I. General Provisions
1. This Policy, developed in accordance with the Federal Law “On Personal Data”, establishes the purposes, basic principles, rules and legal grounds for processing personal data, and determines the key measures to ensure the security of personal data.
2. This Policy has been developed to implement the requirements of the Russian Federation laws in the field of personal data at JSCo “RZD”, as well as to ensure the protection of the rights of individuals when processing their personal data.
3. The provisions of this Policy provide the basis for developing and updating administrative, organizational and legal documents of JSCo “RZD”, which regulate the processing of personal data of various categories of personal data subjects, as well as the procedure for implementing measures to protect personal data being processed.
4. The provisions of this Policy are binding on employees of JSCo “RZD” who have access to personal data.
5. The list of the purposes of personal data processing at JSCo “RZD”, the scope of personal data and its categories, as well as the categories of personal data subjects is given in the Annex.
II. Key Terms
6. The following concepts are used in this Policy:
1) “automated processing of personal data” means personal data processing using computer equipment;
2) “personal data security” means the state of protection of personal data, which is characterized by the ability of users, technological tools and information technologies to ensure the confidentiality, integrity and availability of personal data when it is processed in information systems;
3) “biometric personal data” means data that describes physiological and biological peculiarities of a personal data subject, based on which his/her identity can be established and which is used by the operator to establish the identity of the personal data subject;
4) “information system” means a set of information contained in databases as well as information technologies and technological tools used for its processing;
5) “counterparty” means a Russian or foreign legal entity or individual with which JSCo “RZD” has contractual relations or plans to enter into contractual relations, except for employment relations;
6) “confidentiality of personal data” means a mandatory requirement not to disclose personal data to third parties and not to disseminate personal data without the consent of the personal data subject, unless otherwise provided for in the laws of the Russian Federation;
7) “tangible medium” means a paper or a machine-readable medium designed for recording, transferring and storing personal data;
8) “non-automated processing of personal data” means personal data processing directly by human intervention without the intermediation of computer systems;
9) “personal data processing” means any action (operation) or a set of actions (operations) performed to handle personal data with or without the use of automation aids, including collection, recording, classification, aggregation, storage, refinement (update or change), extraction, use, transfer (distribution, disclosure, or access), anonymization, blocking, erasure, and destruction of personal data;
10) “operator” means a state body, municipal body, entity or person, which, individually or jointly with other persons, organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the scope of personal data subject to processing, actions (operations) performed with personal data;
11) “personal data” means any information related, directly or indirectly, to a specific or identifiable individual (personal data subject);
12) “personal data whose distribution is permitted by the personal data subject” means the personal data, the access to which is granted to an unlimited number of persons by the personal data subject by giving consent to the processing of personal data permitted by the personal data subject to be distributed in the manner provided for in the Federal Law “On Personal Data”;
13) “user of JSCo “RZD” services” means a passenger, consignor, consignee or another person or entity that uses the services provided by JSCo “RZD”;
14) “provision of personal data” means actions aimed at disclosing personal data to a specific person or a specific group of persons;
15) “dissemination of personal data” means actions aimed at disclosing personal data to an indefinite number of persons;
16) “special categories of personal data” means categories of personal data, which pertain to race, national identity, political views, religious or philosophical beliefs, state of health, privacy and record of conviction;
17) “personal data subjects” means service users, counterparties, employees of JSCo “RZD”, their close relatives, jobseekers (applicants), pensioners registered with JSCo “RZD” and their official representatives, as well as other persons whose personal data became known to JSCo “RZD” in the course of its activities, including due to the provision of social benefits, guarantees and compensations by JSCo “RZD” to such persons;
18) “cross-border transfer of personal data” means transmission of personal data to the territory of a foreign state, public authority of a foreign state, foreign individual or foreign legal entity;
19) “destruction of personal data” means actions which make it impossible to restore the personal data content in the information system or on a machine carrier and/or which result in the destruction of tangible carriers of personal data.
III. Principles and Rules of Personal Data Processing
7. Personal data shall be processed at JSCo “RZD” in compliance with the following principles and rules:
1) processing shall be carried out on a lawful and equitable basis;
2) processing shall be limited to achievement of the specific, predetermined and lawful purposes;
3) personal data processed shall meet the purposes of processing, and the volume and content of such data shall comply with the stated purposes of processing;
4) databases containing personal data processed for the purposes incompatible with each other may not be combined;
5) during processing, the accuracy and sufficiency of personal data and, if necessary, relevance to the purposes of processing shall be ensured and measures shall be taken to delete or update incomplete or inaccurate data;
6) personal data shall be stored in a form that makes it possible to identify the personal data subject for no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by federal law, contract to which the personal data subject is a party, beneficiary or guarantor;
7) unless otherwise provided for in the laws of the Russian Federation, personal data processed shall be destroyed or depersonalized when the processing purposes are achieved or in case there is no more need for achieving these purposes.
8. When processing personal data, JSCo “RZD” shall ensure its confidentiality and security.
IV. Legal Grounds for Personal Data Processing
9. The legal grounds for personal data processing based on which personal data may be processed at JSCo “RZD” shall be as follows:
1) consent of the personal data subject to the processing of personal data, taking into account the requirements stipulated by the laws of the Russian Federation for the relevant category of personal data;
2) achievement of the goals stipulated by an international treaty to which the Russian Federation is a party or by law, implementation and fulfillment of the functions, powers and duties conferred on JSCo “RZD” by the laws of the Russian Federation and the Articles of Association of JSCo “RZD”;
3) judicial acts, acts of another authority or official, which must be executed by JSCo “RZD” in accordance with the legislative provisions of the Russian Federation on enforcement proceedings;
4) a contract to which the personal data subject is a party or beneficiary or guarantor, or a contract entered into at the initiative of the personal data subject, or a contract under which the personal data subject will be a beneficiary or guarantor;
5) ensuring the protection and/or protecting the life, health or other vital interests of the personal data subject if it is impossible to obtain the consent of the personal data subject;
6) exercising the rights and legitimate interests of JSCo “RZD” or third parties, or achieving socially significant goals provided that this does not violate the rights and freedoms of the personal data subject;
7) carrying out professional activities of a journalist and/or lawful activities of mass media, as well as scientific, literary or other creative activities, provided that the rights and legitimate interests of the personal data subject are not violated;
8) personal data processing for statistical or other research purposes, subject to mandatory depersonalization;
9) personal data processing for the purposes of publication or mandatory disclosure of information in accordance with the laws of the Russian Federation.
V. Organization of Personal Data Processing
10. In order to organize the effective processing and security of personal data at JSCo “RZD”, CEO – Chairman of the Managing Board of JSCo “RZD” shall appoint, from among his deputies, a person responsible for organizing the processing of personal data at JSCo “RZD”. Such person shall, in accordance with the powers conferred, ensure:
1) internal control over compliance by JSCo “RZD” with the requirements of the laws of the Russian Federation and the regulatory documents of JSCo “RZD” in the field of personal data, including the requirements to personal data protection at JSCo “RZD”;
2) that the provisions of the laws of the Russian Federation, the regulatory documents of JSCo “RZD” regarding personal data processing, as well as the requirements to personal data protection are communicated to employees of JSCo “RZD”;
3) control over the processing of requests from personal data subjects or their representatives regarding the violations of personal data laws committed by employees of JSCo “RZD”.
11. Personal data may be processed by managers of JSCo “RZD” who have been granted this right by their employer, as well as by employees of JSCo “RZD” who have been authorized to process personal data in accordance with the procedure established by JSCo “RZD”.
Said managers and employees may process only the personal data which they require to perform their job duties.
12. Personal data shall be processed at JSCo “RZD” with and/or without the use of automation means.
13. Special categories of personal data and biometric personal data shall be processed at JSCo “RZD” in accordance with the requirements of the laws of the Russian Federation.
14. When processing personal data of personal data subjects, JSCo “RZD” shall:
1) take necessary legal, organizational and technical measures to protect personal data of personal data subjects from unauthorized or accidental access thereto, destruction, modification, blocking, copying, provision, distribution thereof, or any other illegal actions in respect of personal data;
2) explain to the personal data subjects the legal consequences of refusal to provide their personal data and/or to give consent to the processing thereof, if the provision of personal data is mandatory in accordance with the laws of the Russian Federation;
3) block, clarify and destroy personal data processed unlawfully, as well as stop such unlawful processing;
4) notify the personal data subject of remedying committed violations or destruction of his/her personal data;
5) at the request of the personal data subject or his/her representative, provide the information related to the processing of his/her personal data in the manner prescribed by the laws of the Russian Federation and the regulatory documents of JSCo “RZD”;
6) exercise internal control and/or audit of compliance of personal data processing with the laws of the Russian Federation and the regulatory documents of JSCo “RZD”;
7) assess the damage that may be caused to the personal data subjects in the event of a violation of the Russian Federation laws on personal data, the correlation between the said damage and the measures taken by JSCo “RZD” to ensure the fulfillment of the obligations stipulated by the Russian Federation laws on personal data.
15. The personal data whose distribution is permitted by the personal data subject shall be processed in compliance with the bans and conditions laid down by Article 10.1 of Federal Law “On Personal Data”.
Consent to the processing of personal data whose distribution is permitted by the personal data subject shall be executed separately from any other consents of the personal data subject.
16. Personal data may be transferred to third parties upon written consent of the personal data subjects, except for the cases when it is necessary in order to prevent a threat to the life and health of the personal data subjects, as well as in other cases stipulated by the laws of the Russian Federation.
17. Personal data may be transferred to public authorities without the consent of the personal data subject to the processing of his/her personal data in the manner and in the cases provided for in the laws of the Russian Federation.
18. Cross-border transfer of personal data shall be carried out subject to the restrictions and prohibitions provided for in the Russian Federation laws on personal data.
Prior to the commencement of cross-border transfer of personal data, JSCo “RZD” shall:
assess the measures taken by foreign authorities, foreign individuals and legal entities, to which the cross-border transfer of personal data is planned, to ensure confidentiality and security of personal data;
notify the body authorized to protect the rights of personal data subjects of its intention to carry out cross-border transfer of personal data.
19. JSCo “RZD” may engage another party to process personal data with the consent of the personal data subject pursuant to an agreement entered into with such party, unless otherwise stipulated by the laws of the Russian Federation.
20. When collecting personal data, including through the use of the information and telecommunications network “Internet”, JSCo “RZD” shall record, systematize, accumulate, store, clarify (update, change), retrieve personal data of the Russian Federation citizens using databases located in the territory of the Russian Federation, except as may be otherwise provided by the laws of the Russian Federation.
21. The security of personal data, including during its processing in information systems, shall be ensured in accordance with the laws of the Russian Federation and the requirements of the body authorized to protect the rights of personal data subjects, the federal executive body authorized in the field of security, and the federal executive body authorized in the field of technical intelligence countermeasures and technical protection of information.
22. The periods of personal data processing and storage for each purpose of personal data processing at JSCo “RZD” as set forth in Annex No. 1 to this Policy shall be determined in compliance with the requirements of the laws of the Russian Federation and/or the provisions of a contract to which the personal data subject is a party, beneficiary or guarantor and taking into account the consent of the personal data subject to the processing of his/her personal data.
23. The procedure and methods for destroying personal data at JSCo “RZD” shall be determined in accordance with the laws of the Russian Federation and the regulatory documents of JSCo “RZD”.
Personal data shall be destroyed in the following cases:
1) upon achievement of the processing purposes or in case there is no more need to achieve the purposes of personal data processing;
2) in case the personal data subject withdraws his/her consent to the processing of his/her personal data, except for the cases stipulated by the laws of the Russian Federation;
3) when the personal data subject or his/her representative provides information confirming that:
a) the personal data is incomplete, outdated, inaccurate (provided that it is impossible to clarify personal data);
b) the personal data was obtained in an illegal way;
c) the personal data is not necessary for the stated purpose of processing;
4) in case unlawful processing of personal data is detected (if it is impossible to ensure lawfulness of personal data processing);
5) if the personal data subject requests the termination of personal data processing, except for the cases stipulated by the laws of the Russian Federation.
VI. Rights of Personal Data Subject
24. Personal data subjects shall have the right to:
1) receive, upon request, full information about their personal data processed by JSCo “RZD”;
2) review their personal data upon application to JSCo “RZD”;
3) clarify their personal data, request that the personal data be blocked or destroyed if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
4) request that the processing of their personal data be stopped;
5) provide their personal data and consent to the processing thereof freely, of their own free will and in their own interest;
6) revoke consent to the processing of their personal data;
7) appeal against the acts (omissions) of JSCo “RZD” during the processing of their personal data in accordance with the laws of the Russian Federation;
8) exercise any other rights provided for in the laws of the Russian Federation.
25. The liability for violating the requirements of the laws of the Russian Federation and the regulatory documents of JSCo “RZD” in the field of personal data shall be determined in accordance with the laws of the Russian Federation.
26. The Policy is a publicly available document and shall be posted on the official website of JSCo “RZD” in the information and telecommunications network “Internet” at https://www.rzd.ru.
Annex