Personal data

 Document: “Bank policy regarding the processing of personal data”

1. Purpose and scope

  • In order to maintain business reputation and ensure compliance with federal laws, and in accordance with the requirements of Federal Law No. 152-FL dated 27.10.2006 “On Personal Data”, CB “Euro-Asian Investment Bank” LLC (hereinafter – the Bank) defines as its most important tasks ensuring the legality of personal data processing in the Bank's business processes and ensuring an adequate level of security of the personal data processed in the Bank.
  • This document, “Policy on the processing of personal data of CB “Euro-Asian Investment Bank” LLC” (hereinafter referred to as the Policy), is aimed at defining the Bank's general principles and conditions in the field of processing personal data (hereinafter referred to as PD), formulating goals and objectives in this area, defining relations related to the processing of personal data by the Bank, allocating basic roles and responsibilities, and formalizing the process of managing the protection of personal data in the Bank while ensuring compliance with the legislation of the Russian Federation. The Policy has been developed in accordance with the legislation of the Russian Federation on PD and the regulatory and methodological documents of the executive bodies of state power on PD security issues, including processing in PD information systems (hereinafter referred to as ISPD).
  • The scope of the document covers the actions related to the process of managing the protection of personal data for all processes and information systems related to ISPD, and all actions related to the processing (collection, storage, transfer, destruction, etc.) of personal data. This Policy applies to all Bank employees who process personal data and ensure the safety of personal data, and is also mandatory for all Bank employees.
  • The process of managing the protection of personal data is aimed at countering threats and vulnerabilities associated with unauthorized access that violates the confidentiality or integrity of personal data, as well as with violation of the legal rights of the subject of personal data.
  • The requirements of this Policy may be detailed, if necessary, by other internal regulatory documents of the Bank.
  • This Policy, as a document defining the Bank's policy regarding the processing of personal data, is subject to publication on the Bank website www.eab.ru, with unlimited access provided to it and to information about the actual requirements for personal data protection.

2. Terms and definitions

2.1. The basic concepts provided in this Policy fully comply with the concepts specified in the Federal Law of 27.07.2006 No. 152-FL “On Personal Data” (hereinafter – the Federal Law “On Personal Data”), as well as in the “Information Security Policy CB “Euro-Asian Investment Bank LLC”.

2.2. Biometric personal data is information that characterizes the physiological and biological characteristics of a person, on the basis of which the person's identity can be established, and which is used by the operator to identify the subject of personal data.

2.3. Electronic document – documented information presented in electronic form, i.e. in a form suitable for human perception using computer resources, as well as for transmission over information telecommunication networks or processing in information systems.

3. Goals and objectives

3.1 The main purpose of the development of this document is to define the Bank policy regarding PD processing and PD security.

3.2 The main objective of the Policy is to determine the high-level rules and requirements for PD processing and security activities.

4. Roles and obligations

  • Application area
  • As part of the PD security process, the following roles are highlighted:

– A PD subject is an individual whose PD are processed and protected by the Bank.

– A Bank employee involved (allowed) in the processing of personal data is an employee of the Bank who, as part of official duties, became aware of PD processed by the Bank and who ensures its confidentiality and security.

– ISPD Administrator – an employee of the Bank who, within the framework of his official duties, serves, supports and manages the required composition of technical means ensuring the processing of personal data.

– The curator responsible for ensuring the safety of personal data is a member of the Board of the Bank who, within the framework of his official duties, oversees the enforcement of requirements in the field of personal data processing.

– Responsible officer for organizing the processing and ensuring the safety of personal data is the head manager responsible for organizing the processing and protection of personal data appointed by the order of the Chairman of the Board of the Bank.

  • In the job descriptions of Bank employees and in agreements with third parties, rights and obligations should be defined in accordance with the requirements of the Federal Law “On Personal Data” for each participant in PD processing (the Bank, as a PD operator, employees involved in PD processing, a PD subject).
  • The Bank develops and keeps up to date the procedure (regulations) for processing applications of PD subjects, which defines the duties of the Bank when a PD subject addresses it, or when a request is received from the PD subject or his representative, or from the authorized body for the protection of the rights of PD subjects.
  • In case of violation of the established procedure for processing and ensuring the safety of personal data, unauthorized access to personal data, disclosing personal data and causing material or other damage to the Bank, customers, employees and visitors, the guilty persons shall be liable in accordance with the legislation of the Russian Federation:

– disciplinary, up to the termination of the employment contract (Articles 81, 192 of the Labor Code of the Russian Federation);

– administrative (Articles 5.39, 13.11, 13.14 of the Administrative Code of the Russian Federation);

– criminal, in the presence of elements of crime (Articles 137, 272 of the Criminal Code of the Russian Federation).

5. Main principles and conditions for the processing of personal data

  • Objects of protection
  • Principles of personal data processing.

5.1.1. PD processing at the Bank is carried out on the basis of the following principles:

– The Bank processes personal data in compliance with the principles, rules and in cases provided by the Federal Law “On Personal Data”, while taking into account the protection of the interests of the parties to the processing process;

– PD processing should be limited to achieving specific, predetermined and legitimate goals. PD processing that is incompatible with the purposes of collecting PD is not allowed;

– it is not allowed to merge databases containing PD which are processed for purposes that are incompatible with each other;

– only PD that meet the purposes of their processing are processed;

– the content and volume of PD processed should meet the stated processing objectives. PD processed should not be redundant in relation to the stated purposes of their processing;

– during PD processing, the accuracy of PD, their sufficiency and, where necessary, their relevance to the purposes of PD processing should be ensured. The Bank takes the necessary measures, or ensures that they are taken, to remove or clarify incomplete or inaccurate data;

– PD storage is carried out in a form that allows the PD subject to be determined, for no longer than the purpose of PD processing requires, unless the PD storage period is established by federal law or by a contract to which the PD subject is a party or beneficiary;

– processed PD are subject to destruction or depersonalization upon the achievement of processing objectives or when there is no longer a need to achieve these objectives, unless otherwise provided by federal law;

– the processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health, intimate life, in order to carry out banking activities is not allowed.

  • Categories, composition and purposes of processing personal data.

5.2.1 In order to carry out its core business, the Bank processes PDs of entities, including but not limited to:

– individuals who are in a contractual relationship with the Bank or are planning to enter into a contractual relationship (customers, employees, candidates for filling vacant positions);

– Affiliates of the Bank (General Meeting of Members, members of the Bank Council);

– individuals who are representatives or employees of legal entities who are in a contractual relationship or plan to enter into a contractual relationship with the Bank;

– beneficiaries;

– visitors to buildings and structures of the Bank who are not customers of the Bank.

5.2.2 The objectives and legal basis for processing PD, the composition and content of PD, as well as categories of PD subjects whose data are processed at the Bank, are recorded in the internal documents of the Bank, and are subject to update in case of changes.

5.2.3 The composition of PDs must comply with the principle of their adequacy to achieve the goals of processing. PD should not be redundant with respect to processing purposes.

  • Personal data processing conditions

5.3.1 The Bank independently determines the composition and the list of actions necessary and sufficient to ensure the fulfillment of the obligations on personal data processing provided by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, unless otherwise provided by federal laws.

5.3.2 The Bank performs PD processing both without the use of automation equipment and in automated form, with and without transmission via the Bank internal network, and with and without transmission over the public Internet.

5.3.3 The Bank, in the course of its activities, provides PD and (or) assigns the processing of PD to third parties under an agreement, with the consent of the PD subject, unless otherwise provided by federal law. The condition for such provision and (or) assignment is the obligation of the third party processing the personal data on behalf of the Bank to follow the principles and rules of personal data processing, to keep personal data confidential and to ensure the safety of personal data.

5.3.4 The Bank, in the course of its business, does not carry out the cross-border transfer of personal data to the territory of foreign states.

5.3.5 The Bank audits the compliance of PD processing with the Federal Law “On Personal Data” and regulations adopted in accordance with it, with the requirements for protecting PD, with this Policy and other internal documents of the Bank regarding PD processing and protection.

5.3.6 The processing of personal data by the Bank is carried out with the consent in writing of the subject of personal data in the following cases:

– for information support;

– to establish the identity of the subject PD;

– for making decisions based solely on automated PD processing.

5.3.7 The written consent form must be drawn up in accordance with the requirements set forth for it by the Federal Law “On Personal Data”.

5.3.8 PD processing periods (storage periods) should be determined in accordance with the purposes of PD processing and fixed for each category of PD subjects.

5.3.9 The storage of personal data should be carried out by the Bank in a form that allows the subject of personal data to be determined, for no longer than the purpose of processing personal data requires. The storage period can also be established by a contract to which the PD subject is a party, beneficiary or guarantor, by the “List of model management documents generated in the course of activities of government bodies, local governments and organizations, indicating the storage periods”, by limitation periods, and by other legal requirements and regulatory documents of the Bank of Russia.

  • PD security

5.4.1 PD processed by the Bank should have a level of confidentiality not lower than that of data classified as bank secrecy; other security characteristics can also be applied. In particular, such characteristics include: integrity, availability, non-repudiation, accounting (controllability), authenticity (reliability), adequacy.

5.4.2 The Bank implements a personnel policy (careful selection of personnel and motivation) that makes it possible to exclude or minimize the possibility of violation of personal data security by employees.

5.4.3 PD can have various forms of presentation (paper, electronic files / documents, records and fields of database records), each of which is associated with different ISPD resources.

5.4.4 PD processing in any form of presentation shall ensure PD safety and determine information on methods and means of ensuring this security.

5.4.5 Proposed measures to ensure the safety of PD (including for ISPD) should be planned so that the result of their application can be measured and evaluated.

5.4.6 An integral part of the work of PD protection should be an assessment of the effectiveness of the PD protection system.

5.4.7 In order to detect and stop, in a timely manner, attempts to violate the established rules for ensuring the safety of personal data, requirements, safety measures and procedures for continuous monitoring of the use of personal data processing and protection systems (including personal data protection systems) should be defined, and the results of monitoring should be regularly reviewed.

6. Conclusion

  • Information Security Objectives
  • The document was developed based on:

– Federal Law “On Personal Data” and the relevant regulatory acts of the Russian Federation;

– Information security policy of CB “Eurasian Investment Bank” LLC.

  • Control over the implementation of this private policy lies with the Responsible officer for organizing the processing and ensuring the safety of PD.
  • Responsibility for the implementation of this private policy lies with the Curator responsible for ensuring the safety of PD.
  • This document will be reviewed regularly – at least once every 2 years or when conditions arise that affect provisions of the document (based on the analysis of information security incidents, the relevance, sufficiency and effectiveness of personal data security actions used, the results of internal audits and other control actions).