Personal Data Processing Policy at JSC Meditsina

1. PURPOSE OF THE POLICY

The present Policy is intended to establish the conceptual principles for the activities of JSC Meditsina for ensuring the human and civilian rights and freedoms when processing personal data including protection of the rights for privacy, personal and family secret.

2. THE PRESENT POLICY REPLACES PERSONAL DATA PROCESSING POLICY DATED 22.02.2018 No. 01.02-14/75.

3. SCOPE

3.1. The present Policy is applicable to activities of all divisions of JSC Meditsina involved in personal data processing.

3.2. The present Policy should be published on the official website https://www.medicina.ru/. in accordance with the requirements of Art. 18.1(2) of the Federal law “On Personal Data”. The current version of the Policy in the form of a hard copy is kept on file at: 10, 2nd Tverskoy-Yamskoy pereulok, City of Moscow, 125047.

4. VALIDITY PERIOD

4.1 The present Policy is put into effect for 1 year.

4.2. The present Policy can be reviewed and approved again as changes are made:

- in regulatory legal acts in the field of personal data;

- local acts of JSC Meditsina regulating personal data management and safety.

5. TERMS AND DEFINITIONS

Personal data − is any information concerning directly or indirectly a certain or identifiable natural person (subject of personal data).

Personal data processing − is any action (operation) or complex of actions (operations) carried out with personal data including collection, recording, systematization, accumulation, storage, detailing (renewal, change), retrieval, use, transfer (dissemination, presentation, access), depersonalization, blocking, deletion, elimination of personal data using automation technologies or not using such technologies.

Automated personal data processing − is personal data processing with the help of computer equipment.

Presentation of personal data − involves actions aimed at disclosing personal data to a certain person or a certain group of persons

Elimination of personal data − involves actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which physical storage media of personal data are destroyed.

Personal data depersonalization − involves actions as a result of which it becomes impossible to establish personal data ownership to a subject of personal data without use of additional information.

Personal data information system − is a complex of personal data contained in the databases and information technologies and technical means providing for its processing.

Cross-border personal data transfer − is personal data transfer to the territory of a foreign state to an authority of the foreign state, a foreign natural person or a foreign legal entity.

6. REGULATORY REFERENCES

6.1. The present Policy has been developed in accordance with provisions of the following regulatory legal acts:

- The Constitution of the Russian Federation (adopted by a nationwide vote on 12.12.1993);

- Labor Code of the Russian Federation dated 30.12.2001, No. 197-FZ;

- Code of Administrative Violations of the Russian Federation dated 30.12.2001, No. 195-FZ;

- Federal Law No. 323-FZ dated 21.11.2011 “On Protection of Citizens’ Health in the Russian Federation”;
- Federal Law No. 149-FZ dated 27.07.2006 “On Information, Information Technologies and Information Protection”; ;

- Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data”;

- Requirements of Personal Data Protection during its Processing in Personal Data Information Systems (approved by the Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012);

- Regulations on Peculiarities of Personal Date Processing Carried out without the Use of Automation Technologies (approved by the Resolution of the Government of the Russian Federation No. 687 dated 15.09.2008);

- Administrative Regulations of the Federal Service for Supervision of Communications, Information Technology and Mass Media on Implementation of the State Function “Maintaining a Register of Operators Performing Personal Data Processing” (approved by Order of the Ministry of Communications and Mass Media of the Russian Federation No. 346 dated 21.12.2011);

- Administrative Regulations on Implementation by the Federal Service for Supervision of Communications, Information Technology and Mass Media of the State Function for State Control (Supervision) of Compliance of the Personal Data Processing with the Requirements of the Russian Federation in the Field of Personal Data (approved by Order of the Ministry of Communications and Mass Media of the Russian Federation No. 312 dated 14.11.2011);
- Composition and Content of Organizational and Technical Measures for Ensuring Personal Data Security during its Processing in the Personal Data Information Systems (approved by Order of the Federal Service for Technical and Export Control of the Russian Federation No. 21 dated 18.02.2013);

- Composition and Content of Organizational and Technical Measures for Ensuring Personal Data Security during its Processing in the Personal Data Information Systems Using Cryptographic Information Protection Means Required for Fulfillment of the Requirement to Personal Data Protection for each of Protection Levels established by the Government of the Russian Federation (approved by Order of the Federal Security Department of the Russian federation No. 378 dated 10.07.2014).

6.2. In order to implement the present Policy, JSC Meditsina has approved Regulations on the Procedure for Organizing and Performing the Works for Personal Data Protection, Regulation on Personal Data Protection of the Staff Member of JSC Meditsina, Regulation on Personal Data Protection of Job Applicants, Patients and Other Subjects of Personal Data and other local acts in the field of personal data processing and protection.

7. DESCRIPTION OF THE POLICY

7.1. Principles, objectives, content and methods for personal data processing

7.1.1. JSC Meditsina observes in its activities the principles of personal data processing as stated in Art. 5 of Federal law No. 152-FZ dated 27.07.2006 “On Personal Data”.

7.1.2. Personal data protection at JSC Meditsina includes collection, recording, systematization, accumulation, storage, detailing (renewal, change), retrieval, use, transfer (dissemination, presentation, access), depersonalization, blocking, deletion, elimination of personal data. JSC Meditsina carries out personal data processing using automation technologies and without using automation technologies.

7.1.3. JSC Meditsina carries out collection and further processing of personal data for the following categories of subjects of personal data:

- current patients of JSC Meditsina;

- potential patients of the JSC Meditsina;

- family members and other relatives of current and potential patients of JSC Meditsina;

- representatives (by force of law and under power of attorney) of current and potential patients of JSC Meditsina;

- staff workers and representatives of external healthcare providers;

- staff members and representatives of current partners of JSC Meditsina (legal entities) including insurance and assistance companies;

- natural persons purchasing drugs, medical devices, lenses and spectacle frames from JSC Meditsina according to a prescription;

- persons who are job applicants at JSC Meditsina;

- current and potential partners of JSC Meditsina (natural persons);

- staff members and representatives of current and potential partners of JSC Meditsina (legal entities);br>
- visitors of private and public events organized by JSC Meditsina;

- staff members (representatives, contact persons) of JSC Meditsina;

- staff members of JSC Meditsina who are citizens of foreign states;

- family members of staff members of JSC Meditsina;

- recipients of alimony payments from staff members of JSC Meditsina;

- staff members of legal entities and natural persons acting for and on behalf of JSC Meditsina;
- persons involved in civil, arbitration, criminal, administrative processes and enforcement proceedings (in which JSC Meditsina participates);

- visitors of rooms, buildings and the territory of JSC Meditsina;

- visitors of the website of JSC Meditsina

7.1.4 JSC Meditsina carries out collection and further processing of personal data for the following purposes:

-    organization and implementation of a complex of measures aimed at health maintenance and(or) recovery and including providing medical services, in particular prevention, diagnostics and treatment of diseases and medical rehabilitation;

-     sale of drugs, medical devices, lenses and spectacle frames by JSC Meditsina;

-     implementation of remote interaction between JSC Meditsina and patients and other
interested persons within the limits of information servicing using the telephonic communication, messengers, IP-telephony, E-mail;

-     implementation of remote interaction between JSC Meditsina and patients and other
interested persons by means of the website of the JSC Meditsina;

-     providing electronic services through Mobile Applications, bot in Telegram;

-     organizing and conducting events aimed at enhancing awareness of and loyalty to JSAC Meditsina as well as service promotion of JSC Meditsina;

-    conducting tenders, fulfilling contractual work not associated with the main activities of JSC Meditsina within the limits of initiating, amending and discontinuing legal relations between JSC Meditsina and third parties as well as execution of powers of attorney for representing JSC Meditsina;

-     involving JSC Meditsina in civil, arbitration, criminal, administrative processes and execution of judgements;

-     filling vacancies at JSC Meditsina by job applicants who fully meet the requirements of JSC Meditsina;

-     providing assistance to staff members of JSC Meditsina who are citizens of foreign states in obtaining work permits and executing of work entrance visas in the Russian Federation;

-     fulfillment of requirements of labor legislation and legislation on labor cost accounting by JSC Meditsina;

-     life and health preservation of staff members of JSC Meditsina in the process of labor activities and revealing health problems and medical contraindications in staff members of JSC Meditsina (including examination for detecting medical contraindications for driving) as well as fulfillment of the requirements of the current legislation regarding investigation and registration of accidents involving staff members of JSC Meditsina;

-     implementation by JSC Meditsina as an employer of the functions stipulated by the Labor Code of the Russian Federation concerning payment of salaries, compensations and bonuses to the staff members, making pension and tax contributions as well as settlements with partners and patients;

-     organization of instruction, advanced training and check of knowledge of staff members of
JSC Meditsina, assessment of business proficiency, personal qualities of staff members of JSC Meditsina and results of their work as well as assessment of satisfaction of members of JSC Meditsina with their working conditions;

-     execution of business trip documents for staff members of JSC Meditsina and
making reservations and payment for hotel accommodation and transport tickets
for staff members of JSC Meditsina traveling on business;

-     facilitation of communications between staff members of JSC Meditsina by keeping the contact data directory of staff members of JSC Meditsina;

-     implementation of access control into the rooms, buildings of JSC Meditsina;

-    providing for personal safety of the staff members of JSC Meditsina, other persons visiting its real property (rooms, buildings, territory of JSC Meditsina) and also preservation of material and other valuables falling under the responsibility of JSC Meditsina;

-     assignment/connection of computers, creation of new users in information systems of JSC Meditsina, providing access to resources of information systems at JSC Meditsina and also solving user problems with computers (hardware and software) and office equipment;

-     recording information on the use of services of the corporate stationary and mobile communication by staff members of JSC Meditsina;

-     conducting independent inspections of book (financial) accounting at JSC Meditsina with the purpose to express the opinion on confidence of such accounting;

-    organizing and implementing internal quality control of medical aid and in-house production processes at JSC Meditsina;

-     analysis of traffic and work optimization of the website of JSC Meditsina.

7.1.5 JSC Meditsina has set the following conditions for stopping personal data processing:

-     achievement of the purposes of personal data processing and reaching the maximum retention periods of personal data set by the legislation of the Russian Federation;

-    no further need to achieve the purposes of personal data processing;

-    submitting by a subject of personal data or his(her) legal representative the documented evidence that the personal data is illegally obtained or is not necessary for claimed purpose of processing;

-    impossibility to ensure lawfulness of personal data processing;

-    withdrawal of the consent for personal data processing by a subject of personal data if retention of personal data is not further required for the purposes of personal data processing;

-     withdrawal of the consent for presentation of personal data in a generally available source by a subject of personal data;

-     expiration of the time allowed for claims for legal relations within the limits of which personal data processing is or was carried out.

7.1.6 JSC Meditsina carries out processing of biometrical personal data (information which characterizes human physiologic and biologic features which can be used to identify the individual) with written consent of subjects of personal data (staff members and patients).

7.1.7 JSC Meditsina carries out processing of special personal data categories on health condition in accordance with the requirements of the labor legislation and legislation regarding health care in the Russian Federation.

7.1.8 JSC Meditsina carries out cross-border (to the territory of a foreign state to an authority of the foreign state, foreign natural person or foreign legal entity) personal data transfer to foreign insurance companies with the written consent of subjects of personal data (patients).

7.1.9 JSC Meditsina does not make decisions causing legal consequences regarding subjects of personal data or otherwise affecting their rights and legal interests due to exclusively automated processing of their personal data.

7.1.10 JSC Meditsina has informed the competent authority for protection of the rights of subjects of personal data about its intention to carry out personal data processing.

7.1.11 The personal data of staff members and patients may be placed on the website of JSC Meditsina with their written consent.

            7.2. Measures for proper organization of personal data processing and ensuring its security

7.2.1 The personal data security is ensured at JSC Meditsina, in particular, by the following methods:

-     designation of a person who is responsible for organizing personal data processing and whose rights and functions are established by local acts of JSC Meditsina;

-     carrying out internal control and/or audit of the compliance of personal data processing with Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data” and regulatory legal acts adopted in accordance with it, requirements to personal data protection, local acts of JSC Meditsina;

-     informing staff members of JSC Meditsina engaged directly in personal data processing about the provisions of the legislation of the Russian Federation on personal data including the requirements to personal data protection, local acts on personal data processing and/or training of above staff members;

-     revealing security threats for personal data during their processing
in the personal data information systems;

-     use of organizational and technical measures for ensuring personal data security during its processing in personal data information systems required for meeting the requirements of personal data protection;

-    assessment of effectiveness of measures taken for ensuring personal data security before putting into operation of the personal data information system;

-     registration of machine (physical) personal data media;

-     revealing facts of unauthorized access to personal data and taking respective measures;

-    recovery of personal data modified or eliminated due to unauthorized access to such data;

-     establishment of rules for access to personal data processed in the personal data information system as well as registration and recording of all actions carried out with personal data in the personal data information system;

-     control over meeting the requirements in the field of personal data security and protection levels of personal data information systems.

7.2.2 The functions of staff members of JSC Meditsina engaged directly in personal data processing and their respective responsibilities are established in local acts of JSC Meditsina.

7.3. The rights of subjects of personal data

7.3.1 A subject of personal data has a right for obtaining information about processing of his(her) personal data at JSC Meditsina.

7.3.2 A subject of personal data has a right to require detailing of this personal data, its blocking or elimination in case if it is incomplete, out of date, inaccurate, obtained illegally or cannot be recognized as necessary for the claimed purpose of processing and also to take measures for protection of his(her) rights set by the law.

7.3.3 The right of a subject of personal data for access to his(her) personal data can be restricted in accordance with the federal laws including cases if access of the subject of personal data to his(her) personal data violates the rights and legal interests of third parties.

7.3.4 A subject of personal data has a right to appeal to JSC Meditsina in order to implement and protect his(her) rights and legal interests.
JSC Meditsina (Operator) considers applications and requests from subjects of personal data, investigates thoroughly facts of any violations and takes all necessary measures for their immediate elimination, punishment of guilty persons and settlement of disputable and conflict situations.

7.3.5 A subject of personal data has a right to appeal the actions or inaction of JSC Meditsina to the competent authority for protection of the rights of the subject of personal data or through the legal system.