The Operator shall ensure protection of processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Ocean Data Portal.
The Operator has the right to make changes to this Policy. When making changes, the date of the last update of the revision shall be indicated in the title of the Policy. The new edition of the Policy comes into force from the moment of its posting on the website, unless otherwise provided by the new edition of the Policy.
Receipt of personal data
All personal data should be obtained from the subject himself/herself. If the subject’s personal data can only be obtained from a third party, the subject must be notified or consent must be obtained from him/her.
The Operator must inform the subject about the purposes, expected sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid and the procedure for its withdrawal, as well as the consequences of the subject’s refusal to give written consent to obtain it.
Documents containing personal data are created by:
- copying original documents (passport, education document, TIN certificate, pension certificate, etc.);
- entering information into record forms;
- obtaining the originals of the necessary documents (employment record book, medical report, characteristic, etc.).
Personal data processing
Processing of personal data is carried out:
- with the consent of the personal data subject to the processing of his/her personal data;
- in cases where the processing of personal data is necessary for the exercise and fulfillment of functions, powers and duties imposed by the legislation;
- in cases where the processing concerns personal data to which an unlimited number of persons have been given access by the subject of personal data or at his/her request (hereinafter – personal data made publicly available by the subject of personal data).
The purposes of personal data processing are:
- realization of labor relations;
- realization of civil law relations;
- for communication with the user, in connection with filling out the feedback form on the website, including sending notifications, requests and information regarding the use of the website, processing, coordination of orders and their delivery, execution of agreements and contracts;
- depersonalization of personal data in order to obtain depersonalized statistical data, which are transferred to a third party to conduct research, perform work or provide services on behalf of.
Storage of personal data
Personal data of subjects can be received, further processed and transferred for storage both on paper and electronically.
Personal data recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.
Personal data in a form that allows identification of the personal data subject shall be stored for no longer than required by the purposes of their processing, and shall be destroyed once the purposes of processing have been achieved or when achieving them is no longer necessary.
Personal data protection
In accordance with the requirements of regulatory documents, the Operator has established a personal data protection system (PDPS) consisting of legal, organizational and technical protection subsystems.
The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents ensuring the creation, operation and improvement of the PDPS.
The organizational protection subsystem includes the organization of the PDPS management structure, the permitting system, and information protection when working with employees, partners and third parties.
The technical protection subsystem includes a set of technical, program, software and hardware means ensuring the protection of personal data.
Basic rights of the personal data subject
The subject has the right to access his/her personal data and the following information:
- confirmation of the fact of personal data processing by the Operator;
- legal grounds and purposes of personal data processing;
- the purposes and methods of personal data processing applied by the Operator;
- name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of federal law;
- terms of personal data processing, including storage terms;
- appealing to the Operator and sending requests to the Operator;
- appealing against actions or inaction of the Operator.
Obligations of the Operator
The Operator is obliged to:
- when collecting personal data, provide information about the processing of personal data;
- in cases where personal data was not obtained from the subject of personal data, notify the subject;
- in case of refusal to provide personal data, explain to the subject the consequences of such refusal;
- publish or otherwise provide unrestricted access to the document defining its policy on personal data processing and to the information on the implemented personal data protection requirements;
- take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data;
- provide answers to inquiries and appeals of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.