Policy
Personal Data Processing Agreement (DPA)
TNG-Group is the Operator, which independently or jointly with other juridical persons organizes and (or) carries out personal data processing, as well as determines the purposes of personal data processing, scope of personal data to be processed, actions (operations) performed on personal data.
The following Data Processing and Protection Policy is an internal document of TNG-Group.
Since TNG-Group collects personal data, unlimited access to the following Policy is provided by publishing (posting) it on the Operator's website www.tng.tagras.ru/en.
Section 1. Policy objectives
This document defines DPA policy in terms of personal data processing (section 3), as well as contains information on the implemented requirements for the personal data protection (section 4), and is approved pursuant to Art. 18.1. The Federal Law of July 27, 2006 Federal Law No. 152-FZ "On Personal Data" (hereinafter - the Law).
Section 2. General definitions
The definitions related to personal data processing are used in the strict sense they are given in Article 3 of the Law, in particular:
- personal data processing - any action (operation) or a set of actions (operations), performed with or without automation tools, usage of personal data including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data (clause 3, article 3 of the Law);
- personal data (PD)- any information relating directly or indirectly to a specific or an identified or identifiable natural person (the data subject) (clause 1, article 3 of the Law);
- providing of PD - actions aimed at disclosing personal data to a certain person or a certain circle of persons (clause 6, article 3 of the Law);
- dissemination of PD- actions aimed at disclosing personal data to an indefinite circle of persons (clause 5, article 3 of the Law);
- cross-border transfer of PD - transfer of personal data to another country or jurisdiction, foreign government authority, a foreign individual or a foreign legal entity (clause 11, article 3 of the Law);
- destruction of PD - operations allowing to restore the content of personal data in the personal data information system and (or) to destroy the personal data media (clause 8, article 3 of the Law).
Section 3. PD processing policy
3.1. Depending on the data subject the Operator processes the following personal data:
- applicants for job openings- physical persons who make a formal application for vacant positions of the Operator;
- employees - individuals associated with the Operator by labor relations;
- counterparties - individuals with whom the Operator has entered into civil law contracts;
- clients - individuals who purchases professional services from the Operator;
- other entities in connection with the Operator in terms of deal-making that do not contradict the legislation of the Russian Federation and the Charter of the Operator.
3.2. The operator is guided by the following principles to establish the purposes of PD processing.
PD processing must be carried out on a lawful and fair basis.
The Operator differ and establish the purposes of PD processing depending on the category of the data subjects and (or) individual groups of PD subjects belonging to the same category. At the same time, the purposes of processing must be specific, predetermined and lawful, and must be kept within the bounds of these goals.
3.3. Purposes of PD processing.
3.3.1. PD processing handled by the Operator is limited to achieve specific, predetermined and legitimate purposes.
3.3.2. Processing of employees personal data (including dismissed employees) is allowed only for these purposes:
- staff onboarding, regulation of labor relations;
- ensuring compliance with the Constitution of the Russian Federation, labor, tax and pension legislation; performance of obligations and functions of the employer; conducting personnel records; calculation, accrual and wages payment ,remuneration;
- making deductions, submitting of reporting documentation to the Pension Fund of the Russian Federation, to the Social Insurance Fund of the Russian Federation, to the Federal Compulsory Medical Insurance Fund, as well as to the other state bodies;
- provision of benefits and guarantees in accordance with the legislation of the Russian Federation and the Collective Agreement of the enterprise, as well as non-state pension funds, voluntary medical insurance;
- assistance in carrying out labor activities, quantity and quality control of performed work;
- staff training, advanced training and promotion, educational or industrial practice;
- booking and paying for tickets and hotel rooms;
- ensuring personal safety.
3.3.3. Processing PD of close relatives of employees is allowed only for the following purposes:
- legislation enforcement of the Russian Federation;
- fulfillment of the obligations of the employer;
- personnel records;
- providing benefits and guarantees.
3.3.4. Processing PD of applicants for vacant positions is allowed only for the following purposes:
- legislation enforcement of the Russian Federation;
- employment assistance, conclusion of an employment contract;
- fulfillment of the obligations of the employer.
3.3.5. Processing PD of counterparties for the purposes of:
- conclusion of civil law contracts;
- performance of obligations and provision of services stipulated in the civil law contract;
- performance of obligations and functions assigned to TNG-Group by the legislation of the Russian Federation.
3.3.6. no PD collection goals.
The content and scope of the processed PD must comply with the declared processing goals.
When processing PD, the Operator complies with other principles and processing rules established by the legislation of the Russian Federation.
3.4. The operator is guided by the terms of processing PD depending on categories of the PD subjects with regard to regulatory acts of the Russian Federation (including the provisions of Federal Archival Agency of Russia) of 20 December, 2019, No. 236 "On approval of the List of standard management archival documents, formed in the activities of state and non-state organizations, indicating the storage period", taking into account the terms and conditions of the agreement, by the party, beneficiary or guarantor under which the PD subject is.
3.5. The operator processes personal data of the subjects in cases established by the legislation of the Russian Federation in the field of PD. one of these cases is granting consent to the processing of personal data by the data subject.
The data subject decides to provide his/her personal data and agrees to process it freely, by his/her own will and in his/her own interest.
The operator provides specific conscious consent to PD processing given by the informed data subject.
Unless otherwise provided by federal law, the following actions are carried out by the Operator only with the consent of the data subject:
- entrusting PD processing to another person on the basis of an agreement concluded with this person;
- disclosure and dissemination of personal data to third parties.
Furthermore, the consent of the data subject is required in other cases provided for by the legislation of the Russian Federation.
When consent is necessary, the Operator receives it in any form that allows confirming the fact of its receipt, except in cases when, PD processing is executed solely upon the data subject written consent.
Consent to the PD processing can be withdrawn by the data subject. In case of withdrawal of PD processing consent, the Operator continues PD processing, if this does not contradict the current legislation of the Russian Federation on personal data.
3.6. Rights of the data subject
3.6.1. The data subject has the right to receive information regarding PD processing. The scope of provided information, as well as the procedure, rules and terms are established by Chapter 3 and other provisions of the Law.
The right of the data subject to access his personal data may be limited in accordance with federal laws, including if PD processing performs in accordance with the legislation on countering the legalization (laundering) of proceeds from crime and the financing of terrorism
3.6.2.The data subject has the right to demand from the Operator the clarification of his/her personal data, blocking or destruction of personal data if it is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated PD processing purposes, as well as take legal action for the protection of her/his rights and legitimate interests.
3.6.3. Other rights of the data subject, including the right to appeal against the actions or inactions of the Operator, are established by the Law.
3.7. Rights and obligations of the Operator
3.7.1. The operator has the right:
- provide personal data to third parties with the consent of the data subject;
- continue PD processing after the withdrawal of consent by the data subject in cases provided for by the Law;
- reasonably refuse the data subject (his/her representative) to satisfy the information request regarding PD processing, only on grounds of the legislation of the Russian Federation.
3.7.2. Obligations of the Operator:
Performing PD processing, the Operator is obliged to observe the security and confidentiality of the processed personal data, as well as to comply with other requirements stipulated by the legislation of the Russian Federation in the field of personal data.
Section 4. Information on implemented requirements for the protection of personal data
4.1. The operator implements the following legal requirements in the field of personal data:
- requirements for confidentiality of personal data;
- requirements to ensure the exercise of the data subject rights (including access to information);
- requirements to ensure the accuracy of personal data, and, if necessary, relevance in relation to the purposes of PD processing (with the adoption (ensuring the adoption) of measures to delete or clarify incomplete or inaccurate data);
- requirements for personal data protection from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to personal data;
- other legal requirements.
4.2. In accordance with Part 1 of Art. 18.1. of the Law, unless otherwise provided by the Law or other federal laws, the Operator independently determines the scope and the list of necessary and sufficient measures to ensure the fulfillment of the obligations stipulated by the legislation in the field of personal data. In particular, personal data security shall be ensured by the Operator, in particular, by:
- publication by the Operator of this Policy, as well as the development of other documentation, taking into account the requirements of legislation in the field of personal data;
- organization of employees' access to information containing personal data of the data subjects, in accordance with their official (functional) duties; establishing access rules to personal data processed in PD information system;
- compliance by employees admitted to PD processing with the requirements established by the legislation of the Russian Federation in the field of personal data, local regulations of the Operator.
Section 5. Final provisions
5.1. This Policy is an internal document of the Operator.
5.2. Pursuant to Part 2 of Article 18.1. Of The Law, this Policy must be published or otherwise provide unlimited access.
5.3. The Operator reserves the right to make changes to this Policy (in all its sections and the preamble, as well as in the name), unless otherwise provided by the order of the CEO of the Operator:
- changes (withdrawals, additions, etc.) are made by issuing a new version of this Policy;
- the new version of the Policy comes into force from the date of its approval;
- the previous version of the Policy becomes invalid from the moment the new version is approved.
5.4. Other local regulations of the Operator must be issued in accordance with this Policy and legislation in the field of personal data.