I. General Provisions

II. Basic Concepts

III. Purposes of Personal Data Processing

IV. Principles and Conditions of Personal Data Processing

V. Personal Data Subjects

VI. Processed Personal Data

VII. Personal Data Processing at JSC RZD

VIII. Rights of Personal Data Subjects

IX. Operator’s Duties

X. Personal Data Safety

I. General Provisions

1. This document has been developed on the basis of the Constitution of the Russian Federation, the Labour Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Laws "On the Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", "On Personal Data", and "On Information, Information Technologies and Information Protection" as well as other regulations of the Russian Federation and regulatory documents of "JSC RZD", and establishes the unified corporate objectives, principles and rules of personal data processing at "JSC RZD", and determines the key measures implemented by "JSC RZD" to ensure personal data protection.

2. As the operator processing personal data, JSC RZD shall ensure protection of the rights and freedoms of subjects with regard to processing of their personal data and shall take measures to ensure that the duties provided for in the Federal Law "On Personal Data" and the regulations passed in accordance therewith are performed.

3. This document shall be publicly available and shall be posted on the official site of "JSC RZD".

II. Basic Concepts

4. The following concepts are used in this document:

  • user of "JSC RZD" services – a passenger, consignor, consignee or another person or entity that uses the services provided by "JSC RZD";
  • personal data – any information related, directly or indirectly, to a specific or identifiable individual (personal data subject);
  • personal data subjects – users of "JSC RZD" services, personnel of "JSC RZD", as well as other persons whose personal data became known as a result of JSC RZD providing them with social benefits, guarantees or compensation;
  • operator – a state body, municipal body, entity or person, which, individually or jointly with other persons, organizes and/or carries out processing of personal data, and determines the purposes of personal data processing, the structure of personal data subject to processing, and the actions (operations) performed with personal data;
  • special categories of personal data – the personal data of personal data subjects, which pertains to race, national identity, political views, religious or philosophical beliefs, health status, privacy and criminal record;
  • information system – information contained in databases and the information technologies and technological tools used for processing such information;
  • personal data processing – any action (operation) or a set of actions (operations) performed with personal data with or without the use of automation tools, including the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transmission (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data;
  • destruction of personal data – actions which result in the impossibility of restoring the content of personal data in the personal data information system and/or the destruction of tangible media carrying personal data;
  • cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state for use by a regulatory body of a foreign state, or by a foreign person or foreign entity;
  • confidentiality of personal data – a requirement binding on the operator to not disclose personal data to third parties and to prevent the distribution of personal data without the consent of personal data subjects or the availability of other lawful grounds to do so;
  • personal data protection – activities of the operator aimed at preventing leaks of protected personal data, and unauthorized and accidental impact on the protected personal data.

III. Purposes of Personal Data Processing

5. The personal data of users of "JSC RZD" services is processed for the following purposes:

  • to execute transport agreements and provide additional services during transportation;
  • to ensure transport safety;
  • to improve the quality of passenger services and the affordability of railroad transportation through the implementation of additional loyalty and incentive programmes for users of "JSC RZD" services.

6. The personal data of individuals who are in contract and other civil law relations with "JSC RZD" is processed for the purpose of executing the contracts entered into therewith.

7. The personal data of JSC RZD personnel is processed for the purpose of ensuring the performance of contractual agreements with employees, the performance of social obligations, and for other purposes provided for in the Articles of Association and other regulatory documents of "JSC RZD".

IV. Principles and Conditions of Personal Data Processing

8. Personal data shall be processed at "JSC RZD" in compliance with the principles and rules provided for in the Federal Law "On Personal Data", taking into account the necessity to ensure protection of the rights and freedoms of personal data subjects, including protection of the right to privacy and the right to personal and family secrets. Specifically:

  • Processing shall be carried out on a lawful and equitable basis;
  • Processing shall be limited to achievement of the specific, predetermined and lawful purposes. Processing of personal data that is incompatible with the purposes of its collection shall not be allowed;
  • Integration of databases containing personal data collected for purposes that are incompatible with the purposes established herein shall not be allowed;
  • Only personal data that satisfies the purposes of processing shall be processed;
  • The content and volume of the processed personal data shall meet the specified purposes of processing. The processing of data that is superfluous to the specified purposes shall not be allowed;
  • The accuracy and sufficiency of the personal data and, if necessary, its relevance in relation to the processing purposes shall be ensured during processing. "JSC RZD" shall take measures to remove or update incomplete or inaccurate data or shall ensure that such measures are taken;
  • Personal data shall be stored in a form that makes it possible to determine the personal data subject for no longer than the purposes of personal data processing require, unless the personal data retention period is set by federal law or a contract to which the personal data subject is a party, beneficiary or guarantor;
  • Unless otherwise provided by federal law, processed personal data shall be destroyed or depersonalized when the processing purposes are achieved or in the event that there is no longer any need for achieving these purposes.

9. Personal data shall be processed at "JSC RZD" with the consent of the personal data subject, unless otherwise provided by the laws of the Russian Federation. When processing personal data, "JSC RZD" shall ensure its confidentiality.

V. Personal Data Subjects

10. "JSC RZD" processes personal data of the following categories of personal data subjects: users of "JSC RZD" services, individuals who are in contract and other civil law relations with "JSC RZD", employees of "JSC RZD" and other personal data subjects (to ensure the achievement of the processing purposes specified in Section III hereof).

VI. Processed Personal Data

11. "JSC RZD" processes the following personal data of users of its services:

  • surname, first name, patronymic;
  • day, month, year of birth;
  • place of birth;
  • type and number of the identity document used to buy a travel document (for minors – birth certificate or a notarized copy);
  • point of departure, point of destination, route type (direct, transit);
  • trip date.

In accordance with loyalty and incentive programmes for users of "JSC RZD" services, the following personal data may also be processed:

  • gender;
  • date and place of birth;
  • contact telephone number;
  • email address;
  • full mailing address of the programme participant;
  • nationality;
  • taxpayer identification number.

"JSC RZD" may also process other personal data of users of "JSC RZD" services, as necessary for achieving the purposes specified in Clause 5 hereof.

12. The personal data of employees, processed at "JSC RZD", shall be determined based on the Labour Code of the Russian Federation and regulatory documents of "JSC RZD".

13. The personal data of employees of "JSC RZD" that pertains to health status shall be processed in accordance with the requirements of the federal laws "On Personal Data" and "On Fundamental Principles of Healthcare in the Russian Federation".

14. The personal data of special categories, with the exception of data on the health status of employees, as well as biometric personal data may be processed in the cases provided for in the laws of the Russian Federation.

VII. Personal Data Processing at “JSC RZD”

15. Personal data shall be processed with the consent of the personal data subjects, unless otherwise provided by the laws of the Russian Federation.

16. Personal data may be processed with the use of computer aids (automated processing) or with direct human involvement without the use of computer aids (non-automated processing).

17. Only those employees of "JSC RZD" whose job duties include personal data processing may be allowed to process personal data.

Said employees may only receive personal data required to perform their job duties.

18. Personal data shall be processed through:

  • the receipt of information containing personal data, both orally and in writing, directly from personal data subjects;
  • the provision by personal data subjects of original copies of the required documents;
  • the receipt of duly certified copies of documents containing personal data or copying of original documents;
  • the receipt of personal data as a response to requests sent to public authorities, state non-budgetary funds, other state bodies, local authorities, commercial and non-commercial organizations, and individuals in the cases and in the manner provided for by the laws of the Russian Federation;
  • the receipt of personal data from public sources;
  • the recording (logging) of personal data in logs, books, registers and other account forms;
  • the entry of personal data into the information systems of "JSC RZD";
  • the use of other aids and ways of recording personal data received in the course of activities conducted by "JSC RZD".

19. The transfer of personal data to third parties (including cross-border transfer) shall be subject to the written consent of personal data subjects, except where it is necessary for the purpose of preventing danger to the life and health of personal data subjects, as well as in other cases prescribed by the laws of the Russian Federation.

When transferring personal data to third parties according to concluded contracts, "JSC RZD" shall ensure the obligatory performance of the requirements of the laws of the Russian Federation and the regulatory documents of "JSC RZD" regarding personal data.

20. The transfer of personal data to authorized executive bodies (the Federal Tax Service of the Russian Federation, the Pension Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund of the Russian Federation, etc.) shall be in compliance with the requirements of the laws of the Russian Federation.

21. The cross-border transfer of personal data to the territory of foreign states that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of personal data subjects, shall be in accordance with the Federal Law "On Personal Data" and may be forbidden or limited for the purpose of protecting the foundations of the constitutional system of the Russian Federation as well as public morals, health, rights and legitimate interests of citizens, and ensuring national defence and safety.

The cross-border transfer of personal data to the territory of a foreign state that is not a party to the said Convention shall be in accordance with legal acts of the Russian Federation subject to compliance of the legal rules in force in that state and the applied personal data security measures with the provisions of the Convention.

22. "JSC RZD" may engage another legal entity or individual entrepreneur to process personal data with the consent of personal data subjects based on the contract concluded with them. The legal entity or individual entrepreneur that processes personal data at the instructions of "JSC RZD" shall comply with the principles and rules of personal data processing provided for in the personal data laws of the Russian Federation.

23. Where "JSC RZD" engages another legal entity or individual entrepreneur to process personal data on the basis of a contract, the material terms of such contract shall be the duty of the said entity to ensure the confidentiality and safety of personal data during its transfer or processing.

24. Personal data shall be stored at "JSC RZD" in a form that makes it possible to determine the personal data subject for no longer than the purposes of personal data processing require. Personal data shall be destroyed when the processing purposes are achieved or in the event that there is no longer any need for achieving these purposes. The period of storing personal data at "JSC RZD" shall be determined in accordance with the laws of the Russian Federation and regulatory documents of "JSC RZD".

VIII. Rights of Personal Data Subjects

25. Personal data subjects may:

  • receive full and complete information related to the processing of their personal data at “JSC RZD”, unless otherwise provided by the laws of the Russian Federation;
  • demand the correction of incorrect or incomplete personal data, as well as the data processed in violation of the requirements of the laws of the Russian Federation;
  • demand that their personal data be blocked or destroyed in the event that such personal data is incomplete, outdated or inaccurate, has been obtained illegally or is not necessary for the specified purpose of processing;
  • demand that all persons to which incorrect or incomplete personal data was communicated earlier are notified of all changes made thereto;
  • withdraw their consent to personal data processing;
  • appeal against the operator’s actions and omissions during the processing of their personal data in accordance with the laws of the Russian Federation;
  • exercise other rights provided by the laws of the Russian Federation.

IX. Operator’s Duties

26. When processing personal data, "JSC RZD" shall:

  • use reasonable efforts to perform the operator’s duties provided by the personal data processing and protection laws of the Russian Federation;
  • explain to the personal data subject the legal consequences of his/her refusal to provide personal data in the event that such provision is required under the laws of the Russian Federation;
  • block personal data that has been processed unlawfully;
  • stop processing personal data as provided for by the laws of the Russian Federation;
  • notify the personal data subject of any violations that have been made in the processing of his/her personal data, any corrections made thereto or the destruction thereof;
  • at the request of the personal data subject or his/her representative, provide information related to processing of his/her personal data in the manner prescribed by the laws of the Russian Federation and regulatory documents of "JSC RZD".

27. For the purpose of taking measures necessary for the performance of the duties provided for in the laws of the Russian Federation and regulatory documents of "JSC RZD", the Chief Executive Officer of "JSC RZD" shall appoint a person in charge of personal data processing and protection at "JSC RZD".

28. The person in charge of personal data processing and protection at "JSC RZD" shall:

  • ensure that legal, organizational and technical measures are taken to ensure the protection of personal data processed at "JSC RZD" against unlawful or accidental access thereto, as well as against the destruction, modification, blocking, copying or distribution of personal data, and other illegal acts with respect to personal data;
  • ensure internal control over compliance at "JSC RZD" with the requirements of the laws of the Russian Federation and the regulatory documents of "JSC RZD" on personal data, including personal data protection requirements;
  • ensure that the provisions of personal data laws of the Russian Federation, the regulatory documents of "JSC RZD" on personal data processing, and personal data protection requirements are communicated to JSC RZD employees;
  • arrange the receipt and processing of requests from personal data subjects or their representatives, as well as control the receipt and processing of such requests at "JSC RZD".

X. Personal Data Security

29. The security of personal data during its processing at "JSC RZD" shall be ensured in accordance with the laws of the Russian Federation and the requirements of the authorized state body for protection of the rights of personal data subjects, the federal executive body for safety control, and the federal executive body for technical intelligence countermeasures and technical protection of information.

30. "JSC RZD" shall take the necessary organizational and technical measures to protect personal data from accidental or unauthorized access, destruction, modification, blocking of access and other unauthorized actions.

31. Data protection measures implemented by "JSC RZD" during personal data processing shall include:

  • local regulatory documents and other documents related to personal data processing and protection;
  • appointing officials responsible for the personal data security in business units and information systems of "JSC RZD";
  • training employees that process personal data at "JSC RZD";
  • organizing the necessary conditions for working with tangible media and information systems in which personal data is processed;
  • organizing the accounting of tangible media that carries the personal data and the information systems in which the personal data is processed;
  • storing tangible media that carries the personal data observing conditions to ensure the safety of personal data and exclude unauthorized access thereto;
  • isolating personal data processed without the use of automation aids from other information;
  • separating the storage of media carrying personal data that contains data of different categories or personal data processed for different purposes;
  • prohibiting the transmission of personal data via open communication channels, computer networks and the internet without the use of the measures established at "JSC RZD" for ensuring personal data safety;
  • protecting documents containing personal data on paper and other tangible media during their transfer to third parties using the postal service;
  • exercising internal control over compliance at "JSC RZD" with the laws of the Russian Federation and regulatory documents of "JSC RZD" during personal data processing.

32. Liability for violating the requirements of the laws of the Russian Federation and regulatory documents of "JSC RZD" with regard to personal data processing and protection shall be determined in accordance with the laws of the Russian Federation.