This personal data processing and protection policy (the Policy) was approved by Thuricum Insurance Company JSC (the Company) for the purpose of implementing the requirements of the current legislation of the Russian Federation in the field of personal data.
The Policy discloses the purposes, legal basis and principles of personal data processing in the Company; sets the main rights and obligations of the Company when processing personal data and the rights of personal data subjects and includes a list of measures used by the Company to ensure the security of personal data.
The Policy is approved by the CEO of the Company, is publicly available and is subject to publication on the Company’s official internet website at http://www.thuricum.ru/.
Personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);
Personal data operator – state body, municipal body, legal or natural person, independently or jointly with other persons organizing and / or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions or operations performed with personal data;
Personal data processing – any action or operation or set of actions or operations with personal data performed with or without the use of automation tools. The processing of personal data includes, but is not limited to:
- clarification (update, change)
- transfer (distribution, provision, access)
Automated processing of personal data – processing of personal data using computer technology;
Providing personal data – action aimed at disclosing personal data to a certain person or a certain circle of persons;
Dissemination of personal data – action aimed at making personal data available to the public;
Personal data destruction – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which material carriers of personal data are destroyed;
Ensuring confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information / not to provide access to such information to third parties without the consent of its owner;
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state, a foreign state authority, a foreign individual or a foreign legal entity.
The Policy applies to all processing of personal data by the Company.
The Company ensures compliance with the principles of personal data processing established by the Russian legislation, in particular:
- legality and fairness
- specific, predefined, and legitimate purposes of processing
- compliance of the volume of personal data with the purposes of processing (data should not be excessive)
- accuracy, sufficiency and relevance
- retention within specified time limits (storage/retention within time limits required for the specified purpose of processing, unless retention period is specified by the applicable law or relevant contract)
- prohibition of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other
Processing of personal data by the Company is limited by specified, predefined and legitimate purposes. The Company does not process any personal data not required for the specified purposes.
The Company processes personal data for the following purposes:
- Processing of personal data for the purposes of HR administration and corporate governance: maintaining personnel and accounting records; ensuring compliance with labour, tax, pension, insurance legislation, legislation on military registration, other applicable legislation (including requirements to qualification and business reputation of officials of insurance organizations), assisting employees in employment and training, promotion, ensuring personal safety of employees, controlling the quantity and quality of work performed, performance management, support measures in accordance with the Company’s social policy, safeguarding the Company’s property, providing taxi and corporate mobile services, issuing powers of attorney, making business cards, organizing business trips, providing insurance for employees and their relatives, providing employees with company vehicles, preparing, concluding and executing civil law contracts, organizing medical examinations of employees in cases stipulated by law, archival storage (records retention) in accordance with the requirements of applicable legislation, fulfillment of corporate law requirements (holding meetings of the Board of Directors, general meetings of shareholders);
- Recruitment of personnel for vacant positions;
- Implementation of insurance and reinsurance activity: conclusion, support, execution and termination of insurance (reinsurance) contracts, settlement of losses and insurance payments, subrogation, conclusion and execution of contracts with insurance intermediaries (brokers, agents), implementing the requirements of the anti-money laundering and anti-terrorism financing legislation, legislation on special economic measures and coercive measures, consideration and documenting of appeals and complaints of clients, intermediaries and other persons, organization and implementation of internal control, external and internal audit, actuarial calculations, actuarial valuation in accordance with the requirements of insurance legislation, insurance risk assessment, pre-insurance inspections, participation in dispute resolution in courts/ arbitration tribunals, implementation of data retention requirements;
- Implementation of general business activity: concluding and executing civil law contracts (supply of goods, works and services) in the course of the Company’s business activities; tendering; verifying counterparties and implementing due diligence procedures.
The legal basis for the processing of personal data by the Company:
- processing of personal data is necessary for the exercise of the functions and obligations of the Company set by the legislation of the Russian Federation,
- processing of personal data is necessary for the execution of an agreement to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of an agreement at the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor,
- processing of personal data is necessary for the exercise of the rights and legitimate interests of the Company, provided that the rights and freedoms of the personal data subject are not violated,
- processing of personal data that the Company is required by law to disseminate or publicly disclose,
- processing of personal data is carried out with the consent of the subject of the personal data.
The Company processes personal data based on the following legal acts:
- The Labour Code of the Russian Federation and other regulations governing labour relations,
- Pension legislation, social security legislation, tax legislation, legislation on military registration and work safety,
- Insurance legislation of the Russian Federation, including the Law of the Russian Federation dated 27 November 1992, N 4015-I “On the organization of insurance business in the Russian Federation”, regulatory legal acts of the Bank of Russia,
- Regulations that establish requirements for the storage and retention of documents,
- The Civil Code of the Russian Federation, other legislation governing civil law,
- Legislation on Joint Stock Companies, in particular Federal Law No. 208-FZ dated 26 December 1995 “On Joint Stock Companies”,
- Legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, in particular the Federal Law dated 7 August 2001, N 115-FZ “On Counteracting the Legalization (Laundering) of Criminally Obtained Incomes and Financing terrorism”, the relevant regulatory legal acts of the Bank of Russia and the Federal Service for Financial Monitoring,
- Legislation on special economic measures and coercive measures, including the Federal Law of December 30, 2006 N 281-FZ “On Special Economic Measures and Coercive Measures”,
- Legislation regulating electronic document flow, including the Federal Law dated 06.04.2011 N 63-FZ “On Electronic Signature”.
The Company processes the following categories of personal data subjects:
- Company’s employees,
- Relatives of the Company’s employees,
- former employees of the Company,
- members of the Board of Directors and candidates to the Board of Directors,
- shareholders of the Company,
- candidates for job vacancies,
- subjects of personal data with whom the Company has concluded contracts for the provision of services,
- representatives of counterparties engaged in interaction with the Company,
- persons under the insurance contract (insured persons, beneficiaries, owners and beneficial owners of clients (insureds)),
- insurance agents and insurance brokers (their representatives),
- third parties when the Company has the right to pursue a subrogation claim against such third party.
The Company collects and processes only the personal data that is necessary to achieve the purposes stated in this Policy.
The Company processes special categories of personal data: health data (conclusion and execution of personal insurance contracts, medical check-up of employees as required by law), criminal record (legal requirements for officers of an insurance company).
The Company does not process biometric personal data.
The Company processes personal data – collection, recording, systematization, accumulation, storage, clarification, update, change, extraction, use, blocking, provision, access, transfer, destruction and distribution – in the following ways: automated, non-automated, mixed processing.
When collecting personal data, the Company ensures the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
The Company ensures the confidentiality of personal data it processes.
The Company has the right to transfer personal data to authorized bodies or third-party organizations in accordance with the requirements of the current legislation (in particular, labour, tax, insurance, social security, pension, military registration legislation).
The Company has the right to transfer personal data to third parties (including cross-border transfer) subject to obtaining consent from the personal data subject and to concluding an agreement containing the obligations of such third parties to maintain confidentiality and ensure the security of personal data.
The Company distributes personal data (publishes personal data on the Company’s website) in cases prescribed by law (disclosure of information by insurance organizations), and may distribute personal data if a separate consent of the personal data subject to data dissemination is obtained in accordance with the terms of such consent.
The terms of personal data retention (storage) are determined in accordance with the period of validity of civil law relations between the subject of personal data and the Company, the limitation period, the period of retention of documents on paper and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the period of validity of the consent of the subject to the processing of his/her personal data.
The Company destroys personal data when the purposes of personal data processing are achieved, or if the subject of personal data withdraws their consent to processing (if the Company is not entitled to carry out processing without the consent of the subject of personal data).
The Company takes measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the legislation of the Russian Federation in the field of personal data, in particular, to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other illegal actions.
These measures include, but are not limited to:
- the appointment of a person responsible for organizing the processing of personal data;
- the development of local acts relating to the Company’s processing of personal data;
- the implementation of internal control over the compliance of personal data processing with the requirements of the current legislation of the Russian Federation in the field of personal data;
- the assessment of the harm that may be caused by the processing of personal data, and its correlation with the measures taken in the Company;
- familiarizing Company employees with the requirements of the current legislation of the Russian Federation in the field of personal data, as well as their training;
- the application of organizational and technical measures to ensure the security of personal data during its processing in personal data information systems;
- the assessment of the effectiveness of security measures prior to the commissioning of the personal data information system;
- detecting the fact of unauthorized access to personal data and taking action;
- setting the rules for access to personal data processed in the personal data information system;
- regular monitoring of the measures taken to ensure the security of personal data and the level of protection of information systems of personal data;
- restoration of personal data modified or destroyed due to unauthorized access to it.
The Company has the right to process personal data in accordance with the legislation on personal data for the purposes listed in this Policy. The Company can at its own discretion determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the duties of a personal data operator stipulated by the legislation on personal data.
The main responsibilities of the Company as a personal data operator include:
- providing information to the subject of personal data at his or her request in accordance with the legislation on personal data;
Within 10 working days from the date of receipt of the personal data subject’s or his/her representative’s inquiry, the Company shall inform the personal data subject or his/her representative, if the Company processes their data, and shall provide them with an opportunity to familiarize with these personal data free of charge. In case of refusal to provide such information/access the Company shall provide a written motivated response containing a reference to a specific provision of the legislation that is the basis for such refusal.
- making the necessary changes to the personal data within a period not exceeding seven working days from the date the subject of personal data or his/her representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant;
- destroying personal data within a period not exceeding seven working days from the date the subject of personal data or his/her representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing;
- eliminating violations of the law committed during the processing of personal data – clarifying, blocking and destroying personal data – in the manner and on the grounds provided for by the current legislation on personal data;
- in appropriate cases, explaining to the subject of personal data the legal consequences of refusing to provide his or her personal data;
- in appropriate cases, if the personal data is not received from the personal data subject, before the processing of such personal data, providing the personal data subject with information in accordance with the legislation on personal data;
- when collecting personal data, including via the internet, ensuring the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation;
- taking the necessary legal, organizational and technical measures or ensuring their adoption to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
- providing information at the request of the authorized body;
- appointing a person responsible for organizing the processing of personal data;
- disclosing the Company’s policy on personal data processing;
- notifying the authorized body in accordance with the procedure and within the terms established by the law if the Company learns of the fact of unlawful or accidental transfer (provision, dissemination, access) of personal data resulting in violation of the rights of personal data subjects;
- other obligations established by the legislation on personal data.
The Company can process personal data for the purpose of promoting the Company’s services by means of direct contact with a potential customer only subject to obtaining the prior consent of the personal data subject.
The Company does not make any decisions that have legal consequences for personal data subjects or otherwise affect their rights and legitimate interests on the basis of solely automated processing of personal data.
Subjects of personal data have the right: to access their personal data in the manner prescribed by law and this Policy.
- Subjects of personal data have the right to receive information about the processed personal data related to the relevant personal data subject, including:
- confirmation of the fact of the processing of personal data by the Company;
- indication of the legal grounds and established purposes for the processing of personal data;
- methods of processing personal data used by the Company;
- information about the Company as an operator processing personal data (name and location);
- information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company (including instructions from the operator) or on the basis of federal law(s), with the exception of employees who have access to personal data in connection with the performance of official (functional) duties;
- a list of processed personal data related to the specific subject and the source of personal;
- the terms of processing personal data, including the terms of its retention;
- the procedure for exercising the rights of subjects of personal data provided for by law;
- information on the ways in which the Company fulfils the obligations established by the legislation on personal data;
- information about the ongoing or intended cross-border transfer of personal data;
- information on compliance by the Company with the requirements for ensuring the security of personal data and other requirements of the law;
- other information provided by the law.
- to require the Company to clarify or update their personal data,
- to require the Company to block or destroy their personal data (in cases provided for by the law),
- to withdraw his/her consent to personal data processing,
- to appeal against the actions or inactions of the Company as a personal data operator to the authorized body for the protection of the rights of personal data subjects or in court.
Subjects of personal data are required to provide complete and accurate personal data necessary for the implementation of legal relations arising between the subject of personal data and the Company. The Company is not responsible for possible losses / costs that may arise in connection with the provision of incomplete or inaccurate personal data by the subject or failure by the subject to inform the Company of a change in his/her personal data.
To exercise the rights listed above, the subject of personal data should send a written request in free form to the Company (to the Company’s postal address or e-mail address indicated on the Company’s website) or apply in person.
Any written request from the subject of personal data (request for information, access, withdrawal of consent, request for clarification, updating, blocking or destruction) must contain the number of the principal identification document of the subject of personal data, information on the date of issue of the specified document and its authority and the handwritten signature of the subject of personal data. The request can be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. When personally applying to gain access to personal data, the subject of personal data must have an identification document with him / her.
All requests from personal data subjects are considered by the person appointed in the Company responsible for organizing the processing of personal data (the “Responsible Person”).
The Responsible Person is obliged to consider the received inquiries of personal data subjects and provide an appropriate response (to provide the subject with the opportunity to become acquainted with his or her personal data) within 10 working days from the date of receipt of the request. The specified period may be extended, but not more than by 5 business days if the Company sends a reasoned notice to the subject of personal data indicating the reasons for extending the period for providing the requested information.
The right to access personal data may be limited in accordance with the provisions of applicable law. In this case, a written reasoned refusal must be sent to the subject of personal data with reference to specific provisions of the law.
If the person’s appeal does not contain the required details (passport data, personal signature, if applicable – supporting documents), the Responsible Person shall notify the sender within a reasonable time, but in any case within 10 working days, of the need to correct the deficiencies. In this case, the deadline for providing a response begins to run from the date when the Company receives a duly executed and signed request.
The Company has the right not to respond to anonymous requests, as well as to requests that do not contain a return address, that cannot be read, or that contain obscene or offensive expressions or threats.
If a request (requirement) is received from the subject to correct or clarify incomplete, inaccurate, or outdated personal data, the Responsible Person checks the availability and content of supporting documents and ensures that the necessary corrections are made to the documents and databases in which personal data is processed within seven business days from the receipt of the request. The Responsible Person is obliged to notify the subject of personal data about the changes made and the measures taken and to take reasonable steps to notify third parties to whom the personal data of this subject was transferred.
If information is received from the subject of personal data confirming that the relevant personal data was illegally obtained or not necessary for the stated purpose of processing, the Responsible Person is obliged to ensure the destruction of such personal data within seven working days from the date of receipt of the information.
The Policy is approved by the CEO of the Company and shall remain valid until it is revoked or changed.
The Policy is publicly available on the Company’s official internet website.
Persons guilty of violating the norms governing the processing and protection of personal data shall be liable under the laws of the Russian Federation, local acts of the Company and contracts governing the Company’s legal relations with third parties.
Date and time of information update: 17.01.2024 at 17:00