Personal Data Processing Policy at JSC Meditsina

1. Purpose of the Policy

This Policy is intended to define the conceptual framework for Medicina JSC operations to ensure protection of human and civil rights and freedoms during personal data processing, including protection of the rights to privacy and to personal and family secrets.

2. This Policy is enacted to replace Personal Data Processing Policy of 19.12.2024 No.01.02-14/490.

3. Scope of Application

3.1. This Policy shall be applied to the activities of all Medicina JSC departments (including the Institute of Nuclear Medicine, a separate division, Khimki) involved in the processing of personal data.

3.2. This Policy, according to the requirements of Clause 2 of Article 18.1 of Federal Law No.152-FZ dated 27.07.2006 “On Personal Data”, shall be published on the official website http://www.medicina.ru/. The current hard copy version of the Policy is kept at the address: 10, 2nd Tverskoy-Yamskoy pereulok, Moscow, 125047.

3.3. If certain provisions of this Policy conflict with the current legislation of the Russian Federation, provisions of the current legislation of the Russian Federation shall prevail.

4. Validity Term

4.1. This Policy shall be effective for a period of 1 year.

4.2. This Policy may be reviewed and re-approved as changes are made to:

  • regulatory legal acts in the field of personal data;
  • local regulations of Medicina JSC governing organization of processing and ensuring security of personal data.

5. Terms and Definitions

Personal Data (PD) is any information related directly or indirectly to an identified or identifiable natural person (personal data subject).

Personal Data Processing is any action (operation) or a series of actions (operations) performed with or without using automation tools for personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, submission, access), depersonalization, blocking, deletion, destruction of personal data.

Automated Personal Data Processing is the processing of personal data using computer technology.

Submission of Personal Data is an action aimed at disclosing personal data to a certain person or a certain group of people.

Distribution of Personal Data is an action aimed at disclosing personal data to an unspecified group of people.

Destruction of Personal Data means actions as a result of which restoration of the personal data contents in the personal data information system becomes impossible and/or as a result of which physical carriers of personal data are destroyed.

Depersonalization of Personal Data is an action that makes it impossible, without using additional information, to determine which personal data subject the personal data belong to.

Personal Data Information System is a combination of personal data contained in the databases and information technologies and equipment that ensure their processing.

Cross-Border Transfer of Personal Data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Personal Data Subject is an individual who is directly or indirectly identified or identifiable using personal data.

6. Referenced Codes and Standards

6.1. This Policy was developed in accordance with the provisions of the following regulatory legal acts:

  • Constitution of the Russian Federation (adopted by the nation-wide vote on December 12, 1993);
  • Labor Code of the Russian Federation No.197-FZ dated December 30, 2001;
  • Code of Administrative Offences of the Russian Federation No.195-FZ dated December 30, 2001;
  • Federal Law No.323-FZ dated November 21, 2011 “On Fundamental Healthcare Principles in the Russian Federation”;
  • Federal Law No.149-FZ of July 27, 2006 “On Information, Information Technologies and Information Protection”;
  • Federal Law No.152-FZ dated July 27, 2006 “On Personal Data”;
  • Requirements for the protection of personal data at their processing in personal data information systems (approved by Decree of the Government of the Russian Federation No.1119 dated November 01, 2012);
  • Regulation concerning certain details of personal data processing carried out without the use of automation tools (approved by Decree of the Government of the Russian Federation No.687 dated September 15, 2008);
  • Composition and content of organizational and technical actions to ensure personal data security during their processing in personal data information systems (approved by Order of the Federal Service for Technical and Export Control of the Russian Federation No.21 dated February 18, 2013);
  • Composition and content of organizational and technical actions to ensure personal data security during their processing in personal data information systems using cryptographic information protection tools as required to comply with the personal data protection requirements established by the Government of the Russian Federation for each of the security levels (approved by Order of the Federal Security Service of the Russian Federation No.378 dated July 10, 2014);
  • Decree of the Government of the Russian Federation No.2526 dated December 29, 2022 “On Approval of the List of Cases when Operators Carrying out Cross-Border Transfer of Personal Data to Fulfill the Functions, Powers and Duties Assigned to the Government Bodies, Municipal Bodies by the International Treaty of the Russian Federation and the Legislation of the Russian Federation shall be Exempt from the Requirements of Parts 3–6, 8–11 of Article 12 of the Federal Law “On Personal Data”;
  • Decree of the Government of the Russian Federation No.6 dated January 10, 2023 “On Approval of the Rules for Making a Decision by an Authorized Body to Prohibit or Restrict the Cross-Border Transfer of Personal Data for the Protection of Rights of Personal Data Subjects and Inform Operators of the Decision”;
  • Decree of the Government of the Russian Federation No.24 dated January 16, 2023 “On Approval of the Rules for Making a Decision by an Authorized Body to Prohibit or Restrict the Cross-Border Transfer of Personal Data for the Protection of Morals, Health, Rights and Legitimate Interests of the Citizens”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.128 dated August 05, 2022 “On Approval of the List of Foreign States Providing Relevant Protection of Rights of Personal Data Subjects”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.187 dated November 14, 2022 “On Approval of the Procedure and Conditions for Interaction of the Federal Service for Supervision of Communications, Information Technology and Mass Media with Operators within the Framework of Maintaining a Register of Personal Data Incidents”;
  • Order of the Federal Security Service of Russia No.77 dated February 13, 2023 “On Approval of the Procedure for Interaction of Operators with the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks on Information Resources of the Russian Federation, including Reports to the Federal Security Service of Russia about Computer Incidents that Resulted in the Illegal Transfer (Provision, Distribution, Access) of Personal Data”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.178 dated October 27, 2022 “On Approval of Requirements for Assessing the Harm that may be Caused to the Personal Data Subjects as a Result of a Breach of the Federal Law “On Personal Data”;
  • Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”;
  • Regulation of the European Parliament and of the Council of the European Union 2016/679 dated April 27, 2016 on the protection of natural persons relevant to the personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Regulation on Personal Data Protection / General Data Protection Regulation);
  • International Standard ISO/IEC 27001:2022 “Information security, cybersecurity and privacy protection – Information security management systems – Requirements.”

6.2. For the purposes of this Policy, Medicina JSC approved Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection, Regulation on the Personal Data Protection of Medicina JSC Employees, Regulation on the Personal Data Protection of Job Seekers, Patients and Other Personal Data Subjects, and other local regulations related to the personal data processing and protection.

7. Policy Description

7.1. Principles, Objectives, Content and Methods of Personal Data Processing

7.1.1. Medicina JSC in its activities ensures compliance with the principles of personal data processing referred to in Article 5 of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data”:

  • personal data are processed in accordance with the laws, fairly and openly with respect to the personal data subject;
  • personal data shall be collected for specific, pre-determined and legitimate purposes and shall not be subjected to any further processing contrary to these purposes;
  • personal data subject to processing shall be sufficient, current and relevant for the purposes of processing;
  • personal data shall be accurate and, if necessary, updated in a timely manner;
  • personal data shall be stored no longer than is necessary for processing purposes;
  • method of personal data processing shall ensure personal data protection, including protection against unauthorized or illegal processing, protection against accidental loss, destruction or damage, using appropriate technical and organizational measures.

7.1.2. When processing personal data, Medicina JSC ensures the exercise of the rights of the personal data subjects provided for by the laws of the Russian Federation, including:

  • the right to access own personal data;
  • the right to receive information regarding personal data processing;
  • the right to require Medicina JSC to clarify personal data, block or destroy them if personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
  • the right to revoke consent to the personal data processing by the relevant request sent to Medicina JSC or by personal visit;
  • the right to appeal in court against any illegal actions or omissions of Medicina JSC in the personal data processing and protection.

7.1.3. Before personal data processing starts, personal data subjects, composition of the personal data subject to processing and specific purposes of personal data processing are determined, which are documented in the “List of Processed Personal Data” (Appendix No.1).

7.1.4. Access to the personal data is limited in accordance with the requirements of the legislation and internal regulatory documents of Medicina JSC.

7.1.5. Medicina JSC never discloses personal data received by it as a result of its professional activity, except for the cases provided for by the laws.

7.1.6. Medicina JSC employees who have received access to personal data assume obligations to ensure confidentiality of the processed personal data.

7.1.7. Medicina JSC undertakes any required technical and organizational actions within the framework of information security for the protection of personal data from unauthorized access, modification, disclosure or destruction, through internal checks of the processes of collection, storage and processing of personal data and security measures, and through implementation of the procedures that ensure physical security of personal data to prevent unauthorized access to the systems used by Medicina JSC for personal data processing.

7.2. Measures for Proper Organization of Personal Data Processing and Security

7.2.1. Personal data security in Medicina JSC is achieved, in particular, by the following:

  • appointment of a person responsible for the organization of personal data processing, whose rights and obligations are determined by local regulations of Medicina JSC;
  • implementation of internal control and/or audit of compliance of personal data processing with Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and regulatory legal acts adopted thereunder, requirements for personal data protection, local regulations of Medicina JSC;
  • briefing Medicina JSC employees directly involved in the personal data processing with the provisions of the laws of the Russian Federation on personal data, including requirements for personal data protection, local regulations regarding personal data processing and/or training of these employees;
  • identification of threats to personal data security during their processing in the personal data information systems;
  • implementation of organizational and technical procedures to ensure personal data security during their processing in the personal data information systems necessary to meet the requirements for personal data protection;
  • assessment of the efficiency of the measures taken to ensure personal data security prior to the commissioning of the personal data information system;
  • keeping records of machine (physical) personal data carriers;
  • identification of cases of unauthorized access to personal data and implementation of the relevant actions;
  • recovery of personal data modified or destroyed due to unauthorized access to them;
  • establishing rules for access to the personal data processed in the personal data information system, and ensuring registration and accounting of all actions performed with personal data in the personal data information system;
  • control over compliance with the requirements in the field of personal data security and security levels of personal data information systems.

7.2.2. In cases where purposes of PD processing require that Medicina JSC transfer personal data to third parties, such transfer is carried out based on a concluded agreement containing provisions on confidentiality and ensuring personal data security or based on a contract for personal data processing.

7.2.3. Job responsibilities of Medicina JSC employees directly involved in the personal data processing, including their liability, are defined in the local regulations of Medicina JSC.

7.3. Rights of Personal Data Subjects

7.3.1. Personal data subject may receive information about processing of his personal data in Medicina JSC, including information containing:

  • information about Medicina JSC as an operator processing personal data (name and location);
  • personal data possessed by Medicina JSC;
  • confirmation that personal data are processed by Medicina JSC, statement of legal grounds and established purposes for personal data processing;
  • methods of personal data processing used in Medicina JSC;
  • information about persons who have access to personal data or to whom personal data may be disclosed based on an agreement with Medicina JSC (including instructions from the operator) or based on the federal law(s), with the exception of employees who were provided with access to the personal data within the framework of their official (functional) responsibilities;
  • a list of processed personal data related to a specific personal data subject and the source of their origin;
  • periods for personal data processing, including duration of their storage;
  • procedure for exercising the rights of personal data subjects provided for by Federal Law No.152-FZ dated July 27, 2006 “On Personal Data”;
  • information about any ongoing or proposed cross-border transfer of personal data, including country;
  • other information provided by Federal Law No.152-FZ dated July 27, 2006 “On Personal Data”, which may include compliance with the conditions and principles of personal data processing, information on compliance with the requirements to ensure security of personal data, possible restrictions on the access of personal data subjects to their personal data.

7.3.2. Personal data subject may request to clarify these personal data, to block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or cannot be considered necessary for the stated purpose of processing, and take any measures to protect own rights provided for by the law.

7.3.3. The right of a personal data subject to access own personal data may be restricted based on the federal laws, including the cases where access of a personal data subject to own personal data infringes the rights and legitimate interests of third parties.

7.3.4. To exercise and protect own rights and legitimate interests, a personal data subject may send a request to Medicina JSC. This request shall contain the number of the main personal identity document of the personal data subject, his legal representative, date of the document issue, issuing authority and a handwritten signature of the personal data subject. The request can be sent in electronic form and signed with an electronic signature as provided for by the current laws of the Russian Federation.

7.3.5. If in the opinion of a personal data subject, Medicina JSC while processing his personal data violates requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” or otherwise infringes his rights and freedoms, the personal data subject may file an appeal against the actions or omissions of Medicina JSC with the relevant body authorized for protection of rights of personal data subjects or with a court.

7.3.6. Personal data subject may protect his rights and legitimate interests, including by claiming compensation for losses and/or moral damage through court proceedings.

7.3.7. Regulation for responding to requests from personal data subjects / authorized body for the protection of rights of personal data subjects and actions of Medicina JSC employees are detailed in Appendix No.2.

8. Feedback

8.1. In cases where a personal data subject wants to know what personal data Medicina JSC has about him, or to supplement, correct, depersonalize or delete any incomplete, inaccurate or outdated personal data, or wants to terminate the processing of his personal data by Medicina JSC, or has other legal requirements, he may, in accordance with the established procedure and the laws, exercise such a right and send the relevant request to Medicina JSC.

8.2. However, in some cases (for instance, if a personal data subject wants to delete own personal data or stop processing it), this request may also mean that Medicina JSC will no longer be able to provide services to the personal data subject.

8.3. To fulfill requests of personal data subjects, Medicina JSC may require that the identity of the personal data subject be established and may request additional information evidencing his involvement in the relations with Medicina JSC, or any details that otherwise confirm that personal data are processed by Medicina JSC.

8.4. In addition, current legislation may impose restrictions and other conditions regarding the rights of personal data subjects referred to above.

8.5. The procedure for sending information requests by a personal data subject is determined by the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data”. In particular, in accordance with the above requirements, an information request to Medicina JSC shall contain:

  • series and number of personal identity document of the personal data subject (his representative), date of issue of the specified document and its issuing authority;
  • information evidencing involvement of the personal data subject in relations with Medicina JSC (contract number, date of the contract conclusion, conventional word designation and/or other information), or any details that otherwise confirm that personal data are processed by Medicina JSC;
  • signature of the personal data subject (his representative).

8.6. If the request is sent by a representative of the personal data subject, the request shall contain a document (a copy of the document) confirming the powers of this representative.

8.7. PD subjects may use the following contacts to address their submissions regarding personal data processing to Medicina JSC: 10, 2nd Tverskoy-Yamskoy pereulok, Moscow, 125047, tel.: (499) 250-91-90, e-mail: contact@medicina.ru.

9. Liability

9.1. Persons that commit a breach of any rules governing personal data processing and protection shall be subject to the disciplinary, material, civil, administrative and criminal liability in accordance with the procedure established by federal laws, local regulations of Medicina JSC and agreements regulating legal relations with third parties.

Appendix 1

LIST of personal data processed by Medicina JSC

Medicina JSC processes personal data of the following categories of personal data subjects:

  • job seeker;
  • employee;
  • employee relative;
  • contracting partner;
  • patient;
  • visitor;
  • website user.

This list defines for each category of personal data subjects:

  • purposes of personal data processing;
  • composition of the processed personal data;
  • list of actions with personal data;
  • method of personal data processing;
  • duration of personal data processing and storage;
  • procedure for personal data destruction.

Job Seeker

Job seekers are defined as subjects who are considered by Medicina JSC as candidates for filling open vacancies.

Personal data of a job seeker are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of a job seeker are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. 1

Purposes of Personal Data Processing: Recruitment of personnel to fill vacant positions and positions that may arise in the future

Composition of Personal Data for Processing:

  • last name, first name, patronymic (full name);
  • citizenship data;
  • date of birth;
  • place of birth;
  • gender;
  • details of personal identity document;
  • residence address;
  • address of the place of stay;
  • profession;
  • knowledge of foreign languages;
  • position;
  • structural unit;
  • current place of employment;
  • previous places of employment;
  • military service obligation, details about registration for military service;
  • information about education, qualifications, and specialty;
  • details of the document on education, qualifications, specialty;
  • photographic image of a face;
  • taxpayer identification number (INN);
  • insurance number of individual personal account (SNILS);
  • salary;
  • disability information;
  • criminal record information;
  • information about medical status relevant for ability to perform the job function;
  • information provided in the resume;
  • e-mail address;
  • contact phone number;
  • work experience

List of Actions with Personal Data: Collection, receipt from third parties, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction

Periods for Personal Data Processing and Storage: Until decision on employment is made

Ser. No. 2

Purposes of Personal Data Processing: Security clearance (including assessment of professional, business and personal qualities, including testing)

Composition of Personal Data for Processing:

  • last name, first name, patronymic (full name);
  • citizenship data;
  • date of birth;
  • place of birth;
  • gender;
  • details of personal identity document;
  • residence address;
  • address of the place of stay;
  • profession;
  • knowledge of foreign languages;
  • position;
  • structural unit;
  • current place of employment;
  • previous places of employment;
  • information about education, qualifications, and specialty;
  • details of the document on education, qualifications, specialty;
  • taxpayer identification number (INN);
  • insurance number of individual personal account (SNILS);
  • salary;
  • criminal record information;
  • information provided in the resume

List of Actions with Personal Data: Collection, receipt from third parties, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction

Periods for Personal Data Processing and Storage: Until decision on employment is made

Ser. No. 3

Purposes of Personal Data Processing: Organization and enactment of access control and intra-facility regulations

Composition of Personal Data for Processing:

  • last name, first name, patronymic (full name);
  • details of personal identity document;
  • time and date of visits to the premises, buildings and territories of Medicina JSC

List of Actions with Personal Data: Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction

Periods for Personal Data Processing and Storage: 1 year

Employee

An employee shall mean:

  • current employees of Medicina JSC;
  • former employees of Medicina JSC, the subjects involved in the employment relations with Medicina JSC.

Personal data of an employee are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of a job seeker are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. Purposes of Personal Data Processing Composition of Personal Data for Processing List of Actions with Personal Data Periods for Personal Data Processing and Storage
1. Conclusion and execution of an employment contract in accordance with the requirements of the laws of the Russian Federation residence address (registered residence);
address of actual residence;
e-mail address;
citizenship;
details of a medical report based on the results of a preliminary medical examination (Article 213 of the Labor Code of the Russian Federation, p. 12 of Medical Examination Procedure approved by the Order of the Ministry of Health and Social Development of Russia No.302n dated April 12, 2011);
details of an Accreditation Certificate of the specialist (in accordance with Regulation on the Accreditation of Specialists, approved by the Order of the Ministry of Health of Russia No.334n dated June 02, 2016);
details of a Certificate of any Records Available (Absent) regarding Prior Conviction and/or any Ongoing Criminal Prosecution or any Criminal Prosecution Dismissed for excusing grounds issued by the Ministry of Internal Affairs of Russia;
details of an employment record book;
details of a working time sheet;
date of birth;
position;
ID of admission pass;
information about bank details, including account numbers;
information about any booked hotel;
information about any booked ticket;
place of birth;
phone number (mobile, home);
specimen of own handwritten signature;
fingerprint;
gender;
business phone number (landline, mobile);
details of an identity document (series, number, issuing body, subdivision code, date of issue);
details of an international passport (series, number, date of issue, issuing body);
details of a driver’s license;
details of a disability certificate;
information about close relatives (surname, first name, patronymic, degree of kinship, date and place of birth of the relative);
visa details;
information about knowledge of foreign languages;
information about military service booklet;
information about registration for military service;
information about power of attorney;
information about additional remunerations;
business trip information;
information about awards;
information about income taxes;
information about accrued and withheld wages;
information about accrued and paid insurance premiums;
information about professional development and retraining;
information about registration in the State Pension Insurance System (SNILS);
information about registration in the Health Insurance System (OMS);
information about registration in the tax authorities system (INN);
information about medical status relevant for ability to perform the job function;
information about employment periods qualifying for regular and accelerated pension assignment;
information about the employment contract;
information about employment period;
information about membership in associations and professional communities;
information about disability (including details of disability confirmation document);
information about education;
vacation information;
information about the dismissal;
information about the academic degree, academic title;
marital status;
structural unit;
employee ID;
last name, first name, patronymic (if changed);
last name, first name, patronymic (full name);
photographic image
Collection, systematization, storage, retrieval, transfer (submission, access), recording, accumulation, clarification (update, modification), use, destruction, deletion 5 years for the information contained in the primary accounting documents and included in the financial statements;
4 years for the information required for the calculation, withholding and transfer of taxes;
75 years (50 years for the documents created after 2003) for the information subject to archival storage
2. Organization and enactment of access control and intra-facility regulations last name, first name, patronymic;
position;
structural unit;
admission pass ID (ID card);
employee ID;
photographic image of a face;
fingerprints (biometric personal data);
time and date of visits to the premises, buildings and territories of Medicina JSC
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction 1 year after termination of employment relations with MedicinaJSC
3. Registration of salary bank cards last name, first name, patronymic;
position; structural unit;
date of birth;
place of birth;
citizenship data;
details of personal identity document;
residence address;
date of registration at the residence address;
address of the place of stay; contact telephone number;
gender;
current place of employment;
employee ID
Collection, recording, systematization, accumulation, storage, clarification, retrieval, use, destruction and transfer 5 years after termination of employment relations with Medicina JSC
4. Provision of mobile communication equipment last name, first name, patronymic;
date of birth; place of birth;
citizenship data;
details of personal identity document;
residence address;
date of registration at the residence address;
address of the place of stay;
contact phone number;
gender;
current place of employment
Collection, recording, systematization, accumulation, storage, clarification, retrieval, use, destruction and transfer 5 years after termination of employment relations with Medicina JSC
5. Implementation of information policy and information support, including corporate directories maintenance last name, first name, patronymic;
photographic image of a face;
position;
category;
structural unit; profession;
details about employment period;
current place of employment;
information about education, qualifications, specialty; information about academic degree, academic title;
information about professional development and retraining;
information about membership in associations and professional communities;
professional experience; employment period;
area of scientific and practical interests;
doctor’s rating;
information about awards
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, distribution, blocking, deletion, destruction
1 year after termination of employment relations with Medicina JSC
6. Selection, booking, payment of transportation tickets, hotel rooms through specialized agents
last name, first name, patronymic;
position;
structural unit;
date of birth;
place of birth;
citizenship data;
details of personal identity document; details of the document for personal identity abroad;
information about place and date of the business trip;
information about business trip duration;
residence address;
date of registration at the residence address;
address of the place of stay;
contact phone number;
gender;
current place of employment;
photographic image of a face
Collection, recording, systematization, accumulation, storage, clarification, retrieval, use, destruction and transfer
5 years after termination of employment relations with Medicina JSC
7. Business card production
last name, first name, patronymic;
position;
structural unit;
current place and address of employment;
contact phone number;
business telephone number, e-mail address
Collection, recording, systematization, accumulation, storage, clarification, retrieval, use, destruction and transfer
While employment relations with Medicina JSC are in effect
8. Processing of messages from messengers and social networks (including displaying data in personal account and technical support)
last name, first name, patronymic;
e-mail address;
phone number (subscriber number)
Collection, recording, systematization, accumulation, storage, clarification, retrieval, use, destruction and transfer
While employment relations with Medicina JSC are in effect

Employee relative

Employee relatives shall mean:

  • relatives of current employees of Medicina JSC;
  • relatives of former employees of Medicina JSC.

Personal data of employee relatives are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of employee relatives are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. | Purposes of Personal Data Processing | Composition of Personal Data for Processing | List of Actions with Personal Data | Periods for Personal Data Processing and Storage
1. Provision of compensations and benefits provided for by the laws of the Russian Federation and internal documents
e-mail address;
bank details;
year of birth;
citizenship;
details of marriage certificate;
details of marriage dissolution certificate;
details of a birth certificate of a child;
details of a death certificate (of a family member);
date of birth;
home address (address of actual residence);
contact phone number;
place of birth;
passport details;
gender;
information about writs of execution;
information about personal identity document;
information about registration at the place of stay;
degree of kinship;
last name, first name, patronymic (full name)
Collection, systematization, storage, retrieval, transfer (submission, access), recording, accumulation, clarification (update, modification), use, destruction, deletion
5 years for the information contained in the primary accounting documents and included in the financial statements;
75 years (50 years for the documents created after 2003) for the information subject to archival storage
2. Organization and enactment of access control and intra-facility regulations
last name, first name, patronymic (full name);
details of personal identity document;
time and date of visits to the premises, buildings and territories of Medicina JSC
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction
1 year after termination of employment relations of an employee with Medicina JSC

Contracting partner

A contracting partner shall mean individuals, legal entities, and individual entrepreneurs who have concluded or intend to conclude civil law contracts with Medicina JSC (contracting partners) and their legal representatives (representatives of contracting partners).

Personal data of a contracting partner are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of a contracting partner are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. | Purposes of Personal Data Processing | Composition of Personal Data for Processing | List of Actions with Personal Data | Periods for Personal Data Processing and Storage
1. Preparation, conclusion and execution of a civil contract with contracting partners, accounting for the requirements of the applicable laws of the Russian Federation
e-mail address;
admission pass details;
details of account in the personal account;
information about the power of attorney;
information about assignment of an executive officer to the position;
INN (taxpayer identification number);
place of work, position;
organization, position;
contact phone number (business, mobile);
OGRN (primary state registration number) of an individual entrepreneur;
bank account details;
details of an identity document (series, number, issuing body, subdivision code, date of issue);
number in the State Pension Insurance System (SNILS);
amount of payment (remuneration);
last name, first name, patronymic (full name)
Collection, systematization, storage, retrieval, transfer (submission, access), recording, accumulation, clarification (update, modification), use, destruction, deletion
5 years after expiration of a contract
2. Organization and enactment of access control and intra-facility regulations
last name, first name, patronymic;
details of personal identity document;
position;
organization of a contracting partner;
admission pass ID (ID card);
photographic image of a face;
fingerprints (biometric personal data);
time and date of visits to the premises, buildings and territories of Medicina JSC
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction
1 year after expiration of a contract
3. Participation in procurement procedures on the website tender.medicina.ru
e-mail;
password;
Taxpayer Identification Number of the Company
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
5 years

Patient

Patients shall mean:

  • patients as individuals;
  • patient representatives:
    - customers (payers) — individuals, legal entities and individual entrepreneurs;
    - legal representatives of patients, including family members and close relatives.

Personal data of a patient are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of a patient are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. | Purposes of Personal Data Processing | Composition of Personal Data for Processing | List of Actions with Personal Data | Periods for Personal Data Processing and Storage
1. Conclusion and execution of medical service contracts
residence address (registered residence);
address of the place of stay;
address of actual residence;
e-mail address;
citizenship;
disability group;
blood type and Rh factor;
details of personal identity document of a foreign national;
details of a disability certificate;
information about amount paid under payable medical services contract;
details of a birth certificate (for children under 14 years old);
details of personal identity card of a serviceman of the Russian Federation;
details of personal identity card of a seafarer;
details indicated in the power of attorney;
date and time for visits to Medicina JSC;
date and time of death;
date of birth;
disease diagnosis;
ID of admission pass;
account name (Skype);
information about pathology examination results;
disease code according to the international classification of diseases;
body weight;
place of work;
place of birth;
organization, position;
home phone number;
patient record number;
mobile phone number;
gender;
social group (retired person);
HTMC profile and type;
results of diagnostic tests;
laboratory results;
details of an identity document (series, number, issuing body, subdivision code, date of issue);
details of the medical (physician) death certificate;
details of Private Health Insurance policy;
details of Obligatory Health Insurance policy;
height;
information about pregnancy, if any;
information about cause of death;
information about the medical services program;
information about dietary pattern and certain features;
information about medical status;
information about payment, if made, and amount paid for the medical services;
number in the State Pension Insurance System (SNILS);
degree of kinship;
structural unit;
last name, first name, patronymic (full name);
photo, video, audio information about operative interventions and diagnostics;
photographic image of a face
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, submission (access provision) to the service providers, blocking, deletion, depersonalization, destruction
25 years after expiration of a contract
2. Warranty service of medical equipment at Medicina JSC
last name, first name, patronymic;
date of birth;
gender;
information about height, weight, and body temperature;
patient record number;
information about medical status (results of diagnostics, monitoring of human body conditions, medical research) obtained with the use of medical equipment
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, submission (access provision) to the service providers, blocking, deletion, depersonalization, destruction
10 years after Medicina JSC completed provision of its medical services
3. Interaction with the Contact Center of Medicina JSC
last name, first name, patronymic;
date of birth;
residence address;
address of the place of stay;
contact phone, fax numbers;
e-mail address for contacts;
patient record number;
details of a Private Health Insurance policy (if available);
details of a medical service agreement;
information about a period of medical services provided by Medicina JSC;
information about legal basis for receiving medical care at Medicina JSC;
time and date of applying for medical services
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, submission (access provision) to the service providers, blocking, deletion, depersonalization, destruction
10 years after Medicina JSC completed provision of its medical services
4. Remuneration to an agent of Medicina JSC for the services rendered to bring me as a patient of Medicina JSC
last name, first name, patronymic;
date of birth;
patient record number;
cost of the medical services provided
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, submission (access provision) to the service providers, blocking, deletion, depersonalization, destruction
10 years after Medicina JSC completed provision of its medical services
5. Information and service support and feedback implementation
name;
contact phone number;
request for assistance
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction of personal data
1 year
6. Use of the personal account services (patient registration in the personal account on website www.medicina.ru, registration of a QR code for physical access to the clinic)
login;
password;
medical record number;
phone number;
e-mail;
full name;
date of birth;
gender;
bills;
health record data;
image
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction of personal data
1 year
7. Organization and enactment of access control and intra-facility regulations
last name, first name, patronymic;
admission pass ID (ID card);
photographic image of a face (biometric personal data);
time and date of visiting Medicina JSC
Collection, recording, systematization, accumulation, storage, updating, modification, retrieval, use, blocking, depersonalization, deletion, destruction
10 years after Medicina JSC completed provision of its medical services
8. Processing of messages from messengers and social networks
last name, first name, patronymic;
ID;
contact phone number;
request (including media files)
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction of personal data
1 year
9. Filling out the questionnaire of guarantees for patients
data on services provided;
comments
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year
10. Publishing a review about a doctor
name;
phone number;
e-mail;
No. of medical record;
text of the review;
full name of a doctor
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
10 years
11. Advance payment for medical services
name;
last name;
phone;
e-mail;
No. of medical record
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year
12. Checking the Private Health Insurance policy
No. of medical record;
Private Health Insurance policy No.
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year

Visitor

A visitor shall mean individuals other than employees or patients.

Processing is performed without the use of automation tools.

Personal data of website visitors are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. | Purposes of Personal Data Processing | Composition of Personal Data for Processing | List of Actions with Personal Data | Periods for Personal Data Processing and Storage
1. Organization and enactment of access control and intra-facility regulations
passport details;
last name, first name, patronymic;
visit date;
visit time
Collection, recording, storage, destruction
1 year

Website visitor

Personal data of website visitors are processed with a combination of methods (automated processing and processing without automation tools).

Personal data of website visitors are destroyed in accordance with the procedure defined by the “Regulation on the Procedure to Arrange and Perform Activities for Personal Data Protection” in accordance with the requirements of Federal Law No.152-FZ dated July 27, 2006 “On Personal Data” and Order of the Federal Service for Supervision of Communication, Information Technology and Mass Media No.179 dated October 28, 2022 “On Approval of the Requirements for Confirming Personal Data Destruction”.

Ser. No. | Purposes of Personal Data Processing | Composition of Personal Data for Processing | List of Actions with Personal Data | Periods for Personal Data Processing and Storage
1. Analysis of website traffic, user activity, and website operation optimization
user IP address;
JavaScript events;
page URL;
browser and its version;
Flash version;
Silverlight version;
visit;
age, gender, interests, geographical location of a user;
duration of visit to the website;
screen height and width;
viewing depth;
screen color depth;
date and time of visiting the website;
page header;
user interests;
information about behavior of a user on the website (including number and headings of the pages viewed);
source of accessing the website;
cookies, if any;
Java, if available;
JavaScript, if available;
request;
operating system and its version;
failure;
page downloading parameters;
password;
clicking on an external link;
page view;
other technical data (cookies, flash, java, etc.);
page referrer;
type and model of the mobile device;
types of browser and operating system;
time zone;
width and height of the front end of the browser window;
e-mail;
browser language
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year
2. Processing of requests (including information and service support (registration of an appointment with a doctor, registration for seminars, verification of Private Health Insurance policy, selection of a service program, registration of a request for a callback, etc.))
name;
contact phone number;
request for assistance
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year
3. Submitting a request for a call back
e-mail;
question;
callback time;
date;
name;
phone number;
request;
full name
Collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (submission, access provision), depersonalization, blocking, deletion, destruction
1 year

Appendix No.2

Regulation
for responding to requests from personal data subjects / authorized body for the protection of rights of personal data subjects and actions of Medicina JSC employees

Ser. No. | Types of requests of personal data subjects / authorized body | Action of employees of Medicina JSC | Deadline for actions to be completed with the personal data | Deadline for response and/or notice to the personal data subject / authorized body
1. Request from the personal data subject / authorized body for confirmation of personal data processing
Response to the request
No later than 10 business days.
The specified period may be extended, but not for more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information
2. Request to review personal data
A response to a request with a date and time for the subject to review his personal data
No later than 10 business days. The specified period may be extended, but not for more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information
Refusal (reasoned response containing a reference to the provision of Part 8 of Article 14 of the Federal Law “On Personal Data” or another federal law, substantiating such refusal) to provide information about availability of personal data related to the relevant personal data subject or personal data to the personal data subject or his representative when they apply or receive a request from the personal data subject or his representative
No later than 10 business days.
The specified period may be extended, but not for more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information
Block personal data if a personal data subject / authorized body provides information that proves the personal data are incomplete, inaccurate, or outdated
No later than 7 business days
Destroy personal data if a subject provides the information that proves the personal data are illegally obtained or not required for the stated purpose of processing
No later than 7 business days
3. Withdrawal of consent for personal data processing
Delete and destroy personal data, unless otherwise stipulated by the contract with the subject, or if Medicina JSC is not entitled to process personal data without consent
No later than 30 calendar days of withdrawal registration date
Terminate the transfer (distribution, provision, access) of personal data previously authorized by the personal data subject for distribution
Within 3 business days of receiving request of the personal data subject or within the time period specified in the enacted court decision, and if such time period is not specified in the court decision, within three business days of the effective date of the court decision
4. Request to terminate personal data processing
Terminate the processing or ensure termination of such processing (if such processing is carried out by the person processing the personal data)
No later than 10 business days.
The specified period may be extended, but not for more than five business days if Medicina JSC sends a reasoned notice to the personal data subject / authorized body describing the rationale for extending the deadline for providing the requested information
5. Illegal processing of personal data of a subject
Terminate personal data processing as soon as application/request of the personal data subject / authorized body is received
No later than 3 business days
Within 10 business days after personal data are deleted and destroyed
Delete and destroy personal data
Within 10 business days if legal basis for the processing cannot be provided
6. Achievement of the purposes of personal data processing
Delete and destroy personal data, unless otherwise stipulated by the contract with the subject, or if Medicina JSC is not entitled to process personal data without consent
Within 30 calendar days after the purposes are achieved