Personal data processing policy

REGULATIONS

on processing and protection of personal data of the Clients staying at the Sanatorium

1. GENERAL PROVISIONS

1.1. These Regulations are governed by the Constitution of the Russian Federation, the Federal Law “On Information, Information Technologies and the Protection of Information” No. 149-ФЗ of 27.07.2006, the Federal Law “On Personal Data” No. 152-ФЗ of 27.07.2006 and other regulatory legal acts.

1.2. Basic concepts used in the Regulations:
· Sanatorium – Medical and Wellness Center “Altai Valley” LLC;
· The Subject of personal data (Client) is an individual who has received/purchased Treatment Packages for health and resort treatment at the Sanatorium, medical and other services not related to treatment;
· Services are actions of the Sanatorium to accommodate Clients in the accommodation facility, as well as other activities related to accommodation and staying, treatment, which includes basic and additional services provided to the Client;
· Personal data mean information stored in any format, related to a specific or determinable on the basis of such information individual (subject of personal data), which by itself or in combination with other information available to the Sanatorium, allows to identify the Client;
· Processing of personal data is any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with the personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
· Dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons;
· Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific number of persons;
· Confidentiality of personal data is a mandatory requirement for the operator or any other person who has gained access to personal data to prevent their dissemination without the consent of the personal data subject or other legal grounds;
· Automated processing of personal data – processing of personal data using computer technology.

1.3. These Regulations establish the procedure for processing the personal data of Clients for whom the Sanatorium provides a full range of services.

1.4. The purpose of the Regulations is to ensure the protection of the rights and freedoms of man and citizen when processing his personal data.

1.5. Processing of personal data shall be carried out for purposes directly related to the activities of the Sanatorium:
· provision of health and resort services;
· provision of paid medical, health services;
· provision of paid services not related to treatment: transportation services, accommodation services, food services, services in the field of customer service and household services, services for the organization of physical education and health, sports and cultural and entertainment events, excursion services, as well as other services, one of the Parties to which is the Client.
The Sanatorium collects personal data only to the extent necessary to achieve the above purposes.

1.6. Personal data may not be used for the purpose of causing property or moral harm to citizens, or hindering the exercise of the rights and freedoms of citizens of the Russian Federation.

1.7. This Regulation is approved by the General Director and is mandatory for all employees who have access to the Client's personal data.

2. COMPOSITION AND COLLECTION OF CLIENTS' PERSONAL DATA

2.1. The personal data collected and processed by the Sanatorium includes:
• Biographical and identification data (full name, date and place of birth);
• Details of identity documents;
• Residential address (place of registration);
• Contact phone number;
• Email address;
• Employment details (workplace, position, education, employment status);
• Room number assigned for accommodation, duration of stay at the Sanatorium;
• Details of the purchased Treatment Package (cost, duration, payment details);
• Medical history and examination data (clinical, laboratory, instrumental), including but not limited to: health status, illnesses, instances of seeking medical care for preventive purposes, medical diagnosis, and provision of medical and other spa services;
• Individual insurance account number (SNILS);
• Information about diagnostic procedures, prescribed and administered treatments, and related recommendations;
• Other similar information enabling unambiguous identification of the personal data subject.

2.2. Documents containing personal data of Clients include:
· questionnaires;
· medical history;
· Sanatorium and Health Resort Card;
· Sanatorium and Health Resort Book;
· voluntary information consent for medical intervention;
· Health and Resort Treatment Package Form;
· exchange Treatment Package Forms, Treatment Package Forms, referrals for treatment and recreation;
· room reservation requests;
· lists of vacationers sent on excursions;
· medical journals related to the dispensation of medical procedures;
· contracts for the purchase of health and resort treatment services, other contracts.
The aforementioned documents are classified as confidential information with restricted access.

2.3. All personal data is obtained by the Sanatorium's employees directly from the personal data subject—the Client.


3. PROCESSING AND STORAGE OF CLIENTS' PERSONAL DATA

3.1. Processing of personal data by the Sanatorium in the interests of Clients consists of any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data of Clients.

3.2. The personal data of Clients is processed using the mixed processing method.

3.3. Only employees of the Sanatorium who are authorized to work with the personal data of Clients may have access to the processing of personal data of Clients.

3.4. The list of employees of the Sanatorium who have access to the personal data of Clients is determined by the order of the General Director.

3.5. The personal data of Clients in soft copies shall be stored in the Accommodation Service.

3.6. The personal data of Clients shall be stored in electronic form in the local computer network of the Sanatorium, in electronic folders and files in the personal computers of employees authorized to process the personal data of Clients.

4. USE AND TRANSFER OF CLIENTS' PERSONAL DATA

4.1. The use of personal data of Clients is possible only in accordance with the purposes that determined their receipt.

4.2. When transferring personal data of Clients, the Sanatorium shall comply with the following requirements:
· persons receiving personal data of Clients shall be warned that these data can only be used for the purposes for which they were communicated, and require these persons to ensure the confidentiality of the personal data received. This provision does not apply in the case of anonymization of personal data and in relation to publicly available data;
· access to personal data of the Client may be allowed only to specially authorized persons, while these persons have the right to receive only the personal data that is necessary to perform certain functions;
· personal data of clients may not be transferred for commercial use without the Client's written consent;
· personal data may not be transferred to a third party without the written consent of the client or his / her legal representative, except in cases where this is necessary to prevent a threat to the life and health of the subject of personal data, as well as in cases stipulated by the legislation of the Russian Federation;
· personal data of Clients shall not be transferred by telephone or fax.

5. PROTECTION OF CLIENTS' PERSONAL DATA FROM UNAUTHORIZED ACCESS

5.1. When processing personal data, the Sanatorium is obliged to take the necessary organizational and technical measures to protect the personal data of clients from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other illegal actions.

5.2. In order to effectively protect the personal data of Clients, the employees of the Sanatorium undertake to:
· comply with the procedure for receiving, recording and storing the personal data of Clients;
· apply technical measures to protect personal data, including anti-virus protection, firewalls, access rights (passwords), specialized means of protecting information from unauthorized access.

5.3. Access to personal data of Clients by employees of the Sanatorium who do not have properly issued access is prohibited.

5.4. Documents containing personal data of Clients shall be stored in the premises of the Accommodation Service, archive, providing protection from any unauthorized access.

5.5. Protection of access to electronic databases containing personal data of Clients shall be ensured by:
· using licensed software products that prevent unauthorized access by third parties to personal data of Clients;
· password system. Passwords shall be set by the system administrator and communicated individually to employees who have access to personal data of Clients.

5.6. Copying and making extracts of the Client’s personal data is permitted exclusively for official purposes with the written permission of the head of the department.

6. LIABILITIES OF THE SANATORIUM

6.1. The Sanatorium shall be liable:

6.1.1. To process personal data of Clients solely for the purpose of providing services to Clients.

6.1.2. To obtain personal data of the Client directly from him/her. If personal data of the Client can only be obtained from a third party, the Client shall be notified thereof in advance and his/her written consent shall be obtained from him/her. The employees of the Sanatorium shall inform Clients of the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the client's refusal to give written consent to receive it.

6.1.3. Not to receive or process the Client’s personal data about his/her race, nationality, political views, religious or philosophical beliefs, intimate life, except in cases provided by law.

6.1.4. To provide access to their personal data to the Client or their legal representative upon their application or upon receipt of a request containing the number of the primary identity document of the Client or their legal representative, the date of issue of the said document and the issuing authority, and the handwritten signature of the Client or their legal representative. The request may be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. Information about the personal data held shall be provided to the Client in an accessible form, and it must not contain personal data relating to other personal data subjects.

6.1.5. To restrict the Client's right to access their personal data if:
· The processing of personal data, including personal data obtained through operational-search, counterintelligence, and intelligence activities, is carried out for the purposes of national defense, state security, and the protection of public order;
· The processing of personal data is conducted by bodies that have detained the data subject on suspicion of committing a crime, have charged the data subject in a criminal case, or have applied a preventive measure to the data subject prior to charges being filed, except in cases provided by the criminal procedural legislation of the Russian Federation where the suspect or accused is permitted to familiarize themselves with such personal data;
· The provision of personal data violates the constitutional rights and freedoms of other persons.

6.1.6. To ensure the storage and protection of the Client's personal data against their unlawful use or loss.

6.1.7. If inaccurate personal data is identified upon application or upon request from the personal data subject or their legal representative, or the authorized body for the protection of the rights of personal data subjects, to block the personal data pertaining to the relevant personal data subject from the moment of such application or receipt of such request for the duration of the verification.


6.1.8. If the inaccuracy of the personal data is confirmed based on documents provided by the personal data subject or their legal representative, or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, to update the personal data and remove their block.

6.1.9. In case unlawful processing of personal data is identified, to eliminate the identified violations within a period not exceeding three business days from the date of such identification. If it is impossible to eliminate the violations within three business days from the date of identifying the unlawful processing of personal data, to destroy the personal data. The personal data subject or their legal representative shall be notified of the elimination of the violations or the destruction of the personal data, and if the application or request was submitted by the authorized body for the protection of the rights of personal data subjects, the said body shall also be notified.

7. RIGHTS OF THE CLIENT

7.1. The Client has the right to:
· access to information about himself / herself, including information confirming the fact of personal data processing, as well as the purpose of such processing; methods of personal data processing used by the Sanatorium; information about persons who have access to personal data or who may be granted such access; a list of personal data being processed and the source of their receipt, the terms of processing personal data, including the terms of their storage; information about what legal consequences for the Client may result from the processing of his personal data;
· determine the forms and methods of processing his / her personal data;
· limit the methods and forms of processing personal data;
· prohibit the distribution of personal data without his / her consent;
· change, clarify, destroy information about himself;
· appeal against illegal actions or inactions in the processing of personal data.

8. CONFIDENTIALITY OF CLIENTS' PERSONAL DATA

8.1. The personal data shall be classified as confidential information.

8.2. The employees of the Sanatorium who have access to personal data shall ensure the confidentiality of such data and prevent their distribution by third parties without the consent of the Clients or the presence of other legal grounds, unless otherwise provided by the legislation of the Russian Federation.

8.3. The personal data shall be stored in a form that allows the subject of the personal data to be identified, no longer than required by the purposes of their processing, unless the storage period for personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The personal data shall be destroyed or anonymized upon achieving the processing purposes or in the event that the necessity for achieving these purposes is lost.

8.4. Persons with access to the Clients' personal data shall be obliged to maintain confidentiality and shall be informed of the requirement to adhere to these confidentiality restrictions. In relation to the confidentiality of personal information, appropriate security measures shall be implemented to protect the data from accidental or unauthorized destruction, accidental loss, unauthorized access, alteration, or dissemination.

8.5. The storage of Clients' personal data may be carried out on paper and electronic media, with access restricted to the list of persons authorized to process personal data. All electronic media containing personal data are subject to strict accounting.

8.6. The storage of Clients' personal data shall be conducted in a manner that prevents their loss or unlawful use. Clients' personal data stored on paper and alienable electronic media shall be kept in safes or locked cabinets located within a controlled access area.

8.7. Clients' personal data stored on electronic media shall be kept on automated workstations and servers of information systems located within a controlled access area.

8.8. All measures aimed at ensuring confidentiality during the collection, processing, and storage of a subject's personal data apply to both paper and electronic (automated) media.

8.9. The confidentiality restrictions for personal data shall be lifted in cases of anonymization or inclusion of such data in publicly available sources of personal data, if and when otherwise determined by law.

9. DESTRUCTION OF PERSONAL DATA

9.1. Processed personal data shall be destroyed in the following cases:
· upon achieving the purpose of the personal data processing – within a period not exceeding thirty days from the date of achieving the purpose of processing the personal data;
· in the event of the withdrawal of consent by the personal data subject for the processing of their personal data, and if the retention of the personal data is no longer necessary for the purposes of processing – within a period not exceeding thirty days from the date of receipt of the said withdrawal;
· in the event of identification of unlawful processing of personal data and the impossibility of eliminating the violations – within a period not exceeding ten working days from the date of identification of the unlawful processing of personal data.

9.2. Upon the destruction of the personal data, the personal data subject or their legal representative shall be notified thereof.

9.3. Documents containing personal data are subject to storage and destruction in accordance with the procedure established by the archival legislation of the Russian Federation.

9.4. If it is impossible to destroy the personal data within the periods specified above, the Sanatorium shall block such personal data and ensure its destruction within a period not exceeding six months, unless a different period is established by federal laws.


10. LIABILITY FOR VIOLATION OF THE RULES GOVERNING THE PROCESSING OF PERSONAL DATA

10.1. The Sanatorium is responsible for the personal information in its possession and assigns personal responsibility to its employees for compliance with the established confidentiality regime.

10.2. Every employee granted access to a confidential document containing a client's personal data bears personal responsibility for the safety of the medium and the confidentiality of the information.

10.3. Persons guilty of violating the rules governing the receipt, processing, and protection of employees' personal data shall bear material, disciplinary, administrative, civil, or criminal liability in the manner prescribed by federal laws, and full financial liability in the event their actions cause damage, in accordance with the Labor Code of the Russian Federation.

10.4. The Sanatorium undertakes to maintain a system for receiving, registering, and controlling the review of Client complaints, accessible both via the Internet and through telephone or mail.

10.5. Complaints and statements regarding compliance with personal data processing requirements shall be reviewed within ten days of their receipt. Employees of the Sanatorium are obliged to ensure the proper handling of Client requests, applications, and complaints, and to assist in fulfilling the requirements of competent authorities.

11. FINAL PROVISIONS

11.1. This Regulation and any amendments thereto shall be approved by the General Director of the Sanatorium and enter into force by his/her order.

11.2. This Regulation enters into force from the moment of its approval and remains in effect indefinitely, until it is replaced by a new Regulation.

11.3. This Regulation is mandatory for all employees of the Sanatorium who are directly involved in the processing of personal data and/or have access to personal data.