Personal Data Processing Policy at JSC Meditsina


1. Policy Assignment

This Policy is intended to define the conceptual foundations of the activities of JSC "Medicine" to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data, including protection of the right to privacy and to personal and family secrets.

2. This Policy replaces Personal Data Processing Policy No. 01.02-14/196 dated 04.08.2021.

3. Scope of application

3.1. This Policy applies to the activities of all divisions of JSC "Medicine" involved in the processing of personal data.

3.2. This Policy, in accordance with the requirements of paragraph 2 of Article 18.1 of Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data", is subject to publication on the official website http://www.medicina.ru/. The current version of the Policy on paper is stored at the address: 10, 2nd Tverskaya-Yamskaya Lane, Moscow, 125047.

4. Validity period

4.1. This Policy is put into effect for a period of 1 year.

4.2. This Policy may be revised and re-approved as changes are made:

  • to regulatory legal acts in the field of personal data;
  • to local acts of JSC "Medicine" regulating the organization of processing and ensuring the security of personal data.

5. Terms and definitions

Personal data (PD) − any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).

Processing of personal data − any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, presentation, access), depersonalization, blocking, deletion, destruction of personal data.

Automated processing of personal data − processing of personal data using computer technology.

Submission of personal data − actions aimed at disclosing personal data to a certain person or a certain circle of persons.

Dissemination of personal data – actions aimed at disclosure of personal data to an indefinite circle of persons.

Destruction of personal data − actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system, and (or) as a result of which the material carriers of personal data are destroyed.

Depersonalization of personal data − actions as a result of which it becomes impossible, without the use of additional information, to determine which specific subject of personal data the personal data belongs to.

Personal data information system − the totality of personal data contained in databases and of the information technologies and technical means that ensure their processing.

Cross-border transfer of personal data − transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.

6. Regulatory references

6.1. This Policy has been developed in accordance with the provisions of the following regulatory legal acts:

  • The Constitution of the Russian Federation (adopted by popular vote on 12.12.1993);
  • Labor Code of the Russian Federation No. 197-FZ dated 30.12.2001;
  • Code of the Russian Federation on Administrative Offences of 30.12.2001 No. 195-FZ;
  • Federal Law No. 323-FZ of 21.11.2011 "On the Protection of the Health of Citizens in the Russian Federation";
  • Federal Law No. 149-FZ of 27.07.2006 "On Information, Information Technologies and Information Protection";
  • Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
  • Requirements for the protection of personal data during their processing in personal data information systems (approved by Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012);
  • Regulation on the specifics of personal data processing carried out without the use of automation tools (approved by Resolution of the Government of the Russian Federation No. 687 dated 15.09.2008);
  • The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (approved by Order of the Federal Service for Technical and Export Control of the Russian Federation No. 21 dated 02/18/2013);
  • The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to meet the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels (approved by Order of the Federal Security Service of the Russian Federation dated 10.07.2014 No. 378);
  • Regulation of the European Parliament and of the Council of the European Union 2016/679 of April 27, 2016 on the protection of individuals in the processing of personal data and on the free circulation of such data, as well as on the repeal of Directive 95/46/EC (General Data Protection Regulation).

6.2. Pursuant to this Policy, JSC "Medicine" has approved the Regulations on the procedure for organizing and conducting work on personal data protection, the Regulations on the protection of personal data of an employee of JSC "Medicine", the Regulations on the protection of personal data of applicants, patients and other personal data subjects and other local acts in the field of personal data processing and protection.

7. Policy Description

7.1. Principles, objectives, content and methods of personal data processing

7.1.1. JSC "Medicine" in its activities ensures compliance with the principles of personal data processing specified in Article 5 of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data":

  • personal data is processed lawfully, in good faith and openly with respect to the subject of personal data;
  • personal data must be collected for specific, predetermined and legitimate purposes and not be subjected to subsequent processing contrary to these purposes;
  • the personal data processed must be sufficient, up-to-date and necessary for the purposes of processing;
  • personal data must be accurate and, if necessary, updated in a timely manner;
  • personal data should be stored no longer than is necessary for the purposes of processing;
  • personal data must be processed in such a way as to ensure the protection of personal data, including protection against unauthorized or illegal processing, protection against accidental loss, destruction or damage, using appropriate technical and organizational measures.

7.1.2. When processing personal data, JSC "Medicine" ensures the implementation of the rights of personal data subjects established by the legislation of the Russian Federation, including:

  • the right to access their personal data;
  • the right to receive information concerning the processing of personal data;
  • the right to demand from JSC "Medicine" clarification of personal data, their blocking or destruction, if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;
  • the right to withdraw consent to the processing of personal data by sending a corresponding request to JSC "Medicine" or by contacting personally;
  • the right to appeal in court any unlawful actions or omissions of JSC "Medicine" in the processing and protection of personal data.

7.1.3. Before the start of personal data processing, the subjects of personal data, the composition of the processed personal data and the specific purposes of personal data processing are determined, which are documented by the "List of processed personal data".

7.1.4. Access to personal data is restricted in accordance with the requirements of legislation and internal regulatory documents of JSC "Medicine".

7.1.5. JSC "Medicine" does not disclose personal data received by it as a result of its professional activity, except in cases provided for by law.

7.1.6. Employees of JSC "Medicine" who have received access to personal data assume obligations to ensure the confidentiality of the processed personal data.

7.1.7. JSC "Medicine" takes the necessary technical and organizational information security measures to protect personal data from unauthorized access, modification, disclosure or destruction, through internal checks of the processes of collection, storage and processing of personal data and of security measures, as well as through the implementation of measures to ensure the physical security of PD in order to prevent unauthorized access to systems, in particular those in which JSC "Medicine" processes personal data.

7.2. Measures for the proper organization of processing and ensuring the security of personal data

7.2.1. Ensuring the security of personal data in JSC "Medicine" is achieved, in particular, in the following ways:

  • appointment of a responsible person for the organization of personal data processing, whose rights and obligations are determined by local acts of JSC "Medicine";
  • implementation of internal control and/or audit of compliance of personal data processing with Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" and regulatory legal acts adopted in accordance with it, requirements for personal data protection, local acts of JSC "Medicine";
  • familiarization of the employees of JSC "Medicine" directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, local acts regarding the processing of personal data and / or training of these employees;
  • identification of threats to the security of personal data during their processing in personal data information systems;
  • application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for personal data protection;
  • assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
  • keeping records of machine (material) carriers of personal data;
  • identifying the facts of unauthorized access to personal data and taking appropriate measures;
  • recovery of personal data modified or destroyed due to unauthorized access to them;
  • establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
  • control over compliance with the requirements in the field of personal data security and the levels of security of personal data information systems.

7.2.2. In cases when, in order to achieve the purposes of PD processing, JSC "Medicine" transfers personal data to third parties, such transfer is carried out on the basis of a concluded agreement containing provisions on confidentiality and security of personal data or a contract for the processing of personal data.

7.2.3. The duties of the employees of JSC "Medicine" who directly process personal data, as well as their responsibilities are defined in the local acts of JSC "Medicine".

7.3. Rights of personal data subjects

7.3.1. The subject of personal data has the right to receive information about the processing of his personal data in JSC "Medicine", including those containing:

  • information about JSC "Medicine" as an operator processing personal data (name and location);
  • availability of personal data in JSC "Medicine";
  • confirmation of the fact of processing of personal data by JSC "Medicine", indication of the legal grounds and established purposes of personal data processing;
  • methods of processing personal data used in JSC "Medicine";
  • information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with JSC "Medicine" (including instructions from the operator) or on the basis of federal law(s), with the exception of employees who have access in connection with the performance of official (functional) duties;
  • the list of processed personal data related to a specific subject of personal data and the source of their receipt;
  • terms of processing of personal data, including the terms of their storage;
  • the procedure for exercising the rights of personal data subjects provided for by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
  • information about the ongoing or proposed cross-border transfer of personal data with the indication of the name of the country;
  • other information provided by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data", which may include compliance with the conditions and principles of personal data processing, information on compliance with personal data security requirements, possible restrictions on subjects' access to their personal data.

7.3.2. The subject of personal data has the right to demand clarification of these personal data, their blocking or destruction if they are incomplete, outdated, inaccurate, illegally obtained or cannot be recognized as necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.

7.3.3. The right of the subject of personal data to access his personal data may be restricted in accordance with federal laws, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.

7.3.4. In order to exercise and protect their rights and legitimate interests, the subject of personal data has the right to apply to JSC "Medicine". The request must contain the number of the main identity document of the personal data subject or his legal representative, information about the date of issue of the specified document and the issuing authority, and a handwritten signature. The request can be sent in electronic form and signed with an electronic signature in accordance with the current legislation of the Russian Federation.

7.3.5. If the subject of personal data believes that JSC "Medicine" processes his personal data in violation of the requirements of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or omissions of JSC "Medicine" to the authorized body for the protection of the rights of personal data subjects or in court.

7.3.6. The subject of personal data has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.

7.3.7. The regulations for responding to requests from personal data subjects/the authorized body for the protection of the rights of personal data subjects and the actions of employees of JSC "Medicine" are given in the Appendix.

8. Feedback

8.1. In cases where the subject of personal data wants to find out what personal data JSC "Medicine" has about him, or to supplement, correct, depersonalize or delete any incomplete, inaccurate or outdated personal data, or wants JSC "Medicine" to terminate the processing of his personal data, or has other legal requirements, he may, in accordance with the established procedure and in accordance with the legislation, exercise such a right by contacting JSC "Medicine".

8.2. At the same time, in some cases (for example, if the subject of personal data wants to delete his personal data or stop processing them), such an appeal may also mean that JSC "Medicine" will no longer be able to provide services to the subject of personal data.

8.3. In order to fulfill the requests of the subjects of personal data, JSC "Medicine" may need to establish the identity of such a subject of personal data and request additional information confirming his participation in relations with JSC "Medicine", or information otherwise confirming the fact of processing of personal data by JSC "Medicine".

8.4. In addition, the current legislation may establish restrictions and other conditions relating to the above-mentioned rights of personal data subjects.

8.5. The procedure for sending requests for information by the subject of personal data is determined by the requirements of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data". In particular, in accordance with these requirements, a request for information from JSC "Medicine" must contain:

  • the series, the number of the identity document of the personal data subject (his representative), information about the date of issue of the specified document and the issuing authority;
  • information confirming the participation of the subject of personal data in relations with JSC "Medicine" (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by JSC "Medicine";
  • signature of the personal data subject (his representative).

8.6. If a request is sent by a representative of the personal data subject, the request must contain a document (a copy of the document) confirming the powers of this representative.

8.7. Contacts of JSC "Medicine" for inquiries from PD subjects regarding the processing of personal data: 125047, Russian Federation, Moscow, 2nd Tverskaya-Yamskaya Lane, 10, tel.: (499) 250-91-90, e-mail: contact@medicina.ru.

9. Responsibility

9.1. Persons guilty of violating the norms governing the processing and protection of personal data bear disciplinary, material, civil, administrative and criminal liability in accordance with the procedure established by federal laws, local acts of JSC "Medicine" and contracts regulating legal relations with third parties.

Appendix 1

Regulations
for responding to requests from personal data subjects/the authorized body
for the protection of the rights of personal data subjects and the actions of employees
of JSC "Medicine"