<div><img src="https://mc.yandex.ru/watch/396811" style="position:absolute; left:-9999px;" alt="" /></div>

Personal Data Processing Policy

PJSC “Insurance Company Rosgosstrakh”
Approved by Order of PJSC “Insurance Company Rosgosstrakh” No. 525 dated 30/08/2018

1. General

1.1 Purpose

This Personal Data Processing Policy has been developed as per cl. 2, Art. 18.1 of Federal Law of the Russian Federation “On Personal Data” No. 152-FZ dated July 27, 2006, and outlines the position of PJSC “Insurance Company Rosgosstrakh” (hereinafter - the Company) in personal data processing and protection, observation of rights and freedoms of the personal data subject. The Company is registered in the Register of the Personal Data Processing Operators under No. 08-0003937 according to Order No. 343 dated 16/05/2008.

1.2 Terms, definitions and abbreviations

Term
Definition
Personal Data Information System
The pooled personal data contained in the database, as well as information technologies and technical means that allow for processing of such personal data with and without the use of automation tools
Data Depersonalization
Actions as a result of which it is impossible to determine the personal data ownership by a specific personal data subject without using additional information
Personal Data Processing
Any action (operation) or a combination of actions (operations) undertaken with or without the use of automation means, with personal data, including personal data collection, recording, systematization, accumulation, storage, specification (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction
Personal Data
Any information relating to a directly or indirectly identified or identifiable individual (personal data subject)
Personal Data Destruction
Actions as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as a result of which the personal data physical carriers are destroyed
CC
Civil Contract
TIN
Taxpayer’s Identification Number
PDIS
Personal Data Information System
UA
Unauthorized Access
CCLIOMV
Compulsory Civil Liability Insurance of Owners of Motor Vehicles
PD
Personal Data
RF
Russian Federation
FL
Federal Law

2. Legal Basis for Personal Data Processing

The Company shall process the PD by following:

  • Law of the RF No. 4015-1 dated 27/11/1992 “On Organization of the Insurance Business in the Russian Federation”;
  • Federal Law No. 40-FZ dated 25/04/2002 “On Compulsory Civil Liability Insurance of Owners of Motor Vehicles”;
  • Federal Law No. 115-FZ dated 07/08/2001 “On Countering the Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism”;
  • Civil Code of the RF (Chapter 48);
  • Labor Code of the RF;
  • Statute of PJSC “Insurance Company Rosgosstrakh”;
  • Licenses of PJSC “Insurance Company Rosgosstrakh for insurance activity СЛ No. 0001 dated 06/06/2018, СИ No. 0001 dated 06/06/2018, ОС No. 0001-02 dated 06/06/2018, ОС No. 0001-03 dated 06/06/2018, ОС No. 0001-04 dated 06/06/2018, ОС No. 0001-05 dated 06/06/2018, for re-insurance activity ПС No. 0001 dated 06/06/2018;
  • Consent for Personal Data Processing.

3. Purposes and Methods of Personal Data Processing

Purposes of Personal Data Processing of the PD Subjects:

  • implementation of powers, authorities and obligations by the Company as provided by the legislation of the Russian Federation, according to the Federal Laws, particularly: Federal Law “On Organization of the Insurance Business in the Russian Federation”, Tax Code, Civil Code, Labor Code, “On Compulsory Civil Liability Insurance of Owners of Motor Vehicles”, “On Countering the Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism”, " On Procedure for Considering Applications of Citizens of the Russian Federation ”, as well as the Statute and licenses;
  • regulation of labor relations between the Company and employees, assistance to employees in the performance of their functional duties, training, career advancement, control of the scope and quality of work performed and ensuring the safety of the Company property, priority of granting vacations, establishment and calculation of the amount of wages and salaries, insurance of employees, issuing the state pension insurance certificates, access control of the Company and safety of employees, recording the time spent by an employee at the Company premises, as well as for other purposes required by the Company in connection with labor relations with the Company employees, including observation of the Company corporate culture of the (in terms of maintenance of telephone directory). The personal data processing of the PD subjects working under the CC is performed in order to control the scope and quality of the work performed, fulfill the Company's contractual obligations before the PD subject (including in terms of payment for services);
  • carrying out insurance activities for individuals and legal entities: insurance and reinsurance in accordance with the legislation of the Russian Federation and a special permit (license), including assessing the insurance risk, obtaining the assets, determining the amount of losses or damage, making insurance payments, as well as making other performance-related obligations under the acts insurance contracts to control the implementation of the main type of activity for the purposes of countering the legalization (laundering) of proceeds from crime and financing of terrorism, by determining and identifying the customers (beneficiaries);
  • selection of candidates for work;
  • organization of access regime;
  • study of the situation on the insurance market, conduct of research and sociological works;
  • investment activities, including operations with securities;
  • organization of advertising and publishing activities, exhibitions and sales, auctions;
  • visitor’s access to the Company's website to obtain information about services;
  • giving an opportunity for employees of the Company contractors to fulfill the obligations stipulated by agreements between the Company and its contractors.

Personal data processing (collection, recording, systematization, accumulation, storage, specification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, destruction, deletion are subdivided into:

  • personal data processing in the personal data information systems using the automation tools;
  • personal data processing without using the automation tools.

4. Processed Data Categories

The personal data collection and processing procedure in the Company is realized according to the RF legislation.

The processed personal data includes: surname, name, patronymic; year of birth; month of birth; date of birth; place of birth; address; marital status; social status; photographic image, information on labor activity, information on military registration of persons liable for military service and persons to be called to military duty; property status; education; income; health status; gender; details of the identity document (series and number of the document, date of issue, name of the issuing authority and code of the unit); driving experience; citizenship; number of the state pension insurance certificate; information about certificate of insurance, information about insurance payments; information about insured events; information on the insured vehicle (type, make, model, year of manufacture, license plate, vehicle document); taxpayer identification number, contact details; cookies; data on user behavior and preferences.

5. List of Personal Data Processing Operations

Collection; recording; systematization; accumulation; storage; specification (update, change); use; transfer (distribution, provision, access); depersonalization; blocking; destruction; deletion.

6. Categories of Subjects Whose Personal Data are Processed

The Company processes the PD of the following categories of the PD subjects:

  • candidates for vacant positions (applicants);
  • Company employees, including personal data subjects working under the CC;
  • individuals - the Company customers who are the insured, insurants or beneficiaries; affected third-party insurants under CCLIOMV;
  • individuals being in the contractual and other civil law relations with the Company:
    • visitors;
    • members of the board of directors, shareholders, founders, affiliates;
    • visitors to the Company's website;
    • third party employees;
    • dismissed employees of the Company;
    • relatives of the Company's employees.

7. Conditions for Personal Data Processing Termination

Personal data are subject to destruction after the purposes of processing are achieved or in case of no further need to achieve them, unless otherwise provided by federal laws, as well as in the event of illegal actions with personal data and the impossibility of eliminating the violations within the time period established by law.

8. PD Protection Requirements

The personal data of our customers and partners are contained in the contracts concluded with them, documents related to the execution of these contracts, and personal data information systems.

Our Company takes measures necessary and sufficient to ensure fulfillment of the obligations provided for by Federal Law No. 152 "On Personal Data" and the regulatory acts adopted in accordance with it. The Company individually determines the scope and list of measures necessary and sufficient to ensure fulfillment of the obligations assigned to it, unless otherwise provided by Federal Law No. 152 "On Personal Data" or other federal laws. As per FL No. 152 "On Personal Data”, such measures include the following:

  • appointment of a person responsible for organizing the PD processing;
  • development and approval of local acts on the personal data processing and protection;
  • use of legal, organizational and technical measures to ensure the personal data safety:
    • identification of threats to the PD safety in their processing in the PDIS;
    • use of organizational and technical measures to ensure the PD safety in their processing in the PDID, necessary to meet the PD protection requirements, the implementation of which is ensured by the levels of the PD safety established by the Government of the Russian Federation;
    • use of information security tools;
  • accounting of the PD computer-assisted carriers;
  • identification of unauthorized access to the personal data and taking measures to prevent similar incidents in the future;
  • restoration of personal data modified or destroyed as a result of unauthorized access to them;
  • establishment of access rules for the PD processed in the PDIS, as well as registration and recording of all actions performed with the PD in the PDIS;
  • control over the measures taken to ensure the PD safety and the level of the PDIS protection;
  • observance of the conditions that exclude unauthorized access to the PD paper carriers data and ensure the PD integrity;
  • familiarization of the Company employees who are directly involved in the personal data processing with the PD protection requirements, local acts on the PD processing and protection.

9. PD Processing (Storage) Periods

The PD processing (storage) periods are determined on the basis of the purposes of the PD processing according to the validity period of the agreement with the RD subject, Order of the Ministry of Culture of the RF No. 558 “On Approval of the List of Typical Management Archive Documents Drawn Up in the Course of Activity of the State Authorities, Local Authorities and Organization with the Retention Periods to Be Specified” dated 25/08/2010, federal laws requirements, statute of limitations.

The PD which processing (storage) periods have been expired must be destructed unless otherwise provided by the Federal Law.

10. Conditions of Disclosure and Scope of Data Available to Partners and Third Parties

The Company ensures the personal data confidentiality and is obliged not to transfer them to the third parties without consent of the personal data subjects, unless otherwise provided by law. The subject's personal data transfer to third parties is carried out by the Company on the basis of an appropriate agreement which essential condition is the third party’s obligation to ensure the personal data confidentiality and/or the consent of the PD subject.

11. Rights and Obligations of the PD Subjects, as well as of the Company in Terms of the PD Processing

The subject whose Personal Data is processed by the Company has the right to:

  • receive from the Company:
    • confirmation of the PD processing and information about availability of the PD related to the corresponding PD subject;
    • information on the legal basis and purposes of the PD processing;
    • information about the PD processing methods used by the Company;
    • information about name and location of the Company;
    • information about persons (excluding the Company employees) who have access to the PD or to whom the PD can be disclosed on the basis of an agreement with the Company or on the basis of the federal law;
    • list of the processed PD related to the PD subject, and information about the PD source, unless another procedure for giving such PD is provided for by federal law;
    • information about the PD processing periods, including their storage periods;
    • information about exercise of the PD subject’s rights as provided by Federal Law No. 152 “On Personal Data”;
    • other information as provided by Federal Law No. 152 “On Personal Data” or other regulatory acts of the Russian Federation;
  • require from the Company to specify its PD, block or destroy it if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
  • withdraw its consent to the personal data processing;
  • demand elimination of the Company's illegal actions in relation to its personal data;
  • appeal against the Company acts or omissions in the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) or in court, if the PD subject believes that the Company is processing its PD in violation of the requirements of Federal Law No. 152 “On Personal Data” or otherwise violates its rights and freedoms;
  • protect their rights and legal interests, including compensation for losses and/or compensation for moral damage in court.

In the process of the PD processing, the Company is obliged to:

  • provide the PD subject at his request with the information provided for in part 7 of Article 14 of the Law, taking into account the restrictions established by Federal Law No. 152 “On Personal Data”;
  • explain to the PD subject the legal consequences of refusing to provide the PD, if the provision of the PD is mandatory in accordance with Federal Law No. 152 “On Personal Data”;
  • before the PD processing (if the PD was not received from the PD subject), provide the PD subject with the following information, except for the cases provided for in part 4 of Article 18 of Federal Law No. 152 “On Personal Data”;
  • take the necessary legal, organizational and technical measures or ensure their adoption to protect the PD from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to the PD;
  • publish on the Internet and provide unrestricted access using the Internet to the document determining the Company PD processing policy, to information on the PD protection requirements being implemented;
  • free of charge, provide to the PD subjects and/or their representatives the opportunity to familiarize themselves with the PD when submitting an appropriate request within the period established by the current legislation of the Russian Federation;
  • block the unlawfully processed PD related to the PD subject, or ensure their blocking (if the PD processing is carried out by another person acting on behalf of the Company) from the date of application or receipt of request for the verification period, if the unlawful PD processing is detected in case of application of the PD subject or his representative, either at the request of the PD subject or his representative, or the authorized body for protection of the PD subjects’ rights;
  • specify the PD or ensure their specification (if the PD processing is carried out by another person acting on behalf of the Company) within 7 working days from the date of submission of the information and remove the PD blocking in case of confirmation of the PD inaccuracy based on the information provided by the PD subject or his representative;
  • stop unlawful PD processing or ensure termination of the unlawful PD processing by a person acting on behalf of the Company in the event of unlawful PD processing carried out by the Company or a person acting on the basis of an agreement with the Company, within a period not exceeding 3 working days from the date of such detection;
  • stop the PD processing or ensure this (if the PD processing is carried out by another person acting under an agreement with the Company) and destroy the PD or ensure its destruction (if the PD processing is carried out by another person acting under an agreement with the Company) within a period not exceeding 30 days from the date of achievement of the purpose of the PD processing, unless otherwise provided by the current legislation of the Russian Federation and/or and agreement to which the PD subject is a party, beneficiary or guarantor, if the purpose of the PD processing is achieved;
  • stop the PD processing or ensure such termination, and destroy the PD or ensure such destruction if the PD subject withdraws consent to the PD processing, if the Company is not entitled to process the PD without the consent of the PD subject.

12. Contact details of the Persons Responsible for Consideration of Complaints and Inquiries.

The subjects whose PD is processed by the Company can receive clarifications on their PD processing in one of the following ways mentioned below:

E-mail: support_visa@rgs.ru

Access to the personal data is provided to the personal data subject (his legal representative) on the basis of a request. The request must contain the number of the main document proving the identity of the personal data subject or his legal representative, information about the date of issue of the specified document and the issuing authority and the handwritten signature of the personal data subject or his legal representative and specification of the contract details, or information otherwise confirming the fact of personal data processing by the Company.


Выберите ваш город
А
Абакан
Архангельск
Астрахань
Б
Барнаул
Белгород
Благовещенск
Брянск
В
Великий Новгород
Владивосток
Владикавказ
Владимир
Волгоград
Волгодонск
Вологда
Воронеж
Г
Грозный
Е
Екатеринбург
И
Иваново
Ижевск
Иркутск
Й
Йошкар-Ола
К
Казань
Калининград
Калуга
Кемерово
Киров
Кострома
Краснодар
Красноярск
Кузнецк
Курск
Л
Липецк
М
Майкоп
Махачкала
Москва
Мурманск
Н
Назрань
Нальчик
Нижний Новгород
Нижний Тагил
Новокузнецк
Новороссийск
Новосибирск
Новый Уренгой
О
Омск
Орёл
Оренбург
П
Пенза
Пермь
Петрозаводск
Петропавловск-Камчатский
Псков
Р
Ростов-на-Дону
Рязань
С
Самара
Санкт-Петербург
Саранск
Саратов
Смоленск
Сочи
Ставрополь
Стерлитамак
Сургут
Сыктывкар
Т
Тамбов
Тверь
Тольятти
Томск
Тула
Тюмень
У
Улан-Удэ
Ульяновск
Уфа
Х
Хабаровск
Ханты-Мансийск
Ч
Чебоксары
Челябинск
Черкесск
Чита
Ю
Южно-Сахалинск
Я
Якутск
Ярославль