This personal data processing and protection policy (the Policy) was approved by Thuricum Insurance Company JSC (the Company) for the purpose of implementing the requirements of the current legislation of the Russian Federation in the field of personal data and disclosing the methods and principles of its processing. It also includes a list of measures used by the Company to ensure the security of personal data.
The Policy is approved by the CEO of the Company, is publicly available and is subject to publication on the Company’s official internet website at http://www.thuricum.ru/.
This Policy applies to all processes related to the processing of personal data by the Company.
Personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data)
Personal data operator – state body, municipal body, legal or natural person, independently or jointly with other persons organizing and / or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions or operations performed with personal data
Personal data processing – any action or operation or set of actions or operations with personal data performed with or without the use of automation tools. The processing of personal data includes, but is not limited to:
- collection
- recording
- organizing
- accumulation
- storage
- clarification (update, change)
- extraction
- usage
- transfer (distribution, provision, access)
- depersonalization
- blocking
- removal
- destruction
Automated processing of personal data – processing of personal data using computer technology
Providing personal data – action aimed at disclosing personal data to a certain person or a certain circle of persons
Blocking of personal data – temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data)
Personal data destruction – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and /or as a result of which material carriers of personal data are destroyed
Personal data depersonalization – actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without using additional information
Personal data information system – a set of personal data contained in databases as well as information technologies and technical means ensuring the processing of personal data
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state, a foreign state authority, a foreign individual or a foreign legal entity
Ensuring confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information / not to provide access to such information to third parties without the consent of its owner
Personal data subject – a natural person who is directly or indirectly identified or can be identified using personal data
The Company ensures compliance with the principles of personal data processing established by Article 3 of the Federal Law-152 “On Personal Data”, in particular:
- legality and fairness
- specific, predefined, and legitimate purposes of processing
- prohibition of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other
- compliance of the volume of personal data with the purposes of processing (data should not be redundant)
- accuracy, sufficiency and relevance
- storage within specified time limits
- confidentiality
The main responsibilities of the Company as a personal data operator include:
- providing information to the subject of personal data at his or her request in accordance with the legislation on personal data
- within 10 days from the date of receipt of the request of the subject of personal data or his or her representative, informing the subject of personal data or his or her representative in the manner prescribed by law about the availability of personal data relating to the respective subject of personal data, as well as providing the opportunity to become acquainted with the personal data when contacting the subject of personal data or his or her representative or, in case of refusal to provide information / access, providing a reasoned written response referring to the specific legal provision upon which that refusal is based
- making the necessary changes to the personal data within a period not exceeding seven working days from the date the subject of personal data or his or her representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant
- destroying personal data within a period not exceeding seven working days from the date the subject of personal data or his or her representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing
- in appropriate cases, explaining to the subject of personal data the legal consequences of refusing to provide his or her personal data
- in appropriate cases, if the personal data is not received from the personal data subject, before the processing of such personal data, providing the personal data subject with information in accordance with the legislation on personal data
- when collecting personal data, including via the internet, ensuring the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except as otherwise provided by law
- taking the necessary legal, organizational and technical measures or ensuring their adoption to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data
- providing information at the request of the notified body
- eliminating violations of the law committed during the processing of personal data – clarifying, blocking and destroying personal data – in the manner and on the grounds provided for by the current legislation on personal data
- appointing a person responsible for organizing the processing of personal data
- other obligations established by the legislation on personal data
The Company is obliged to take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the legislation on personal data. The Company is obliged to take (or ensure the adoption of) the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision or distribution, as well as from other illegal actions in relation to personal data.
Subjects of personal data have the right:
- to access their personal data in the manner prescribed by law and this Policy
- to receive information regarding the processing of their personal data (see Section IX)
- to require the Company to clarify their personal data, block or destroy that personal data if it is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing
- to appeal against the actions or inactions of the Company as a personal data operator to the authorized body for the protection of the rights of personal data subjects or in court
The data subject’s right to familiarize themselves with their personal data and to receive information regarding its processing may be limited by the legislation of the Russian Federation.
Subjects of personal data are required to provide complete and accurate personal data necessary for the implementation of legal relations arising between the subject of personal data and the Company. The Company is not responsible for possible losses / costs that may arise in connection with the provision of incomplete or inaccurate personal data by the subject. In the event of a change in personal data, the subject of personal data must immediately inform the Company.
The Company processes personal data for the following purposes:
Implementation of insurance activity
- concluding and executing insurance contracts (co-insurance, reinsurance)
- settling losses and insurance payments
- concluding and executing contracts with insurance intermediaries
- complying with the requirements of the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism
- organizing and implementing (independently or with the involvement of third parties) the external and internal control and audit of the Company
- fulfilling other requirements of insurance legislation (in particular, complying with the requirements for qualification and business reputation of the Company’s officials)
Implementation of general business activity
- concluding and executing civil law contracts in the course of the Company’s business activities
- verifying counterparties, implementing due diligence procedures; tendering
Processing of personal data for the purposes of HR administration
- the Company performing its duties and exercising its rights as an employer
- conducting interviews, making hiring decisions
- complying with the requirements of current labour legislation of the Russian Federation
- assisting employees in finding employment
- employee training; assistance in training and career advancement
- ensuring the personal safety of employees
- controlling the quantity and quality of work performed and ensuring the safety of property
- business trips and their organization (transfers, accommodation, meals, etc.)
- provision of corporate mobile communication services
- opening a bank account for payroll and other payments
- insurance in external organizations, registration of voluntary medical insurance policies
- compliance with the requirements of the law when concluding employment contracts with foreign persons (issuing visas, work permits, etc.)
- reporting
- maintaining military records
Other purposes of processing necessary for the Company to carry out its activities
- backup and storage of information
- archival storage of personal data after contract termination
- registration of powers of attorney (for employees of the Company or third parties)
- participation in civil, arbitration, criminal, administrative proceedings, as well as the execution of judicial acts
- interaction with regulatory authorities
- ensuring the security and proper functioning of information systems, databases, software and / or technical and other means, as well as the information contained in them
The legal basis for the processing of personal data is a set of legal acts, in pursuance of which and in accordance with which the Company processes personal data, in particular:
- Insurance legislation of the Russian Federation, including the Law of the Russian Federation dated 27 November 1992, N 4015-I “On the organization of insurance business in the Russian Federation”, regulatory legal acts of the Bank of Russia
- Legislation on Joint Stock Companies, in particular Federal Law No. 208-FZ dated 26 December 1995 “On Joint Stock Companies”
- Legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, in particular the Federal Law dated 7 August 2001, N 115-FZ “On Counteracting the Legalization (Laundering) of Criminally Obtained Incomes and Financing of Terrorism”, the relevant regulatory legal acts of the Bank of Russia and the Federal Service for Financial Monitoring
- The Labour Code of the Russian Federation and other regulations governing labour relations
- Pension legislation, social security legislation, tax legislation
- Regulations that establish requirements for the storage of documents (in particular, Instruction of the Bank of Russia dated 12 September 2018, N 4902-U “On the list of documents the safety of which must be ensured by insurers, and the requirements for ensuring the safety of such documents”)
- contracts the Company concludes with subjects of personal data, or the beneficiaries of which are subjects of personal data (insured persons, beneficiaries under insurance contracts)
- consent to the processing of personal data (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the Company)
The Company has the right to process personal data if it is necessary to exercise the rights and legitimate interests of the Company or third parties.
The Company has notified the authorized body for the protection of the rights of subjects of personal data about the processing of personal data.
The Company processes the following categories of personal data subjects:
- Company’s employees
- former employees of the Company
- candidates for job vacancies
- persons under the insurance contract (insured persons, beneficiaries, other persons specified in the insurance contract, and persons whose personal data is necessary for the execution of the insurance contract (in particular, employees of the insurers))
- owners and beneficial owners of clients (insureds)
- insurance agents and insurance brokers (individuals and individual entrepreneurs)
- representatives of insurance agents and insurance brokers (legal entities)
- subjects of personal data with whom the Company has concluded contracts for the provision of other (non-insurance) services
- representatives of counterparties engaged in interaction with the Company, not related to insurance activities
The Company collects and processes only those personal data that are necessary to achieve the goals stated in this Policy.
The Company processes special categories of personal data (information about criminal records, health status) in accordance with the requirements of the current legislation of the Russian Federation (in particular, to verify compliance with the qualification requirements provided for by insurance legislation), as well as on the basis of the written consent of the subject of personal data.
The Company does not process biometric personal data.
The Company processes personal data – collection, recording, systematization, accumulation, storage, clarification, update, change, extraction, use, distribution, provision, access, transfer (including cross-border), depersonalization, blocking and destruction – in the following ways: automated and non-automated processing.
When collecting personal data, the Company ensures the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, with the exception of cases provided for by the requirements of the current legislation of the Russian Federation.
The Company ensures the confidentiality of personal data that is not publicly available.
The Company has the right to transfer personal data to authorized bodies or third-party organizations in accordance with the requirements of the current legislation of the Russian Federation (in particular, labour, tax, insurance legislation of the Russian Federation, legislation on combating legalization (laundering) of proceeds from crime and financing of terrorism, legislation on auditing, legislation on joint stock companies, legislation in the field of social and pension security, legislation on military registration in the Russian Federation).
The Company has the right to transfer personal data to third parties on the basis of the consent of the subject of personal data and in the presence of an agreement concluded with them, containing the obligations of such third parties to maintain confidentiality and ensure the security of personal data. The Company transfers personal data in the following cases:
- to conclude and execute reinsurance contracts (the Company also carries out cross-border transfer of personal data to the territory of the country of the reinsurer). The Company has the right to transfer to the reinsurer the personal data contained in insurance contracts
- for claim settlement purposes
- to carry out backup (including cross-border transfer of personal data to other persons of the Company)
- to transfer personal data of the Company’s employees as part of the implementation of labour legal relations between the parties (for issuing bank cards as part of a salary project, drawing up voluntary medical insurance contracts, issuing passes to the Company’s office and other cases, as provided by the employee’s written consent)
- for the purpose of external audit and mandatory actuarial valuation
- for the purpose of obtaining services from third parties (including outsourcing contracts), in particular from lawyers, external consultants, IT companies
The Company has the right to entrust the storage of documents, including personal data, to a third party on the basis of an agreement.
The Company has the right to transfer personal data to authorized state authorities and the Bank of Russia at their reasoned request.
The terms of storage of personal data are determined in accordance with the period of validity of civil law relations between the subject of personal data and the Company, the limitation period, the period of storage of documents on paper and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the period of validity of the consent of the subject to the processing of his personal data.
The Company takes measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the legislation of the Russian Federation in the field of personal data, in particular, to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other illegal actions.
These measures include, but are not limited to:
- the appointment of a person responsible for organizing the processing of personal data, responsible for ensuring the security of personal data in information systems, responsible for ensuring the security of the premises where personal data is processed
- the development of local acts relating to the Company’s processing of personal data
- the implementation of internal control over the compliance of personal data processing with the requirements of the current legislation of the Russian Federation in the field of personal data
- the assessment of the harm that may be caused by the processing of personal data, and its correlation with the measures taken in the Company
- familiarizing Company employees with the requirements of the current legislation of the Russian Federation in the field of personal data, as well as their training
- the identification of threats to the security of personal data during its processing in personal data information systems
- the application of organizational and technical measures to ensure the security of personal data during its processing in personal data information systems
- the assessment of the effectiveness of security measures prior to the commissioning of the personal data information system
- detecting the fact of unauthorized access to personal data and taking action
- setting the rules for access to personal data processed in the personal data information system
- regular monitoring of the measures taken to ensure the security of personal data and the level of protection of information systems of personal data
Subjects of personal data or their legal representatives (hereinafter – subjects of personal data) have the right:
- to receive information about the processed personal data related to the relevant personal data subject, including personal data containing:
  - information about the Company as an operator processing personal data (name and location)
  - confirmation of the fact of the processing of personal data by the Company
  - indication of the legal grounds and established purposes for the processing of personal data
  - methods of processing personal data used by the Company
  - information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company (including instructions from the operator) or on the basis of federal law(s), with the exception of employees whose access is provided in connection with the performance of official (functional) duties
  - a list of processed personal data related to a specific subject
  - the source of personal data receipt, unless a different procedure for the provision of such data is provided by law
  - the terms of processing personal data, including the terms of its storage
  - the procedure for exercising the rights of subjects of personal data provided for by Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”
  - information about the ongoing or intended cross-border transfer of personal data, indicating the name of the country
  - other information provided by Federal Law dated 27 July 2006, No. 152-FZ “On Personal Data”, which may include compliance with the conditions and principles of personal data processing, information on compliance with the requirements for ensuring the security of personal data, and possible restrictions on the access of subjects of personal data to their personal data
- to familiarize themselves with the personal data available in the Company and related to the respective subject of personal data
- to require updating, clarification of the relevant personal data
- to request the blocking or destruction of personal data in cases provided for by law
- to revoke their consent to the processing of personal data at any time
To exercise the rights listed above, the subject of personal data should send a written request to the Company (to the Company’s postal address or e-mail address indicated on the Company’s website) or apply in person. Withdrawal of consent is sent in the form of Appendix 1 to this Policy. A request for information, a request for clarification, updating, blocking or destruction is sent by the subject of personal data in writing in free form with copies of the documents substantiating the request attached.
Any written request from the subject of personal data (request for information, access, withdrawal of consent, request for clarification, updating, blocking or destruction) must contain the number of the principal identification document of the subject of personal data, information on the date of issue of the specified document and the authority that issued it, and the handwritten signature of the subject of personal data. The request can be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. When personally applying to gain access to personal data, the subject of personal data must have an identification document with him / her.
All requests from personal data subjects are considered by the person in the Company appointed as responsible for organizing the processing of personal data (the “Responsible Person”).
The Responsible Person is obliged to consider the received appeals of personal data subjects and provide an appropriate response (to provide the subject with the opportunity to become acquainted with his or her personal data) within 10 working days from the date of receipt of the request. The specified period may be extended, but by no more than 5 business days, if the Company sends a reasoned notice to the subject of personal data indicating the reasons for extending the period for providing the requested information.
The right to access personal data may be limited in accordance with the provisions of applicable law. In this case, a written reasoned refusal must be sent to the subject of personal data with reference to specific provisions of the law.
If the person’s appeal does not contain the required details (passport data, personal signature, if applicable – supporting documents), the Responsible Person shall notify the sender within a reasonable time, but in any case within 10 working days, of the need to correct the deficiencies. In this case, the deadline for providing a response begins to run from the date when the Company receives a duly executed and signed request.
The Company has the right not to respond to anonymous requests, as well as to requests that do not contain a return address, that cannot be read, or that contain obscene or offensive expressions or threats.
If a request (requirement) is received from the subject to correct or clarify incomplete, inaccurate, or outdated personal data, the Responsible Person checks the availability and content of supporting documents and ensures that the necessary corrections are made to the documents and databases in which personal data is processed within seven business days from the receipt of the request. The Responsible Person is obliged to notify the subject of personal data about the changes made and the measures taken and to take reasonable measures to notify third parties to whom the personal data of this subject were transferred.
If information is received from the subject of personal data confirming that the relevant personal data was illegally obtained or not necessary for the stated purpose of processing, the Responsible Person is obliged to ensure the destruction of such personal data within seven working days from the date of receipt of the information.
If the subject of personal data withdraws consent to the processing of his / her personal data, the Responsible Person is obliged:
- to notify the relevant subject of personal data about the possible consequences of withdrawing consent to the processing of personal data
- if there is a valid agreement with the subject, to ensure the termination of the processing of personal data for purposes that go beyond the fulfillment of contractual obligations to the subject, as well as other obligations of the Company established by law
- in the absence of a valid agreement with this subject, to stop processing the subject’s personal data and destroy personal data within a period not exceeding seven working days from the date of receipt of the said withdrawal, unless otherwise provided by applicable law
The Responsible Person considers requests and / or appeals of the authorized body for the protection of the rights of personal data subjects and ensures that a response is sent within the time period established by the request.
Withdrawal of consent to the processing of personal data
To Thuricum Insurance Company JSC
From ________________________________________
last name, first name, patronymic, address of the subject of personal data
I,___________________________________________________________________________________
__________________________________________________________________________ (last name, first name, patronymic, address of the subject of personal data, number of the main identification document, information about the date of issue of the specified document and the issuing authority)
in accordance with paragraph 2 of Article 9 of the Federal Law dated 27 July 2006, No. 152-FZ “On Personal Data”, withdraw from Thuricum Insurance Company JSC my consent to the processing of my personal data _______________________ (indicate the list of personal data) by____________
(indicate actions – collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (provision, access), depersonalization, blocking, deletion and destruction of personal data) and ask you to stop processing that personal data.
I hereby confirm that I have been notified that Thuricum Insurance Company JSC has the right to continue processing data after the withdrawal of my consent if the processing is necessary for the purposes of fulfilling the contract concluded with me, as well as for other purposes provided for by Federal Law No. 152-FZ “On Personal Data”, including Articles 9, 6 and 10.
Date
Signature
Date and time of information update: 08.09.2022 at 09:00