
Dear Clients!

Policy of data processing and realized requirements to personal data protection at «MEDSCAN» Co.Ltd.


    1. General provisions

    • This Policy is developed in accordance with provisions of the Constitution of the Russian Federation dated 12.12.1993 (articles 2, 17-24, 41), Labor Code of the Russian Federation, Federal Law dated 27.07.2006 No.152-FZ "On personal data", Federal Law dated 27.07.2006 No.149-FZ “On information, information technologies and protection of information”, Resolution of the Government of the Russian Federation dated 01.11.2012 No.1119 “On approval of requirements to protection of personal data at processing thereof in information systems of personal data”, Resolution of the Government of the Russian Federation dated 15.09.2008 No. 687 “On approval of the Regulation on particularities of processing of personal data not using automated means”, Federal Law of the Russian Federation dated 21.11.2011 No.323-FZ "On basics of protection of health of citizens in the Russian Federation", Federal Law of the Russian Federation dated 29.11.2010 No.326-FZ “On compulsory medical insurance in the Russian Federation” and other regulations governing matters of protection of personal data.
    • This Policy determines general matters associated with processing of personal data at «MEDSCAN» Co.Ltd. (hereinafter referred to as the “Operator”) using automated means including information-telecommunication networks or not using any such means.
    • Personal data represent confidential protected information which is subject to all requirements established by internal documents of the Operator to protection of confidential information.

    2. Terms and composition of personal data

    2.1. Operator – a legal entity arranging and (or) exercising on its own or together with others processing of personal data and determining purposes of processing of personal data, composition of personal data to be processed, acts (operations) to be done with personal data;

    2.2. Processing of personal data – any act (operation) or a series of acts (operations) to be done using automated means or not using such means with personal data including collection, recording, systematization, accumulation, storage, specification (updating, change), extraction, use, transmission (distribution, provision, access), impersonalization, blocking, deletion, destruction of personal data;

    2.3. Subject of personal data – customers of Operator’s services and individual patients of the Operator including potential customers and patients, representatives of customers and patients, users of the Corporate Web-Site of the Operator.

    2.4. Medical Secrecy – data on the fact of application of a patient for provision of medical aid, state of his/her health and diagnosis, other data received as a result of his/her medical examination and treatment.

    2.5. Personal data (PD) – any information including, if applicable, information constituting medical secrecy, relating directly or indirectly to an identified or identifiable subject of personal data.

    2.6. The Operator shall process personal data of the following categories of subjects of personal data:

    • personal data of Operator’s employees – information which is necessary for the Operator in connection with labor relations;
    • personal data of a patient, customer, client (potential client) and personal data of a manager, member (shareholder) or employee of a legal entity being a client or counteragent (potential client, partner, counteragent) of the Operator – information which is necessary for the Operator to fulfill its obligations within the framework of contractual relationship with a patient, client (counteragent);

    3. Purposes and events of processing of personal data

    3.1. Purposes of processing of personal data are the following:

    • organization of staff accounting, staff records management, assistance in employment, training and promotion of employees, compliance with tax laws of the Russian Federation in connection with assessment and payment of the individual income tax and pension laws of the Russian Federation in connection with formation and submission of personified data on each recipient of income taken into account for the purposes of assessment of insurance contributions for compulsory pension insurance and security, preparation of primary statistical documentation;
    • execution, fulfillment and termination of civil contracts;
    • fixation of principles of protection of personal data of subjects of personal data of the Operator, protection of their rights and freedoms, establishment of rules for processing and protection of personal data.

    3.2. The Operator may process personal data in the following cases:

    • if personal data are processed upon consent of the subject of personal data;
    • if processing of personal data is necessary for fulfillment of a contract whereto the subject of personal data is a party or beneficiary or surety or for execution of a contract at the initiative of the subject of personal data or a contract whereto the subject of personal data is a party or beneficiary or surety;
    • if processing of personal data is necessary for protection of life, health or other vital interests of the subject of personal data, if obtainment of the consent of the subject of personal data is impossible;
    • if processing of personal data is necessary for exercise of rights and legal interests of the Operator or third parties or for achievement of publicly important purposes provided that this shall not infringe rights and freedoms of the subject of personal data;
    • if processing of personal data is necessary for scientific, literature or other creative activities provided that this shall not infringe rights and freedoms of the subject of personal data;
    • if personal data are to be processed for research, statistical or other purposes subject to compulsory impersonalization of personal data;
    • if the subject of processing is personal data whereto the subject of personal data provides or requires to provide access to an unlimited circle of persons;
    • if the subject of processing is personal data which is subject to publication or compulsory disclosure in accordance with law;

    3.3. Personal data are processed at «MEDSCAN» Co.Ltd. for the following purposes:

    • for execution and fulfillment of a contract whereto the subject of personal data is a party or beneficiary or surety, personal data are to be processed on the basis of Federal Law dated 27.07.2006 No. 152-FZ "On personal data".
    • for medical-preventive purposes, for establishment of a medical diagnosis, provision of medical and medical-social services provided that personal data should be processed by a person professionally performing medical activities and obliged to keep medical secrecy in accordance with laws of the Russian Federation, personal data shall be processed on the basis of Federal Law dated 27.07.2006 No. 152-FZ "On personal data".
    • for the purposes of provision by the Operator of additional services to subjects of personal data, simplification of the procedure for interaction between the Operator and subjects of personal data, for fulfillment of requirements of rules for provision of payable medical services and check of quality of provision of services by the customer, personal data are to be processed upon written consent of the subject of personal data.
    • for other purposes personal data shall be processed on the basis of the consent of the subject of personal data subject to obtainment of the consent for specific purposes of processing of personal data.

    3.4. In some cases the Operator may process personal data of a subject of personal data without his/her consent if this is necessary to protect life, health or other vital interests of the subject of personal data.

    3.5. Personal data of a special category may be processed by the Operator only upon the written consent of the subject.

    3.6. The Operator shall not process any other personal data not compliant with purposes of such processing or legal rights and interests of the subject of personal data.

    3.7. The Operator shall on its own and at its own expense arrange for organizational technical activities and take measures to ensure protection of personal data of subjects of personal data.

    4. Basic principles of processing of personal data

    4.1. Personal data may be processed only pursuant to the purposes determining receipt of such data.

    4.2. It is not permissible to combine databases containing personal data to be processed for mismatching purposes.

    4.3. The right of access for processing of personal data shall be granted to employees of the Operator in accordance with their functional duties.

    4.4. Processing of personal data shall provide for accuracy of personal data, sufficiency thereof and when necessary actuality thereof in relation to the declared purposes of processing thereof.

    4.5. Personal data shall be kept in a form enabling to determine the subject of personal data no longer than required for the purposes of processing of personal data, unless the period of storage of personal data is determined by federal law, contract whereto the subject of personal data is a party or beneficiary or surety.

    4.6. Processed personal data shall be destroyed or impersonalized upon achievement of the purposes of processing or loss of the necessity to achieve such purposes, unless otherwise is determined by federal laws.

    4.7. Terms of storage of personal data shall be determined in accordance with the term of validity of civil relationship between the subject of personal data and the Operator, period of limitation, terms of storage of documents in hard copies and documents in electronic databases, other requirements of Russian laws and the term of validity of the consent of the subject to processing of his/her personal data.

    4.8. The Operator shall process personal data of subjects of personal data on the basis of the following principles:

    • legality of purposes and means of processing of personal data and fairness;
    • compliance of the purposes of processing of personal data with the purposes predetermined and declared when collecting personal data and powers of the Operator;
    • compliance of the scope and nature of personal data to be processed, methods of processing of personal data with the purposes of processing of personal data;
    • fairness of personal data, sufficiency thereof for processing purposes, impermissibility of processing of personal data excessive for the purposes declared when collecting personal data;

    5. The procedure for receipt of personal data of a subject of personal data

    5.1. A subject of personal data shall provide personal data and the Operator shall further process thereof on the basis of the written consent unless otherwise is determined by laws.

    5.2. The Operator warrants that the subject of personal data takes the decision to provide his/her personal data and gives his/her consent to processing thereof freely, according to his/her own will and pursuing his/her personal interests. The obligation to provide evidence of obtainment of the consent of a subject of personal data to processing of his/her personal data or evidence of existence of grounds determined in Federal Law dated 27.07.2006 No.152-FZ “On personal data” is imposed on the Operator.

    5.3. Written consent:

    5.3.1. The consent to processing of personal data should be specific, informed and conscious.

    5.3.2. The form of the written consent to processing of personal data shall be determined by the Operator and approved by the manager of the Operator.

    5.3.3. The form of the written consent shall necessarily include the following:

    • the family name, first name and middle name of the subject of personal data, number of the main identification document, date of issue of the document and issuer;
    • the family name, first name and middle name of the representative of the subject of personal data, number of the main identification document, date of issue of the document and issuer, details of the power of attorney or other document certifying powers of the representative (if the consent is obtained from a representative of the subject of personal data);
    • name, details and address of the Operator obtaining the consent of the subject of personal data;
    • the purpose of processing of personal data;
    • the list of personal data processing whereof is consented by the subject of personal data;
    • the list of acts to be taken with personal data processing whereof is consented, general description of methods of processing of personal data used by the operator;
    • the term of validity of the consent of the subject of personal data and method of withdrawal thereof, unless otherwise is determined by federal law;
    • the signature of the subject of personal data.

    5.3.4. The consent in the form of an electronic document signed by a digital signature in accordance with federal laws will have the same force as the personal signature of the subject of personal data on the written consent on paper.

    5.3.5. If the subject of personal data dies, the consent to processing of his/her personal data shall be given by heirs of the subject of personal data unless such consent is given by the subject of personal data when alive.

    6. Processing of personal data

    6.1. The procedure for processing of personal data of subjects is determined by job description of the Operator, orders and other local regulations.

    6.2. The Operator shall process personal data of subjects of personal data using automated and unautomated means (mixed type).

    6.3. Processing of personal data – general provisions:

    6.3.1. The right to process personal data of a subject shall be granted to employees of the Operator admitted to work with personal data and third parties possessing access to personal data of the subject by virtue of contractual relationship with the Operator, subject to observance of confidentiality of personal data.

    6.3.2. An employee of the Operator is entitled to use only such personal data use whereof is necessary to accomplish his/her job function and job duties.

    6.3.3. The list of persons having access to any personal data shall be determined by the manager of the Operator by signing an appropriate order unless otherwise is determined in another local act duly approved by the Operator.

    6.4. Storage of carriers of personal data:

    6.4.1. Carriers of personal data shall be stored in accordance with conditions of this Policy, job descriptions and other local regulations approved by the Operator.

    6.4.2. Paper carriers of personal data (medical cards, printouts and other documents) and digital carriers (hard disks, CD, flash cards etc.) shall be stored in cabinets especially designated for such purpose or other storage places located in premises equipped with an electronic access separation system.

    6.4.3. Cabinets where personal data are kept shall be equipped with locks and where necessary other means restricting access thereto.

    6.4.4. Premises wherein cabinets containing carriers of personal data of subjects of personal data are located shall be accessible only for authorized employees.

    6.4.5. If a person not having access to personal data needs access to such premise (cleaning, repair works etc.), adequate measures should be taken to prevent actual threats to personal data from being realized.

    7. Measures to ensure safety of personal data

    7.1. Protection of personal data – complex of measures aimed at:

    • ensuring the regime of confidentiality of information in relation to personal data, observance of medical secrecy;
    • protection of personal data against unauthorized access, destruction, modification, blocking, copying, disclosure, distribution or any other illegal acts;
    • ensuring legal rights and interests of subjects of personal data.

    7.2. Personal data of subjects of personal data shall be protected by force of all employees of the Operator on the basis of a complex of approved documents and measures regulating rules for processing of personal data and may be protected with engagement of specialized organizations.

    7.3. Personal data in information systems of personal data used by the Operator shall be protected in accordance with this Policy, Regulations on processing and protection of personal data in information systems of personal data, job descriptions and other local regulations adopted by the Operator.

    7.4. Safety of personal data is to be achieved by the following without limitation:

    • application of organizational and technical measures ensuring safety of personal data when being processed in information systems of personal data necessary for fulfillment of requirements to protection of personal data fulfillment whereof ensures levels of protection of personal data established by the Government of the Russian Federation;
    • detection of facts of unauthorized access to personal data and implementation of necessary measures;
    • establishment of rules for access to personal data processed in the information system of personal data and arrangement for registration and accounting of all acts taken with personal data in the information system of personal data;
    • control of applied measures ensuring safety of personal data and level of protection of the information system of personal data.

    8. Rights of a subject of personal data

    8.1. The subject of personal data is entitled to be informed on processing of his/her personal data including the following information:

    • confirmation of the fact of processing of personal data by the Operator;
    • legal grounds and purposes of processing of personal data;
    • purposes and methods of processing of personal data used by the Operator;
    • name and address of location of the Operator, details of the persons (other than employees of the Operator) who possess access to personal data or to whom such data may be disclosed on the basis of a contract with the Operator or on the basis of law;
    • personal data to be processed relating to the relevant subject of personal data, source of receipt thereof, unless another procedure for provision of such data is determined by law;
    • terms of processing of personal data including terms of storage thereof;
    • the procedure for exercise by the subject of personal data of rights determined by applicable laws;
    • information on effected or proposed transborder disclosure of personal data;
    • name or family name, first name, middle name and address of persons processing personal data by order of the Operator if processing is or will be ordered to such persons;
    • other data prescribed by laws of the Russian Federation;

    8.2. Data mentioned in clause 8.1. of this Policy shall be provided to subjects of personal data by the Operator in an accessible form and shall not contain personal data relating to other subjects of personal data unless there are legal grounds for disclosure of such personal data.

    8.3. Data mentioned in clause 8.1. of this Policy shall be provided to the subject of personal data or his/her representative by the Operator upon application or submission of a Request by the subject of personal data or his/her representative within 30 (Thirty) calendar days after receipt of the relevant request by the Operator.

    8.4. The request under clause 8.3. of this Policy shall contain the number of the main identification document of the subject of personal data, date of issue of the document and issuer, data confirming participation of the subject of personal data in relationship with the Operator (number of the contract, date of the contract, number of the outpatient card etc.) or data otherwise confirming the fact of processing of personal data by the Operator, the signature of the subject of personal data or his/her representative. The request may be submitted in form of an electronic document and signed with a digital signature in accordance with laws of the Russian Federation.

    8.5. The subject of personal data may request from the Operator specification of his/her personal data, blocking or destruction thereof if such data are incomplete, inaccurate, illegally received or are not necessary for the declared purpose of processing and measures for protection of his/her rights as determined by law.

    8.6. The subject of personal data is entitled to free access, free of charge, to his/her personal data, including the right to receive copies of any record containing personal data, other than in cases determined by laws of the Russian Federation.

    8.7. In some cases determined by law the right of the subject of personal data for access to his/her personal data may be restricted.

    8.8. If the subject of personal data believes that the Operator processes his/her personal data violating requirements of laws or otherwise infringes his/her rights and freedoms, the subject of personal data may complain against acts or omissions of the Operator at an authorized body for protection of rights of subjects of personal data or judicially.

    8.9. The subject of personal data is entitled for protection of his/her rights and legal interests including indemnification of loss and (or) compensation of moral harm judicially.

    9. Obligations of the Operator

    The Operator is obliged:

    9.1. To take necessary and sufficient legal, organizational and technical measures for protection of personal data against illegal or accidental access thereto, destruction, modification, blocking, copying, disclosure, distribution of personal data and any other illegal acts relating to personal data.

    9.2. To undertake activities for organizational and technical protection of personal data in accordance with requirements of laws of the Russian Federation on matters of processing of personal data.

    9.3. For the purposes of protection of personal data, to assess damage which may be caused to subjects of personal data if safety of their personal data is broken and to determine actual threats against safety of personal data in the course of processing thereof in information systems of personal data.

    9.4. If any actual threats are revealed, to take necessary and sufficient legal, organizational and technical measures for protection of personal data including:

    • determination of threats against safety of information containing personal data in the course of processing thereof;
    • application of organizational and technical measures for safety of information containing personal data in the course of processing thereof;
    • assessment of efficiency of applied measures before commissioning of the information system of personal data;
    • accounting of machine information carriers containing personal data;
    • identification of facts of unauthorized access to information containing personal data and implementation of measures;
    • restoration of personal data, modified or destroyed as a result of unauthorized access thereto;
    • establishment of rules for access to information containing personal data, arrangement for registration and recording of all acts taken with information containing personal data in the information system of personal data;
    • control of implemented measures.

    10. Duties and liability of employees of the Operator

    10.1. Employees of the Operator admitted to processing of personal data shall:

    • know and strictly fulfill requirements of this Policy;
    • process personal data only within the framework of fulfillment of their job duties;
    • not disclose personal data received as a result of fulfillment of their job duties or acquired ex officio;
    • suppress acts of third parties which may cause disclosure (destruction, misrepresentation) of personal data;
    • reveal facts of disclosure (destruction, misrepresentation) of personal data and inform their immediate supervisor thereof;
    • keep information containing personal data in confidence in accordance with local regulations of the Operator.

    10.2. Employees of the Operator admitted to processing of personal data may not copy without authorization or in conflict with regulations personal data to paper carriers of information or any electronic information media which are not designated for storage of personal data.

    10.3. Each new employee of the Operator directly processing personal data shall be familiarized with requirements of Russian laws on processing and ensuring safety of personal data, this Policy and other local regulations on matters of processing and ensuring safety of personal data and agrees to observe the same.

    10.4. Persons guilty of violating requirements of Russian laws in the area of personal data will bear disciplinary, material, civil, administrative or criminal liability.

    11. Final provisions

    11.1. The current version of the Policy in paper form is kept at the medical center «MEDSCAN» Co.Ltd. at the address: Moscow, Leningradskoe highway, 47А.

    11.2. The electronic version of the current version of the Policy is kept on the web-site of the Operator on the Internet [medscannet.ru].

    11.3. When amendments are introduced, the heading of the Policy shall include the date of approval of the current version of the Policy.

    11.4. The Policy shall be updated and re-approved on a regular basis – annually.

    11.5. The Policy may be updated and re-approved before the term stipulated in clause 11.4 of this Policy in case of amendment of regulations in the area of personal data or local acts governing organization of processing and ensuring safety of personal data.