- 1. Principal conditions
- 2. Privacy policy
- 3. Terms of use
- 4. Conditions
- 5. Data Center Services Description
- 6. REGULATION ON THE PROVISION OF TECHNOLOGICAL SERVICES (COLOCATION)
- 7. Electronic signature procedure
- 8. Personal data processing policy
- 9. Information security policy
- 10. Cookie policy
- 11. Video surveillance policy
- 1. Principal conditions
- 2. Privacy policy
- 3. Terms of use
- 4. Conditions
- 5. Data Center Services Description
- 6. REGULATION ON THE PROVISION OF TECHNOLOGICAL SERVICES (COLOCATION)
- 7. Electronic signature procedure
- 8. Personal data processing policy
- 9. Information security policy
- 10. Cookie policy
- 11. Video surveillance policy
PERSONAL DATA PROCESSING POLICY
|
PERSONAL
DATA PROCESSING POLICY |
1. GENERAL PROVISIONS
1.1 This Policy defines the activities of GNC-ALFA CJSC, registered
at: 1, Abovyan Khakhakhutyan Street, Kotayk Marz, 2201, Armenia (hereafter
referred to as the Company) in relation to the processing of personal data of
all subjects whose data is processed by the Company, being an operator or
processor of personal data within the meaning of the Law of the Republic of
Armenia dated 18.05.2015 No. ՀՕ-49-Ն “On the Personal Data Protection”
(hereafter referred to as the Law).
1.2 The Policy has been developed in accordance with the provisions of
the Law, the Company’s Information Security Policy and other local and
legislative acts of the Republic of Armenia.
1.3 The goals of this Policy are to ensure adequate protection of
personal data, as well as other information about the personal data subjects
from unauthorized access and disclosure, as well as to unify the procedure for
processing such data by the Company in accordance with the requirements of the
legislation of the Republic of Armenia.
1.4 This Policy applies to all actions performed by the Company with
personal data using or without the use of automation tools.
1.5 For the purpose of this Policy, terms are used with the following
meanings:
1.5.1 personal data operator is state or local government body,
state or municipal institution or organization, legal entity or individual that
organizes and (or) processes personal data;
1.5.2 data subject is an individual to whom the personal data
relates;
1.5.3 biometric personal data are information characterizing the
physical, physiological and biological characteristics of a person;
1.5.4 personal data of a special category are information
relating to race, nationality or ethnic origin, political views, religious or
philosophical beliefs, membership in a trade union, state of health and
intimate life of a person;
1.5.5 publicly available personal data are information that
becomes available to a certain or unspecified circle of persons with the
consent of the data subject or when taking conscious actions aimed at making
them publicly available, as well as information provided by law as publicly
available information;
1.5.6 authorized person is a legal entity or individual, a state
or local government body, a state or municipal institution or organization,
which, in cases established by law or on the basis of a contract, has been
ordered by the data operator to collect, enter, systematize or otherwise
process personal data;
1.5.7 personal data is information about the personal life,
marital status, physical, physiological, intellectual, social condition of a
person or other similar information;
1.5.8 services are a set of works (services) related to the
Company’s activities aimed at meeting the needs of personal data subjects;
1.5.9 counterparty is a party to a civil contract concluded with
the Company;
1.5.10 personal account is a set of protected website pages
created as a result of registration of the personal data subject by filling out
a special form, using which the subject has the opportunity to receive legally
and technically significant information regarding the Company’s services,
conclusion, execution, termination of contracts, as well as carry out other
actions provided for by the explicit functions of the personal account;
1.5.11 website is information resource of the Company on the global computer
network of Internet;
Other terms used in this Policy are used in the meanings defined by the
Law.
1.6 The Policy is mandatory for familiarization and execution by all
persons authorized to process personal data in the Company, and persons
involved in organizing the processing and ensuring the personal data protection
in the Company.
1.7 This Policy comes into force from the moment of its approval.
1.8 Providing unlimited access to the Policy is implemented by
publishing it in the public domain on the Company’s website.
2. PRINCIPLES OF PERSONAL DATA PROCESSING
2.1 The Company takes actions to protect the privacy of personal data
subjects, as well as their rights to confidentiality, regardless of the methods
of collecting personal data, taking into account the following principles of
their processing:
2.1.1 principle of legality – Personal data will be processed for
lawful and specified purposes and may not be used for other purposes without
the consent of the data subject. If the subject does not agree with the processing
of personal data, the Company notifies those services, the implementation of
which is directly related to the personal data processing, may be unavailable,
and use of the website is limited;
2.1.2 principle of limiting goals – Personal data is processed by
the Company only for express and legitimate purposes and must not be further
processed in a manner incompatible with these purposes;
2.1.3 principle of proportionality – Personal data is processed
in the minimum amount necessary to achieve legitimate purposes. If the purpose
of data processing can be achieved by depersonalization, then the company does
not process personal data.
2.1.4 principle of reliability – The processed personal data must
be complete, accurate, clear and, where possible, up to date. The personal data
subject must take all reasonable measures to ensure that incomplete, outdated
or inaccurate personal data, depending on the purposes of their processing, are
deleted or corrected without delay.
2.1.5 principle of minimal involvement of subjects – In the event
that the Company can receive personal data from another body through a unified
electronic information system, the submission of personal data necessary for certain
actions from the personal data subject is not required.
2.1.6 principle of limiting the storage period of data – Personal
data must be stored in a form that allows the personal data subject to be
identified, but not longer than required for the purposes of personal data
processing;
2.1.7 principle of confidentiality and data security – Personal
data must be processed by the Company in a manner that ensures adequate
security of personal data, including protection from unauthorized or illegal
processing, as well as from accidental loss, destruction or damage, using
appropriate legal, organizational and technical measures.
3.PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
3.1 The Company, acting as an operator or data processor, processes personal
data of subjects for the purposes and on the grounds specified in Appendix LI
01.08.15 “Personal Data of Data Subjects Processed by the Company”
3.2The Company ensures that the content and volume of personal data
processed corresponds to the stated purposes of processing and, if necessary,
takes measures to eliminate their redundancy in relation to the stated purposes
of processing.
3.3 When changing any of the processing purposes specified in Appendix LI
01.08.15 “Personal Data of Data Subjects Processed by the Company”, for
which the Company took the consent of the personal data subject, in the absence
of other grounds for such processing, the Company is obliged to request from the
personal data subject to re-consent in accordance with the changed purpose.
3.4 The Company may process personal data of subjects within the
framework of the following actions (or a set of actions, including with or
without the use of any automation, technical means): collection, input,
systematization, formation, storage, use, transformation, recovery, transfer,
correction, blocking, depersonalization, destruction.
3.5 Main methods of personal data processing by the Company:
3.5.1 using automation tools;
3.5.2 without using them;
3.5.3 mixed method.
3.6 The Company processes special personal data only with the consent of the
personal data subject or without consent in cases provided for by the
legislation of the Republic of Armenia.
In particular, the Company may process special personal data of persons
related to employee accidents (health data). At the same time, the Company
takes measures aimed at preventing risks that may arise during the processing of
such personal data for the rights and freedoms of personal data subjects.
3.7 The Company, if necessary, to achieve the purposes of data
processing, has the right to transfer personal data to third parties in
compliance with the requirements of the legislation of the Republic of Armenia.
3.8 The terms of processing of personal data by the Company are
determined taking into account:
3.8.1 established purposes for personal data processing;
3.8.2 terms of contracts concluded with personal data subjects;
3.8.3 validity periods of consents of personal data subjects to the
processing of their personal data;
3.8.4 deadlines determined by the local legal act specified in
paragraph 10 of this Policy and the legislation of the Republic of Armenia.
3.8.5 The Company stops processing personal data in the following
cases:
3.8.6 upon the occurrence of conditions for termination of the
processing of personal data or upon expiration of the established deadlines;
3.8.7 upon achievement of the purposes of their processing or in case
of loss of the need to achieve these purposes;
3.8.8 at the request of the personal data subject, in cases provided
for by the legislation of the Republic of Armenia on the personal data
protection;
3.8.9 in case of unlawful processing of personal data, if it is
impossible to ensure the legality of the personal data processing;
3.8.10 in case of liquidation of the Company.
4. OTHER INFORMATION ABOUT THE PERSONAL DATA SUBJECTS
4.1 The Company also has the right to process other information about personal
data subjects, which includes:
4.1.1 data automatically received by the server when accessing the
website using bookmarks (cookies), see “Cookie Policy”.
4.1.2 data automatically received by the server when accessing the
website and subsequent user actions on the website (including, but not limited
to: host IP address, type of operating system of the website user, browser
type, website pages visited by the user, etc.).
4.2 The information specified in paragraph 4.1 of this
Policy is processed by the Company in order to obtain anonymous
(depersonalized) and aggregate statistics to improve functionality, as well as
improve the quality of the website, improve the Company’s services, as well as
for the purpose of preventing and suppressing dishonest behaviour on the part
of personal data subjects, assistance in the prevention, detection and
suppression of offenses and crimes and ensuring the display of personalized and
relevant content to website users.
4.3 The Company, if necessary and to achieve the purposes of
processing information about personal data subjects specified in
paragraph 4.1 of this Policy, has the right to transfer such
information to third parties in compliance with the requirements of the
legislation of the Republic of Armenia.
4.4 The Company may process information about personal data subjects
specified in paragraph 4.1 of this Policy within the framework of the
actions, conditions, methods and terms specified in paragraphs 3.4, 3.5,
3.7, 3.8 of this Policy.
5.PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING
5.1 The basis for the personal data processing is the consent of the personal
data subject, with the exception of cases established by the legislation of the
Republic of Armenia, when the personal data processing is carried out without
obtaining such consent.
5.2 The consent of the personal data subject is a free, unambiguous,
informed expression of their will, through which they authorize the processing
of their personal data.
Refusal to give consent to the personal data processing gives the Company
the right to refuse the personal data subject to provide services (works) to
the Company, the implementation of which is directly related to the personal
data processing.
5.3 The storage of personal data is carried out in a form that allows
identifying the personal data subject, for a period no longer than required by
the purposes of the personal data processing, except in cases where the storage
period for personal data is established by the legislation of the Republic of
Armenia, a contract concluded (to be concluded) with the personal data subject
for the purpose of performing actions established by this contract or other
laws of the Republic of Armenia.
5.4 The condition for terminating the personal data processing may be
the achievement of the goals of the personal data processing, the expiration of
the period for the personal data processing, the withdrawal of the consent of
the personal data subject to the processing of their personal data, as well as
the identification of unlawful processing of personal data.
5.5 After the termination of the personal data processing, the Company
destroys it, which involves physical destruction of the media or erasure of
information from it. Methods and rules for destroying personal data depend on
where it is contained – on paper or electronic media. The Company gets rid of
paper documents: by heat treatment (burning) or by shredding (you need to make
sure that the integrity of the media or information cannot be restored in any
way). Digital media is physically destroyed, causing severe damage that cannot
be repaired. The Company has the right to choose the method of destruction of
integrity independently; this could be exposure to chemically aggressive
compounds, surface erosion, sandblasting, ultrasonic or electrochemical
treatment. The main task is to reduce to zero the likelihood of obtaining
personal data from destroyed media.
5.6 The Company, acting as an authorized person, processes personal
data of entities that are clients of third parties, acts on behalf of the
personal data processing in accordance with the legislation of the Republic of
Armenia.
6. PROCEDURE, CONDITIONS AND PURPOSES OF PROCESSING BIOMETRIC DATA
6.1 Biometric personal data is processed only with the consent of the
data subject, except in cases provided for by law, and if the implementation of
the purpose pursued by law is possible only by processing these biometric data.
6.2 The use and storage of biometric personal data can only be carried
out on such tangible media, using such technologies or in such ways that ensure
the protection of this data from illegal penetration, illegal use, destruction,
transformation, blocking, copying, distribution of personal data and other
things.
6.3 The Company processes biometric data for two purposes:
6.3.1 to provide access to certain areas
6.3.2 to record visits to the company’s area
6.4 The procedure and conditions for processing biometric data are the
same as for personal data.
7. RIGHTS OF PERSONAL DATA SUBJECTS AND MECHANISM FOR EXERCISING THESE
RIGHTS
7.1 The personal data subject has a set of rights in relation to their
personal data specified in the appendix LI 01.08.16 “The Set of
Rights of the Subject in Relation to Their Personal Data”.
7.2 Exercise of one or more powers specified in the appendix LI 01.08.16 “The
Set of Rights of the Subject in Relation to Their Personal Data”, carried out
by the personal data subject by submitting a request (application) in writing
by registered mail, or in the form of an electronic document. At the same time,
the right to revoke previously granted consent to the personal data processing
can be exercised in electronic form, corresponding to the form of expression of
such consent.
7.3 The request (application) must contain:
7.3.1 full name of the personal data subject; address of residence (place of
stay);
7.3.2 date of birth;
7.3.3 identification number (if indicated when giving consent or the
personal data processing is carried out without the consent of the personal
data subject);
7.3.4 statement of the essence of the requirement;
7.3.5 personal signature or electronic digital signature.
7.4 The request (application) must be submitted:
7.4.1 in writing to the address: 1, Abovyan Khakhakhutyan Street, Kotayk Marz,
2201, Armenia or;
7.4.2 in the form of an electronic document filled out in the
Company’s sales and service offices
7.4.3 in electronic form to the email address: pdpօ@ovio.am
7.5 Any information (including personal data) that the personal data
subject provides when registering a personal account can be used by the Company
in accordance with this Policy.
7.6 Termination of the Company’s processing of the subject’s personal
data may make it impossible to further provide the subject with the Company’s
services.
7.7 A person who provided the Company with incomplete, outdated, false
information about themselves, or information about another personal data
subject without the latter’s consent, is liable in accordance with the
legislation of the Republic of Armenia.
8.MEASURES TAKEN BY THE COMPANY TO PROTECT PERSONAL DATA OF SUBJECTS
8.1 The Company takes and constantly improves the necessary legal,
organizational and technical measures to ensure the protection of personal data
from unauthorized or accidental access to it, modification, blocking, copying,
distribution, provision, deletion of personal data, as well as from other
unlawful actions in regarding personal data.
8.2 Legal measures taken by the Company:
8.2.1 The Company has developed and put into effect documents
establishing the procedure for processing and ensuring the protection of
personal data, which ensure compliance with the requirements of the Law and
other acts of legislation of the Republic of Armenia regulating relations in
the field of personal data.
8.3 Organizational measures taken by the Company include:
8.3.1 appointment by the Company of a person and (or) structural unit
responsible for internal control over the processing of personal data;
8.3.2 familiarization of the Company's employees with the requirements
of the legislation of the Republic of Armenia and the Company's regulatory
documents in the field of working with personal data;
8.3.3 definition by the Company of a list of persons whose access to
personal data processed in the information system is necessary for the
performance of their job duties;
8.4 Publication of internal documents defining the Company’s policy
regarding the personal data processing, local legal acts on the personal data
processing, as well as local legal acts establishing procedures aimed at
preventing and identifying violations when working with personal data,
eliminating the consequences of such violations.
8.5 Technical measures taken by the Company include: implementation of
technical and cryptographic protection of personal data.
9. CROSS-BORDER TRANSFER OF PERSONAL DATA
9.1 Before the start of cross-border transfer of personal data, the
Company is obliged to make sure that the foreign state to whose territory it is
intended to transfer personal data provides reliable protection of the rights
of personal data subjects.
9.2 Cross-border transfer of personal data to the territory of foreign
states that do not meet the above requirement can be carried out only in cases
provided for by the Law.
10.FINAL PROVISIONS
10.1 Issues related to the personal data processing not covered by this Policy
are regulated by other local legal acts of the Company, as well as by the
legislation of the Republic of Armenia.
10.2 In the event that any provision of the Policy is found to be
contrary to the legislation of the Republic of Armenia, the remaining
provisions consistent with the legislation of the Republic of Armenia remain in
force and are valid, and any invalid provision will be considered
deleted/modified to the extent necessary for ensuring its compliance with the
legislation of the Republic of Armenia.
10.3 The operator has the right, at their own discretion, to change
and (or) supplement the terms of this Policy without prior and (or) subsequent
notification of personal data subjects. The current version of the Policy is
constantly available on the Company’s website.
Contacts