Data protection policy

1. This Policy defines the general purposes and principles of personal data processing and the measures to ensure the security of personal data in JSC BIOCAD in order to protect the rights and freedoms of individuals and citizens when their personal data are processed, and establishes the intentions and obligations officially expressed by the management of JSC BIOCAD in this field.
2. This Policy is valid for three (3) years and may be revised after this period, or earlier, in case of any changes in the applicable laws and regulations in the field of personal data protection and processing.
3. Definitions and Abbreviations

Term (designation) | Definition |
--- | --- |
Automated processing of personal data | processing of personal data using computer technology |
Blocking of personal data | temporary suspension of personal data processing (except where processing is necessary to clarify personal data) |
Depersonalization of personal data | actions as a result of which it is impossible to determine, without the use of additional information, the ownership of personal data by a specific subject of personal data |
Processing of personal data | any action (operation) or set of actions (operations) performed with personal data with or without automation means. Personal data processing includes: collection; recording; systematization; accumulation; storage; clarification (updating, modification); extraction; use; transfer (distribution, provision, access); depersonalization; blocking; deletion; destruction |
Operator | JSC BIOCAD |
Personal data | any information relating directly or indirectly to a specific or identifiable person (subject of personal data) |
Specific (or identifiable) person | a person who can be identified, directly or indirectly, for example by name, passport details, telephone number, online identifier or by one or more factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity |
Providing personal data | any actions aimed at disclosing personal data to a specific person or a specific range of persons |
Dissemination of personal data | any actions aimed at disclosing personal data to an indefinite range of persons (transfer of personal data) |
Cross-border transfer of personal data | transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity |
Destruction of personal data | any actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which physical storage media of personal data are destroyed |
Personal data information system | a set of personal data contained in personal data databases and of information technologies and technical means ensuring personal data processing |
4. Responsibility/Process Owner

4.1. This Policy shall be binding on all employees of JSC BIOCAD, regardless of their position, including full-time and part-time employees, from the effective date of the Policy. Other internal regulations on ensuring the protection of personal data at JSC BIOCAD shall not contradict this Policy.
5. General Provisions

5.1. Principles and conditions for processing personal data

5.1.1. Personal data shall be processed by the Operator on the basis of the following principles:
5.1.1.1. lawfulness, fairness and transparency;
5.1.1.2. processing of personal data shall be limited to the achievement of specific, predetermined and legitimate purposes;
5.1.1.3. personal data processing incompatible with the purposes of personal data collection shall be prohibited;
5.1.1.4. integration of databases containing personal data that are processed for any incompatible purposes shall be prohibited;
5.1.1.5. only those personal data that answer the purposes of processing shall be processed;
5.1.1.6. the content and volume of the processed personal data shall comply with the stated purposes of processing;
5.1.1.7. the processed personal data shall not be redundant in relation to the stated purposes of their processing;
5.1.1.8. the accuracy, sufficiency and relevance of personal data in relation to the purposes of their processing shall be ensured;
5.1.1.9. the processed personal data shall be destroyed or depersonalized upon achievement of the purposes of processing, when achieving those purposes is no longer necessary, or if the Operator is unable to remedy violations committed in the processing of personal data, unless otherwise provided by federal law;
5.1.1.10. personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, as well as accidental loss, destruction or damage, by appropriate technical and organizational measures.
5.1.2. Conditions for personal data processing:
5.1.2.1. categories of personal data subjects, a list of processed personal data, purposes and legal grounds for their processing shall be defined in the Operator’s Policy on Personal Data Processing;
5.1.2.2. if there are no other legal grounds, the Operator shall obtain the subject’s explicit consent to the processing of its personal data at the time of personal data collection. If the Operator plans to process personal data for a purpose incompatible with the primary purpose of personal data processing, the Operator shall obtain a separate consent of the personal data subject for this planned purpose. If personal data are obtained by the Operator other than from the personal data subject, the Operator shall notify the subject of such processing.
5.1.3. Confidentiality of personal data

5.1.3.1. The Operator and other persons who have obtained access to personal data shall not disclose personal data to any third parties and shall not distribute personal data without the consent of the personal data subject, unless otherwise provided for by federal law.
5.1.4. Assignment of personal data processing to another person

5.1.4.1. The Operator may assign the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided for by federal law, under a contract entered into with this person. A person who processes personal data under the Operator's instruction shall comply with the principles and rules for processing personal data provided for by the applicable legislation and this Policy.
5.1.5. Cross-border transfer of personal data

5.1.5.1. In the course of its activities, the Operator may carry out cross-border transfer of personal data to the territory of foreign states, to the authorities of a foreign state, or to foreign individuals or legal entities. Prior to such transfer, the Operator shall ensure that the foreign state to whose territory the personal data are to be transferred ensures reliable protection of the rights of personal data subjects.
5.2. Subjects of personal data shall have the right to:

5.2.1. protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage;
5.2.2. be notified by the Operator of the obligation to provide reliable personal data, as well as possible consequences of providing unreliable data;
5.2.3. exercise their data subject rights either independently or through a representative. In that case, the Operator reserves the right to request from the representative any information required to confirm the legitimacy of the application (for example, a power of attorney, a court judgement, or a decision by child protective services).
5.3. The Operator's personal data subjects shall have the right to:

5.3.1. receive information about the Operator, including the Operator's location and the personal data held by the Operator relating to them as a personal data subject, and familiarize themselves with such personal data;
5.3.2. demand from the Operator to update their personal data, restrict their processing, block or destroy them in case their personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the purpose of processing declared by the Operator;
5.3.3. take measures provided for by the legislation to protect their rights;
5.3.4. withdraw consent to the processing of personal data with subsequent destruction (deletion) of personal data;
5.3.5. file a complaint with supervisory bodies in the case of violation of the applicable legislation in the field of personal data processing and security.
5.4. Ensuring security of personal data

5.4.1. The security of personal data processed by the Operator shall be ensured by implementing the legal, organizational and technical measures necessary to comply with the requirements of federal legislation in the field of personal data protection.
5.4.2. The Operator shall apply the following organizational and technical measures to prevent unauthorized access to personal data:
5.4.2.1. appoint officials responsible for organizing personal data processing and security;
5.4.2.2. limit the number of persons having access to the processing of personal data;
5.4.2.3. familiarize employees with the requirements of the legislation and the Operator’s regulatory documents on processing and protecting personal data;
5.4.2.4. organize the accounting, storage and circulation of storage media containing information with personal data;
5.4.2.5. identify threats to the security of personal data during their processing, and form threat models on their basis;
5.4.2.6. elaborate internal regulations in the field of personal data protection;
5.4.2.7. exercise internal control over the compliance of personal data processing with the applicable legislation in the field of personal data processing and security;
5.4.2.8. maintain the register of personal data processing operations and keep it up to date;
5.4.2.9. control and monitor the time periods for handling appeals and requests for exercising the rights of personal data subjects;
5.4.2.10. take measures to ensure the security of personal data processing by any third parties having access to personal data (execute special agreements and processing instructions);
5.4.2.11. monitor security incidents (if any) and their consequences, investigate them, and, if necessary, notify the supervisory body and the personal data subjects concerned;
5.4.2.12. conduct regular audits of personal data processing operations;
5.4.2.13. take other measures stipulated by the Operator’s internal regulations.
5.5. Operator's rights and obligations with respect to personal data processing

5.5.1. The Operator may:

5.5.1.1. entrust the processing of personal data to another person with the consent of the personal data subject, based on an agreement entered into with this person;
5.5.1.2. determine the purposes, grounds and the list of personal data to be processed;
5.5.1.3. exercise control over the legal basis for personal data processing to eliminate risks related to imposing administrative sanctions for violations of the personal data processing procedure.
5.5.2. The Operator shall:

5.5.2.1. when collecting personal data, provide the personal data subject, upon their request, with information related to the processing of their personal data;
5.5.2.2. ensure the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing;
5.5.2.3. ensure the collection of consents to the processing of personal data permitted for distribution by the personal data subject — in the case of granting access to the subject’s personal data to an unlimited number of people;
5.5.2.4. take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data;
5.5.2.5. refrain from disclosing to any third parties or from distributing personal data without the consent of the personal data subject, unless otherwise provided for by the law;
5.5.2.6. immediately stop processing of personal data at the request of the personal data subject, if there are no legal grounds for further processing of personal data without the subject’s consent;
5.5.2.7. explain to the personal data subject the decision-making procedure based on exclusively automated processing of their personal data and possible legal consequences of such a decision, provide an opportunity to oppose such a decision, as well as explain the procedure for protecting the personal data subject’s rights and legitimate interests;
5.5.2.8. ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of Russian citizens using databases located in the territory of the Russian Federation;
5.5.2.9. take all necessary legal, organizational and technical measures or ensure that these measures are taken to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, and distribution of personal data, as well as against other illegal actions in relation to personal data;
5.5.2.10. provide the personal data subject or their representative with the opportunity to familiarize themselves with personal data relating to that personal data subject free of charge;
5.5.2.11. stop processing personal data, or ensure termination thereof, if the purpose of personal data processing is achieved;
5.5.2.12. fulfill other obligations stipulated by federal laws and other regulations on data processing and protection.
5.5.3. The Operator's employees processing the personal data of subjects shall:

5.5.3.1. process the subject's personal data only as part of their official duties;
5.5.3.2. refrain from disclosing the subject’s personal data obtained as a result of fulfilling their official duties, as well as those that became known to them as part of their work;
5.5.3.3. prevent any acts of third parties that may lead to disclosure (destruction, distortion) of the subject’s personal data;
5.5.3.4. identify the facts of disclosure, destruction or distortion of the subject's personal data and inform the Operator's information security department of such facts.
6. Training and Knowledge Assessment

6.1. All of the Company's employees shall read and understand this Policy and be guided by it in their work.