Политика en

POLICY OF PERSONAL DATA PROTECTION AND PROCESSING
INDUSTRIAL UNION OF MARKET PARTICIPANTS OF VIBRATION-PRESSED PRODUCTS AND LANDscaping ELEMENTS

Voronezh
30.06.2025

1. General Provisions
1.1. This Policy of the INDUSTRIAL UNION OF PARTICIPANTS IN THE MARKET OF VIBROPRESSED PRODUCTS AND LANDSCAPING ELEMENTS (hereinafter referred to as the Policy) has been developed in compliance with the requirements of clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of human and civil rights and freedoms when processing his personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by the Industry Union of Market Participants of Vibro-Pressed Products and Landscaping Elements (hereinafter referred to as the Operator or OSVPI).
1.3. The Policy applies to the processing of personal data that the Operator has obtained both before and after the approval of this Policy.
1.4. In accordance with Part 2 of Article 18.1 of the Law on Personal Data, this Policy is publicly available on the Internet at the Operator's website - https://forymosvpi.tilda.ws/forymosvpien/.
2. Terms and Abbreviations
Personal data (PD) is any information relating to a directly or indirectly identified or identifiable physical person (subject of personal data).
Personal data authorized by the subject of personal data for distribution is personal data to which an unlimited number of persons have been granted access by the subject of personal data by giving consent to the processing of personal data authorized by the subject of personal data for distribution.
Personal data operator (operator) is a state body, municipal body, legal entity or individual who independently or jointly with other persons organize and (or) process personal data, as well as determine the purposes of personal data processing, the composition of personal data to be processed, and actions (operations) performed with personal data.
Personal data processing is any action (operation) or a set of actions (operations) with personal data performed using or without using automation tools, on paper and electronic media, as well as on the website https://forymosvpi.tilda.ws/forymosvpien. Personal data processing includes the following:
· collection;
· recording;
· systematization;
· accumulation;
· storage;
· clarification (update, modification);
· extraction;
· use;
· transfer (provision, access);
· distribution;
· anonymization;
· blocking;
· deletion;
· destruction.
Automated processing of personal data is the processing of personal data using computer technology.
Providing personal data is an action aimed at disclosing personal data to a certain person or a certain circle of people.
Dissemination of personal data is an action aimed at disclosing personal data to an unspecified group of people.
Blocking of personal data is the temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data).
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
Personal data anonymization is an action that makes it impossible to identify a particular personal data subject without using additional information.
A personal data information system is a collection of personal data contained in databases and the information technologies and technical means that support their processing.
Cross-border transfer of personal data is the transfer of personal data to a foreign government agency, a foreign individual, or a foreign legal entity in a foreign country.
Personal data protection is an activity aimed at preventing the leakage of protected personal data and unauthorized and unintentional impacts on protected personal data.
3. Procedure and conditions for processing and storage of personal data
3.1. Processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. Processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
3.3. Consent to the processing of personal data, permitted by the subject of personal data for distribution, is issued separately from other consent of the subject of personal data to the processing of his personal data.
3.4. Consent to the processing of personal data permitted by the subject of personal data for distribution may be provided to the operator:
· directly;
· using the information system of the authorized body for protecting the rights of subjects of personal data.
3.5. The Operator carries out both automated and non-automated processing of personal data.
3.6. The Operator's employees, whose official duties include processing personal data, are allowed to process personal data.
3.7. Personal data is processed by:
· obtaining personal data verbally and in writing directly from the subject of personal data, who agrees to the processing or dissemination of their personal data;
· entering personal data into the Operator's logs, registers, and information systems;
· using other methods of processing personal data.
3.8. Disclosure to third parties and dissemination of personal data is not allowed without the consent of the subject of personal data, unless otherwise provided by federal law.
3.9. Transfer of personal data to investigative and law enforcement agencies, the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorized executive authorities and organizations.
3.10. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:
· identifies security threats to personal data during its processing;
· adopts local regulations and other documents governing relations in the field of personal data processing and protection;
· appoints individuals responsible for ensuring the security of personal data in the Operator's structural units and information systems;
· creates the necessary conditions for working with personal data;
· organizes the registration of documents containing personal data;
· organizes work with information systems that process personal data;
· stores personal data in conditions that ensure its safety and prevent unauthorized access to it;
·organizes training for the Operator's employees who process personal data.
3.11. The Operator stores personal data in a form that allows for the identification of the subject of personal data for no longer than necessary for the purposes of personal data processing, unless a federal law, contract, or agreement establishes a longer period of storage.
3.12. When collecting personal data, including through the information and telecommunications network Internet, the Operator provides recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except for the cases specified in the Law on personal data.
3.13. The purposes of processing personal data:
3.13.1. Only personal data that meet the purposes of their processing are subject to processing.
3.13.2. The Operator processes personal data for the following purposes:
· ensuring compliance with the Constitution, federal laws, and other regulatory legal acts of the Russian Federation;
· carrying out its activities in accordance with the Operator's contractual relations;
· monitoring the quantity and quality of the work performed, and ensuring the safety of property;
· filling out and submitting required reporting forms to executive authorities and other authorized organizations;
· carrying out civil law relations;
· maintaining accounting records.

3.14.3. Personal data of employees may be processed solely for the purpose of ensuring compliance with laws and other regulatory acts.

3.15. Categories of personal data subjects.
The following personal data subjects are processed:
· individuals who are in a contractual relationship with the Operator;
· individuals who interact with the Operator;
· individuals who are in a civil relationship with the Operator.
3.16. Personal data processed by the Operator:
· data obtained during contractual relationships;
· data obtained for interaction purposes;
· data obtained during civil relationships.
3.17. Storage of personal data.
3.17.1. Personal data of subjects can be received, further processed, and stored both on paper and in electronic form.
3.17.2. Personal data recorded on paper is stored in locked cabinets or in locked rooms with limited access.
3.17.3. Personal data of subjects processed using automation tools for different purposes is stored in separate folders.
3.17.4. It is not allowed to store and place documents containing PD in open electronic catalogs (file-sharing services) in the ISPD.
3.17.5. PD is stored in a form that allows the PD subject to be identified for no longer than is necessary for the purposes of their processing, and it is subject to destruction once the processing purposes have been achieved or if the need for them has been lost.
3.17. Destruction of PD.
3.17.1. Destruction of documents (media) containing PD is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. The use of a shredder is allowed for the destruction of paper documents.
3.17.2. PD on electronic media is destroyed by erasing or formatting the media.
3.17.3. The fact of destruction of PD is confirmed by a document on the destruction of media.
4. Personal Data Protection
4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS), consisting of legal, organizational, and technical protection subsystems.
4.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents that ensure the creation, operation, and improvement of the PDPS.
4.3. The organizational protection subsystem includes the organization of the PD management structure, the authorization system, and information protection when working with employees, partners, and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and hardware tools that ensure the protection of PD.
4.4. The main measures for protecting PD used by the Operator are:
4.5.1. Designation of a person responsible for the processing of PD, who is responsible for organizing the processing of PD, training and instruction, and internal control over compliance with the requirements for the protection of PD by the institution and its employees.
4.5.2. Identification of current threats to the security of PD during its processing in the ISPD and development of measures and activities to protect PD.
4.5.3. Development of a policy regarding the processing of personal data.
4.5.4. Establishment of rules for accessing PD processed in the ISPD, as well as ensuring the registration and accounting of all actions performed with PD in the ISPD.
4.5.5. Establishment of individual passwords for employees' access to the information system in accordance with their work duties.
4.5.6. Use of information security products that have passed the established conformity assessment procedure.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with the conditions that ensure the safety of PD and exclude
unauthorized access to them.
4.5.9. Detection of unauthorized access to personal data and taking measures.
4.5.10. Restoration of PD that has been modified or destroyed due to
unauthorized access.
4.5.11. Implementation of internal control and audits.
5. Basic rights of the PD subject and the Operator's responsibilities
5.1. Basic rights of the PD subject.
The subject has the right to access to his personal data and the following information:
· confirmation of the fact of PD processing by the Operator;
· legal grounds and purposes of PD processing;
· purposes and methods of PD processing used by the Operator;
· the name and location of the Operator, information about persons (with the exception of the Operator's employees) who have access to PD or to whom PD may be disclosed based on a contract with the Operator or based on a federal law;
· the terms of processing personal data, including the terms of their storage;
· the procedure for exercising the rights provided for by this Federal Law by the PD subject;
· name or surname, first name, patronymic, and address of the person who processes personal data on behalf of the Operator, if the processing has been or will be entrusted to such a person;
· contacting the Operator and sending requests to them;
· appealing against the actions or inaction of the Operator.
5.2. The Operator's responsibilities.
The Operator is obliged to:
· provide information about the processing of personal data when collecting it;
· notify the subject if personal data has been obtained from a source other than the subject;
· if the subject is denied access to personal data, the consequences of such a denial are explained;
· publish or otherwise provide unlimited access to a document that defines its policy regarding the processing of personal data, as well as information about the implemented requirements for the protection of personal data;
· to take the necessary legal, organizational, and technical measures or ensure that they are taken to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, provision, and dissemination of PD, as well as from other unauthorized actions in relation to PD;
· to respond to requests and appeals from PD subjects, their representatives, and the authorized body for protecting the rights of PD subjects.
6. Updating, correcting, deleting, and destroying personal data, and responding to requests from subjects for access to personal data
6.Updating, correcting, deleting, and destroying personal data, responding to requests from subjects for access to personal data
6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, are provided by the Operator to the subject of personal data or their representative upon request or upon receipt of a request from the subject of personal data or their representative.
The request must contain:
· the number of the main document that identifies the personal data subject or their representative, information about the date of issue of this document and the issuing authority;
· information confirming the personal data subject's participation in relations with the Operator (the number of the contract, the date of conclusion of the contract, a conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing personal data by the Operator;
· the signature of the personal data subject or their representative.
Запрос может быть направлен в форме электронного документа и подписан электронной подписью в соответствии с законодательством Российской Федерации.
Право субъекта персональных данных на доступ к его персональным данным может быть ограничено в соответствии с ч. 8 ст. 14 Закона о персональных данных, в том числе если доступ субъекта персональных данных к его персональным данным нарушает права и законные интересы третьих лиц.
6.2. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
The right of a personal data subject to access to their personal data may be restricted in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject's access to their personal data violates the rights and legitimate interests of third parties.
6.3. In the event of the identification of the unlawful processing of personal data upon the appeal (request) of the subject of personal data or his representative or Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to this subject of personal data from the moment of such appeal or receipt of the request.
6.4. Upon the achievement of the purposes of processing personal data, as well as in the event of the withdrawal of the subject of personal data consent to their processing, personal data shall be destroyed, unless:
· otherwise provided for by the contract, the party to which, the beneficiary or guarantor of which is the subject of personal data;
· the operator does not have the right to process personal data without the subject's consent, unless required by the Personal Data Act or other federal laws;
· otherwise provided for by another agreement between the Operator and the subject of personal data.
7. Final provisions
7.1. Responsibility for violation of the requirements of the legislation of the Russian Federation and regulatory documents of the OSDPI. in the field of personal data is determined in accordance with the legislation of the Russian Federation.
7.2. This Policy comes into force from the moment of approval and is valid indefinitely until the adoption of a new Policy.
7.3. All changes and additions to this Policy must be approved in accordance with the established procedure.

30.06.2025 г.

POLITIKA ZAPROSHCHENIYA I OBRABOTKI PERSONALNYKH DANNÝKH

COMPANY INDUSTRIAL UNION OF MARKET PARTICIPANTS OF VIBROPRESSOVANNYKH IZDELI I ELEMENTOV BLAGOUSTROISTVOI
109004, Moscow,
ul. Nikoloyamskaya d.43 k.4 pomeshch.3/9
INN 9709111067 PKP 770901001