regulations of Medicina JSC;
  • briefing Medicina JSC employees directly involved in the personal data processing with the provisions of the laws of the Russian Federation on personal data, including requirements for personal data protection, local regulations regarding personal data processing and/or training of these employees;
  • identification of threats to personal data security during their processing in the personal data information systems;
  • implementation of organizational and technical procedures to ensure personal data security during their processing in the personal data information systems necessary to meet the requirements for personal data protection;
  • assessment of the efficiency of the measures taken to ensure personal data security prior to the commissioning of the personal data information system;
  • keeping records of machine (physical) personal data carriers;
  • identification of cases of unauthorized access to personal data and implementation of the relevant actions;
  • recovery of personal data modified or destroyed due to unauthorized access to them;
  • establishing rules for access to the personal data processed in the personal data information system, and ensuring registration and accounting of all actions performed with personal data in the personal data information system;
  • control over compliance with the requirements in the field of personal data security and security levels of personal data information systems.

7.2.2. In cases where the purposes of PD processing require Medicina JSC to transfer personal data to third parties, such transfer is carried out on the basis of a concluded agreement containing provisions on confidentiality and personal data security, or on the basis of a contract for personal data processing.

7.2.3. Job responsibilities of Medicina JSC employees directly involved in the personal data processing, including their liability, are defined in the local regulations of Medicina JSC.

7.3. Rights of Personal Data Subjects

7.3.1. A personal data subject may receive information about the processing of his personal data by Medicina JSC, including:

  • information about Medicina JSC as an operator processing personal data (name and location);
  • personal data possessed by Medicina JSC;
  • confirmation that personal data are processed by Medicina JSC, statement of legal grounds and established purposes for personal data processing;
  • methods of personal data processing used in Medicina JSC;
  • information about persons who have access to personal data or to whom personal data may be disclosed based on an agreement with Medicina JSC (including instructions from the operator) or based on federal law(s), with the exception of employees who were granted access to the personal data within the framework of their official (functional) responsibilities;
  • a list of processed personal data related to a specific personal data subject and the source of their origin;
  • periods for personal data processing, including duration of their storage;
  • procedure for exercising the rights of personal data subjects provided for by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”;
  • information about any ongoing or proposed cross-border transfer of personal data, including country;
  • other information provided by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, which may include compliance with the conditions and principles of personal data processing, information on compliance with the requirements to ensure security of personal data, possible restrictions on the access of personal data subjects to their personal data.

7.3.2. A personal data subject may request that his personal data be clarified, blocked or destroyed if they are incomplete, outdated, inaccurate, illegally obtained or cannot be considered necessary for the stated purpose of processing, and may take any measures provided for by the law to protect his rights.

7.3.3. The right of a personal data subject to access own personal data may be restricted based on the federal laws, including the cases where access of a personal data subject to own personal data infringes the rights and legitimate interests of third parties.

7.3.4. To exercise and protect his rights and legitimate interests, a personal data subject may send a request to Medicina JSC. The request shall contain the number of the main identity document of the personal data subject or his legal representative, the date of issue of the document and the issuing authority, and the handwritten signature of the personal data subject. The request may be sent in electronic form and signed with an electronic signature as provided for by the current laws of the Russian Federation.

7.3.5. If in the opinion of a personal data subject, Medicina JSC while processing his personal data violates requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” or otherwise infringes his rights and freedoms, the personal data subject may file an appeal against the actions or omissions of Medicina JSC with the relevant body authorized for protection of rights of personal data subjects or with a court.

7.3.6. Personal data subject may protect his rights and legitimate interests, including claim for compensation of losses and/or moral damage through court proceedings.

7.3.7. The Regulation for responding to requests from personal data subjects / the authorized body for the protection of rights of personal data subjects, and the corresponding actions of Medicina JSC employees, are detailed in Appendix 1.

8. Feedback

8.1. In cases where a personal data subject wants to know what personal data Medicina JSC holds about him, to supplement, correct, depersonalize or delete any incomplete, inaccurate or outdated personal data, to terminate the processing of his personal data by Medicina JSC, or has other legal requirements, he may, in accordance with the established procedure and the laws, exercise such a right by sending the relevant request to Medicina JSC.

8.2. However, in some cases (for instance, if a personal data subject wants to delete own personal data or stop processing it), this request may also mean that Medicina JSC will no longer be able to provide services to the personal data subject.

8.3. To fulfill requests of personal data subjects, Medicina JSC may need to establish the identity of the personal data subject and request additional information evidencing his involvement in relations with Medicina JSC, or any details that otherwise confirm that his personal data are processed by Medicina JSC.

8.4. In addition, current legislation may impose restrictions and other conditions regarding the rights of personal data subjects referred to above.

8.5. The procedure for sending information requests by a personal data subject is determined by the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”. In particular, in accordance with the above requirements, an information request to Medicina JSC shall contain:

  • series and number of personal identity document of the personal data subject (his representative), date of issue of the specified document and its issuing authority;
  • information evidencing involvement of the personal data subject in relations with Medicina JSC (contract number, date of the contract conclusion, conventional word designation and/or other information), or any details that otherwise confirm that personal data are processed by Medicina JSC;
  • signature of the personal data subject (his representative).

8.6. If the request is sent by a representative of the personal data subject, the request shall contain a document (a copy of the document) confirming the powers of this representative.

8.7. PD subjects may use the following contacts to address their submissions regarding personal data processing to Medicina JSC: 10, 2nd Tverskoy-Yamskoy pereulok, Moscow, 125047, tel.: (499) 250-91-90, e-mail: contact@medicina.ru.

9. Liability

9.1. Persons that commit a breach of any rules governing personal data processing and protection shall be subject to the disciplinary, material, civil, administrative and criminal liability in accordance with the procedure established by federal laws, local regulations of Medicina JSC and agreements regulating legal relations with third parties.

Appendix 1

Regulation for responding to requests from personal data subjects / authorized body for the protection of rights of personal data subjects and actions of Medicina JSC employees

For each type of request from a personal data subject or the authorized body, the entries below give the action taken by Medicina JSC employees, the deadline for completing the action with the personal data, and the deadline for the response and/or notice to the personal data subject / authorized body.

1. Request from the personal data subject / authorized body for confirmation of personal data processing
  • Action: response to the request.
  • Deadline: no later than 10 business days. The specified period may be extended by no more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information.

2. Request to review personal data
  • Action: a response to the request specifying a date and time for the subject to review his personal data. Deadline: no later than 10 business days. The specified period may be extended by no more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information.
  • Action: refusal (a reasoned response referring to Part 8 of Article 14 of the Federal Law “On Personal Data” or another federal law substantiating the refusal) to provide information about the availability of personal data related to the relevant personal data subject, or the personal data themselves, to the personal data subject or his representative upon their application or request. Deadline: no later than 10 business days. The specified period may be extended by no more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information.
  • Action: block the personal data if the personal data subject / authorized body provides information proving that the personal data are incomplete, inaccurate or outdated. Deadline: no later than 7 business days.
  • Action: destroy the personal data if the subject provides information proving that the personal data were illegally obtained or are not required for the stated purpose of processing. Deadline: no later than 7 business days.

3. Withdrawal of consent to personal data processing
  • Action: delete and destroy the personal data, unless otherwise stipulated by the contract with the subject, or if Medicina JSC is not entitled to process the personal data without consent. Deadline: no later than 30 calendar days from the date the withdrawal is registered.
  • Action: terminate the transfer (distribution, provision, access) of personal data previously authorized by the personal data subject for distribution. Deadline: within 3 business days of receiving the request of the personal data subject, or within the time period specified in the enacted court decision; if no such period is specified in the court decision, within three business days of the effective date of the court decision.

4. Request to terminate personal data processing
  • Action: terminate the processing or ensure termination of such processing (if the processing is carried out by the person processing the personal data). Deadline: no later than 10 business days. The specified period may be extended by no more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information.

5. Illegal processing of the personal data of a subject
  • Action: terminate personal data processing as soon as the application/request of the personal data subject / authorized body is received. Deadline for the action: no later than 3 business days. Deadline for notice to the personal data subject / authorized body: within 10 business days after the personal data are deleted and destroyed.
  • Action: delete and destroy the personal data. Deadline: within 10 business days if a legal basis for the processing cannot be provided.

6. Achievement of the purposes of personal data processing
  • Action: delete and destroy the personal data, unless otherwise stipulated by the contract with the subject, or if Medicina JSC is not entitled to process the personal data without consent. Deadline: within 30 calendar days after the purposes are achieved.