логотип компании
home Sitemapsitemap
Русский Oct 24, 2018 06:05
(GMT+3)
Latest news
Oct 18, 2018
69th meeting of Council for Rail Transport of the Commonwealth Member States opens in Moscow
Oct 16, 2018
RZD Holding exports modern high-speed technology to Serbia
Oct 11, 2018
Temporary changes to timetable of train number 13/14 Strizh Moscow - Berlin
Oct 11, 2018
Russian Railways to lay on doubled Allegro trains during New Year holidays
Oct 11, 2018
RZD Holding and Belarusian Railways agree to joint development of China-Europe-China transit services
Oct 11, 2018
Get 60% discount on Leo Tolstoy train from October to December
News archive
Home
The Company
Personal Data Processing and Protection Policy (JSCo "RZD")

Personal Data Processing and Protection Policy (JSCo "RZD")

I. General Provisions

II. Basic Concepts

III. Purposes of Personal Data Processing

IV. Principles and Conditions of Personal Data Processing

V. Personal Data Subjects

VI. Processed Personal Data

VII. Personal Data Processing at JSCo “RZD”

VIII. Rights of Personal Data Subjects

IX. Operator’s Duties

X. Personal Data Safety

 

I. General Provisions

1. This document developed based on the Constitution of the Russian Federation, the Labour Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Laws "On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", "On Personal Data", "On Information, Information Technologies and Information Protection" as well as other regulations of the Russian Federation and regulatory documents of JSCo "RZD" establishes the unified corporate objectives, principles and rules of personal data processing at JSCo "RZD" and determines the key measures implemented by JSCo "RZD" to ensure personal data protection.

2. JSCo "RZD", being the operator that processes personal data, shall ensure protection of the rights and freedoms of subjects with regard to processing of their personal data as well as take measures to ensure that the duties provided for in the Federal Law "On Personal Data" and the regulations passed in accordance therewith are performed.

3. This document shall be publicly available and shall be posted on the official site of JSCo "RZD".

II. Basic Concepts

4. The following concepts are used in this document:

  • user of JSCo "RZD" services means a passenger, consignor, consignee or another person or entity that uses the services provided by JSCo "RZD";
  • personal data means any information related, directly or indirectly, to a specific or identifiable individual (personal data subject);
  • personal data subjects mean users of JSCo "RZD" services, personnel of JSCo "RZD", as well as other persons whose personal data became known due to provision of social benefits, guarantees and compensations by JSCo "RZD" to them;
  • operator means a state body, municipal body, entity or person, which, individually or jointly with other persons, organizes and/or carries out processing of personal data, as well as determines the purposes of personal data processing, structure of personal data subject to processing, actions (operations) performed with personal data;
  • special categories of personal data mean personal data of personal data subjects, which pertains to race, national identity, political views, religious or philosophical beliefs, state of health, privacy and record of conviction;
  • information system means a set of information contained in databases as well as information technologies and technological tools used for its processing;
  • personal data processing means any action (operation) or a set of actions (operations) performed with personal data with or without the use of automation aids, including collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transmission (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data;
  • destruction of personal data means actions which result in the impossibility to restore the contents of personal data in the information system of personal data and/or destruction of tangible media bearing personal data;
  • cross-border transfer of personal data means transfer of personal data to the territory of the foreign state to a regulatory body of the foreign state, foreign person or foreign entity;
  • confidentiality of personal data means the requirement binding on the operator not to disclose personal data to third parties and to prevent the distribution of personal data without the consent of personal data subjects or availability of another lawful ground;
  • personal data protection means the operator’s activities aimed at preventing leakage of the protected personal data, unauthorized and accidental impact on the protected personal data.

III. Purposes of Personal Data Processing

5. Personal data of users of JSCo "RZD" services is processed for the following purposes:

  • to execute transport agreements and provide additional services during transportation;
  • to ensure transport safety;
  • to improve the quality of passenger service and the affordability of railroad transportation by implementation of additional loyalty and incentive programs for users of JSCo "RZD" services.

6. Personal data of individuals who are in contract and other civil law relations with JSCo "RZD" is processed for the purpose of executing the contracts entered into therewith.

7. Personal data of personnel of JSCo "RZD" is processed for the purpose of ensuring the performance of contractual agreements with employees, performance of social obligations, as well as for other purposes provided for in the Articles of Association and other regulatory documents of JSCo "RZD".

IV. Principles and Conditions of Personal Data Processing

8. Personal data shall be processed at JSCo "RZD" in compliance with the principles and rules provided for in the Federal Law "On Personal Data", taking into account the necessity to ensure protection of the rights and freedoms of personal data subjects, including protection of the right to privacy, personal and family secret, namely:

  • processing shall be carried out on a lawful and equitable basis;
  • processing shall be limited to achievement of the specific, predetermined and lawful purposes. The personal data processing incompatible with the purposes of its collection shall not be allowed;
  • integration of the databases containing the personal data which is processed for incompatible purposes shall not be allowed;
  • only personal data meeting the purposes of processing shall be processed;
  • the contents and volume of the processed personal data shall meet the specified purposes of processing. The processing of data excessive in relation to the specified purposes shall not be allowed;
  • accuracy and sufficiency of the personal data and, if necessary, actuality in relation to the processing purposes shall be ensured during processing. JSCo "RZD" shall take measures to remove or update incomplete or inaccurate data or shall ensure that such measures are taken;
  • personal data shall be stored in the form which makes it possible to determine the personal data subject for no longer than the purposes of personal data processing require, unless the personal data retention period is set by the federal law or a contract to which the personal data subject is a party, beneficiary or guarantor;
  • unless otherwise provided by the federal law, processed personal data shall be destroyed or depersonalized when the processing purposes are achieved or in case there is no more need for achieving these purposes.

9. Personal data shall be processed at JSCo "RZD" with the consent of the personal data subject, unless otherwise provided by the laws of the Russian Federation. When processing personal data, JSCo "RZD" shall ensure its confidentiality.

V. Personal Data Subjects

10. JSCo "RZD" processes personal data of the following categories of personal data subjects: users of JSCo "RZD" services, individuals who are in contract and other civil law relations with JSCo "RZD", employees of JSCo "RZD" and other personal data subjects (to ensure the achievement of the processing purposes specified in section III hereof).

VI. Processed Personal Data

11. JSCo "RZD" processes the following personal data of users of services:

  • surname, first name, patronymic;
  • day, month, year of birth;
  • place of birth;
  • type and No. of the identity document used to buy a travel document (for minors – birth certificate or its notarized copy);
  • point of departure, point of destination, route type (direct, transit);
  • trip date.

In accordance with loyalty and incentive programs for users of JSCo "RZD" services, the following personal data may also be processed:

  • gender;
  • date and place of birth;
  • contact telephone number;
  • email address;
  • full mailing address of the program participant;
  • nationality;
  • taxpayer identification number.

JSCo "RZD" may also process other personal data of users of JSCo "RZD" services, which is necessary for achievement of the processing purposes specified in clause 5 hereof.

12. Personal data of employees, which is processed at JSCo "RZD", shall be determined based on the Labour Code of the Russian Federation and regulatory documents of JSCo "RZD".

13. Personal data of employees of JSCo "RZD", which pertains to the state of health, shall be processed in accordance with the requirements of the Federal Laws "On Personal Data" and "On Fundamental Healthcare Principles in the Russian Federation".

14. Personal data of special categories, except for the data on the state of health of employees, as well as biometric personal data may be processed in the cases provided for in the laws of the Russian Federation.

VII. Personal Data Processing at JSCo “RZD”

15. Personal data shall be processed with the consent of the personal data subjects, unless otherwise provided by the laws of the Russian Federation.

16. Personal data may be processed with the use of computer aids (automated processing) or with direct human involvement without the use of computer aids (non-automated processing).

17. Only those employees of JSCo "RZD" whose job duties include personal data processing may be allowed to process personal data.

Said employees may receive only that personal data which they require to perform their job duties.

18. Personal data shall be processed by means of:

  • receipt of information containing personal data, both orally and in writing, directly from personal data subjects;
  • provision by personal data subjects of original copies of the required documents;
  • receipt of duly certified copies of documents containing personal data or copying of original documents;
  • receipt of personal data as a response to requests sent to public authorities, State non-budgetary funds, other state bodies, local authorities, commercial and non-commercial
  • organizations, individuals in the cases and in the manner provided for in the Russian Federation laws;
  • receipt of personal data from public sources;
  • recording (logging) of personal data in logs, books, registers and other account forms;
  • entry of personal data into the information systems of JSCo "RZD";
  • use of other aids and ways of recording personal data received in the course of activities conducted by JSCo "RZD".

19. Transfer of personal data to third parties (including cross-border transfer) shall be subject to written consent of personal data subjects, except where it is necessary for the purpose of preventing danger to life and health of personal data subjects, as well as in other cases prescribed by the Russian Federation laws.

When transferring personal data to third parties according to the concluded contracts, JSCo "RZD" shall ensure the obligatory performance of the requirements of the laws of the Russian Federation and the regulatory documents of JSCo "RZD" in the field of personal data.

20. Transfer of personal data to authorized executive bodies (Federal Tax Service of the Russian Federation, Pension Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund of the Russian Federation, etc.) shall be in compliance with the requirements of the Russian Federation laws.

21. Cross-border transfer of personal data to the territory of the foreign states that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of personal data subjects, shall be in accordance with the Federal Law "On Personal Data" and may be forbidden or limited for the purpose of protecting the foundations of the constitutional system of the Russian Federation, public morals, health, rights and legitimate interests of citizens, and ensuring national defense and safety.

Cross-border transfer of personal data to the territory of a foreign state that is not a party to the said Convention shall be in accordance with legal acts of the Russian Federation subject to compliance of the legal rules in force in that state and the applied personal data security measures with the provisions of the Convention.

22. JSCo "RZD" may engage another legal entity or individual entrepreneur to process personal data with the consent of personal data subjects based on the concluded contract. The legal entity or individual entrepreneur that processes personal data on the instructions of JSCo "RZD" shall comply with the principles and rules of personal data processing provided for in the personal data laws of the Russian Federation.

23. Where JSCo "RZD" engages another legal entity or individual entrepreneur to process personal data based on a contract, the material term of such contract shall be the duty of the said entity to ensure the confidentiality and safety of personal data during its transfer or processing.

24. Personal data shall be stored at JSCo "RZD" in the form which makes it possible to determine the personal data subject for no longer than the purposes of personal data processing require. Personal data shall be destroyed when the processing purposes are achieved or in case there is no more need for achieving these purposes. The period of storing personal data at JSCo "RZD" shall be determined in accordance with the laws of the Russian Federation and regulatory documents of JSCo "RZD".

VIII. Rights of Personal Data Subjects

25.    Personal data subject may:

  • receive full information related to processing of its personal data at JSCo “RZD”, except as otherwise provided by the Russian Federation laws;
  • demand the correction of incorrect or incomplete personal data, as well as the data processed in violation of the requirements of the Russian Federation laws;
  • demand blocking or destruction of his/her personal data where such personal data is incomplete, outdated, inaccurate, received illegally or is not necessary for the specified purpose of processing;
  • demand that all persons to which his/her incorrect or incomplete personal data was communicated earlier are notified of all changes made thereto;
  • withdraw his/her consent to personal data processing;
  • appeal against the operator’s acts and omissions during processing of his/her personal data in accordance with the Russian Federation laws;
  • exercise other rights provided by the Russian Federation laws.

IX. Operator’s Duties

26. When processing personal data, JSCo "RZD" shall:

  • use reasonable efforts to perform the operator’s duties provided by the personal data processing and protection laws of the Russian Federation;
  • explain to the personal data subject the legal consequences of his/her refusal to provide personal data in case such provision is required under the Russian Federation laws;
  • block personal data processed unlawfully;
  • stop personal data processing in accordance with the Russian Federation laws;
  • notify the personal data subject of correction of the committed violations or destruction of his/her personal data;
  • at the request of the personal data subject or his/her representative, provide the information related to processing of his/her personal data in the manner prescribed by the laws of the Russian Federation and regulatory documents of JSCo "RZD".

27. For the purpose of taking measures necessary for the performance of the duties provided for in the laws of the Russian Federation and regulatory documents of JSCo "RZD", President of JSCo "RZD" shall appoint a person in charge of personal data processing and protection at JSCo "RZD".

28. The person in charge of personal data processing and protection at JSCo "RZD" shall:

  • arrange that legal, organizational and technical measures are taken to ensure protection of personal data processed at JSCo "RZD" against unlawful or accidental access thereto, destruction, change, blocking, copying, distribution of personal data, as well as against other illegal acts with respect to personal data;
  • ensure internal control over compliance at JSCo "RZD" with the requirements of the laws of the Russian Federation and the regulatory documents of JSCo "RZD" in the field of personal data, including the requirements to personal data protection;
  • arrange that the provisions of personal data laws of the Russian Federation, the regulatory documents of JSCo "RZD" regarding personal data processing, as well as the requirements to personal data protection are communicated to employees of JSCo "RZD";
  • arrange the receipt and processing of requests from personal data subjects or their representatives, as well as control the receipt and processing of such requests at JSCo "RZD".

X. Personal Data Safety

29. Safety of personal data during its processing at JSCo "RZD" shall be ensured in accordance with the laws of the Russian Federation and the requirements of the authorized state body for protection of the rights of personal data subjects, the federal executive body for safety control, and the federal executive body for technical intelligence countermeasures and technical protection of information.

30. JSCo "RZD" shall take necessary organizational and technical measures to protect personal data from accidental or unauthorized access, destruction, change, blocking of access and other unauthorized actions.

31. Protection measures implemented by JSCo "RZD" during personal data processing shall include:

  • adoption of local regulatory documents and other documents in the field of personal data processing and protection;
  • appointment of officials responsible for the personal data safety in business units and information systems of JSCo "RZD";
  • organization of training of, and methodological work with, employees that process personal data at JSCo "RZD";
  • arrangement of the necessary conditions for work with tangible media and information systems in which personal data is processed;
  • arrangement of accounting of tangible media bearing personal data and information systems in which the personal data is processed;
  • storage of tangible media bearing personal data with observance of the conditions which ensure safety of personal data and exclude unauthorized access thereto;
  • isolation of personal data processed without the use of automation aids from other information;
  • separate storage of tangible media bearing personal data, which contain personal data of different categories or personal data processed for different purposes;
  • prohibition on transmission of personal data via open communication channels, computer networks and Internet without the use of the measures established at JSCo "RZD" for ensuring personal data safety;
  • protection of documents containing personal data on paper and other tangible media during their transfer to third parties with the use of postage service;
  • internal control over compliance at JSCo "RZD" with the laws of the Russian Federation and regulatory documents of JSCo "RZD" during personal data processing.

32. The liability for violation of the requirements of the laws of the Russian Federation and regulatory documents of JSCo "RZD" with regard to personal data processing and protection shall be determined in accordance with the Russian Federation laws.

screenRenderTime=1

© 2003-2018, Russian Railways
Mass Media Registration Certificate El. No. ФС77-25927
When using any material from the site reference to rzd.ru is obligatory

The Company | Passengers | Freight | Press Centre | Investor Relations | Contacts | Search