This Policy on personal data processing (hereinafter - the Policy) is developed in compliance with the following main legislative acts of the Russian Federation on personal data (hereinafter - PD), regulatory and procedural documents issued by state executive authorities and local documents of LLC “Ingka Hanim Ltd.” on information security (hereinafter - the Company):
The purpose of the Policy is to establish the procedure for processing and ensuring security of PD of employees and clients of the Company.
The Rule shall be reviewed and followed by all employees of the Company. Each employee of the Company, by signing the consent to the transfer and processing of his/her PD by the Company, certifies, in particular, that he/she has read and understood the Rule.
Personal Data (PD) shall mean any information relating to an individual (an owner of personal data) who is or can be directly or indirectly identified.
Personal data processing shall mean actions (operations) with PD including the collection, retention, updating, changing, distribution, depersonalisation and destruction of PD.
Depersonalisation of personal data shall mean actions as a result of which it becomes impossible to attribute PD to a particular individual.
Personal Data Information System (PDIS) shall mean an information system consisting of the set of PD contained in a database, together with the information technologies and hardware used to process that PD.
Confidential data shall mean information of high importance to the business, the disclosure of which can lead to tangible financial losses, damage to the Company's image and/or legal sanctions against the Company.
Personal data group owner is an employee of the Company who manages the workflow in which the PD group is used and is therefore authorised to resolve issues related to changes to the list of PD in the group, the processing procedures and the procedure for access to the data.
Responsible for arrangement of PD processing shall mean the person appointed as responsible for the arrangement and protection of PD processing in the Company, namely the Information Security Manager.
The processing of personal data in the Company shall be based on the following principles:
The Company declares the following PD processing objectives:
PD may be processed by authorised employees of the Company only for the purposes mentioned above.
Processing of a certain category of PD may be carried out only with the consent of the PD owner, or without such consent if the processing of that PD category by the Company is required by the laws of the Russian Federation.
Before consent is obtained, PD owners shall be informed of the PD processing objectives, the list of data collected and the list of actions with PD for which the consent is given. The period of validity of the consent and the procedure for withdrawing it shall also be specified.
The form of PD owner’s consent to his/her PD processing shall be developed in the Company’s appropriate unit that processes the PD. The Form shall be approved by the employee in charge of PD processing in the Company (see Chapter 4.4) and by the owner of the relevant PD category.
The Form of consent to PD processing is specific to each business process in the framework of which PD are processed, so the Form Template shall be developed jointly with an Employee responsible for PD processing arrangement in the Company.
Collected personal data of the Russian Federation citizens must be recorded, systematised, accumulated, stored, clarified (updated, revised) and extracted with the use of databases located in the Russian Federation.
All PD, both on paper and in electronic form, may be obtained only from the PD owner himself/herself, except where PD are obtained from public sources (including catalogues and address books). If PD are obtained from a third party, the PD owner shall be notified of the source of the PD and the purpose for which they were received.
It is prohibited to request, receive and process PD concerning race or ethnicity, political opinions, religious or other beliefs. Processing of PD concerning the state of health is allowed only in cases stipulated by the effective laws of the Russian Federation.
Owners of PD groups shall control correct processing of PD during the whole cycle of use thereof in line with the logic of their business processes, including the destruction process (depersonalisation) of PD, after the objectives of the data processing have been achieved.
Employees of the Company shall have access to PD when it is necessary for business. All exceptions to this rule shall be approved by the Owner of the relevant group of PD.
If the Company entrusts the processing of PD to a third party under an agreement, the agreement shall, as an essential condition, specify the purpose of the transfer and the list of categories of PD transferred for processing, as well as the third party's obligation to ensure the confidentiality and security of the PD during processing.
If the Owner of the relevant group of PD or an appointed project manager wants to arrange a new procedure for processing PD, change an existing procedure for processing PD, or transfer PD to a third party for processing, he/she shall consult the Responsible for arrangement of PD processing.
PD security shall be achieved by eliminating unauthorized access to personal data, including accidental access, that can result in the destruction, modification, blocking, copying or distribution of personal data, as well as other illegal actions. This is achieved by applying organizational measures and technical means of information protection (e.g., encryption tools, access authorisation facilities, information leakage prevention) that ensure the availability, integrity and confidentiality of PD.
According to the information system classification approved in the Company, all PD, with the exception of PD in the public domain and, in some cases, depersonalised PD, are classified as confidential information, and all the protection measures defined in the information security documents for this category of data apply to them.
PD and PD processing results can only be stored in authorized PDIS databases, on secure encrypted external electronic media, as well as in hard copies retained in places closed to public access.
The Company’s Employees who are authorised to access PD within the scope of their job duties shall not distribute or disclose PD to third parties without the consent of the PD owner, unless otherwise provided by the laws of the Russian Federation.
The Company transfers PD to third parties (the receiving party) for processing only with the consent of the PD owner and only if it is necessary to achieve the objectives of the PD processing; moreover, an essential condition of the contract with the third party shall be the third party's obligation to ensure reliable protection of the transferred PD.
Basic rules for access to PD are the following:
Basic rules for PD processing by the Company’s employee:
When processing PD it is necessary to secure the following rights of the owner in relation to his/her PD that are guaranteed to the owner by the laws of the Russian Federation:
In order to develop and implement measures to ensure PD security when they are processed in the Company’s PDIS, the official person responsible for arrangement of PD processing is determined by the Policy: Responsible for Arrangement of PD Processing. The official person, in particular, shall:
Pursuant to requirement of FZ-152 the Company:
The PD group owner initiates the process of PD destruction upon achievement of the objectives of processing, or when the PD are no longer necessary to achieve those objectives. In other cases, PD destruction shall be initiated by the Responsible for arrangement of PD processing.
The person carrying out PD destruction shall draw up and sign the PD Destruction Report and send it to the Responsible for arrangement of PD processing.
Employees of the Company shall be personally liable for compliance with requirements to processing and security of PD established hereby. An employee of the Company may be made accountable in the event of:
unauthorised access to PD, disclosure of PD, or infliction of financial or other damage on the Company, its employees or clients; the persons at fault shall bear the liability stipulated by the laws of the Russian Federation.