REAB /

PDP Policy

Personal data processing policy

This policy describes how the REAB website and its owner accept, process, use, store and protect your personal data.

Your use of the REAB website means your acceptance of this policy. If you do not accept this policy, you must stop using this website.

Version 1.0
Moscow
2022

1. GENERAL

1.1. This policy regarding the processing of personal data (hereinafter the «Policy») has been developed in pursuance of the requirements of paragraph 2 of part 1 of article 18.1 of the Federal Law dated July 27^th, 2006 No. 152-FZ "On Personal Data" (hereinafter the «Law on Personal Data») in order to ensure the protection of the rights and freedoms of a human and citizen in the processing of its personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. This Policy applies to the following categories of personal data subjects processed by the Operator:

Operator employees;
Applicants for vacant positions of the Operator;
Operator's counterparties (individuals);
Clients of the Operator.

1.3. Basic definitions used in the Policy:

Personal data — any information relating directly or indirectly to a definite or identifiable natural person (subject of personal data);

Personal data operator (Operator) — LLC "REAB", PSRN (OGRN) 1076606000063, TIN/KPP 6606023960/667101001, Uspensky lane, 4A, office 4, Russia, Moscow, independently or jointly with other parties organizes and (or) carries out the processing of personal data, and also determines the purposes of processing of personal data, the details of personal data to be processed, actions (operations ) committed with personal data;

Personal data processing — any action (operation) or a set of actions (operations) with personal data performed with or without the use of automation tools. The processing of personal data includes, among other things: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;

Automated processing of personal data — processing of personal data using computer technology;

Dissemination of personal data — actions aimed at disclosing personal data to an indefinite circle of persons;

Provision of personal data — actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data — temporary suspension of the processing of personal data (except where the processing is necessary to clarify personal data);

Destruction of personal data — actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

Anonymization of personal data — actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information;

Personal Data Information System — details of personal data contained in databases and information technologies and technical means that ensure their processing;

Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity;

1.4. Basic rights and obligations of the Operator

1.4.1. The Operator has the right:

to determine independently the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;
entrust the processing of personal data to another party with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The party who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Law on Personal Data;
If the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing of personal data without the consent of the subject of personal data upon cause under the Law on Personal Data.

1.4.2. The Operator is obliged:

to organize the processing of personal data in accordance with the requirements of the Law on Personal Data;
to respond to appeals and requests from personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
to report to the authorized body for the protection of the rights of personal data subjects (hereinafter «Roskomnadzor») at the request of this authority body the necessary information within 10 working days from the date of receipt of such a request.

1.5. Basic rights of personal data subjects. The subject of personal data has the right:

to receive information regarding the processing of its personal data, except as otherwise provided by federal laws. The information is provided to the Personal Data Subject by the Operator in an accessible form, and it should not contain personal data relating to other Personal Data Subjects, except when there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
to require the Operator to clarify its personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect its rights;
appeal to Roskomnadzor or in court against illegal actions or omission of the Operator when processing of its personal data.

The subject of personal data can exercise the rights to receive information regarding the processing of its personal data, as well as the right to clarify its personal data, block or destroy it by contacting the Operator with a corresponding request at: Uspensky lane, 4A, office 4, Russia, Moscow, 127006, or by contacting the Operator with a corresponding request by e-mail kalinin@reab.pro and skorokhodov@reab.pro In both cases, the request should be executed in compliance with the requirements of Article 7.1. hereof.

1.6. Control over the fulfillment of the requirements hereof is carried out by an authorized person responsible for organizing the processing of personal data in the Operator.

1.7. Responsibility for violation of the requirements of the legislation of the Russian Federation and local acts of the Operator in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

2. PRINCIPLES OF PROCESSING OF PERSONAL DATA

2.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation and on the basis of the following principles:

legality and fairness;
limiting the processing of personal data to specific, predetermined and legitimate purposes;
avoiding the processing of personal data incompatible with the purposes of collecting personal data;
avoiding the merger of databases containing personal data processed for incompatible purposes;
processing only those personal data that meet the purposes of its processing;
conformity of the content and scope of the processed personal data to the stated purposes of processing;
avoiding the processing of excessive personal data in relation to the stated purposes of its processing;
ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of processing personal data;
destruction or depersonalization of personal data upon achievement of the goals of its processing or in case of loss of the need to achieve these goals, if it is impossible for the Operator to eliminate the committed violations of personal data, unless otherwise provided by federal law.

3. LEGAL BASIS FOR PROCESSING OF PERSONAL DATA

3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, in execution of which and in accordance with which the Operator processes personal data, including:

Constitution of the Russian Federation;
Labor Code of the Russian Federation;
Civil Code of the Russian Federation;
Tax Code of the Russian Federation;
Federal Law No. 402-FZ dated December 6^th, 2011 "On Accounting";
other regulatory legal acts regulating relations related to the activities of the Operator.

3.2. The legal basis for the processing of personal data is also:

Operator's Charter;
contracts concluded with the Personal Data Subject;
Consent of the Personal Data Subject to the processing of personal data.

4. PURPOSES AND TERMS OF PROCESSING OF PERSONAL DATA

4.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of collecting of personal data is prohibited. Only personal data that meet the purposes of its processing are subject to processing.

4.2. The content and scope of the processed personal data shall comply with the stated purposes of processing provided for in this section. The processed personal data shall not be excessive in relation to the stated purposes of its processing.

4.3. In accordance with this Policy, the Operator may process personal data belonging to the following categories of Personal Data Subjects:

Operator's employees.
Applicants for vacant Operator positions.
To the Operator's counterparties (individuals).
Operator's clients.

4.3.1. Operator's employees

4.3.1.1. The Operator processes the personal data of employees for the following purpose(s):

Assistance to employees in finding employment;
Ensuring the personal safety of employees;
Enforcement of laws and other regulatory legal acts;
Conclusion and regulation of labor relations and other relations directly related to them;
Education and promotion;
Reflection of information in personnel documents;
Payroll;
Calculation and payment of taxes, fees and contributions for compulsory social and pension insurance provided for by the legislation of the Russian Federation;
Submission by the employer of reporting established by law in relation to individuals, including personalized accounting information to the Pension Fund of the Russian Federation, income tax information to the Federal Tax Service of Russia, information to the FSS of the Russian Federation;
Providing tax deductions;
Ensuring safe working conditions;
Monitoring the quantity and quality of work performed;
Securing the property of the employer;
Accounting in the organization's databases;
Issuing a bank card for a payroll project
Issuing passes to office premises
Issuing a corporate SIM card

4.3.1.2. When concluding an employment contract, employees give written consent to the Operator for the processing of its personal data. The content of the employee's consent shall be specific and informed, that is, contain information that allows one to unambiguously draw a conclusion about the purposes, methods of processing, indicating the actions performed with personal data, the amount of personal data being processed.

4.3.1.3. When concluding an employment contract, employees provide the Operator with the following documents containing its personal data:

passport or other identification document;
a work record book and (or) information about labor activity, except in cases where an employment contract is concluded for the first time or the employee enters into work on a part-time basis;
an insurance certificate of compulsory pension insurance, except for cases when an employment contract is concluded for the first time;
documents of military registration - for those liable for military service and persons subject to conscription for military service;
a document on education and (or) qualifications or the availability of special knowledge - when applying for a job requiring special knowledge or special training;
other documents as required by law.

4.3.1.4. In the case of the initial conclusion of an employment contract with employees, a work record book, an insurance certificate of state pension insurance is issued by the Operator.

4.3.1.5. In the event that other documents are required for the employment of an employee in accordance with the legislation, the Operator applies to the person applying for a work with a request to provide such documents containing personal data.

4.3.1.6. If required by the above purposes, the Operator processes the following categories of personal data of employees:

General:

Last name, first name, patronymic.
Position.
INN (TIN).
SNILS
Marital status.
Photo.
Date and place of birth.
Citizenship.
Information about knowledge of foreign languages.
Data on education (name of educational institution, year of graduation, document on education, qualification, specialty).
Profession.
Work experience (general, continuous, giving the right to length of service).
Data on family members (degree of relationship, full name, year of birth, provided copies of birth certificates of children, certificates from the Civil Registry Office about the birth of children, passport data, including registration and place of birth).
Passport (series, number, date of issue, issuer, division code).
Residence address (according to passport, actual), date of registration at the place of residence.
Phone number (home, cell).
Information about military registration.
Email address.
Bank details.
Social position.
Property.
Income.
A work permit for a foreign citizen.
Notice of migration registration.
Migration card.
The content of the contract or employment contract concluded with the employee;
Information about certification, advanced training, professional retraining of employees.
Information about vacations used.
Information about available awards (incentives), honorary titles.
Work record book.
Information about social benefits (in accordance with the current legislation of the Russian Federation).
Data on current employment (date of commencement of employment, personnel transfers, salaries and their changes).
Mark and state. car number.
Compulsory medical insurance policy data.
VHI policy data.

4.3.1.7. Processing by the Operator of biometric personal data of employees (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish its identity) is not carried out.

4.3.1.8. Processing by the Operator of special categories of personal data of employees relating to information about the state of health of employees necessary to determine suitability for the performance of assigned work and the prevention of occupational diseases, as provided for by the current legislation of the Russian Federation, as well as data from a medical book, certificates and vaccination certificates, is carried out in accordance with the requirements legislation of the Russian Federation.

4.3.1.9. The list of actions performed by the Operator with personal data of employees: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (provision, access), blocking, deletion, destruction.

4.3.1.10. The Operator carries out mixed processing of personal data of employees with transmission over the internal network, with transmission over the Internet.

4.3.1.11. The Operator has the right to process personal data of dismissed employees in cases and within the time limits stipulated by the legislation of the Russian Federation. Such cases, among other things, include the processing of personal data in the framework of accounting and tax accounting, including to ensure the safety of documents necessary for the calculation, withholding and transfer of tax.

4.3.1.12. The operator is obliged to store accounting documentation for the periods established in accordance with the rules for organizing state archives, but at the same time, the minimum storage period cannot be less than 5 (five) years.

4.3.1.13. After the expiration of the periods determined by the legislation of the Russian Federation, the personal files of employees and other documents are transferred for archival storage for a period of 50 years. The processing of this information does not require compliance with the conditions related to obtaining consent to the processing of personal data. Consent of employees to the processing of their personal data in cases provided for in Clauses 4.3.1.11—4.3.1.12 hereof is not required.

4.3.1.14. Disclosure to third parties and distribution of personal data without the consent of the employee is prohibited, unless otherwise provided by federal law.

4.3.1.15. When transferring personal data of an employee, the Operator shall comply with the following requirements:

it is prohibited to disclose the employee's personal data to a third party without the employee's written consent, except in cases where it is necessary in order to prevent a threat to the life and health of the employee, as well as in cases established by federal law;
an employee transferring the personal data of the Operator's employee is obliged to warn the persons receiving the employee's personal data that these data shall only be used for the purposes for which they are reported, and require these persons to confirm compliance with this rule. Persons receiving personal data of an employee of the Operator are obliged to maintain its confidentiality. This provision does not apply to the exchange of personal data of employees in the manner established by federal laws;
An employee transferring the personal data of an Operator's employee has the right to transfer the employee's personal data to employees' representatives in the manner prescribed by the Labor Code of the Russian Federation, and to limit this information only to those employee's personal data that are necessary for the specified representatives to perform its functions.
transfer of personal data of employees to the Social Insurance Fund of the Russian Federation, the Pension Fund of the Russian Federation in the manner established by federal laws, in particular the Federal Law "On Compulsory Pension Insurance in the Russian Federation", the Federal Law "On the Basics of Compulsory Social Insurance" , Federal Law "On Compulsory Medical Insurance in the Russian Federation" carried out without the consent of the employees.

4.3.1.16. The Operator does not carry out cross-border transfer of personal data of employees.

4.3.1.17. Employees are required to familiarize themselves against signature with the Operator's local regulations that establish the procedure for processing personal data, as well as their rights and obligations in this area.

4.3.2. Applicants for vacant positions of the Operator

4.3.2.1. The Operator processes the personal data of applicants for vacant positions for the following purpose(s):

Considering an applicant for a vacant position and making a decision on hiring or refusing to hire.
Formation of a personnel reserve.

4.3.2.2. Obtaining consent from applicants for vacant positions is carried out in the event of an invitation to an interview.

4.3.2.3. Applicants for vacant positions send its personal data to the Operator directly to an email address or via specialized Internet resources (vacancy aggregators).

4.3.2.4. Placement of resumes for vacant positions by applicants of resumes on electronic Internet resources (vacancy aggregators) is carried out in accordance with the rules of these resources. By sending a resume to the Operator's e-mail, applicants for vacant positions thereby consent in a conclusive form to the processing of its personal data.

4.3.2.5. For the abovementioned purposes, the Operator processes the following categories of personal data of applicants for vacant positions:

Last name, first name, patronymic.
Education
Profession.
Contact phone number.
Email address.
Job position.

4.3.2.6. Processing of biometric personal data of applicants for vacant positions (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish its identity) is not carried out by the Operator.

4.3.2.7. Processing of special categories of personal data of applicants for vacant positions is not carried out by the Operator.

4.3.2.8. The list of actions performed by the Operator with the personal data of applicants for vacant positions: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, blocking, deletion, destruction.

4.3.2.9. The Operator carries out manual processing of personal data of applicants for vacant positions with transmission over the internal network, with transmission over the Internet.

4.3.2.10. When conducting interviews with applicants for vacant positions, personal data contained in questionnaires and resumes may be documented. Copies of supporting documents may be kept by the Operator, but not longer than until the goals of its processing are achieved or the need to achieve such goals is no longer necessary. Upon achieving the purpose of its processing, the personal data of applicants for vacant positions are subject to deletion within 30 days.

4.3.2.11. Disclosure to third parties and distribute personal data without the consent of the applicant for a vacant position is not allowed, unless otherwise provided by federal law.

4.3.2.12. The Operator does not carry out cross-border transfer of personal data of applicants for vacant positions.

4.3.3. Counterparties of the Operator (individuals)

4.3.3.1. The Operator processes personal data of counterparties (individuals) for the following purpose(s):

ensuring compliance with laws and other regulatory legal acts;
conclusion and regulation of contracts for the provision of services / performance of work and other directly related relations;
accruel of payments for services rendered/work performed;
calculation and payment of taxes, fees and contributions for compulsory social and pension insurance provided for by the legislation of the Russian Federation;
submission by the organization of reporting established by law in relation to individuals, including personalized accounting information to the Pension Fund of the Russian Federation, income tax information to the Federal Tax Service of Russia, information to the FSS of the Russian Federation;
monitoring the quantity and quality of services rendered/work performed;
ensuring the safety of the organization's property;
accounting in the organization's databases;
issuance of passes to office premises.

4.3.3.2. The processing of personal data of counterparties (natural persons) does not require obtaining additional consent, in the case of processing personal data in accordance with paragraph 5 of part 1 of Article 6 of the Law on Personal Data.

4.3.3.3. For the abovementioned purposes, the Operator processes the following categories of personal data of counterparties (individuals):

Last name, first name, patronymic.
TIN.
SNILS
Date and place of birth.
Citizenship.
Information about knowledge of foreign languages.
Data on education (name of educational institution, year of graduation, document on education, qualification, specialty).
Profession.
Work experience (general, continuous, giving the right to length of service).
Passport (series, number, date of issue, issuer, division code).
Residence address (according to passport, actual), date of registration at the place of residence.
Phone number (home, cell).
Email address.
Bank details.
A work permit for a foreign citizen.
Notice of migration registration.
Migration card.
Content of the concluded contract for the provision of services / performance of work;
Mark and state car number.
Compulsory medical insurance policy data.
VHI policy data.

4.3.3.4. Processing of biometric personal data of counterparties (individuals) (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is not carried out by the Operator.

4.3.3.5. Processing of special categories of personal data of counterparties (individuals) is not carried out by the Operator.

4.3.3.6. Counterparties (individuals) transfer personal data when concluding a contract. Personal data of counterparties (individuals) are subject to storage during the period of fulfillment of contractual obligations and (or) within the periods established by law.

4.3.3.7. The list of actions performed by the Operator with personal data of counterparties (individuals): collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, blocking, deletion, transfer, destruction.

4.3.3.8. The Operator carries out mixed processing of personal data of counterparties (individuals) with transmission over the internal network, with transmission over the Internet.

4.3.3.9. Disclosure to third parties and distribute personal data without the consent of the counterparty is not allowed, unless otherwise provided by federal law.

4.3.3.10. The Operator does not carry out cross-border transfer of personal data of counterparties (individuals).

4.3.4. Operator's Clients

4.3.4.1. The Operator processes personal data of clients for the following purpose(s):

Conclusion and execution of contracts.
Place ads on the website reab.pro.
Responses to ads posted on the website reab.pro.

4.3.4.2. The processing of personal data of clients does not require obtaining additional consent from them, in the case of processing personal data in accordance with paragraph 5 of paragraph 1 of Article 6 of the Law on Personal Data.

4.3.4.3. For the abovementioned purposes, the Operator processes the following categories of personal data of customers:

Last name, first name, patronymic.
Passport data.
Contact phone number.
Email address.
Gender

4.3.4.4. Processing of biometric personal data of clients (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is not carried out by the Operator.

4.3.4.5. Processing of special categories of personal data of customers is not carried out by the Operator.

4.3.4.6. Customers transfer personal data when concluding a contract. Personal data of clients is subject to storage during the period of performance of contractual obligations and (or) within the periods established by law.

4.3.4.7. The list of actions performed by the Operator with personal data of clients: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, blocking, deletion, destruction.

4.3.4.8. The Operator carries out mixed processing of personal data of customers without transmission over the internal network, without transmission over the Internet.

4.3.4.9. Disclosure to third parties and distribute personal data without the consent of the client is not allowed, unless otherwise provided by federal law.

4.3.4.10. The Operator does not carry out cross-border transfer of personal data of customers.

5. COLLECTION AND STORAGE OF PERSONAL DATA

5.1. When collecting personal data, the Operator ensures recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

5.2. Persons who transferred to the Operator information about another Personal Data Subject, without the consent of the subject whose personal data were transferred, are liable in accordance with the legislation of the Russian Federation.

5.3. The Operator stores personal data in a form that allows determining the subject of personal data, no longer than required by the purposes of processing of personal data, if the period for storing personal data is not established by federal law, an agreement to which the Personal Data Subject is a party, beneficiary or guarantor.

5.4. The processed personal data is subject to destruction in the event of:

reaching the deadline for processing of personal data;
achieving the purposes of processing of personal data;
no need to achieve the purposes of processing of personal data;
obtaining withdrawal of consent to the processing of personal data;
exclusion of the Operator from the Unified State Register of Legal Entities.

6. PROTECTION OF PERSONAL DATA

6.1. The Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, distribution and other unauthorized actions, including:

identifies threats to the security of personal data during its processing;
adopts local regulations and other documents regulating relations in the field of processing and protection of personal data;
appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
creates the necessary conditions for working with personal data;
organizes accounting of documents containing personal data;
organizes work with information systems in which personal data is processed;
stores personal data in conditions that ensure its safety and exclude unauthorized access to them;
organizes training for the Operator's employees who process personal data.

7. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA

7.1. Confirmation of the fact of processing of personal data by the Operator, the legal grounds and purposes of processing of personal data, as well as other information specified in part 7 of Article 14 of the Law on Personal Data, are provided by the Operator to the Personal Data Subject or its representative when contacting or upon receiving a request from the Personal Data Subject or its representative within 10 (ten) working days from the date of receipt of the application or receipt of the request. The provided information does not include personal data relating to other Personal Data Subjects, unless there are legal grounds for disclosing such personal data.

Request shall contain:

number of the main identity document of the Personal Data Subject or its representative, information about the date of issue of the specified document and the issuing authority;
information confirming the participation of the Personal Data Subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;
Signature of the Personal Data Subject or its representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the Personal Data Subject's request does not contain all necessary information in accordance with the requirements of the Law on Personal Data or the Subject does not have the right to access the requested information, then a reasoned refusal is sent to the Subject.

The right of the Personal Data Subject to access his personal data may be limited in accordance with part 8 of Article 14 of the Law on Personal Data, including if the Personal Data Subject's access to his personal data violates the rights and legitimate interests of third parties.

7.2. If inaccurate personal data is detected when the Personal Data Subject or its representative contacts or at their request or at the request of Roskomnadzor, the Operator blocks personal data related to this Personal Data Subject from the moment of such request or receipt of the specified request for the verification period, if the blocking of personal data does not violate the rights and legitimate interests of the Personal Data Subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the Personal Data Subject or its representative or Roskomnadzor, or other necessary documents, clarifies personal data within seven working days from the date of submission of such information and removes the blocking of personal data.

7.3. In the event that illegal processing of personal data is detected upon contact (request) by the Personal Data Subject or its representative or Roskomnadzor, the Operator shall block the illegally processed personal data relating to this Personal Data Subject from the moment of such request or receipt of the request.

7.4. Upon reaching the goals of processing of personal data, as well as in the event that the Personal Data Subject withdraws consent to their processing, personal data is subject to destruction if:

not otherwise provided in the contract to which the Personal Data Subject is a party;
the Operator is not entitled to process without the consent of the Personal Data Subject on the grounds provided for by the Law on Personal Data or other federal laws;
otherwise is not provided by another agreement between the Operator and the Personal Data Subject.

8. FINAL PROVISIONS

8.1. In pursuance of the requirements of part 2 of article 18.1 of the Law on Personal Data, this Policy is posted at the address of the Operator's location in the public domain.