Processing of Personal Data
NSPK JSC Policy of Personal Data Processing and Protection
Version 2.0, Moscow 2022
The official language of the “NSPK JSC Policy of Personal Data Processing and Protection” (Version 2.0, Moscow 2022) is Russian. This English language text is not an official translation and is provided for information purposes only.
In the event of any discrepancies between the English version and the Russian original, the Russian original shall prevail. The recipient is solely responsible for the use of the information contained herein.
1. General Provisions
This NSPK JSC Policy of Personal Data Processing and Protection (hereinafter, the “Policy”) determines the underlying principles, objectives, conditions and methods of personal data processing, lists of subjects and personal data processed by NSPK JSC, functions of NSPK JSC in processing of personal data, rights of personal data subjects, as well as requirements to personal data protection implemented by NSPK JSC.
This Policy was written in compliance with the requirements of the Constitution of the Russian Federation, personal data laws, statutes and regulations of the Russian Federation.
The provisions hereof provide the basis for the drafting of internal policies and procedures governing within NSPK JSC the processing and protection of personal data of NSPK JSC employees and other personal data subjects whose personal data NSPK JSC processes. The provisions hereof are elaborated within the internal NSPK JSC documents.
NSPK JSC ensures the full observance of civil and political rights of personal data subjects when processing their personal data, including protecting their right to privacy, personal and family secrets.
2. Laws and Other Statutes and Regulations
This Policy was written in compliance with the following laws, statutes and regulations of the Russian Federation:
3. Terms, Definitions and Abbreviations
The following terms, definitions and abbreviations are used herein:
NSPK JSC – National Payment Card System Joint-Stock Company located at: 11, Bolshaya Tatarskaya Street, Moscow, 115184.
Automated Personal Data Processing – personal data processing by means of computers.
Personal Data Blocking – a temporary interruption of personal data processing (except where processing is required for personal data update or alteration).
Cardholders – private individuals who legally use payment cards as electronic payment facilities.
Domain Name – a symbol designation for addressing sites on the Internet in order to provide access to information hosted on the Internet.
Applicants – private individuals who sent applications to NSPK JSC.
Customers of Faster Payments System Participants – private individuals who entered into a banking agreement with a Faster Payments System Participant.
Mobile Application – computer software developed by NSPK JSC and designed to run on mobile devices to provide access to NSPK JSC web resources, goods/works/services of NSPK JSC, Mir Payment System Participants, partners (contractors) of NSPK JSC.
Personal Data Depersonalization – actions making it impossible to identify personal data as belonging to a certain data subject without using additional information.
Personal Data Processing – any action or a series of actions with personal data with or without the use of automation facilities, including the personal data acquisition, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, access granting), depersonalization, blocking, deleting and annihilation.
Personal Data Operator (Operator) – a state authority, municipal authority, legal entity or private individual, who, independently or jointly, arranges and/or performs personal data processing, as well as defines the objectives of personal data processing, the scope of personal data to be processed and personal data processing operations. In this Policy, NSPK JSC shall be understood to mean the Operator.
Personal Data – any information directly or indirectly related to a specified private individual (data subject).
Subscribers – private individuals who subscribe to newsletters and feedback handling on NSPK JSC Web resources.
Visitors – private individuals who are issued single-use passes to access NSPK JSC premises.
Web Visitors – private individuals who are granted access to external NSPK JSC Web resources using a Web browser and (or) NSPK JSC mobile application.
Regulations on NSPK JSC Operational and Payment Clearing Services – an NSPK JSC document establishing the procedure, conditions and provisions of organizing interaction and obtaining operational and payment clearing services of acquisition, processing, and submission of data on transactions with bank cards to credit institutions and the state corporation “Bank for Development (VEB.RF)” when performing funds transfers in the Russian Federation using international payment cards, with the exception of cross-border transfers.
Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System – an NSPK JSC document establishing the procedure, conditions, and provisions of organizing interaction and obtaining operational and payment clearing services, including services of acquisition, processing, and submission of data to credit institutions to perform funds transfers using the Faster Payments System (FPS) of the payment system of the Bank of Russia.
Mir Payment System Regulations – a set of documents that determines conditions of participation in the Mir Payment System, performance of funds transfers, provision of payment infrastructure services, and other provisions determined by the Mir Payment System operator under the laws of the Russian Federation.
Loyalty Program Regulations of NSPK JSC – document(s) that define(s) the conditions of participation in the Loyalty Program, and other provisions determined by the Operator under the laws of the Russian Federation.
NSPK JSC Transport Processing Platform Rules – document(s) that define(s) the conditions of participation in NSPK JSC transport system and other provisions determined by the Operator under the laws and regulations of the Russian Federation.
Personal Data Presentation – actions aimed at disclosing personal data to a particular person or a specific group of people.
Personal Data Presentation – actions aimed at disclosing personal data to any number of unspecified persons.
Personal Data Annihilation – actions making it impossible to restore the scope of personal data in the personal data information system and (or) resulting in the elimination of tangible personal data media.
Cookies – a set of data stored in the browser settings of a personal data subject and processed by the NSPK JSC Web resource when a personal data subject uses such a Web resource.
Web Browser – software used by a personal data subject to view information, including Web resources on the Internet.
Web Resource – an NSPK JSC information system that uses data presentation and transmission technologies to provide information services on the Internet.
Other terms and definitions used herein are understood in accordance with the laws of the Russian Federation, Mir Payment System Regulations, Loyalty Program Regulations of NSPK JSC, Regulations on NSPK JSC Operational and Payment Clearing Services, Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System, NSPK JSC Transport Processing Platform Rules.
4. Concept and Scope of Personal Data
NSPK JSC makes a list of personal data processed and subject to protection in accordance with Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, other regulations, as well as internal policies and procedures of NSPK JSC, with due consideration of personal data processing objectives of personal data subjects specified in Section 5 hereof, and in accordance with the notification on personal data processing sent by NSPK JSC to the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor).
Information constituting personal data is any information directly or indirectly related to an identified or identifiable individual (personal data subject).
NSPK JSC does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life.
NSPK JSC processes the personal data of the following subjects:
5. Objectives and Principles of Personal Data Processing
NSPK JSC in its capacity of a personal data operator processes personal data for the following purposes:
When processing personal data, NSPK JSC abides by the following principles stipulated by Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”:
6. Personal Data Processing Conditions Within NSPK JSC
NSPK JSC processes personal data with the consent from personal data subjects, unless otherwise provided for by laws of the Russian Federation.
NSPK JSC does not disclose to third parties nor does it disseminate personal data without the consent of personal data subjects, unless otherwise provided for by laws of the Russian Federation.
NSPK JSC is entitled to charge another person with the processing of personal data with the consent from the personal data subject under an agreement with such person. Such agreement must contain a list of actions (operations) with personal data that will be performed by the person processing the personal data, as well as purposes of processing, the obligation of such person to keep personal data confidential and ensure personal data security when processing them, as well as requirements to personal data protection under Article 19 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.
For purposes of internal informational support, NSPK JSC can create internal reference materials which, with the written consent of the personal data subject, unless otherwise provided for by laws of the Russian Federation, may contain their last name, first name, patronymic, photograph, place of work, position, year and place of birth, address, customer number, e-mail address, other personal data conveyed by the personal data subject.
Only authorized NSPK JSC employees may have access to personal data processed within NSPK JSC.
7. Personal Data Handling Operations and Processing Methods
NSPK JSC collects, records, systematizes, accumulates, stores, refines (updates, alters), extracts, uses, transfers (disseminates, provides, grants access), depersonalizes, blocks, deletes and annihilates personal data.
NSPK JSC uses the following personal data processing methods:
8. Personal Data Processing Conditions
The processing conditions of personal data of personal data subjects within NSPK JSC are set forth in the internal documents of NSPK JSC with due regard for:
9. Ensuring Personal Data Security and Confidentiality
NSPK JSC takes the legal, technical and organizational measures provided for by laws of the Russian Federation necessary to ensure security of processed personal data of personal data subjects to protect personal data from unlawful or accidental access, annihilation, alteration, blockage, copying, presentation, dissemination, as well as other illegal actions regarding personal data of personal data subjects.
The security of personal data of personal data subjects is ensured within NSPK JSC under the laws of the Russian Federation and NSPK JSC internal policies and procedures regarding processing and protection of personal data, namely:
10. Use of NSPK JSC Web Resources and Mobile Applications
NSPK JSC uses cookies, which includes processing information about Web Visitors, necessary for correct operation of NSPK JSC Web resources and mobile applications, as well as to improve the operation quality and usability of NSPK JSC Web resources and mobile applications, personalize services and offers for Web Visitors.
Some of the functionality of NSPK JSC Web resources and mobile applications can be used for personal data presentation. However, to use special features of NSPK JSC Web resources and mobile applications, user data, including personal data, have to be provided.
By checking a box or clicking a button in the electronic acceptance form provided by the NSPK JSC Web resource and (or) mobile application, a personal data subject agrees to processing of their personal data by NSPK JSC under the conditions provided for herein.
A personal data subject does not use the NSPK JSC Web resources and (or) mobile applications, nor do they provide their personal data to NSPK JSC unless they agree with the provisions of this Section of the Policy.
NSPK JSC processes personal data using Web resources and mobile applications under the conditions set forth in Appendix 1 hereto.
11. Rights and Obligations of NSPK JSC and Personal Data Subjects
NSPK JSC, in its capacity of the personal data operator, is entitled to:
NSPK JSC, in its capacity of the personal data operator, shall:
1) a designation or a full name and address of the operator or its representative;
2) purposes of personal data processing and its legal grounds;
3) intended users of personal data;
4) rights of a personal data subject provided for in the Federal law;
5) source of personal data.
NSPK JSC takes reasonable measures to maintain accuracy and relevance of the available personal data, as well as to delete personal data of personal data subjects if they are obsolete, inaccurate or redundant or if the purposes of their processing have been achieved.
A personal data subject is entitled to:
Personal data subjects are liable for provision of reliable information to NSPK JSC, as well as for the timely update of the data provided in case of changes.
12. Feedback, Request Handling
If a personal data subject wishes to know what personal data NSPK JSC holds on them, or to supplement, correct, depersonalize or delete any incomplete, inaccurate or obsolete personal data, or wishes for NSPK JSC to stop processing their personal data, or has other legal claims, they can exercise such right as and when required under the laws of the Russian Federation by contacting NSPK JSC.
In some cases (e.g., if a personal data subject wants to delete their personal data or interrupt their processing), such request may also mean that NSPK JSC will no longer be able to provide services to such personal data subject.
To handle requests of personal data subjects, NSPK JSC may need to establish the identity of such personal data subject and request additional information confirming their relations with NSPK JSC, or information otherwise confirming the fact of personal data processing within NSPK JSC. In addition, the right of a personal data subject to access their personal data may be abridged in accordance with the laws of the Russian Federation on personal data, including if access of a personal data subject to their personal data breaches rights and legitimate interests of third parties.
The procedure for submitting requests by a personal data subject is specified by the requirements of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. Namely, in accordance with the specified requirements, a request must contain:
If a request is sent by a representative of the personal data subject, the request must contain a document (copy of the document) confirming the authority of this representative.
A request may be sent by a personal data subject in electronic form. Such requests must be verified by an enhanced digital signature of the personal data subject.
NSPK JSC contacts for personal data subjects’ requests:
mail address: 11, Bolshaya Tatarskaya str., Moscow, 115184; e-mail: info@nspk.ru.
13. Final Provisions
This Policy is an internal NSPK JSC document that becomes effective upon approval; it is publicly accessible and subject to publication (distribution) on the NSPK JSC Web resources with the domain names nspk.ru (the Russian version) and nspk.com (the English version).
NSPK JSC may amend this Policy. When amending the front page of this document, the latest date of an update of the version hereof is indicated. Amendments made to this Policy become effective upon approval, unless otherwise specified by the very amendments.
The current version hereof is stored as a hard copy at the location of the NSPK JSC executive body at the address: 11, Bolshaya Tatarskaya Street, Moscow, 115184.
NSPK JSC recommends that personal data subjects regularly refer to this Policy to review the current version.
Appendix 1. Personal Data Processing Conditions Using NSPK JSC Web Resources and Mobile Applications
NSPK JSC processes personal data using Web resources and mobile applications under the following conditions:
| Personal data subject | Purpose of personal data processing | Scope of personal data | Domain name / mobile application | Method of personal data processing | Personal data transfer | Personal data processing operations | Term of consent |
|---|---|---|---|---|---|---|---|
| Web resources visitors | Ensuring proper operation, click stream analysis and performance optimization of NSPK JSC Web resources and mobile applications to improve the operation quality and usability, personalization of services and offers | | | Using automation facilities | To the limited liability company “SAS Institute” located at: 21 build.1, Stanislavsky street, 109004 Moscow | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| | | | | Using automation facilities | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| Job applicants | Staff recruitment | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 15 years |
| | | | | Mixed processing (with or without the use of automation facilities) | The candidate's full name, date of birth and education details can be transmitted to the educational institution specified in the CV | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | 15 years |
| Employees | Provision of services for creation and revocation of certificates of digital signature verification keys | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| Affiliated persons | In order to comply with laws of the Russian Federation | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | In accordance with the law |
| Representatives of contractors | Provision of information and consulting services through seminars and webinars | | | Mixed processing (with or without the use of automation facilities) | To the limited liability company “WEBINAR TECHNOLOGII” located at: 21 Praskovyina street, 129515 Moscow | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| | Provision of information and consulting services through conferences and forums | | | Mixed processing (with or without the use of automation facilities) | To the contractor involved in preparation and organization of conferences, forums, under a services agreement | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| | | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| | Provision of services for creation and revocation of certificates of digital signature verification keys | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| | Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Mir Payment System Regulations and Standards | | | Automated processing (using automation facilities) | Data transferred in accordance with provisions of Mir Payment System Regulations and Standards | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Mir Payment System Regulations and Standards |
| | Organizational and legal arrangements for accedence to the Regulations, as well as organizational, operational and technical support to Participants and other business partners | | | Mixed processing (with or without the use of automation facilities) | Data transferred under the Regulations on NSPK JSC Operational and Payment Clearing Services, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and the Mir Payment System Regulations | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and the Mir Payment System Regulations |
| | Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC | | | Mixed processing (with or without the use of automation facilities) | Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Loyalty Program Regulations of NSPK JSC |
| | Implementation of payment, record keeping of benefits and public transport fares, and provision of organizational and legal measures for accedence to the NSPK JSC Transport Processing Platform Rules, as well as provision of support on organizational, operational and technical issues to participants, partners | | | Automated processing (using automation facilities) | Data transferred in accordance with provisions of the NSPK JSC Transport Processing Platform Rules | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the NSPK JSC Transport Processing Platform Rules |
| Cardholders | Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC, organization of marketing activities and promotions, provision of personalized offers and information about the Loyalty Program, promotions, advertising and other information, including Partner information for Mir Cardholders, information about any marketing activities and promotions for Mir Cardholders | | | Mixed processing (with or without the use of automation facilities) | Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Loyalty Program Regulations of NSPK JSC |
| | Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Mir Payment System Regulations and Standards | | | Automated processing (using automation facilities) | Data transferred in accordance with provisions of Mir Payment System Regulations and Standards | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Mir Payment System Regulations and Standards |
| | | | Mir Pay mobile application | | | | |
| | Implementation of payment, record-keeping of benefits and public transport fares, and provision of organizational and legal measures for accedence to the NSPK JSC Transport Processing Platform Rules, as well as provision of support and information on organizational, operational and technical issues to participants, partners | | | Automated processing (using automation facilities) | Data transferred in accordance with provisions of the NSPK JSC Transport Processing Platform Rules | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the NSPK JSC Transport Processing Platform Rules |
| | Performance of contracts (agreements) with contractors, implementation of conditions of NSPK JSC service provision for contractors | | | Automated processing (using automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the relevant service agreement |
| FPS Participants’ customers | Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and FPS OPCC Standards | | | Automated processing (using automation facilities) | Data transfer in accordance with provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System |
| | Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC, marketing activities and promotions, provision of personal offers and information about the Loyalty Program, promotions, advertising and other information | | | Mixed processing (with or without the use of automation facilities) | Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data | Determined by provisions of the Loyalty Program Regulations of NSPK JSC |
| Applicants | Processing of applications and feedback handling | | | Mixed processing (with or without the use of automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
| Subscribers | Receiving information about the Loyalty Program, promotions, advertisements, and other information, personalization of services and offers, as well as feedback handling | | | Automated processing (using automation facilities) | None | Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data | 5 years |
1 The term is used in accordance with the Loyalty Program Regulations of NSPK JSC.