POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
TERMS AND ACCEPTED ABBREVIATIONS
Personal data (PD) – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).
Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automated means on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.
Operator – a state body, municipal body, legal or physical entity, independently or jointly with other entities organizing and/or performing the processing of personal data and determining the purposes of the processing of personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data.
Distribution of personal data – actions aimed at disclosing personal data to an indefinite group of persons.
Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.
Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).
Destruction of personal data – actions resulting in the inability to restore the content of personal data in the personal data information system and/or actions resulting in the destruction of the physical media containing personal data.
Anonymization of personal data – actions that make it impossible, without the use of additional information, to determine the ownership of personal data by a specific subject of personal data.
Automated processing of personal data – the processing of personal data using computing equipment.
Personal data information system (PDIS) – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing.
Client – an individual who takes any action on the website and is also a consumer of the products and services of LLC «TOP» regardless of Internet use.
1. GENERAL PROVISIONS
1.1. This Policy on the processing and protection of personal data of the limited liability company «Third Opinion Platform» («TOP») (hereinafter referred to as the «Policy») is compiled in accordance with Article 18.1 of Federal Law No. 152-FZ dated 27.07.2006 «On Personal Data» (as amended) and is the foundational internal regulatory document of LLC «TOP» (hereinafter referred to as the «Company» or the «Operator»), defining the key areas of the Company's activities in the field of processing and protecting the personal data (hereinafter referred to as «PD») that it handles.
1.2. The Policy is developed to implement the requirements of Russian legislation in the field of personal data processing and protection and is aimed at ensuring the protection of human and civil rights and freedoms in the processing of their personal data within the Company, including the protection of rights to privacy, personal, family, and medical secrets.
1.3. The provisions of the Policy apply to relations regarding the processing and protection of personal data obtained by the Company both before and after the approval of the Policy, except in cases where, for legal, organizational, or other reasons, the provisions of the Policy cannot be applied to the relations regarding the processing and protection of personal data obtained before its approval.
1.4. The processing of personal data within the Company is carried out in connection with the fulfillment of the Company's functions provided for by its founding documents and defined by:
- Federal Law No. 152-FZ «On Personal Data» dated 27.07.2006;
- Federal Law No. 323-FZ «On the Basics of Health Protection of Citizens in the Russian Federation» dated 21.11.2011;
- The Labor Code of the Russian Federation;
- Government Decree No. 687 «On Approving the Regulations on the Peculiarities of Processing Personal Data Without the Use of Automation Tools» dated 15.09.2008;
- Government Decree No. 1119 «On Approving Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems» dated 01.11.2012;
- FSTEC Order No. 21 «On Approving the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems» dated 18 February 2013;
- Roskomnadzor Order No. 996 «On Approving the Requirements and Methods for Anonymizing Personal Data» dated 05 September 2013;
- Ministry of Labor of the Russian Federation Order No. 695n «On Defining Threats to Personal Data Security Relevant in the Processing of Personal Data in Personal Data Information Systems Operated in Areas Whose Normative and Legal Regulation is Carried Out by the Ministry of Labor and Social Protection of the Russian Federation» dated 05.10.2020;
- Presidential Decree No. 188 «On Approving the List of Confidential Information» dated 06 March 1997;
- Government Decree No. 512 «On Approving Requirements for Physical Carriers of Biometric Personal Data and Storage Technologies for Such Data Outside of Personal Data Information Systems» dated 6 July 2008;
- and other normative legal acts of the Russian Federation and regulatory documents of authorized government bodies.
1.5. The current version is stored at the location of the Company at the address: 121205 Moscow, Skolkovo Innovation Center, Nobel Street, 7, 2nd floor, room No. 37, workplace No. 2; the electronic version of the Policy is available on the Company's website https://thirdopinion.ai/
1.6. Personal data is processed using automated means or without them.
1.7. The Company is obliged to notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data.
1.8. The General Director of the Company is appointed as responsible for the processing and protection of personal data in accordance with paragraph 1 of Article 18.1 of Law No. 152-FZ.
1.9. With the written consent of employees and clients, their personal data may be posted on the Company's website.
1.10. The Company has the right to make changes to this Policy. When changes are made, the date of the last update of the version is indicated in the title of the Policy.
2. PRINCIPLES FOR ENSURING THE SECURITY OF PERSONAL DATA
2.1. The main task of ensuring the security of personal data (PD) during their processing by the Company is to prevent unauthorized access by third parties and to prevent intentional software, technical, or other impacts aimed at stealing, destroying, or distorting PD during processing.
2.2. The Company, as the operator of personal data, processes the personal data of clients who have entered into agreements with the Company, employees of the Company's counterparties, and the Company's own employees.
2.3. To ensure the security of PD, the Company is guided by the following principles:
- Legality: The protection of PD is based on the provisions of regulatory legal acts and guidelines issued by authorized state bodies in the field of personal data processing and protection;
- Systematic approach: PD processing in the Company is carried out taking into account all interconnected, interacting, and changing over time elements, conditions, and factors significant for understanding and solving the problem of ensuring the security of PD;
- Comprehensiveness: The protection of PD is based on the use of functional capabilities of information technologies implemented in the Company's information systems and other available systems and means of protection;
- Continuity: PD protection is ensured at all stages of their processing and in all operating modes of PD processing systems, including during repair and maintenance work;
- Timeliness: Measures ensuring an appropriate level of PD security are taken before processing begins;
- Continuity and continuous improvement: The modernization and enhancement of measures and means of PD protection are carried out based on the results of the analysis of PD processing practices within the Company, taking into account the identification of new methods and means of implementing PD security threats, as well as domestic and foreign experience in information protection;
- Personal responsibility: Responsibility for ensuring PD security is assigned to employees within the scope of their duties related to the processing and protection of PD;
- Minimization of access rights: Access to PD is granted to employees only to the extent necessary to perform their job duties;
- Flexibility: Ensuring the performance of PD protection functions when changing the characteristics of the functioning of the Company's personal data information systems, as well as the volume and composition of processed PD;
- Specialization and professionalism: The implementation of PD security measures is carried out by employees with the necessary qualifications and experience;
- Effectiveness of personnel selection procedures: The Company's personnel policy provides for careful staff selection and motivation of employees to eliminate or minimize the possibility of PD security violations by them;
- Observability and transparency: Measures to ensure PD security should be planned so that the results of their application are clearly observable (transparent) and can be evaluated by those who control them;
- Continuous control and evaluation: Procedures for the continuous monitoring of the use of PD processing and protection systems are established, and the results of the control are regularly analyzed.
2.4. The Company does not process PD that is incompatible with the purposes for which it was collected. Unless otherwise provided by Federal Law No. 152-FZ «On Personal Data» dated 27.07.2006, upon the completion of PD processing by the Company, including when the processing goals have been achieved or when there is no longer a need to achieve these goals, the PD processed by the Company are destroyed or anonymized.
2.5. During PD processing, their accuracy, sufficiency, and, if necessary, relevance concerning the purposes of processing are ensured. The Company takes the necessary measures to delete or clarify incomplete or inaccurate PD.
3. PROCESSING OF PERSONAL DATA
3.1. Obtaining Personal Data:
3.1.1. All personal data must be obtained from the subject of the personal data. If personal data can only be obtained from a third party, the personal data subject must be notified of this, and written consent must be obtained from them.
3.1.2. The Company must inform the personal data subject about the purposes, expected sources, and methods of obtaining the personal data, the nature of the personal data to be obtained, the list of actions to be performed with the personal data, the duration for which consent is valid, the procedure for revoking it, as well as the consequences of the personal data subject refusing to provide written consent for its collection.
3.1.3. Documents containing personal data are created by:
- Copying original documents (passport, educational documents, ITN certificate, pension certificate (if applicable), and other information (if applicable));
- Entering information into registration forms;
- Obtaining the necessary original documents (employment record, medical certificate, reference, etc.).
3.2. Processing of Personal Data:
3.2.1. The processing of personal data is carried out:
- With the consent of the personal data subject for processing their personal data;
- In cases where the processing of personal data is necessary for the fulfillment of functions, powers, and duties imposed by the legislation of the Russian Federation;
- In cases where the personal data being processed has been made accessible to an unlimited number of persons by the personal data subject or at their request (hereinafter referred to as «Personal data made publicly available by the personal data subject»).
Employee access to processed personal data is granted in accordance with their job responsibilities, internal Company documents, and is regulated by an order from the Company's General Director.
Employees authorized to process personal data must, under their signature, familiarize themselves with the Company’s documents establishing the procedure for processing personal data, including documents specifying the rights and obligations of specific employees.
The Company eliminates identified violations of the legislation on the processing and protection of personal data.
3.2.2. Purposes of Personal Data Processing:
The Company collects and processes personal data for the following purposes:
- Remote interaction between the Company and clients or other interested parties within the framework of service and information support using telephone communication, instant messaging services, IP telephony, and email;
- Remote interaction between the Company and clients or other interested parties through the Company's website on the Internet;
- Organizing and conducting events aimed at increasing recognition and loyalty towards the Company, as well as promoting the Company's services;
- Conducting tenders, handling contractual work unrelated to the main activities of the Company, within the framework of establishing, changing, and terminating relationships between the Company and third parties, as well as issuing powers of attorney for representing the Company's interests;
- Participation in civil, arbitration, criminal, and administrative proceedings, and execution of court rulings;
- Analyzing site traffic and optimizing the operation of the Company's website.
3.2.3. Categories of Personal Data Subjects:
The Company collects and processes personal data from the following categories of personal data subjects:
- Actual clients of the Company;
- Potential clients of the Company;
- Family members and other relatives of actual and potential clients of the Company;
- Representatives (by law or by power of attorney) of actual and potential clients of the Company;
- Employees and representatives of external medical organizations;
- Employees and representatives of the Company's current counterparties (legal entities), including insurance and assistance companies;
- Persons applying for vacant positions in the Company;
- Current and potential counterparties of the Company (individuals);
- Employees and representatives of the Company's current and potential counterparties (legal entities);
- Visitors to private and public events organized by the Company;
- Employees of legal entities and individuals representing the interests of the Company;
- Persons participating in civil, arbitration, criminal, and administrative proceedings and enforcement procedures (in which the Company is a participant);
- Visitors to the Company's premises, buildings, and territory;
- Visitors to the Company's website https://thirdopinion.ai/
3.2.4. Personal Data Processed by the Company:
- Obtained in the course of civil relations;
- Obtained in the course of medical activities;
- Obtained during advertising and marketing campaigns, etc.
3.2.5. The Company has established the following conditions for terminating the processing of personal data:
- Achievement of the purposes for processing personal data and the maximum retention periods established by the legislation of the Russian Federation;
- Loss of the necessity to achieve the purposes for processing personal data;
- Submission by the personal data subject or their legal representative of documented evidence that the personal data was obtained unlawfully or is not necessary for the stated purpose of processing;
- Impossibility of ensuring the legality of processing personal data;
- Withdrawal by the personal data subject of consent to the processing of personal data, if the retention of personal data is no longer required for processing purposes;
- Withdrawal by the personal data subject of consent to the publication of personal data in a publicly available source;
- Expiration of the statute of limitations for legal relationships in which personal data was or is being processed.
3.3. Processing of Personal Data is carried out:
- Using automated means;
- Without the use of automated means.
3.4. Storage of Personal Data:
3.4.1. Personal data of subjects can be obtained, further processed, and transferred for storage both on paper and in electronic form.
3.4.2. Personal data recorded on paper is stored in locked cabinets or in locked rooms with restricted access rights.
3.4.3. Personal data of subjects processed using automated means for different purposes are stored in separate folders (tabs).
3.4.4. Storing and placing documents containing personal data in open electronic catalogs (file-sharing services) within the personal data information system (PDIS) is not allowed.
3.4.5. Personal data, in a form that allows the identification of the personal data subject, is stored no longer than required for the purposes of processing, and is subject to destruction when the purposes of processing are achieved or when it is no longer necessary to achieve them.
3.5. Destruction of Personal Data:
3.5.1. Destruction of documents (media) containing personal data is carried out by burning, shredding (grinding), chemical decomposition, or turning into a shapeless mass or powder. The use of a shredder is allowed for destroying paper documents.
3.5.2. Personal data on electronic media is destroyed by erasing or formatting the media.
3.6. Transfer of Personal Data:
3.6.1. The Company transfers personal data to third parties if the personal data subject has given their consent to such actions, or if the transfer is provided for by Russian or other applicable legislation as part of the procedure established by law.
4. PROTECTION OF PERSONAL DATA
4.1. The main measures for the protection of personal data (PD) used by the Company are:
4.1.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, provides training and instruction, and conducts internal control over the compliance of the Company and its employees with the requirements for the protection of personal data;
4.1.2. Identification of current security threats to personal data during their processing and the development of measures and actions for the protection of personal data;
4.1.3. Development of a policy regarding the processing of personal data;
4.1.4. Establishment of rules for access to personal data, as well as ensuring the registration and recording of all actions performed with personal data;
4.1.5. The use of information protection measures that have undergone the required conformity assessment procedure, the accounting of personal data media, and ensuring their security;
4.1.6. Certified antivirus software with regularly updated databases;
4.1.7. Certified information security software to protect against unauthorized access;
4.1.8. Certified firewalls and intrusion detection systems;
4.1.9. Compliance with conditions that ensure the security of personal data and prevent unauthorized access to them, as well as the evaluation of the effectiveness of measures implemented to ensure the security of personal data;
4.1.10. Establishment of rules for access to processed personal data, ensuring the registration and recording of actions performed with personal data, as well as the detection of unauthorized access to personal data and taking appropriate measures;
4.1.11. Restoration of personal data modified or destroyed as a result of unauthorized access;
4.1.12. Training of employees of the Company directly involved in the processing of personal data on the provisions of Russian Federation legislation on personal data, including requirements for the protection of personal data, documents defining the Company's policy on the processing of personal data, and local regulations on personal data processing;
4.1.13. Implementation of internal control and auditing;
4.1.14. Employees of the Company directly involved in the processing of personal data must, before beginning their work, acknowledge in writing their familiarity with the provisions of Russian Federation legislation on personal data, including requirements for the protection of personal data, this Policy, and any amendments to it (if applicable).
5. MAIN RIGHTS OF THE PERSONAL DATA SUBJECT AND OBLIGATIONS OF THE COMPANY
5.1. Main rights of the personal data subject:
5.1.1. The personal data subject has the right to obtain information regarding the processing of their personal data, including:
- Confirmation of the fact of the processing of personal data by the Company;
- Legal grounds and purposes of the processing of personal data;
- The purposes and methods used by the Company for processing personal data;
- The name and location of the Company, information about persons (except Company employees) who have access to personal data or to whom personal data may be disclosed under a contract with the Company or under applicable Federal Law;
- Processed personal data related to the respective personal data subject, the source of their receipt if a different procedure for providing such data is not stipulated by applicable Federal Law;
- The terms of the processing of personal data, including the terms of storage;
- The procedure for exercising the personal data subject's rights provided for by Federal Law «On Personal Data» dated 27.07.2006 No. 152-FZ, information on any actual or intended cross-border data transfer;
- The name or last name, first name, patronymic, and address of the person processing the personal data on behalf of the Company, if the processing has been or will be entrusted to such a person;
- Other information provided for by Federal Law «On Personal Data» dated 27.07.2006 No. 152-FZ or other Federal laws.
5.1.2. The personal data subject has the right to demand that the Company clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, obtained unlawfully, or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.
5.2. Obligations of the Company:
5.2.1. The Company is obligated to:
- When collecting personal data, provide the subject with information about the processing of their personal data;
- In cases where personal data was not obtained from the personal data subject, notify the subject;
- When refusing to provide personal data, explain the consequences of such refusal to the subject;
- Publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data and to the information about the implemented requirements for the protection of personal data;
- Take necessary legal, organizational, and technical measures or ensure their implementation to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions concerning personal data;
- Respond to inquiries and requests from personal data subjects, their representatives, and the authorized body for the protection of personal data subjects' rights;
- Not disclose personal data to third parties without the written consent of the subject, except in cases where this is necessary to prevent a threat to the life and health of the employee, as well as in other cases provided for by the Labor Code or other Federal laws of the Russian Federation;
- Not disclose personal data for commercial purposes without the subject's written consent;
- Inform persons receiving personal data that such data may only be used for the purposes for which it was disclosed and require those persons to confirm that this rule is followed;
- Allow access to personal data only to specially authorized persons, and such persons should only be entitled to receive the personal data necessary for performing specific functions.
6. LIABILITY FOR VIOLATION OF REGULATIONS GOVERNING THE PROCESSING AND PROTECTION OF PERSONAL DATA
6.1. Persons found guilty of violating the provisions of the legislation of the Russian Federation in the field of personal data during the processing of personal data of personal data subjects are subject to disciplinary and material liability in the manner established by the Labor Code and other federal laws, as well as to civil, administrative, and criminal liability as established by the Federal laws of the Russian Federation.
7. COLLECTION OF PERSONAL DATA USING THE COMPANY'S WEBSITE
7.1. The Company's website uses «cookies» and collects the following information about visitors to improve the website’s functionality: visitor’s IP address, date and time of website visit, types of browsers and operating systems, type and model of mobile device.
7.2. When using electronic services and providing personal data through the Company's website, the user's information will not be used by the Company for any purposes other than fulfilling their specific request.
7.3. By using the website and/or providing their personal data to the Company, the website user (personal data subject) consents to the processing of their personal data under the terms provided in this Policy.
7.4. If the user disagrees with this Policy, they should not use the website or provide their personal data to the Company.