Dear users! You are on the new web portal of Russian Railways

I. General Provisions

1. The Personal Data Processing Policy of JSCo "RZD" (the "Policy"), developed in accordance with the Federal Law "On Personal Data", establishes the goals, basic principles and rules for processing personal data and determines the key measures to ensure the security of personal data.

2. This Policy has been developed to implement the requirements of the Russian Federation laws in the field of personal data at JSCo "RZD", as well as to ensure the protection of the rights of individuals when processing their personal data.

3. The provisions of this Policy provide the basis for developing and updating administrative, organizational and legal documents (the "regulatory documents") of JSCo "RZD", which regulate the processing of personal data of various categories of personal data subjects, as well as the procedure for implementing measures to protect personal data being processed.

These regulatory documents are developed by the business units of JSCo "RZD" in the prescribed manner.

4. The provisions of this Policy are binding on employees of JSCo "RZD" who have access to personal data.

II. Basic Concepts

5. The following concepts are used in this Policy:

  • personal data security means the state of protection of personal data, which is characterized by the ability of users, technological tools and information technologies to ensure the confidentiality, integrity and availability of personal data when it is processed in information systems;
  • biometric personal data means data that characterizes the physiological and biological characteristics of a person, based on which such person’s identity can be established and which is used by JSCo "RZD" to establish the identity of a personal data subject;
  • personal data protection means the activities aimed at preventing leakage of the protected personal data, unauthorized and accidental impact on the protected personal data;
  • information system means a set of information (personal data) contained in databases as well as information technologies and technological tools used for its processing;
  • confidentiality of personal data means the binding requirement not to disclose personal data to third parties and to prevent the distribution of personal data without the consent of personal data subjects or availability of another lawful ground;
  • personal data processing means any action (operation) or a set of actions (operations) performed with personal data with or without the use of automation aids, including collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transmission (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data;
  • personal data means any information related, directly or indirectly, to a specific or identifiable individual (personal data subject);
  • user of JSCo "RZD" services means a passenger, consignor, consignee or another person or entity that uses the services provided by JSCo "RZD";
  • personal data subjects mean users of JSCo "RZD" services, employees of JSCo "RZD" and their close relatives, jobseekers (applicants), pensioners registered with JSCo "RZD" and their representatives, as well as other persons whose personal data became known due to provision of social benefits, guarantees and compensations by JSCo "RZD" to them, or performance of functions and tasks assigned to JSCo "RZD";
  • special categories of personal data mean personal data of personal data subjects, which pertains to race, national identity, political views, religious or philosophical beliefs, state of health, privacy and record of conviction;
  • cross-border transfer of personal data means transfer of personal data to the territory of the foreign state to a regulatory body of the foreign state, foreign person or foreign entity;
  • destruction of personal data means actions which result in the impossibility to restore the contents of personal data in the information system and/or destruction of tangible media bearing personal data.

III. Purposes of Personal Data Processing

6. JSCo "RZD" processes personal data for the following purposes:

  • to execute transport agreements and provide additional services during transportation;
  • to ensure transport safety;
  • to improve the quality of service and the affordability of railroad transportation by implementing additional loyalty and incentive programs for users of JSCo "RZD" services;
  • to provide information on the services rendered, on the development of new products and services, as well as on the services provided by subsidiaries and affiliates of JSCo "RZD";
  • to collect and develop ideas aimed at improving the train management;
  • to examine startup projects with innovative solutions;
  • to conduct promotional campaigns, surveys, marketing, statistical and other research activities;
  • to perform the contracts entered into with individuals who are in contract and other civil law relations with JSCo "RZD";
  • to work with personnel, including to engage and select candidates for employment by JSCo "RZD", subsidiaries and affiliates of JSCo "RZD";
  • to perform contractual agreements with employees;
  • to ensure that social benefits, guarantees and compensations are provided by JSCo "RZD";
  • to perform and exercise the functions, powers and duties assigned by the laws of the Russian Federation to JSCo "RZD", as well as to achieve the goals stipulated by the international treaties of the Russian Federation or the laws.

IV. Principles and Rules of Personal Data Processing

7. The processing of personal data at JSCo "RZD" shall be carried out in compliance with the following principles and rules:

  • processing shall be carried out on a lawful and equitable basis;
  • processing shall be limited to achievement of the specific, predetermined and lawful purposes;
  • personal data processed shall meet the purposes of processing, and the volume and content of such data shall comply with the stated purposes of processing;
  • integration of the databases containing the personal data which is processed for incompatible purposes shall not be allowed;
  • accuracy and sufficiency of personal data and, if necessary, actuality in relation to the processing purposes shall be ensured during processing, and the measures to remove or clarify incomplete or inaccurate data shall be taken or the adoption of such measures shall be ensured;
  • personal data shall be stored in the form which makes it possible to determine the personal data subject for no longer than the purposes of personal data processing require, unless the personal data retention period is set by the federal law or a contract to which the personal data subject is a party, beneficiary or guarantor;
  • unless otherwise provided by the laws of the Russian Federation, personal data processed shall be destroyed or depersonalized when the processing purposes are achieved or in case there is no more need for achieving these purposes.

8. Personal data shall be processed at JSCo "RZD" with the consent of the personal data subject, unless otherwise provided by the laws of the Russian Federation.

9. When processing personal data, JSCo "RZD" shall respect the confidentiality of such data.

V. Rights of Personal Data Subject

10. Personal data subject may:

  • receive full information related to processing of his/her personal data at JSCo "RZD", except as otherwise provided by the Russian Federation laws;
  • demand that his/her personal data is updated, blocked or destructed, where such personal data is incomplete, outdated, inaccurate, received illegally or is not necessary for the specified purpose of processing;
  • demand that all persons to which his/her incorrect or incomplete personal data was communicated earlier are notified of all changes made thereto;
  • withdraw his/her consent to personal data processing;
  • appeal against the acts and omissions of JSCo "RZD" during processing of his/her personal data in accordance with the laws of the Russian Federation;
  • exercise other rights provided by the laws of the Russian Federation.

VI. Categories and Volume of Personal Data Processed

11. The content and volume of the personal data processed shall be determined by the purposes of processing such data, as set forth in Section III of the Policy, and shall be stated in the consent of the personal data subject to the processing of his/her personal data, except where personal data may be processed without obtaining such consent.

12. The processing of personal data that is redundant in relation to the stated purpose of processing shall not be allowed.

13. Special categories of personal data, as well as biometric personal data of personal data subjects shall be processed at JSCo "RZD" in the manner prescribed by the laws of the Russian Federation.

VII. Organization of Personal Data Processing

14. For the purposes of implementing the rights of personal data subjects, JSCo "RZD" shall, when processing their personal data:

  • use reasonable efforts to perform the duties provided by the laws of the Russian Federation;
  • explain to the personal data subject the legal consequences of his/her refusal to provide personal data in case such provision is required under the laws of the Russian Federation;
  • block, clarify and destroy unlawfully processed personal data, as well as stop such unlawful processing;
  • notify the personal data subject of correction of the committed violations or destruction of his/her personal data;
  • at the request of the personal data subject or his/her representative, provide the information related to processing of his/her personal data in the manner prescribed by the laws of the Russian Federation and regulatory documents of JSCo "RZD".

15. In order to effectively organize the processing of personal data, JSCo "RZD" shall appoint a person responsible for organizing the processing of personal data, and such person shall, in accordance with the established powers, ensure:

  • development and updating of regulatory documents of JSCo "RZD" on the processing and protection of personal data;
  • that the provisions of the laws of the Russian Federation, the regulatory documents of JSCo "RZD" regarding personal data processing, as well as the requirements to personal data protection are communicated to employees of JSCo "RZD";
  • that legal, organizational and technical measures are taken to protect personal data, including that processed in information systems, against unlawful or accidental access thereto, destruction, change, blocking, copying, distribution of personal data, as well as against other illegal acts with respect to personal data;
  • internal control over compliance by JSCo "RZD" with the requirements of the laws of the Russian Federation and the regulatory documents of JSCo "RZD" in the field of personal data, including the requirements to personal data protection;
  • control over the processing of requests from personal data subjects or their representatives regarding the violations of personal data laws committed by employees of JSCo "RZD";
  • interaction with state bodies on the protection of personal data.

16. Personal data shall be processed at JSCo "RZD" with the use of computer aids (automated processing) or with direct human involvement without the use of computer aids (non-automated processing).

17. The managers of JSCo "RZD" so authorized by the employer, and only those employees of JSCo "RZD" whose job duties include personal data processing may be allowed to process personal data.

Said managers and employees may process only that personal data which they require to perform their job duties.

18. Transfer of personal data to third parties (including cross-border transfer) shall be subject to written consent of personal data subjects, except where it is necessary for the purpose of preventing danger to life and health of personal data subjects, as well as in other cases prescribed by the laws of the Russian Federation.

19. Transfer of personal data to state bodies shall be carried out in accordance with the requirements of the laws of the Russian Federation.

20. Cross-border transfer of personal data to the territory of the foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, other foreign states that ensure adequate protection of the rights of personal data subjects, as well as to the territory of a foreign state that is not a party to the said Convention, shall be in accordance with the laws of the Russian Federation.

21. JSCo "RZD" may entrust the processing of personal data to another legal entity or individual entrepreneur with the consent of personal data subjects based on a contract, the material term of which contract shall be the duty of the contractor to ensure the confidentiality of personal data and its safety during processing.

22. When collecting personal data, including with the use of the Internet, an information and telecommunication network, JSCo "RZD" shall ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of the Russian Federation citizens using databases located in the territory of the Russian Federation, except as otherwise provided by the laws of the Russian Federation.

23. The period of storing personal data at JSCo "RZD" shall be determined in accordance with the laws of the Russian Federation and regulatory documents of JSCo "RZD".

24. Safety of personal data, including when processing it in information systems, shall be ensured in accordance with the laws of the Russian Federation and the requirements of the authorized state body for protection of the rights of personal data subjects, the federal executive body for safety control, and the federal executive body for technical intelligence countermeasures and technical protection of information.

VIII. Final Provisions

25. The liability for violating the requirements of the laws of the Russian Federation and regulatory documents of JSCo "RZD" in the field of personal data shall be determined in accordance with the laws of the Russian Federation.

26. This Policy shall be publicly available and shall be posted on the official site of JSCo "RZD".