The document defines the operator’s policy regarding the processing of personal data of users and employees under an employment contract (hereinafter referred to as employees) and contains information on the protection of such data.
The operator is NPP FILLIN LLC.
- Terms and definitions
1.1. Website – https://www.fillin.pro/.
1.2. User – any visitor to the Site.
1.3. Personal data – any information related directly or indirectly to a specific or identifiable user, employee.
1.4. Personal data processing is any action (operation) or set of actions (operations) with personal data performed with or without automation tools.
The processing of personal data includes the collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision),
blocking, deletion, destruction of personal data.
1.5. Automated personal data processing is the processing of personal data using computer technology.
1.6. Blocking of personal data is the temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data).
1.7. Cookies are identification files stored on the client’s system. - Legal grounds for personal data processing
2.1. The legal grounds for processing personal data by the operator are:
— The Constitution of the Russian Federation;
— The Labor Code of the Russian Federation;
— Federal Law “On Information, Information Technologies and Information Protection” dated 27.07.2006 N 149-FZ;
— Users’ consent to the processing of their personal data;
— Consent of employees to the processing of their personal data;
— Consent to receive newsletters of an advertising or informational nature;
— Employment contracts;
— Purchase and sale agreements with users.
- Conditions of personal data processing
3.1. Conditions for processing personal data of employees in order to comply with labor legislation:
3.1.1. List of personal data processed: surname, first name, patronymic, gender, age, date and place of birth, marital status,
information about the composition of the family that the employer may need to provide benefits provided for by labor and tax legislation, data on education and qualifications,
professional training, information about advanced training, address of registration at the place of residence and address of actual residence, contact phone number, passport data, information about military registration, information about the number and series of the insurance certificate of state pension insurance, information about the taxpayer identification number, information about work experience, previous jobs, income from previous jobs jobs, information about admission, transfer, dismissal and other events related to work, income information, information about business and other personal qualities that are evaluative.
3.1.2. Methods of personal data processing: mixed processing of personal data – using automation tools and without the use of such tools.
3.1.3. Terms of processing and storage of personal data: from the moment of submitting consent to the operator until the date of liquidation of the legal entity (operator) or until the employee withdraws consent to the processing of his personal data or the detection of unlawful processing
of personal data.
3.1.4. List of actions with personal data: collection, systematization, storage, recording, accumulation, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
3.2. Conditions for processing personal data of users under purchase and sale agreements in order to fulfill contractual obligations:
3.2.1. List of processed personal data: surname, first name, patronymic, registration address, contact phone number, e-mail, passport data, bank details.
3.2.2. Methods of personal data processing: mixed processing of personal data – using automation tools and without the use of such tools.
3.2.3. Terms of processing and storage of personal data: from the moment of submitting consent to the operator until the date of liquidation of the legal entity (operator) or until the user withdraws consent to the processing of his personal data or the detection of unlawful processing
of personal data.
3.2.4. List of actions with personal data: collection, systematization, storage, recording, accumulation, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
3.3. Conditions for processing users’ personal data for the purpose of advertising:
3.3.1. List of processed personal data: last name, first name, patronymic, e-mail, contact phone number.
3.3.2. Methods of personal data processing: mixed processing of personal data – using automation tools and without the use of such tools.
3.3.3. Terms of processing and storage of personal data: from the moment of submitting consent to the operator until the date of liquidation of the legal entity (operator) or until the user withdraws consent to the processing of his personal data or the detection of unlawful processing
of personal data.
3.3.4. List of actions with personal data: collection, systematization, storage, recording, accumulation, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
3.4. The Website is the collection and processing of anonymous data about visitors (including cookies) using internetsatellite services (Yandex Metric and Google Analytics and others). - Transfer of personal data to third parties
4.1. The Operator has the right to transfer users’ personal data to its partners:
SDEK-GLOBAL LLC (TIN 7722327689, location – Novosibirsk), Business Lines LLC (TIN 7826156685, location – Saint Petersburg), Russian Post JSC (TIN
7724490000, location – Moscow), PEK LLC (TIN 7721823853, location – Moscow) in order to fulfill contractual obligations under purchase and sale agreements.
4.2. The list of personal data of users transferred to third parties: last name, first name, patronymic, registration address, contact phone number, e-mail.
4.3. Methods of personal data processing: mixed processing of personal data – using automation tools and without the use of such tools.
4.4. List of actions with personal data performed by third parties: collection, systematization, storage, recording, accumulation, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
4.5. Terms of processing and storage of personal data: from the moment of submitting consent to the operator until the date of liquidation of the legal entity (operator) or until the user withdraws consent to the processing of his personal data or the detection of unlawful processing
of personal data. - Personal data protection measures
5.1. When processing personal data, the operator, at its discretion, takes the necessary legal, organizational and technical measures to protect them from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful
actions with respect to personal data, namely:
● identifies threats security of personal data during their processing in personal data information systems
● applies organizational and technical measures to ensure the security of personal data, including when processing them in personal data information systems necessary to meet the requirements for personal data protection, the implementation
of which ensures the levels of personal data security established by the Government of the Russian Federation.
● evaluates the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system
● ensures timely detection of unauthorized access to personal data and takes necessary measures to prevent such cases and eliminate their consequences.
● restores personal data that has been modified or destroyed due to unauthorized access to it
● establishes rules for access to personal data processed in the personal data information system, as well as ensures registration and accounting of all actions performed with personal data in the personal
data information system
● provides control over the measures taken to ensure the security of personal data and the level of security of personal data information systems
● publishes the Privacy Policy on the Website and provides unlimited access to it
● carries out internal control over the compliance of personal data processing with the legislation on personal data
● determines where personal data is stored
● Stores information on paper in lockable cabinets. - Procedure for responding in case of violation of processing or revocation of personal data
6.1. In case of detection of unlawful processing of personal data or identification of inaccurate personal data when contacting the user, employee or authorized body, the operator is obliged to block the unlawfully or inaccurately processed personal data related to this user, employee.
6.2. In case of confirmation of the inaccuracy of personal data, the operator, based on the information provided by the user, employee or authorized body, or other necessary documents, is obliged to clarify the personal data within 7 working days from the date of submission of such information and to remove the blocking of personal data. - 6.3. In case of detection of unlawful processing of personal data, the operator is obliged to stop the unlawful processing of personal data within a period not exceeding 3 working days from the date of this detection.
- 6.4. If it is impossible to ensure the legality of the processing of personal data, the operator is obliged to destroy such personal data within a period not exceeding 10 working days from the date of detection of the unlawful processing of personal data.
- 6.5. The operator is obliged to notify the user or the employee about the elimination of violations or the destruction of personal data, and if the request of the user, employee or the request of the authorized body has been sent by the authorized body, also the specified body.
- 6.6. If the fact of unlawful or accidental transfer (provision, dissemination, access) of personal data is established, which has resulted in a violation of the rights of the user, the employee, the operator is obliged to notify the authorized body from the moment such incident is identified by the operator, the authorized
- body or another interested person.:
- within 24 hours about the incident, about the alleged causes that led to the violation of the rights of users, employees and the alleged harm caused to their rights, about the measures taken to eliminate the consequences of the relevant incident, and
provide information about the person authorized by the operator to interact with the authorized body - within 72 hours on the results of the internal investigation of the identified incident, as well as provide information about the persons whose actions caused the identified incident (if
any).
6.7. If the user or employee withdraws consent to the processing of his personal data, the operator is obliged to terminate them processing and, if the storage of personal data is no longer required for the purposes of personal data processing, destroy the personal data on time.,
not exceeding 30 days from the date of receipt of the specified review.
6.8. If a user or employee requests the operator to stop processing personal data, the operator must stop processing them within a period not exceeding 10 working days from the date of receipt by the operator of the relevant request, except in cases provided for by law. The specified period may be extended, but
for no more than 5 working days if the operator sends a reasoned notification to the user or employee, indicating the reasons for extending the deadline for providing the requested information.
6.9. If it is not possible to destroy personal data, the operator blocks such personal data and ensures the destruction of personal data within a period of no more than 6 months, unless another period is established by federal laws.
6.10. In order to revoke consent to the processing of personal data or request the termination of personal data processing, the user or employee sends a letter requesting the termination of personal data processing in the same form in which consent to processing was previously given to the operator’s email address, to the operator’s postal address, or
hands the letter to the operator by hand.
6.11. The request for termination of personal data and revocation of consent to the processing of personal data must contain data allowing identification of the user, the employee, the personal signature of the applicant or his representative, information confirming the fact of processing personal data by the operator and the requirement of which
personal data the user, the employee withdraws, or in relation to which personal data processing must be stopped. - The procedure for responding to requests from users, employees and authorized bodies
7.1. The request of the user or employee regarding the processing of his personal data must contain:
● information about the main document certifying his identity or his representative (number, series, information about the date of issue and the issuing authority);
● information confirming the processing of personal data by the operator;
● signature of the personal data subject or his representative.
7.2. The request may be sent in the form of an electronic document and signed with an electronic signature.
7.3. The deadline for responding to a request from a user, employee, or authorized body for the protection of the rights of personal data subjects is 10 business days from the date of receipt of the request. - Procedure for the destruction of personal data
8.1. After the expiration of the storage period for documents containing personal data, the documents must be destroyed.
8.2. For this purpose, the operator creates an expert commission. The Commission draws up an act on the allocation of documents not subject to storage for destruction.
8.3. After that, the documents are destroyed.
8.4. Personal data in electronic form is erased from information media, or the media themselves on which the information is stored are physically destroyed. - Rights and obligations of the parties
9.1. The User has the right to - Request clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing
- Revoke consent to the processing of personal data
- Request a list of processed personal data held by the operator and the source of their receipt.
- Receive information about the processing time of personal data, including the duration of their storage.
- To appeal against illegal actions or omissions of the operator when processing his personal data
9.2. The User is obliged to - Provide reliable information about your personal data.
- Update and supplement the information provided about personal data in case of changes to this information.
9.3. The Operator has the right to - Defend their interests in court.
- Provide the user’s personal data to third parties in accordance with the Policy.
- To refuse to provide personal data in cases stipulated by law.
- To use the user’s personal data without his consent, in cases stipulated by the legislation of the Russian Federation.
- Independently determine the composition and list of measures necessary and sufficient to ensure the protection of the user’s personal data.
9.4. The Operator is obliged to - Use the information received exclusively for the purposes specified in the Policy.
- Ensure that confidential information is kept confidential, not disclosed without the user’s prior written permission, and not sold, exchanged, published, or otherwise disclosed
the user’s personal data, except as specified
in the Policy. - Take precautions to protect the confidentiality of the user’s personal data.
- Block personal data related to the relevant user from the moment of the user’s request or request, or his legal representative or authorized body for the protection of the rights of personal data subjects for the period
of verification, in case of identification of false personal data or illegal actions. - Dispute
Resolution 10.1. Prior to filing a claim with the court for disputes arising from the relationship between the user, employee and operator, a claim may be filed (a written proposal for a voluntary settlement of the dispute).
10.2. The recipient of the claim shall notify the claimant in writing of the results of the claim review within 10 business days from the date of receipt of the claim.
10.3. If an agreement is not reached, the dispute will be referred to the court in accordance with the current legislation of the Russian Federation.
10.4. The current legislation of the Russian Federation applies to the Privacy Policy and the relationship between the user, employee and operator.
10.5. All additional questions or suggestions regarding the Privacy Policy, as well as the processing of personal data, should be sent to the operator’s email address. - Final provisions
11.1. The User or employee can receive any clarifications on issues of interest related to the processing of his personal data by contacting the operator via e-mail.
11.2. This document will reflect any changes to the operator’s personal data processing policy. The policy is valid indefinitely until it is replaced by a new version.
11.3. The current version of the Policy is freely available on the Internet at fillin.pro . - Operator’s contacts
NPP FILLIN LLC
TIN 5406996575
OGRN 1185476101678
info@fillin.pro