PERSONAL DATA PROCESSING POLICY
|
PERSONAL DATA PROCESSING POLICY |
1. GENERAL PROVISIONS
1.1 This
Policy defines the activities of GNC-ALFA CJSC, registered at: 1, Abovyan
Khakhakhutyan Street, Kotayk Marz, 2201, Armenia (hereafter referred to as the
Company) in relation to the processing of personal data of all subjects whose
data is processed by the Company, being an operator or processor of personal
data within the meaning of the Law of the Republic of Armenia dated 18.05.2015 No. ՀՕ-49-Ն “On the Personal Data
Protection” (hereafter referred to as the Law).
1.2 The
Policy has been developed in accordance with the provisions of the Law, the
Company’s Information Security Policy and other local and legislative acts of
the Republic of Armenia.
1.3 The
goals of this Policy are to ensure adequate protection of personal data, as
well as other information about the personal data subjects from unauthorized
access and disclosure, as well as to unify the procedure for processing such
data by the Company in accordance with the requirements of the legislation of
the Republic of Armenia.
1.4 This
Policy applies to all actions performed by the Company with personal data using
or without the use of automation tools.
1.5 For the
purpose of this Policy, terms are used with the following meanings:
1.5.1 personal data operator is state or local government body,
state or municipal institution or organization, legal entity or individual that
organizes and (or) processes personal data;
1.5.2 data subject is an individual to whom the personal
data relates;
1.5.3 biometric personal data are information characterizing the
physical, physiological and biological characteristics of a person;
1.5.4 personal data of a special category are information relating to race,
nationality or ethnic origin, political views, religious or philosophical
beliefs, membership in a trade union, state of health and intimate life of a
person;
1.5.5 publicly available personal
data are information that
becomes available to a certain or unspecified circle of persons with the
consent of the data subject or when taking conscious actions aimed at making
them publicly available, as well as information provided by law as publicly
available information;
1.5.6 authorized person is a legal entity or individual, a
state or local government body, a state or municipal institution or
organization, which, in cases established by law or on the basis of a contract,
has been ordered by the data operator to collect, enter, systematize or
otherwise process personal data;
1.5.7 personal data is information about the personal
life, marital status, physical, physiological, intellectual, social condition
of a person or other similar information;
1.5.8 services are a set of works (services) related
to the Company’s activities aimed at meeting the needs of personal data subjects;
1.5.9 counterparty is a party to a civil
contract concluded with the Company;
1.5.10 personal account is a set of protected
website pages created as a result of registration of the personal data subject
by filling out a special form, using which the subject has the opportunity to
receive legally and technically significant information regarding the Company’s
services, conclusion, execution, termination of contracts, as well as carry out
other actions provided for by the explicit functions of the personal account;
1.5.11 website is information resource of the Company on the global computer network of
Internet;
Other terms used in this Policy are used in the meanings defined by the
Law.
1.6 The
Policy is mandatory for familiarization and execution by all persons authorized
to process personal data in the Company, and persons involved in organizing the
processing and ensuring the personal data protection in the Company.
1.7 This
Policy comes into force from the moment of its approval.
2. PRINCIPLES OF PERSONAL DATA PROCESSING
2.1 The
Company takes actions to protect the privacy of personal data subjects, as well
as their rights to confidentiality, regardless of the methods of collecting
personal data, taking into account the following principles of their
processing:
2.1.1
principle of legality – Personal data
will be processed for lawful and specified purposes and may not be used for
other purposes without the consent of the data subject. If the subject does not
agree with the processing of personal data, the Company notifies those services,
the implementation of which is directly related to the personal data
processing, may be unavailable, and use of the website is limited;
2.1.2
principle of limiting goals – Personal
data is processed by the Company only for express and legitimate purposes and
must not be further processed in a manner incompatible with these purposes;
2.1.3
principle of proportionality – Personal
data is processed in the minimum amount necessary to achieve legitimate
purposes. If the purpose of data processing can be achieved by
depersonalization, then the company does not process personal data.
2.1.4
principle of reliability – The processed personal data must be complete,
accurate, clear and, where possible, up to date. The personal data subject must
take all reasonable measures to ensure that incomplete, outdated or inaccurate
personal data, depending on the purposes of their processing, are deleted or
corrected without delay.
2.1.5
principle
of minimal involvement of subjects – In the event that the Company can receive personal data from another
body through a unified electronic information system, the submission of
personal data necessary for certain actions from the personal data subject is
not required.
2.1.6
principle of limiting the storage period of data – Personal
data must be stored in a form that allows the personal data subject to be
identified, but not longer than required for the purposes of personal data
processing;
2.1.7
principle of confidentiality and data security – Personal
data must be processed by the Company in a manner that ensures adequate
security of personal data, including protection from unauthorized or illegal
processing, as well as from accidental loss, destruction or damage, using
appropriate legal, organizational and technical measures.
3. PURPOSES
AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
3.1 The
Company, acting as an operator or data processor, processes personal data of
subjects for the purposes and on the grounds specified in Appendix LI 01.08.15 “Personal Data of Data Subjects Processed by the Company”
3.2 The
Company ensures that the content and volume of personal data processed
corresponds to the stated purposes of processing and, if necessary, takes
measures to eliminate their redundancy in relation to the stated purposes of
processing.
3.3 When
changing any of the processing purposes specified in Appendix
LI 01.08.15 “Personal Data of Data Subjects
Processed by the Company”, for which the Company took the
consent of the personal data subject, in the absence of other grounds for such
processing, the Company is obliged to request from the personal data subject to
re-consent in accordance with the changed purpose.
3.4 The
Company may process personal data of subjects within the framework of the
following actions (or a set of actions, including with or without the use of
any automation, technical means): collection, input, systematization, formation,
storage, use, transformation, recovery, transfer, correction, blocking,
depersonalization, destruction.
3.5 Main
methods of personal data processing by the Company:
3.5.1
using automation tools;
3.5.2
without using them;
3.5.3
mixed method.
3.6 The
Company processes special personal data only with the consent of the personal
data subject or without consent in cases provided for by the legislation of the
Republic of Armenia.
In particular, the Company may process special personal data of persons
related to employee accidents (health data). At the same time, the Company
takes measures aimed at preventing risks that may arise during the processing
of such personal data for the rights and freedoms of personal data subjects.
3.7 The
Company, if necessary, to achieve the purposes of data processing, has the
right to transfer personal data to third parties in compliance with the
requirements of the legislation of the Republic of Armenia.
3.8 The
terms of processing of personal data by the Company are determined taking into
account:
3.8.1
established purposes for personal data processing;
3.8.2
terms of contracts concluded with personal data
subjects;
3.8.3
validity periods of consents of personal data subjects
to the processing of their personal data;
3.8.4
deadlines determined by the local legal act specified
in paragraph 10 of this Policy and the legislation of the Republic of Armenia.
3.8.5
The Company stops processing personal data in the
following cases:
3.8.6
upon the occurrence of conditions for termination of
the processing of personal data or upon expiration of the established deadlines;
3.8.7
upon achievement of the purposes of their processing
or in case of loss of the need to achieve these purposes;
3.8.8
at the request of the personal data subject, in cases
provided for by the legislation of the Republic of Armenia on the personal data
protection;
3.8.9
in case of unlawful processing of personal data, if it
is impossible to ensure the legality of the personal data processing;
3.8.10
in case of liquidation of the Company.
4. OTHER
INFORMATION ABOUT THE PERSONAL DATA SUBJECTS
4.1
The Company also has the right to process other
information about personal data subjects, which includes:
4.1.1
data automatically received by the server when
accessing the website using bookmarks (cookies), see “Cookie
Policy”.
4.1.2
data automatically received by the server when
accessing the website and subsequent user actions on the website (including,
but not limited to: host IP address, type of operating system of the website
user, browser type, website pages visited by the user, etc.).
4.2
The information specified in paragraph 4.1 of this Policy is processed by the Company in
order to obtain anonymous (depersonalized) and aggregate statistics to improve
functionality, as well as improve the quality of the website, improve the
Company’s services, as well as for the purpose of preventing and suppressing
dishonest behaviour on the part of personal data subjects, assistance in the
prevention, detection and suppression of offenses and crimes and ensuring the
display of personalized and relevant content to website users.
4.3
The Company, if necessary and to achieve the purposes
of processing information about personal data subjects specified in paragraph 4.1 of this Policy, has the right to transfer such
information to third parties in compliance with the requirements of the
legislation of the Republic of Armenia.
4.4 The
Company may process information about personal data subjects specified in
paragraph 4.1 of this Policy within the framework of the actions, conditions, methods
and terms specified in paragraphs 3.4, 3.5, 3.7, 3.8 of this Policy.
5. PROCEDURE AND CONDITIONS FOR PERSONAL
DATA PROCESSING
5.1
The basis for the personal data processing is the
consent of the personal data subject, with the exception of cases established
by the legislation of the Republic of Armenia, when the personal data processing
is carried out without obtaining such consent.
5.2
The consent of the personal data subject is a free,
unambiguous, informed expression of their will, through which they authorize
the processing of their personal data.
Refusal to give consent to the personal data processing gives the
Company the right to refuse the personal data subject to provide services
(works) to the Company, the implementation of which is directly related to the
personal data processing.
5.3
The storage of personal data is carried out in a form
that allows identifying the personal data subject, for a period no longer than
required by the purposes of the personal data processing, except in cases where
the storage period for personal data is established by the legislation of the
Republic of Armenia, a contract concluded (to be concluded) with the personal
data subject for the purpose of performing actions established by this contract
or other laws of the Republic of Armenia.
5.4
The condition for terminating the personal data
processing may be the achievement of the goals of the personal data processing,
the expiration of the period for the personal data processing, the withdrawal
of the consent of the personal data subject to the processing of their personal
data, as well as the identification of unlawful processing of personal data.
5.5
After the termination of the personal data processing,
the Company destroys it, which involves physical destruction of the media or
erasure of information from it. Methods and rules for destroying personal data
depend on where it is contained – on paper or electronic media. The Company
gets rid of paper documents: by heat treatment (burning) or by shredding (you
need to make sure that the integrity of the media or information cannot be
restored in any way). Digital media is physically destroyed, causing severe
damage that cannot be repaired. The Company has the right to choose the method
of destruction of integrity independently; this could be exposure to chemically
aggressive compounds, surface erosion, sandblasting, ultrasonic or
electrochemical treatment. The main task is to reduce to zero the likelihood of
obtaining personal data from destroyed media.
5.6
The Company, acting as an authorized person, processes
personal data of entities that are clients of third parties, acts on behalf of
the personal data processing in accordance with the legislation of the Republic
of Armenia.
6. PROCEDURE,
CONDITIONS AND PURPOSES OF PROCESSING BIOMETRIC DATA
6.1
Biometric
personal data is processed only with the consent of the data subject, except in
cases provided for by law, and if the implementation of the purpose pursued by
law is possible only by processing these biometric data.
6.2
The use and storage of biometric personal data can
only be carried out on such tangible media, using such technologies or in such
ways that ensure the protection of this data from illegal penetration, illegal
use, destruction, transformation, blocking, copying, distribution of personal
data and other things.
6.3
The Company processes biometric data for two purposes:
6.3.1
to provide access to certain areas
6.3.2
to record visits to the company’s area
6.4
The procedure and conditions for processing biometric
data are the same as for personal data.
7.
RIGHTS OF PERSONAL DATA SUBJECTS AND MECHANISM FOR EXERCISING THESE
RIGHTS
7.1
The personal data subject has a set of rights in
relation to their personal data specified in the appendix LI
01.08.16 “The Set of Rights of the Subject in Relation to Their
Personal Data”.
7.2
Exercise of one or more powers specified in the
appendix LI 01.08.16 “The Set of Rights of
the Subject in Relation to Their Personal Data”, carried out by
the personal data subject by submitting a request (application) in writing by
registered mail, or in the form of an electronic document. At the same time,
the right to revoke previously granted consent to the personal data processing
can be exercised in electronic form, corresponding to the form of expression of
such consent.
7.3
The request (application) must contain:
7.3.1
full name of the personal data subject; address of
residence (place of stay);
7.3.2
date of birth;
7.3.3
identification number (if indicated when giving
consent or the personal data processing is carried out without the consent of
the personal data subject);
7.3.4
statement of the essence of the requirement;
7.3.5
personal signature or electronic digital signature.
7.4
The request (application) must be submitted:
7.4.1
in writing to the address: 1, Abovyan Khakhakhutyan
Street, Kotayk Marz, 2201, Armenia or;
7.4.2
in the form of an electronic document filled out in
the Company’s sales and service offices
7.4.3
in electronic form to the email address: pdpօ@ovio.am
7.5
Any information (including personal data) that the
personal data subject provides when registering a personal account can be used
by the Company in accordance with this Policy.
7.6
Termination of the Company’s processing of the
subject’s personal data may make it impossible to further provide the subject
with the Company’s services.
7.7
A person who provided the Company with incomplete,
outdated, false information about themselves, or information about another
personal data subject without the latter’s consent, is liable in accordance
with the legislation of the Republic of Armenia.
8.
MEASURES TAKEN BY THE COMPANY TO
PROTECT PERSONAL DATA OF SUBJECTS
8.1
The Company takes and constantly improves the
necessary legal, organizational and technical measures to ensure the protection
of personal data from unauthorized or accidental access to it, modification,
blocking, copying, distribution, provision, deletion of personal data, as well
as from other unlawful actions in regarding personal data.
8.2
Legal measures taken by the Company:
8.2.1
The Company has developed and put into effect
documents establishing the procedure for processing and ensuring the protection
of personal data, which ensure compliance with the requirements of the Law and
other acts of legislation of the Republic of Armenia regulating relations in
the field of personal data.
8.3
Organizational measures taken by the Company include:
8.3.1
appointment by the Company of a person and (or)
structural unit responsible for internal control over the processing of
personal data;
8.3.2
familiarization of the Company's employees with the
requirements of the legislation of the Republic of Armenia and the Company's
regulatory documents in the field of working with personal data;
8.3.3
definition by the Company of a list of persons whose
access to personal data processed in the information system is necessary for
the performance of their job duties;
8.4
Publication of internal documents defining the
Company’s policy regarding the personal data processing, local legal acts on
the personal data processing, as well as local legal acts establishing
procedures aimed at preventing and identifying violations when working with
personal data, eliminating the consequences of such violations.
8.5
Technical measures taken by the Company include:
implementation of technical and cryptographic protection of personal data.
9.
CROSS-BORDER TRANSFER OF PERSONAL DATA
9.1
Before the start of cross-border transfer of personal
data, the Company is obliged to make sure that the foreign state to whose
territory it is intended to transfer personal data provides reliable protection
of the rights of personal data subjects.
9.2
Cross-border transfer of personal data to the
territory of foreign states that do not meet the above requirement can be
carried out only in cases provided for by the Law.
10.
FINAL PROVISIONS
10.1
Issues related to the personal data processing not covered
by this Policy are regulated by other local legal acts of the Company, as well
as by the legislation of the Republic of Armenia.
10.2
In the event that any provision of the Policy is found
to be contrary to the legislation of the Republic of Armenia, the remaining
provisions consistent with the legislation of the Republic of Armenia remain in
force and are valid, and any invalid provision will be considered
deleted/modified to the extent necessary for ensuring its compliance with the
legislation of the Republic of Armenia.
10.3 The operator has the right, at their own discretion, to change and (or) supplement the terms of this Policy without prior and (or) subsequent notification of personal data subjects. The current version of the Policy is constantly available on the Company’s website.
Contacts