Personal Data Processing Policy

This Personal Data Processing Policy (hereinafter – the Policy) is approved by Zurich Reliable Insurance JSC (the Company) to implement the requirements of the current legislation of the Russian Federation in the field of personal data. It discloses the methods and principles of personal data processing and includes a list of measures applied by the Company to ensure the security of personal data.

The Policy is approved by the CEO of the Company, is publicly available and is subject to publication on the Company’s official internet website at http://www.zurich.ru/.

I. Basic concepts used in the Policy

Personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);

Personal data operator – a state body, municipal body, legal or natural person that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;

Personal data processing – any action (operation) or a set of actions (operations) with personal data performed with the use of automation tools or without their use. The processing of personal data includes, but is not limited to:

  • collection;
  • recording;
  • organizing;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • use;
  • transfer (distribution, provision, access);
  • depersonalization;
  • blocking;
  • removal;
  • destruction.

Automated processing of personal data – processing of personal data using computer technology;

Providing personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data – temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data);

Personal data destruction – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

Personal data depersonalization – actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without using additional information;

Personal data information system – a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;

Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity;

Ensuring confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information or provide access to it to third parties without the consent of its owner;

Personal data subject – a natural person who is directly or indirectly identified or can be identified using personal data.

II. General provisions

This Policy applies to all personal data processing processes of all categories of personal data subjects.

The Company ensures compliance with the principles of personal data processing established by Article 3 of Federal Law No. 152-FZ "On Personal Data", in particular:

  • legality and fairness,
  • specific, predefined and legitimate purposes of processing,
  • prohibition of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other,
  • correspondence of the volume of personal data to the purposes of processing (data should not be redundant),
  • accuracy, sufficiency and relevance,
  • storage within the specified time limits,
  • confidentiality.

III. Rights and obligations of the Company and subjects of personal data

The main responsibilities of the Company as a personal data operator include:

  • Provide information to the subject of personal data at his request in accordance with the legislation on personal data;
  • Within thirty days from the date of receipt of the request of the subject of personal data or his representative, inform the subject of personal data or his representative in the manner prescribed by law about the availability of personal data relating to the respective subject of personal data, as well as provide the opportunity to get acquainted with these personal data when contacting the subject of personal data or his representative, or, in case of refusal to provide information / access, provide in writing a reasoned response containing a reference to the specific legal provision that is the basis for such refusal;
  • Make the necessary changes to the personal data within a period not exceeding seven working days from the date the subject of personal data or his representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant;
  • Destroy personal data within a period not exceeding seven working days from the date the subject of personal data or his representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing;
  • In appropriate cases, explain to the subject of personal data the legal consequences of refusing to provide his personal data;
  • In appropriate cases, if the personal data is not received from the personal data subject, before the processing of such personal data, provide the personal data subject with information in accordance with the legislation on personal data;
  • When collecting personal data, including through the information and telecommunication network "Internet", ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except as otherwise provided by law;

  • Take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
  • Provide information at the request of the notified body;
  • Eliminate violations of the law committed during the processing of personal data; clarify, block and destroy personal data in the manner and on the grounds provided for by the current legislation on personal data;
  • Appoint a person responsible for organizing the processing of personal data;
  • Other obligations established by the legislation on personal data.

The Company is obliged to take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the legislation on personal data.

Subjects of personal data have the right:

  • To access their personal data in the manner prescribed by law and this Policy,
  • To appeal against the actions or inactions of the Company as a personal data operator to the authorized body for the protection of the rights of personal data subjects or in court.

Subjects of personal data are required to provide complete and accurate personal data necessary for the implementation of legal relations arising between the subject of personal data and the Company. The Company is not responsible for possible losses / costs that may arise in connection with the provision of incomplete or inaccurate personal data by the subject. In the event of a change in personal data, the subject of personal data must immediately inform Zurich Reliable Insurance AO.

IV. Purposes of processing personal data

Zurich Reliable Insurance JSC processes personal data for the following purposes:

  • conclusion and execution of insurance contracts (co-insurance, reinsurance),
  • settlement of losses and insurance payments,
  • the conclusion and execution of contracts with insurance intermediaries, other contracts of a civil nature, concluded by the company in the course of economic activity;
  • conducting interviews;
  • making a decision on hiring at Zurich Reliable Insurance JSC;
  • compliance with the requirements of the current legislation of the Russian Federation, including on joint stock companies, on combating the legalization (laundering) of proceeds from crime and financing of terrorism;
  • ensuring compliance with laws and other regulations;
  • assistance to employees in employment;
  • assistance in training and promotion;
  • ensuring the personal safety of employees;
  • control of the quantity and quality of work performed and ensuring the safety of property;
  • registration and maintenance of the employee's personal file;
  • providing access to IT systems;
  • backup and storage of information;
  • keeping statistics of training and performance evaluation;
  • opening a bank account for calculating wages and other payments;
  • sending on business trips and their organization (transfers, accommodation, meals, etc.);
  • provision of corporate mobile communication services;
  • insurance in external organizations;
  • registration of voluntary health insurance policies;
  • interaction during the conclusion and execution of contracts;
  • archival storage of personal data after the termination of the contract;
  • control of calculations and analysis of risks associated with the activities of Zurich Reliable Insurance JSC.

V. Legal basis for the processing of personal data by Zurich Reliable Insurance JSC

The legal basis for the processing of personal data is a set of legal acts, in pursuance of which and in accordance with which the Company processes personal data, in particular:

  • Insurance legislation of the Russian Federation, including the Law of the Russian Federation of November 27, 1992 N 4015-I "On the organization of insurance business in the Russian Federation", regulatory legal acts of the Bank of Russia,
  • Legislation on Joint Stock Companies, in particular Federal Law No. 208-FZ of December 26, 1995 "On Joint Stock Companies",
  • Legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, in particular the Federal Law of August 7, 2001 N 115-FZ "On Counteracting the Legalization (Laundering) of Criminally Obtained Incomes and the Financing of Terrorism", the relevant regulatory legal acts of the Bank of Russia and the Federal Service for Financial Monitoring,
  • The Labor Code of the Russian Federation and other regulations governing labor relations,
  • Pension legislation, social security legislation, tax legislation,
  • Normative legal acts establishing requirements for the storage of documents (in particular, Order of the Federal Service for Financial Markets dated March 6, 2013 N 1316/pz-n "On approval of the List of documents, the safety of which insurers are obliged to ensure, and requirements to ensure the safety of such documents", Order of the Ministry of Culture of the Russian Federation of August 25, 2010 N 558 "On approval of the List of standard administrative archival documents generated in the course of the activities of state bodies, local government bodies and organizations, indicating the storage periods"),
  • contracts concluded between the Company and the subject of personal data or the beneficiaries of which are subjects of personal data (insured persons, beneficiaries under insurance contracts),
  • consent to the processing of personal data.

The Company has the right to process personal data if it is necessary to exercise the rights and legitimate interests of the Company or third parties.

The Company has notified the authorized body for the protection of the rights of subjects of personal data about the processing of personal data.

VI. Categories of subjects of personal data, volume and categories of processed personal data

The Company processes the following categories of personal data subjects:

  • employees of Zurich Reliable Insurance JSC,
  • former employees of the Company,
  • candidates for vacancies,
  • persons under the insurance contract (policyholders, insured persons, beneficiaries, other persons specified in the insurance contract, and persons whose personal data are required in order to fulfill the insurance contract),
  • insurance agents and insurance brokers (individuals and individual entrepreneurs),
  • representatives of insurance agents and insurance brokers, as well as representatives of counterparties who interact with Zurich Reliable Insurance JSC, not related to insurance activities.

The Company collects and processes only those personal data that are necessary to achieve the goals stated in this Policy.

The Company processes special categories of personal data (information about criminal records, health status) in accordance with the requirements of the current legislation of the Russian Federation (in particular, to verify compliance with the qualification requirements provided for by insurance legislation), as well as on the basis of the written consent of the subject of personal data.

The Company does not process biometric personal data.

VII. The procedure and conditions for the processing of personal data. Confidentiality. Transfer and entrusting the processing of Personal Data

The Company processes personal data (collection, recording, systematization, accumulation, storage, clarification, update, change, extraction, use, distribution, provision, access, transfer (including cross-border), depersonalization, blocking and destruction) in the following ways: automated, non-automated processing.

When collecting personal data, the Company ensures the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, with the exception of cases provided for by the requirements of the current legislation of the Russian Federation.

The Company ensures the confidentiality of personal data that is not publicly available.

The Company has the right to transfer personal data to authorized bodies or third-party organizations in accordance with the requirements of the current legislation of the Russian Federation (in particular, labor, tax, insurance legislation of the Russian Federation, legislation on combating legalization (laundering) of proceeds from crime and financing of terrorism, legislation on auditing, legislation on joint stock companies, legislation in the field of social and pension security, legislation on military registration in the Russian Federation).

The Company has the right to transfer personal data to third parties on the basis of the consent of the subject of personal data and in the presence of an agreement concluded with them, containing the obligations of such third parties to maintain confidentiality and ensure the security of personal data. The Company transfers personal data in the following cases:

  • In order to conclude and execute reinsurance contracts (the Company also carries out cross-border transfer of personal data to the territory of the country of the reinsurer). The Company has the right to transfer to the reinsurer the personal data contained in insurance contracts,
  • For claims settlement purposes,
  • In order to carry out backup (including - to carry out cross-border transfer of personal data to other persons of the Zurich Insurance Group),
  • Transfer of personal data of the Company's employees as part of the implementation of labor legal relations between the parties (for issuing bank cards as part of a salary project, drawing up voluntary medical insurance contracts, issuing passes to the Company's office and other cases, as provided by the employee's written consent).

The Company has the right to entrust the storage of documents, including personal data, to a third party on the basis of an agreement.

AO Zurich Reliable Insurance has the right to carry out cross-border transfer of personal data on the territory of foreign states, subject to mandatory compliance with any of the following legal conditions:

  • a foreign state ensures adequate protection of the rights of subjects of personal data (the state is a party to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data or is included in the List of countries providing adequate protection of the rights of subjects of personal data);
  • cross-border transfer of personal data is provided for by international treaties of the Russian Federation or federal laws;
  • cross-border transfer of personal data is necessary for the performance of the contract concluded by the subject of personal data with Zurich Reliable Insurance JSC;
  • written consent of the personal data subject;
  • cross-border transfer of personal data is necessary to protect the life and health of the subject of personal data or other persons, other vital interests if it is impossible to obtain written consent.

The storage periods for personal data are determined in accordance with the validity period of civil law relations between the subject of personal data and the Company, the limitation period, the storage period for documents on paper and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the period of validity of the subject's consent to the processing of his personal data.

VIII. Protection of personal information

The Company takes measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the legislation of the Russian Federation in the field of personal data, in particular, to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other illegal actions.

These measures include, but are not limited to:

  • appointment of a person responsible for organizing the processing of personal data, responsible for ensuring the security of personal data in information systems, responsible for ensuring the security of the premises where personal data is processed;
  • the system of local acts of Zurich Reliable Insurance JSC on the processing of personal data;
  • implementation of internal control over the compliance of personal data processing with the requirements of the current legislation of the Russian Federation in the field of personal data;
  • assessment of the harm that may be caused during the processing of personal data of the subject at Zurich Reliable Insurance JSC, and its relation to the measures adopted at Zurich Reliable Insurance JSC;
  • familiarization of employees of Zurich Reliable Insurance JSC with the requirements of the current legislation of the Russian Federation in the field of personal data, as well as their training;
  • identification of threats to the security of personal data during their processing in personal data information systems;
  • application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems;
  • assessment of their effectiveness prior to the commissioning of the personal data information system;
  • detecting facts of unauthorized access to personal data and taking action;
  • setting the rules for access to personal data processed in the personal data information system;
  • regular monitoring of the measures taken to ensure the security of personal data and the level of protection of information systems of personal data.

IX. Answers to inquiries of subjects of personal data and authorized bodies

Subjects of personal data or their legal representatives (hereinafter – subjects of personal data) have the right:

  • to receive information about the processed personal data related to the relevant personal data subject, including those containing:
    • information about the Company as an operator processing personal data (name and location);
    • the presence of personal data in the Company;
    • confirmation of the fact of the processing of personal data by the Company, indication of the legal grounds and established purposes for the processing of personal data;
    • methods of processing personal data used by the Company;
    • information about persons who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company (including instructions from the operator) or on the basis of federal law(s), with the exception of employees whose access is provided in connection with the performance of official (functional) duties;
    • a list of processed personal data related to a specific subject;
    • terms of processing personal data, including the terms of their storage;
    • the procedure for exercising the rights of subjects of personal data provided for by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data";
    • information about the ongoing or intended cross-border transfer of personal data, indicating the name of the country;
    • other information provided by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", which may include compliance with the conditions and principles of personal data processing, information on compliance with the requirements for ensuring the security of personal data, possible restrictions on the access of subjects of personal data to their personal data;
  • to familiarize themselves with the personal data available in the Company and related to the respective subject of personal data,
  • to require updating, clarification of the relevant personal data,
  • to request the blocking or destruction of personal data in cases provided for by law,
  • to revoke their consent to the processing of personal data at any time.

To receive the above information or withdraw consent to the processing of personal data, the subject of personal data sends to the Company a corresponding request or withdrawal of consent in the form of Appendices 1 or 2 to this Policy, respectively. A request for clarification, updating, blocking or destruction is sent by the subject of personal data in writing in free form with copies of the documents justifying the request attached. Access to the relevant personal data is provided to the subject of personal data upon personal contact or upon receipt of a written request in free form.

Any written request from the subject of personal data (request for information, access, withdrawal of consent, request for clarification, updating, blocking or destruction) must contain the number of the main identity document of the subject of personal data, information on the date of issue of the specified document and the issuing authority, and the handwritten signature of the subject of personal data. The request can be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. When applying in person to gain access to personal data, the subject of personal data must have an identity document with them.

All requests of personal data subjects are considered by the person appointed in the Company responsible for organizing the processing of personal data.

The person responsible for organizing the processing is obliged to consider the received requests from the subjects of personal data and provide an appropriate response (to provide the subject with the opportunity to get acquainted with his personal data) within 30 calendar days from the date of receipt of the request.

The right to access personal data may be limited in accordance with the provisions of applicable law. In this case, a written reasoned refusal must be sent to the subject of personal data with reference to specific provisions of the law.

In case of receiving a request from the subject to correct or clarify incomplete, inaccurate or irrelevant personal data, the person responsible for organizing the processing checks the availability and content of supporting documents and ensures that the necessary corrections are made to the documents and databases in which personal data are processed, within seven working days from the date of receipt of the request. The person responsible for organizing the processing of personal data is obliged to notify the subject of personal data about the changes and measures taken and take reasonable measures to notify third parties to whom the personal data of this subject was transferred.

In case of receiving information from the subject of personal data confirming that the relevant personal data is illegally obtained or is not necessary for the stated purpose of processing, the person responsible for organizing the processing of personal data is obliged to ensure the destruction of such personal data within seven working days from the date such information is received.

If the subject of personal data withdraws consent to the processing of his personal data, the person responsible for organizing the processing of personal data is obliged to:

  • notify the relevant subject of personal data about the possible consequences of revoking consent to the processing of personal data;
  • if there is a valid agreement with this subject, ensure the termination of the processing of personal data for purposes that go beyond the fulfillment of contractual obligations to the subject, as well as other obligations of the Company established by law;
  • in the absence of a valid agreement with this subject, stop processing the subject's personal data and destroy the personal data within a period not exceeding seven working days from the date of receipt of the said revocation, unless otherwise provided by applicable law.

The person in charge for organizing the processing of personal data considers requests and (or) applications of the authorized body for the protection of the rights of subjects of personal data and ensures that a response is sent within the time period set by the request.

Personal data access request form

To Zurich Reliable Insurance JSC

From ________________________________________

surname, first name, patronymic and address of the personal data subject, number of the main identity document,
information on the date of issue of that document and the issuing authority

Request form

Request by a personal data subject for access to their personal data

I request that the following information concerning the processing of my personal data be provided to me for review, on the basis of __________________________ (for example, concluded contract No. ______ dated _______):

    1. confirmation of the fact of processing of personal data by Zurich Reliable Insurance JSC;
    2. the legal grounds and purposes of processing personal data;
    3. the purposes and the methods of processing personal data used by Zurich Reliable Insurance JSC;
    4. the name and location of Zurich Reliable Insurance JSC, information about persons (other than employees of Zurich Reliable Insurance JSC) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with Zurich Reliable Insurance JSC or on the basis of federal law;
    5. the composition of the personal data processed and the source from which they were obtained, unless a different procedure for providing such data is provided for by federal law;
    6. the terms of processing personal data, including the terms of their storage;
    7. the procedure for exercising my rights provided for by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
    8. information about completed or intended cross-border transfer of data;
    9. the name, or the surname, first name, patronymic, and the address of the person processing personal data on behalf of Zurich Reliable Insurance JSC, if processing has been or will be entrusted to such a person;
    10. other information provided for by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" or other federal laws.

Please send this information by post to the address: _______________, or by e-mail to ____________________.

Date of request:

"___" __________________

___________________/________________________ signature, surname, first name, patronymic of the personal data subject

Withdrawal of consent to the processing of personal data

To Zurich Reliable Insurance JSC

From ________________________________________

surname, first name, patronymic and address of the personal data subject

I, ___________________________________________________________________________________

__________________________________________________________________________ (surname, first name, patronymic and address of the personal data subject, number of the main identity document, information on the date of issue of that document and the issuing authority)

in accordance with paragraph 2 of Article 9 of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data", withdraw from Zurich Reliable Insurance JSC my consent to the processing of my personal data _________________________________________________ (specify the list of personal data) by means of _________________________________________ (specify the actions: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion and destruction of personal data).

I request that the processing of my personal data be stopped and, if retention of the personal data is no longer required for the purposes of processing, that they be destroyed within a period not exceeding thirty days from the date of receipt of the withdrawal.

I hereby acknowledge that I have been notified that Zurich Reliable Insurance JSC has the right to continue processing the data after withdrawal of consent if the processing is necessary for the performance of a contract concluded with me, as well as for other purposes provided for by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data", including Art. 9, Art. 6, Art. 10.

"___" __________________

___________________/________________________ signature, surname, first name, patronymic of the personal data subject

Date and time of updating information: 13.07.2020 at 15:21