PERSONAL DATA PROCESSING POLICY
Health Measurement LLC

(approved by order of the General Director of Health Measurement LLC No. 07/06/2019 of June 7, 2019)

 

Published Date: June 7, 2019

 

 

1. General Provisions

 

1.1. This document (hereinafter referred to as the “Policy”) defines the policy of the Health Measurement Limited Liability Company (hereinafter referred to as the “Operator” or “Society”) in the field of personal data processing and is applicable to all personal data that the Operator can receive personal data from the subject in connection with the latter's use, both on his own behalf and in the interests of third parties, of services and / or the purchase of goods from the Operator:

 

1.2. This Policy does not apply to relations arising from the processing of personal data of the Operator’s employees and / or applicants for vacant positions of the Company, since such relations are regulated by a separate local act of the Company.

1.3. The operator protects the processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of the Federal Law of July 27, 2006 No. 152-ФЗ "On Personal Data".

 

2. Terms and Acronyms


2.1.Personal data (PD) - any information relating directly or indirectly to a specific or determinable natural person (subject of personal data).

2.2. Processing of personal data - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use. The processing of personal data includes, including:

 

2.3. Automated processing of personal data - processing of personal data using computer technology.

2.4. Distribution of personal data - actions aimed at the disclosure of personal data to an indefinite number of persons.

2.5. Providing personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons.

2.6. Blocking of personal data - temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data).

2.7. Destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.

2.8. Anonymization of personal data - actions that make it impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data.

2.9.Information system of personal data (ISPD) - a set of personal data contained in databases and providing their processing of information technologies and technical means.

2.10. Cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity.


3. Purpose of processing personal data

 

3.1. The processing of personal data is carried out in connection with the implementation by the Operator of the activity provided for by its constituent documents, taking into account the specifics of its business processes. The main purposes of processing personal data are:

3.1.1. The conclusion and execution of civil contracts for the provision of services and the sale of goods by the Operator.

3.1.2. Providing access to information and services presented on the Site and in the Mobile Application.

3.1.3. Providing PD entities with the opportunity to interact with the Site and the Mobile Application, in particular, access and navigate the Site, register on the Site / Mobile Application, send notifications, comments, requests to the Company.

< p> 3.1.4. Obtaining by PD entities feedback from the Company, including notifications, replies, information on the status of orders, proposals of the Company and / or its partners.

3.1.5. Providing PD entities with access to personalized resources of the Site / Mobile application, including special offers, any information messages, including advertising and other information on behalf of the Company or partners of the Company, providing access to the sites or services of partners of the Company, according to user agreements.

3.1.6. Placement of orders on the website of the Company and the conclusion of relevant agreements with the Company and their execution, including with the involvement of third parties, including delivery services, call centers, Internet connection providers, hosting, storage services and processing customer data, sales management systems and customer communications, etc.

3.1.7. The Company conducts accounting and tax accounting and reporting.

3.1.8. Protection by the Company of its legal rights and interests.

3.1.9. Display of the data of the subject of the PD in the user interface on the Site / in the Mobile application.

3.1.10. Profiling and optimization of advertising, raising the awareness of visitors to the Company's website / users of the Mobile application / customers and counterparties of the Company about the products and services of the Company, as well as informing them about the services of the Company and its counterparties by making direct contacts with PD entities with using means of communication, participation in promotions, surveys, surveys conducted by the Company (including, inter alia, conducting surveys, surveys by electronic, telephone and cellular communications).

3.1.11. Other goals, directly or indirectly related to the conclusion by the subject of personal data or, on his behalf, of agreements with the Company, his use of any services or services of the Company, decision-making or other actions by the Company that give rise to legal consequences in relation to subject PD.

3.1.12. Providing services for the analytical processing of data from Engy Beat heart rate monitors and outputting the processing results to the user interface of the subject of this data in the Mobile application.

3.2. The specific and detailed purposes of processing personal data are set forth in the texts of consents to the processing of personal data located on the Operator’s resources through which the collection of relevant personal data is carried out.


4. Legal basis for the processing of personal data.

 

4.1. The legal basis for the processing of personal data are:

4.2. Processing of personal data is carried out:


5. Volume and categories of processed PD, categories of PD subjects

 

5.1. Category 1: individuals - users of the Mobile application. Processed personal data for Category 1:

5.2. Category 2: individuals - visitors to the Site. Processed personal data for Category 2:

5.3. Category 3: individuals with whom a civil law contract is concluded or is expected to be concluded. Processed personal data for Category 3:

5.4. Category 4: representatives / legal representatives / employees of clients and counterparties of the operator (legal entities, individual entrepreneurs, individuals). Processed personal data for Category 3:

5.5. Data collected for Category 1, namely: weight, height, blood pressure (average), heart rate are processed solely for the purpose of providing services for the analytical processing of data from Engy Beat heart rate monitors and displaying the processing results in the user interface of the subject this data in the Mobile application. This data is not used to identify subjects of the PD.


6. The procedure and conditions for the processing of personal data

 

6.1. Collection of personal data

6.1.1. Personal data is obtained directly from the subject or with his prior permission through third-party resources or third parties.

6.1.2. The operator begins processing the Subject's PD from the moment he receives his consent.

6.1.3. Consent to the processing of the PD may be given by the Subject of the PD in any form to confirm the receipt of consent, unless otherwise provided by federal law: in writing, verbally or in any other form provided for by applicable law, including through The subject of the PD of Conclusive Actions.

In particular, consent to the processing of personal data is considered granted by the Subject through the performance by the Subject of the PD of the following conclusive actions on the Site and in the Mobile Application: putting a tick in a special field when placing an order and clicking the "I agree with the Personal Processing Policy data ”in the Mobile application and“ I agree with the conditions for the processing of personal data ”on the Site.

6.1.4. In the absence of the Subject’s consent to the processing of his PD, such processing is not carried out.

6.1.5. The receipt by the Operator of personal data from other persons, as well as the transfer of instructions for processing PD, is carried out on the basis of an agreement containing conditions on the procedure for processing and maintaining the confidentiality of received PDs.

6.1.6. The operator informs the PD subject of the processing objectives, the alleged sources and methods of obtaining them, the nature of the PD subject to receipt, the list of actions with them, the period during which the consent is valid, and the procedure for its withdrawal, as well as the consequences of refusal subject to agree to receive them.

6.1.7. Documents containing personal data are created by:


6.2. Actions carried out with personal data

6.2.1. Processing of personal data is carried out:

 

6.2.2. Methods of processing PD include the implementation of any actions with PD in accordance with the current legislation of the Russian Federation, including:


6.3. Storage of personal data.

6.3.1. PD of subjects can be obtained, undergo further processing and transferred to storage both in electronic form and on paper.

6.3.2. PD recorded on paper is stored in locked cabinets or in locked rooms with limited access. Subject PDs processed for different purposes are stored in different folders.

6.3.3. It is not allowed to store and place documents containing PD in open electronic directories (file sharing) in ISPD.

6.3.4. Storage of PD in a form that allows you to determine the subject of the PD takes no longer than the goals of their processing require, and they must be destroyed when the processing goals are achieved or if the need to achieve them is lost.

6.3.5. Personal retention period is:

 

6.4. Termination of the processing of personal data and their destruction.

6.4.1. The termination of the processing of personal data may be the achievement of the purposes of processing personal data, the expiration of the consent period or the withdrawal of the consent of the personal data subject to the processing of his personal data, as well as the identification of illegal processing of personal data.

6.4.2. The PD subject can withdraw consent to the processing of his personal data by sending a corresponding request to the Operator’s email address: info@engy.app . The recall will be considered perfect (the moment of withdrawal) after 30 (thirty) business days from the date of receipt of the corresponding letter by the Operator. However, such a recall does not affect the legality of the processing carried out prior to the recall.

6.4.3. Upon the occurrence of one of the conditions for termination of the processing of personal data, as well as in the event that the subject of personal data withdraws consent to their processing, personal data must be destroyed if:

6.4.4. Destruction of documents (media) containing PD is carried out by burning, crushing (grinding), chemical decomposition, turning into a shapeless mass or powder. For the destruction of paper documents allowed the use of a shredder.

6.4.5. PD on electronic media is destroyed by erasing or formatting the media.

6.4.6. The fact of the destruction of PD is documented by the act on the destruction of carriers.

6.5. Transfer of personal data.

6.5.1. The operator transfers the PD to third parties, including cross-border data transmission, in the following cases:

 

6.5.2 Third parties to whom personal data is transmitted:


7. Personal data protection

 

7.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (SZPD), consisting of subsystems of legal, organizational and technical protection.

7.2. The subsystem of legal protection is a set of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the CPA.

7.3. The organizational protection subsystem includes the organization of the management structure of the CPA, the licensing system, and the protection of information when working with employees, partners and third parties.

7.4. The subsystem of technical protection includes a set of technical, software, software and hardware tools that provide PD protection.

7.5. The main PD security measures used by the Operator are:

7.5.1. Appointment of the person responsible for processing PD, which organizes the processing of PD, training and briefing, internal control over compliance by the institution and its employees with requirements for the protection of PD.

7.5.2. Identification of current threats to the security of PD during their processing in ISPD and the development of measures and measures to protect PD.

7.5.3. Developing a policy regarding the processing of personal data.

7.5.4. Establishing rules for access to PD processed in ISPD, as well as ensuring the registration and recording of all actions performed from PD in ISPD.

7.5.5. Setting individual passwords for employees to access the information system in accordance with their production responsibilities.

7.5.6. Application of conformity of information protection means that have passed the assessment procedure in the established manner.

7.5.7. Certified anti-virus software with regularly updated databases.

7.5.8. Compliance with the conditions ensuring the safety of PD and excluding unauthorized access to them.

7.5.9. Detecting the facts of unauthorized access to personal data and taking measures.

7.5.10. Restoring PD modified or destroyed due to unauthorized access to them.

7.5.11. Familiarization of the Operator’s employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, a document determining the Operator’s policy regarding the processing of personal data, local acts on processing personal data.

7.5.12. Implementation of internal control and audit.


8. Basic rights and obligations of the personal data subject and the Operator

 

8.1. Rights of the subject of personal data. The subject of PD has the right:

8.1.1.on access to his personal data and the following information:

8.1.2. to appeal against the actions or omissions of the Operator;

8.1.3.to correct or destroy your personal data;

8.1.4.on the restriction on the processing of your personal data;

8.1.5. object to the processing of your personal data;

8.1.6. require the Company to transfer its personal data, including to another operator.

To exercise the rights specified in clauses 8.1.1-8.1.6 the PD subject sends a corresponding request to the Operator’s email address: info@engy.app .

8.2. Obligations of the subject of personal data. The personal data subject is obliged:

8.2.1. transmit to the Operator reliable personal data. The operator has the right to verify the accuracy of the provided PD in the manner that does not contradict the legislation of the Russian Federation, however, he proceeds from the fact that the Subject of the PD provides reliable and sufficient PD for the implementation of the purposes of their processing and maintains this information up to date;

8.2.2. timely inform the Operator of a change in its PD.

8.2.3. The PD subject makes the decision to provide his PD and agrees to their processing freely, by his own will and in his interest.

8.3. Responsibilities of the Operator. The operator must:

8.3.1. when collecting PD provide information on processing PD;

8.3.2. in cases where the APs were not received from the subject of the PD, notify the subject of this;

8.3.3. in case of refusal to provide PD, the PD subject shall be explained the consequences of such refusal;

8.3.4.publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of PDs, to information on the implemented requirements for the protection of PDs;

8.3.5. to take the necessary legal, organizational and technical measures or to ensure their adoption to protect the PD from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of the PD, as well as from other illegal actions in regarding PD;

8.3.6. to provide answers to inquiries and appeals of PD subjects, their representatives and the authorized body for the protection of the rights of PD subjects.


9. Final Provisions

 

9.1. This Policy is valid for the Operator from the date of its approval, for other persons - from the date of publication on the Site. The date of publication is indicated at the beginning of the document.

9.2. The Operator has the right to make changes to this Policy. When making changes, the heading of the Policy indicates the date of the last update of the editorial office (“Date of publication”). The new version of the Policy comes into force from the moment it is posted on the Site, unless otherwise provided by the new version of the Policy.

9.3. If the User does not agree with the terms of this Policy, then he must immediately send the Operator a request to delete his PD and stop using the Site and the Mobile application, otherwise the continued use of the Site and / or Mobile application by the User means that the User I agree to the terms of this Policy.

9.4. In the event of a change in the applicable law, amendments to the regulatory acts on the protection of personal data, this Policy shall be effective in so far as it does not contradict the current legislation until it is brought into compliance with such changes.