Policy on the processing of personal data in the Ural branch of the Federal State Budgetary Cultural Institution "State Museum and Exhibition Centre ROSIZO"
1. Introduction
1.1. An essential condition for achieving the objectives of the Ural branch of the State Museum and Exhibition Centre ROSIZO (hereinafter "Ub ROSIZO" or the Operator) is providing a necessary and sufficient level of security for information, including personal data.
1.2. This Policy on the processing of personal data in Ub ROSIZO (hereinafter the Policy) defines the collection, storage, transfer and other processing of personal data in Ub ROSIZO (hereinafter also the Organization), as well as the requirements for the protection of personal data.
1.3. The Policy has been developed in accordance with the current legislation of the Russian Federation.
1.4. Personal data is any information relating to a directly or indirectly identified or identifiable natural person (the personal data subject). A detailed list of personal data is recorded in the local regulatory documents of Ub ROSIZO.
1.5. All personal data processed by Ub ROSIZO is confidential, legally protected information.
This Policy on the processing and protection of the personal data of natural persons (personal data subjects) is implemented by Ub ROSIZO under Article 24 of the Constitution of the Russian Federation; Chapter 14 of the Labour Code of the Russian Federation; Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" (as amended on 21.07.2014); Government Decree No. 1119 of 2012 "On approval of the requirements for the protection of personal data when processed in personal data information systems"; Federal Law No. 149-FZ of 27 July 2006 "On Information, Information Technologies and Information Protection" (as amended on 13.07.2015); FSTEC of Russia Order No. 21 of 18 February 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data when processed in personal data information systems"; and other regulations of the Russian Federation.
The purpose of the Policy is to ensure the security of the Organization's protected assets against all types of threats, external and internal, intentional and unintentional; to minimize the potential for threats to the security of personal data; and to give individuals who provide their personal data the information they need to assess which of their personal data the Organization processes, for what purposes, and which methods are used to keep that data secure.
The Policy protects the rights and freedoms of personal data subjects when their personal data is processed with or without automation, and establishes the liability of persons with access to personal data for failure to comply with the requirements governing the processing and protection of personal data.
This Policy may be amended when the current legislation of the Russian Federation changes.
2. List of personal data subjects
The Policy applies to all personal data that the Organization may obtain in the course of its activities, including the personal data of the Organization's customers.
3. List of personal data processed in the Ub ROSIZO
The list of personal data subject to protection is defined in accordance with the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO, and is set out in the annex to this Policy.
Ub ROSIZO does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs or intimate life.
4. Functions of Ub ROSIZO in the processing of personal data
When processing personal data, Ub ROSIZO:
- adopts the measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO in the field of personal data;
- adopts legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision or dissemination, and from other unlawful actions with respect to personal data;
- appoints the person responsible for organizing the processing of personal data in Ub ROSIZO;
- issues local regulatory acts defining its policy and procedures for the processing and protection of personal data;
- familiarizes the employees of Ub ROSIZO who directly process personal data with the provisions of the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO in the field of personal data, including the requirements for the protection of personal data, and trains those employees;
- publishes this Policy or otherwise provides unrestricted access to it;
- informs personal data subjects or their representatives that their personal data is being processed, and gives them the opportunity to review that personal data upon request, unless otherwise established by the legislation of the Russian Federation;
- ceases processing and destroys personal data in the cases provided for by the legislation of the Russian Federation in the field of personal data;
- performs other actions provided for by the legislation of the Russian Federation in the field of personal data.
Customers who use the Organization's services and provide their personal data to the Organization, including through third parties, thereby confirm their consent to the processing of their personal data in accordance with this Policy.
5. Conditions for processing personal data and for the transfer (provision, access) of the personal data of employees and other personal data subjects
Ub ROSIZO processes personal data with the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.
Without the consent of the personal data subject, Ub ROSIZO does not disclose personal data to third parties or disseminate it, unless otherwise provided by federal law.
With the consent of the personal data subject, Ub ROSIZO may entrust the processing of personal data to another person on the basis of a contract concluded with that person. The contract must specify the list of actions (operations) with personal data that the processor will perform, the purpose of processing, the processor's obligation to keep the personal data confidential and to ensure its security during processing, and the requirements for the protection of the processed personal data in accordance with Article 19 of the Federal Law "On Personal Data".
For internal information purposes, and with the written consent of the personal data subject unless otherwise provided by the legislation of the Russian Federation, Ub ROSIZO may compile internal reference materials (directories) that include the subject's surname, first name, patronymic, place of work, job title, year and place of birth, address, telephone number, e-mail address and other personal data reported by the subject.
Access to the personal data processed in Ub ROSIZO is permitted only to employees of Ub ROSIZO who hold positions included in the approved list of positions in the units of Ub ROSIZO whose holders process personal data.
The personal data subject may withdraw consent to the processing of personal data. If consent is withdrawn, the Operator may continue to process the personal data without the subject's consent only where grounds specified by law exist.
6. Processing and retention period of personal data
Customer data is processed and stored in the Organization's information systems and on paper media.
Customers' personal data is stored electronically on the Organization's local computer network, in electronic folders and files on the workstations of the employees authorized to process customers' personal data.
Customers' personal data may not be stored longer than is required by the purpose of processing, unless federal laws of the Russian Federation provide otherwise.
The retention period for personal data is given in Annex No. 1 (List of personal data).
During the retention period, personal data may not be depersonalized or destroyed.
After the retention period expires, personal data is depersonalized in information systems and destroyed on paper media in the manner prescribed by the regulations and legislation of the Russian Federation in force, with a Personal Data Destruction Act drawn up.
7. Rights and duties of employees of Ub ROSIZO and other personal data subjects
In accordance with Article 14 of Federal Law No. 152-FZ "On Personal Data", personal data subjects have the right to:
- full information about their personal data processed in Ub ROSIZO;
- access to their personal data, including the right to obtain a copy of any record containing their personal data, except in the cases provided for by federal law;
- clarification, blocking or destruction of their personal data where it is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing;
- withdrawal of consent to the processing of personal data;
- the measures provided by law to protect their rights;
- appeal against the actions or omissions of Ub ROSIZO in violation of the legislation of the Russian Federation in the field of personal data to the authorized body for the protection of the rights of personal data subjects or to a court;
- exercise of other rights provided by the legislation of the Russian Federation.
8. Procedure for internal control of compliance with Russian legislation in the field of personal data
Monitoring of compliance by the structural units of Ub ROSIZO with the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO in the field of personal data, including the requirements for the protection of personal data, is intended to verify that personal data is processed as required, to prevent and detect violations of the legislation of the Russian Federation in the field of personal data, to identify possible channels of leakage and unauthorized access to personal data, and to remedy the consequences of such violations.
Internal monitoring of compliance by the structural units of Ub ROSIZO with the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO in the field of personal data, including the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in Ub ROSIZO.
Personal responsibility for compliance with the requirements of the legislation of the Russian Federation and the regulatory and local acts of Ub ROSIZO in the field of personal data within the structural units of Ub ROSIZO, and for ensuring the confidentiality and security of personal data in those units, rests with the heads of those units.
9. Liability for breach of the rules
In accordance with Article 24 of Federal Law No. 152-FZ of 27 July 2006 "On Personal Data", persons guilty of violating the requirements of that Federal Law bear civil, criminal, administrative, disciplinary and other liability as provided by the legislation of the Russian Federation.
The current legislation of the Russian Federation allows requirements to be imposed for the secure operation of protected information and provides for liability for unlawful access to computer information and for violation of the rules of operation of computers and computer systems, where such actions result in the destruction, blocking or modification of information or the disruption of computers or networks (Articles 272, 273 and 274 of the Criminal Code of the Russian Federation).
The information systems administrator and the security administrator are responsible for all actions performed under their personal accounts or the system accounts assigned to them, unless it is proven that the accounts were used by another person.
Employees of the Organization who breach the security of personal data are liable under the current legislation of the Russian Federation.
The above requirements of the regulatory documents on information protection must be reflected in the Organization's regulations on the processing of personal data in its personal data information system and in the job descriptions of the Organization's staff.
The regulations for the units of the Organization that process personal data in the personal data information system must provide for the liability of their heads and employees for the disclosure and unauthorized modification (distortion, falsification) of personal data, and for unlawful interference in the automated processes of its processing.
10. Annexes / List of local documents
Annex No. 1. List of personal data processed in Ub ROSIZO.
11. List of sources used
The main legal and methodological documents on which this Policy is based are:
1. Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" (hereinafter the Federal Law "On Personal Data"), which establishes the basic principles and conditions for the processing of personal data and the rights, duties and liability of the parties involved in its processing.
2. "Regulation on ensuring the security of personal data when processed in personal data information systems", approved by Government Decree of the Russian Federation No. 781 of 17.11.2007.
3. "Procedure for the classification of personal data information systems", approved by joint order of FSTEC of Russia No. 55, the FSB of Russia No. 86 and the Ministry of Information Technologies and Communications of the Russian Federation No. 20 of 13.02.2008.
4. "Regulation on the specifics of processing personal data without the use of automation tools", approved by Government Decree of the Russian Federation No. 687 of 15.09.2008.
5. "Requirements for physical media of biometric personal data and for technologies for storing such data outside personal data information systems", approved by Government Decree of the Russian Federation No. 512 of 06.07.2008.
6. Regulatory and methodological documents of the Federal Service for Technical and Export Control of the Russian Federation (hereinafter FSTEC of Russia) on ensuring the security of personal data when processed in personal data information systems:
7. "Recommendations on ensuring the security of personal data when processed in personal data information systems", approved by the Deputy Director of FSTEC of Russia on 15.02.2008 (for official use).
8. "Basic measures for organizing and ensuring the security of personal data processed in personal data information systems", approved by the Deputy Director of FSTEC of Russia on 15.02.2008 (for official use).
9. "Basic model of threats to the security of personal data when processed in personal data information systems", approved by the Deputy Director of FSTEC of Russia on 15.02.2008 (for official use).
10. "Methodology for determining current threats to the security of personal data when processed in personal data information systems", approved by the Deputy Director of FSTEC of Russia on 15.02.2008 (for official use).
Annex No. 1. List of personal data processed in Ub ROSIZO

Name (type) of personal data | Personal data content | Category of personal data | Source | Grounds for processing | Business process that uses this type of personal data | Retention period, termination conditions | Accessibility
Primary customer credentials | Customer name | Category 4 | Personal data subject; agreement | Terms of the agreement | Conclusion of a contract with the customer | 3 years after termination of the contract * | Not public
Customer contact details | E-mail address; residential/delivery address | Category 3 | Personal data subject; agreement | Terms of the agreement | Conclusion of a contract with the customer | 3 years after termination of the contract * | Not public

* Category 3: personal data that identify the personal data subject.
Category 4: anonymised and/or publicly available personal data.