Rules for the personal data processing

1. General provisions

1.1. This Policy of CFD LLC (hereinafter referred to as the Operator) regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in order to ensure the protection of the rights and freedoms of the subject of personal data when processing his personal data, including the protection of the rights to privacy, personal and family secrets.

This Policy applies to personal data received both before and after the entry into force of this Policy.

Understanding the importance and value of personal data, as well as taking care of the observance of the constitutional rights of citizens of the Russian Federation, the Operator ensures reliable protection of personal data.

This Policy applies to all information that the Operator receives through its official website at www.cphd.ru, its programs and products. This Policy is also applicable to information received by the Operator from personal data subjects by telephone, e-mail, fax, telegram, mail, etc., as well as through electronic forms and feedback forms posted on the Operator's website and filled in by personal data subjects in the process of monitoring the safety of circulation of medicines and medical devices.

This Policy applies to all personal data processing processes, regardless of the form of personal data provision.

The use by the subject of personal data of the website services, as well as the provision by the subject to the Operator of his personal data in any way, including as provided for in paragraph 4 of this section, means the subject's unconditional consent to this Policy and the terms of processing of his personal data (the provision of information is an automatic expression of consent). In case of disagreement with these terms, the personal data subject must refrain from using the services.

The fact of filling out electronic forms, feedback forms, as well as other use of the site is a confirmation of familiarization with the terms of this Policy and unconditional acceptance of its terms.

By informing the Operator of his e-mail address and phone number, the subject of personal data (the user of the site) consents to the use of these means of communication by the Operator.

In case of questions and complaints, the subject of personal data (the visitor / user of the site) can contact the Operator by phone at 8-800-234-61-16, by e-mail at safety@cphd.ru, or in another accessible and convenient way.

The Operator's website may contain links to third-party sites and services that are not controlled by the Operator, and therefore the Operator is not responsible for the security or confidentiality of any information collected by third-party sites or services.


1.2. The Operator receives and processes personal data in accordance with the following regulations and legal acts:

- The Constitution of the Russian Federation;

- The Labor Code of the Russian Federation;

- The Civil Code of the Russian Federation;

- Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";

- Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter - the Federal Law "On Personal Data");

- Federal Law No. 61-FZ of 12.04.2010 "On Circulation of Medicines";

- other regulatory legal acts of the Russian Federation.


1.3. Basic concepts used in the Policy:

1.3.1. Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).

1.3.2. Personal data processing - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use. The processing of personal data includes, among other things:

collection;

record;

systematization;

accumulation;

keeping;

clarification (update, change);

extraction;

usage;

transfer (distribution, provision, access);

depersonalization;

blocking;

removal;

destruction.

1.3.3. Automated processing of personal data - processing of personal data using computer technology.

1.3.4. Dissemination of personal data - actions aimed at disclosure of personal data to an indefinite circle of persons.

1.3.5. Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons.

1.3.6. Blocking of personal data - temporary termination of processing of personal data (except in cases where processing is necessary to clarify personal data).

1.3.7. Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

1.3.8. Depersonalization of personal data - actions as a result of which it becomes impossible to determine whether personal data belongs to a specific subject of personal data without the use of additional information.

1.3.9. Personal data operator (operator) - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.

1.3.10. Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing.

1.3.11. Pharmacovigilance - a type of activity for monitoring the effectiveness and safety of medicines, aimed at identifying, evaluating and preventing undesirable consequences of the use of medicines.

1.3.12. Medical worker (subject of personal data) - an individual who has a medical or other education, works in a medical organization and whose labor (official) duties include the implementation of medical activities, or an individual who is an individual entrepreneur directly engaged in medical activities.

1.3.13. Pharmaceutical worker (subject of personal data) - an individual who has a pharmaceutical education, works in a pharmaceutical organization and whose work responsibilities include wholesale of medicines, their storage, transportation and (or) retail sale of medicines for medical use (hereinafter referred to as medicines), their manufacture, dispensing, storage and transportation.

1.3.14. Reporter (subject of personal data) - any natural person who reported the occurrence of an undesirable event when using a medicinal product.

1.3.15. Patient (subject of personal data) - an individual who has directly experienced an undesirable event during the use of a medicinal product.

1.3.16. Citizens (subjects of personal data) - individuals who have concluded a civil contract with the Operator.

1.3.17. Employees (subjects of personal data) - individuals who are in an employment relationship with the Operator.

1.4. The operator, having gained access to personal data, is obliged to respect the confidentiality of personal data - not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.


2. Basic rights of personal data subjects and obligations of the Operator

2.1. The subject of personal data has the right to receive information concerning the processing of his personal data, including:

1) confirmation of the fact of processing of personal data by the Operator;

2) legal grounds and purposes of personal data processing;

3) purposes and methods of personal data processing used by the Operator;

4) the name and location of the Operator, information about persons (with the exception of the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;

5) processed personal data relating to the relevant subject of personal data, the source of their receipt, unless another procedure for the submission of such data is provided by federal law;

6) terms of processing of personal data, including the terms of their storage;

7) the procedure for the exercise by the subject of personal data of the rights provided for by federal law;

8) information on the transborder data transfer carried out or proposed;

9) the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such a person;

10) other information provided by the Federal Law "On Personal Data" or other federal laws.

The right of a personal data subject to access his personal data may be restricted in accordance with federal laws.

2.2. The subject of personal data has the right to demand from the Operator the clarification of his personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.


2.3. The personal data operator is obliged to:

- when collecting personal data, provide the information provided for in Part 7 of Article 14 of the Federal Law "On Personal Data";

- notify the subject of personal data about the processing of personal data if the personal data was not received from the subject of personal data;

- in case of refusal to provide personal data, explain the consequences of such refusal to the subject;

- to publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data;

- take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions with respect to personal data;

- provide answers to inquiries and requests of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects;

- to provide the subject of personal data, upon his request, with information concerning the processing of his personal data, or to legally provide a refusal;

- at the request of the personal data subject, clarify the processed personal data, or block or delete it, if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;

- when collecting personal data, including through the Internet information and telecommunications network, the Operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of Part 1 of Article 6 of the Federal Law "On Personal Data";

- in case of achievement of the purpose of personal data processing, immediately terminate the processing of personal data and destroy the relevant personal data within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided by federal laws, and notify the personal data subject or his legal representative, and, if the inquiry or request was sent by the authorized body for the protection of the rights of personal data subjects, also the specified body;

- if the subject of personal data withdraws consent to the processing of their personal data, terminate the processing of personal data and destroy personal data within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement between the Operator and the subject of personal data;

- notify the subject of personal data about the destruction of his personal data.


3. Principles of personal data processing

3.1. Processing of personal data of citizens and employees is carried out on the basis of the following principles:

1) The processing of personal data must be carried out on a legal and fair basis.

2) The processing of personal data should be limited to achieving specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed.

3) It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other.

4) Only personal data that meet the purposes of their processing are subject to processing.

5) The content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be redundant in relation to the stated purposes of their processing.

6) When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured. The operator must take the necessary measures or ensure that they are taken to delete or clarify incomplete or inaccurate data.

7) The storage of personal data must be carried out in a form that allows determining the subject of personal data, no longer than the purposes of personal data processing require, unless the storage period of personal data is established by the Federal Law "On Personal Data", an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

8) Continuity: personal data protection is ensured at all stages of their processing and in all modes of operation of personal data processing systems, including during repair and routine maintenance.

9) Timeliness: measures to ensure an appropriate level of security of personal data are taken before the start of their processing.

10) Succession and continuity of improvement: modernization and enhancement of measures and means of personal data protection is carried out on the basis of the results of the analysis of the Operator's personal data processing practices, taking into account the emergence of new ways and means of implementing threats to the security of personal data, and domestic and foreign experience in the field of information protection.

11) Personal responsibility: responsibility for ensuring the security of personal data is assigned to employees within the limits of their duties related to the processing and protection of personal data.

12) Minimization of access rights: access to personal data is provided to employees only to the extent necessary for the performance of their official duties.

13) Flexibility: ensuring the performance of personal data protection functions when the characteristics of the Operator's personal data information systems change, as well as the volume and composition of personal data processed.

14) Specialization and professionalism: the implementation of measures to ensure the security of personal data is carried out by employees with the necessary qualifications and experience.

15) Efficiency of personnel selection procedures: the personnel policy of the Operator provides for careful selection of personnel and motivation of employees, which allows to exclude or minimize the possibility of their violating the security of personal data.

16) Observability and transparency: measures to ensure the security of personal data should be planned so that the results of their application are clearly observable (transparent) and can be evaluated by persons exercising control.

17) Continuity of control and evaluation: procedures for continuous monitoring of the use of personal data processing and protection systems are established, and the results of control are regularly analyzed.


3.2. The Operator does not process personal data incompatible with the purposes of their collection. Unless otherwise provided by federal law, upon termination of the processing of personal data by the Operator, including upon achievement of the purposes of their processing or the loss of the need to achieve these goals, the personal data processed by the Operator is destroyed or depersonalized.


3.3. When processing personal data, their accuracy, sufficiency, and, if necessary, relevance in relation to the purposes of processing are ensured.


3.4. The Operator takes the necessary measures to delete or clarify incomplete or inaccurate personal data.


3.5. The security of the Operator's personal data is ensured by the implementation of agreed measures aimed at preventing (neutralizing) and eliminating threats to the security of personal data, minimizing possible damage, as well as measures to restore data and the operation of personal data information systems in the event of threats.


4. Purposes of personal data collection and processing

4.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed.


4.2. The purposes of personal data processing are defined by legal acts regulating the Operator's activities, including the legislation of the Russian Federation in the field of personal data protection for the purposes of pharmacovigilance, which is carried out by the Federal Service for Supervision in the Field of Healthcare (hereinafter - Roszdravnadzor) by analyzing the information provided by the subjects of the circulation of medicines on side effects of medicines, adverse reactions, serious adverse reactions, unforeseen adverse reactions when using medicines, individual intolerance, lack of efficacy of medicines (hereinafter referred to as adverse reactions), as well as other facts and circumstances that pose a threat to human life or health during the use of medicines (hereinafter - other information on safety and efficacy) identified at all stages of the circulation of medicines in the Russian Federation and other states, in order to identify possible negative consequences of their use and individual intolerance, to warn medical workers and patients, and to protect them from the use of such drugs.


4.3. The Operator processes personal data exclusively for the following purposes:

- ensuring compliance with federal laws, the legislation of the Russian Federation in the field of personal data and other regulatory legal acts, taking into account the provisions of the Federal Law "On Personal Data";

- registration of labor relations, calculation and issuance of wages or other income;

- fulfillment of the requirements of the tax and pension legislation of the Russian Federation in connection with the calculation and payment of personal income tax on the amount of income, insurance premiums for compulsory medical and pension insurance, the formation and submission of the reporting established by the legislation of the Russian Federation (personalized income data, the amount of withheld personal income tax, etc.) to the Pension Fund of the Russian Federation, the Federal Tax Service of the Russian Federation and the Social Insurance Fund of the Russian Federation, as well as the provision of information to third parties in cases provided for by federal laws and other regulatory legal acts of the Russian Federation;

- organization of personnel records of the Operator, personnel records management;

- assistance to employees in employment, training, professional development and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of the employer's property;

- fulfillment of contractual obligations;

- formation of information messages to patients;

- implementation of monitoring of the safety of circulation of medicines and medical devices;

- conducting clinical and/or non-interventional studies;

- provision of service mobile communication;

- organization of business trips of employees;

- issuance of powers of attorney;

- participation in the Operator's events;

- for other purposes that do not contradict the current legislation of the Russian Federation.


5. Legal grounds for processing personal data

5.1. The legal basis for the processing of personal data is:

- a set of legal acts pursuant to which and in accordance with which the Operator processes personal data: the Constitution of the Russian Federation; Articles 86-90 of the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 61-FZ of 12.04.2010 "On the Circulation of Medicines", other regulatory legal acts of the Russian Federation;

- contracts concluded between the Operator and the subject of personal data;

- consent to the processing of personal data (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the Operator).


6. Scope and categories of personal data processed, categories of personal data subjects

6.1. The content and volume of the processed personal data correspond to the stated purposes of processing. The processed personal data should not be redundant in relation to the stated purposes of their processing.


6.2. The categories of subjects of personal data processed by the Operator include:

6.2.1. Employees of the Operator, former employees, as well as close relatives of employees, candidates for work.

6.2.2. Individuals who have concluded civil contracts with the Operator.

6.2.3. Individuals who are members of the Operator's management bodies and are not employees of the Operator.

6.2.4. Contractors - representatives of legal entities in contractual relations with the Operator.

6.2.5. Medical workers.

6.2.6. Pharmaceutical workers.

6.2.7. Reporters.

6.2.8. Patients, relatives of patients, representatives of patients (by virtue of the law or on the basis of a power of attorney).

6.2.9. Other persons who have given the Operator their consent to the processing of personal data.


6.3. Personal data processed by the Operator:

- data obtained during the implementation of labor relations;

- data obtained for the selection of candidates for work;

- data obtained during the implementation of civil law relations;

- data received from individuals who are members of the Operator's management bodies;

- data received from contractors - representatives of legal entities in contractual relations with the Operator;

- data obtained during clinical and/or non-interventional studies;

- data obtained during the implementation of pharmacovigilance.


6.4. Personal data processing is conducted:

- using automation tools;

- without using automation tools.


7. Processing of personal data

7.1. Receiving personal data

7.1.1. All personal data should be obtained from the subject himself or from his authorized representative in cases established by the current legislation of the Russian Federation. If the subject's personal data can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.

7.1.2. The operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid and the procedure for its withdrawal, as well as the consequences of the subject's refusal to give written consent to receive them.

7.1.3. The receipt of personal data is carried out on the basis of the written consent of the subject, except in cases expressly provided for by the current legislation of the Russian Federation.

In cases provided for by federal legislation, personal data processing is carried out only with the written consent of the Citizen and the Employee. Consent in the form of an electronic document signed in accordance with the Federal Law "On Personal Data" with an electronic signature is considered equivalent to a written consent on paper containing a handwritten signature of a Citizen and an Employee. The written consent of the Citizen and the Employee to the processing of his personal data should include, in particular:

1) surname, first name, patronymic (if any), address of the subject of personal data, number of the main document certifying his identity, information about the date of issue of the specified document and the issuing authority;

2) surname, first name, patronymic (if any), address of the representative of the personal data subject, number of the main document certifying his identity, information about the date of issue of the specified document and the issuing authority, details of a power of attorney or other document confirming the powers of this representative (upon receipt of consent from the representative of the personal data subject);

3) the name and address of the Operator receiving the consent of the personal data subject;

4) purpose of personal data processing;

5) a list of personal data for the processing of which the consent of the personal data subject is given;

6) the name or surname, first name, patronymic (if any) and address of the person processing personal data on behalf of the Operator, if processing will be entrusted to such a person;

7) a list of actions with personal data for which consent is given, a general description of the methods of processing personal data used by the Operator;

8) the period during which the consent of the subject of personal data is valid, as well as the method of its withdrawal, unless otherwise established by federal law;

9) signature of the personal data subject.

No additional consent is required for the processing of personal data contained in the written consent of a Citizen and an Employee for the processing of his personal data.

7.1.4. The procedure for the access of the personal data subject to his personal data processed by the Operator is determined in accordance with the legislation and is determined by the Operator's local regulations.

7.1.5. The Operator has no right to receive and process personal data of the subject concerning race, nationality, political views, religious or philosophical beliefs, intimate life, except in cases provided for by the Federal Law "On Personal Data". In cases directly related to issues of labor relations, in accordance with Article 24 of the Constitution of the Russian Federation, the Operator has the right to receive and process data on the private life of the subject only with his written consent.

7.1.6. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences against the subject or otherwise affect his rights and legitimate interests, except in cases provided for by the Federal Law "On Personal Data".

A decision that generates legal consequences with respect to the subject, or otherwise affects his rights and legitimate interests, may be made on the basis of exclusively automated processing of his personal data only with the written consent of the subject, or in cases provided for by federal legislation, which also establishes measures to ensure compliance with the rights and legitimate interests of the subject of personal data.

7.1.7. Within the framework of pharmacovigilance activities, the Operator collects personal data by:

- a telephone message to a specially allocated number;

- filling out an electronic form on the website www.cphd.ru;

- receiving information by e-mail safety@mail.ru;

- receipt of information by mail to the address of the Operator's location;

- obtaining information directly from clinical trials organized by the Operator;

- informing regulatory authorities.

7.1.8. The full list of personal data of Citizens and Employees collected by the Operator is contained in the local regulatory act of the Operator, with which Citizens and Employees must be familiarized under signature.

7.1.9. In the course of pharmacovigilance, depending on the purposes of processing, the Operator collects the following information related to personal data, observing the principle of reasonable sufficiency:

- Surname, First name, Patronymic (if any) of the reporter;

- Address (registration, actual place of residence) of the reporter;

- Place of work, position of a reporter;

- The address of the reporter's place of work;

- Contact information of the reporter (contact phone number, email address);

- Initials of the patient;

- Gender of the patient;

- Year of birth, Month of birth, Date of birth of the patient;

- Biometric personal data of the patient (height in cm, weight in kg);

- Information about the patient's initial state of health — medical history, including the presence of chronic diseases, allergic reactions, liver and kidney dysfunction;

- Information about medications taken during the last three months, including within the framework of responsible self-medication;

- Information about the patient's health status, including a description of symptoms, syndromes and diagnoses that relate to the reported undesirable event, as well as the results of diagnostic procedures and examinations, including data on the outcome of the event and the prescribed therapy;

- Information about the current pregnancy and its outcomes;

- Other additional information at the request of the reporter/patient.


7.2. Processing of personal data

7.2.1. Personal data processing is carried out:

- with the consent of the personal data subject to the processing of his personal data;

- in cases where the processing of personal data is necessary for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation;

- in cases where the processed personal data has been made accessible to an unlimited number of persons by the subject of personal data or at his request (hereinafter referred to as personal data made publicly available by the subject of personal data).

7.2.2. The access of the Operator's employees to the processed personal data is carried out in accordance with their official duties and the requirements of the Operator's local acts.

7.2.3. Employees admitted to the processing of personal data are familiarized with the Operator's local acts establishing the procedure for processing personal data, including documents establishing the rights and obligations of specific employees.

7.2.4. The Operator eliminates the identified violations of the legislation on the processing and protection of personal data.

7.2.5. The processing of biometric personal data must be carried out in accordance with the requirements for material carriers of biometric personal data and technologies for storing such data outside of personal data information systems.

7.2.6. The Operator does not carry out cross-border transfer of personal data.

7.2.7. The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person (hereinafter referred to as the Operator's order). At the same time, the Operator in the contract obliges the person processing personal data on behalf of the Operator to comply with the principles and rules of personal data processing provided for in this policy and the Federal Law "On Personal Data".

7.2.8. If the Operator entrusts the processing of personal data to another person, the Operator is responsible to the personal data subject for the actions of the specified person. The person who processes personal data on behalf of the Operator is responsible to the Operator.

7.2.9. The Operator undertakes and obliges other persons who have gained access to personal data not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation.


8. Recording information

8.1. During the pharmacovigilance, the responsible person of the Operator enters the received data into the personal case of an undesirable event, assigning it a registration number for further identification, consisting of the date of registration of the case and the serial number, regardless of the source of information.


8.2. Information can be entered using a special electronic data storage and processing system developed by the Operator, or using paper media with further transfer to an electronic system.


9. Accumulation, systematization, clarification of data

9.1. During the implementation of pharmacovigilance, the electronic data storage and processing system developed by the Operator receives data from the above sources by manually entering data by the responsible person of the Operator, as well as through the channels of the Internet automatically. All information is transmitted strictly through coded channels in compliance with security requirements.


9.2. The entire array of received data is systematized by the program automatically by generating the case number and assigning internal statuses of work stages.

The case number is generated from the date of registration of the case and the serial number of the receipt of information in the program. The status system allows you to work with cases in the order of their receipt and systematize information from all sources at the same time.


9.3. If it is necessary to clarify the case data, the responsible person of the Operator contacts the reporter using the provided contact information. All newly received information is entered into the event case using a special electronic data storage and processing system developed by the Operator, or using paper media with further transfer to an electronic system. In this case, the event case is assigned a version number following the previous one, while the case number remains the same. All the changed information that was entered earlier is stored in the previous version.


10. Storage of personal data

10.1. Personal information of a Citizen and an Employee is stored and processed in compliance with the requirements of the current Russian legislation on personal data protection.


10.2. The procedure for storing documents containing personal data of Employees shall be carried out in accordance with:

- Rules establishing the procedure for maintaining and storing workbooks, as well as the procedure for making workbook forms and providing employers with them, approved by the Decree of the Government of the Russian Federation No. 225 "On Workbooks" dated April 16, 2003;

- Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";

- Federal Law No. 152-FZ of July 27, 2006 "On Personal Data";

- Decree of the Government of the Russian Federation dated July 06, 2008 No. 512 "On approval of requirements for material carriers of biometric personal data and technologies for storing such data outside of personal data information systems".

10.3. Processing of personal data of Citizens and Employees of the Operator is carried out in a mixed way:

- non-automated way of processing personal data;

- an automated way of processing personal data (using a PC and special software products).


10.4. Personal data of Citizens and Employees are stored on paper and in electronic form.


10.5. The storage of personal data of Citizens and Employees is carried out no longer than the purposes of their processing require, and they are subject to destruction upon achievement of the processing goals or in case of loss of the need to achieve them.

The storage of documents containing personal data of Citizens and Employees is carried out within the terms of storage of these documents established by the current regulations. After the expiration of the established storage periods, the documents are subject to destruction.


10.6. The Operator restricts access to personal data of Citizens and Employees for persons not authorized by the Operator to obtain the relevant information.


10.7. All collected data within the framework of pharmacovigilance, after being entered into the electronic data storage and processing system developed by the Operator, are stored in the MS SQL database of the program. The program is located on the Operator's server. Information from the Operator's server is subject to regular backup. Data storage period in an electronic data storage and processing system: three years. Backup storage period: indefinitely.

Backup from the Operator is carried out using the Windows Server BackUp program. Data is backed up from the disk array daily at 2:00 to an external HDD media. In folders with important documentation, shadow copies are configured inside the server every 6 hours (the last 64 copies are stored). All copies are fully automatic with subsequent logging. The server disks physically duplicate each other in case one of them fails.

Information on paper media is stored before being transferred to an electronic data storage and processing system in the Operator's archive, and subsequently destroyed by shredding.

At the end of all stages of work with the message, the data generated in one case is sent to Roszdravnadzor of the Yaroslavl region in the manner and terms established separately by the concluded agreement. The information is transmitted in encoded form using direct communication channels. Patient data is transmitted only in an impersonal form.


11. Destruction of personal data

11.1. The destruction of personal data of subjects whose personal data is processed in the personal data information system means actions as a result of which it is impossible to reliably restore the content of personal data in the personal data information system or as a result of which the material carrier of personal data is destroyed.


11.2. The destruction of personal data must comply with the following requirements:

11.2.1. Be as reliable and confidential as possible, excluding the possibility of subsequent recovery.

11.2.2. Be legally formalized in the form of an act on the deletion of personal data.

11.2.3. Be carried out by the commission for the destruction of personal data.

11.2.4. Destruction should concern only those personal data that are subject to destruction in connection with the achievement of the purposes of processing the specified personal data, or the loss of the need to achieve them.

Personal data of personal data subjects are stored no longer than the purposes of their processing require, and are subject to destruction upon achievement of these goals or in case of loss of the need to achieve them, but no more than 30 days from the date of termination of their processing.

11.2.5. Carriers of personal data of personal data subjects are destroyed upon achievement of the purposes of their processing or in case of loss of the need to achieve them as part of the Commission using the following means:

- the destruction of personal data stored in personal data information systems is carried out by deleting the corresponding values in the database by means of the computer operating system, which excludes the possibility of restoring these data;

- the destruction of personal data contained on paper is carried out by shredding into small parts (shredder), excluding the possibility of subsequent recovery of information.


11.3. The person responsible for fulfilling the requirements of this Policy is appointed by order of the Director.


11.4. Within the framework of pharmacovigilance, the deletion of data whose storage period in the electronic data storage and processing system has expired is carried out after archiving the data array to an external hard disk manually. An external hard drive with information is stored in the safe of the Operator's archive.


12. Measures to ensure the security of personal data during their processing

12.1. When processing personal data, the Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions with respect to personal data.


12.2. Ensuring the security of personal data is achieved, in particular:

- identification of threats to the security of personal data during their processing in personal data information systems;

- the publication of local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;

- appointment of the person responsible for the organization of personal data processing;

- the use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;

- the use of certified antivirus software with regularly updated databases;

- establishment of individual passwords for Employees' access to the information system in accordance with their work responsibilities;

- assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;

- keeping records of machine-based personal data carriers;

- detection of unauthorized access to personal data and taking appropriate measures;

- recovery of personal data modified or destroyed due to unauthorized access to them;

- establishing rules for access to personal data processed in personal data information systems, as well as ensuring registration and accounting of all actions performed with personal data in personal data information systems;

- control over the measures taken to ensure the security of personal data and the level of security of personal data information systems;

- verification of the presence in contracts and, if necessary, the inclusion in contracts of clauses on ensuring the confidentiality of personal data;

- maintenance of technical means of protection, alarm systems in constant readiness;

- assessment of the harm that may be caused to personal data subjects in case of violation of the requirements of the legislation of the Russian Federation, the ratio of the specified harm and the measures taken by the Operator aimed at ensuring the fulfillment of obligations provided for by the legislation of the Russian Federation;

- compliance with the conditions that exclude unauthorized access to material carriers of personal data and ensure the safety of personal data;

- familiarization of the Operator's Employees directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, local acts on the processing and protection of personal data, and training of the Operator's Employees;

- implementation of internal control and audit.

13. Processing of personal data without the use of automation tools

13.1. The rules for working with personal data and their material carriers without the use of automation tools are defined in accordance with the "Regulation on the specifics of personal data processing carried out without the use of automation tools", approved by the Decree of the Government of the Russian Federation No. 687 dated 15.09.2008. The processing of personal data received from a subject is considered to be carried out without the use of automation tools if such actions with personal data as the use, clarification, dissemination, destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of a person.

A document containing personal data is a material carrier with information recorded on it in any form containing personal data of employees in the form of text, photos and (or) a combination thereof.


13.2. Personal data being processed must be kept separate from other information by recording them on separate material carriers, in special sections or in the fields of forms.

When recording personal data on tangible media, personal data whose processing purposes are obviously incompatible must not be recorded on the same tangible medium.

Employees who process personal data are informed by their direct supervisor about the fact that they process personal data, the categories of personal data being processed, as well as about the specifics and rules of such processing.

Standard forms of documents should be drawn up in such a way that each of the subjects of personal data contained in the document has the opportunity to get acquainted with their own personal data contained in the document, without violating the rights and legitimate interests of other subjects of personal data.

Documents containing personal data are stored in closets that are locked with a key.

The destruction of documents containing personal data is carried out in a way that does not allow further familiarization with personal data.


13.3. When working with documents containing personal data, the employee is obliged to exclude the possibility of familiarization, viewing of these documents by persons who are not allowed to work with them (including other employees of the Operator).

When working with personal data of personal data subjects, as well as with their carriers, it is necessary to limit the number of employees allowed to work with specific personal data lists.

Employees allowed to process personal data must not:

1. Disclose information that is personal data to persons who do not have the right to access this information.

2. Make unrecorded copies of documents containing personal data.

3. Leave documents containing personal data on desktops unattended.

4. Leave the room where personal data is stored without placing documents with personal data in closets.

5. Remove documents containing personal data from the premises where personal data is stored, without official necessity.

14. Liability for violation of the requirements of this Policy

14.1. Persons guilty of violating the norms governing the receipt, processing and protection of personal data of subjects are subject to disciplinary, administrative, civil or criminal liability in accordance with federal legislation.


14.2. Employees of the Operator who are allowed to process personal data of subjects, for disclosure of information received in the course of their work, are subject to disciplinary, administrative or criminal liability in accordance with the current legislation of the Russian Federation.

15. Final provisions

15.1. This Policy comes into force from the date of its approval by the order of the Director and is valid indefinitely until replaced by a new version.


15.2. If it is necessary to bring this Policy in line with newly adopted legislative acts, changes are made on the basis of the order of the head.


15.3. This Policy is a publicly available document and is subject to posting on the Operator's official website.
