For the purposes of its core activities, CJSC “Joint Stock Commercial Bank “ALEF-BANK” (the “Bank”) processes personal data of various categories of personal data subjects: employees, job applicants, users of the Bank’s services (customers) and their representatives, representatives of the Bank’s counterparties and other personal data subjects, and, as provided by the existing laws of the Russian Federation, is a personal data operator with relevants rights and duties.
In order to maintain its business reputation and ensure compliance with the requirements of federal laws, the Bank believes it to be of utmost importance to ensure that personal data for the purposes of the Bank’s business processes are handled in a legally proper manner and that personal data processed by the Bank are properly protected.
When organising and processing personal data, the Bank acts in accordance with the requirements of Personal Data Federal Law No. 152-FZ dated 27 July 2006 and the regulatory documents adopted in accordance with that law (the “Russian Personal Data Processing Legislation”).
The processing of personal data by the Bank is done on a legally valid and equitable basis and is limited to achieving specific pre-determined goals. Only those personal data are processed that are related to the goals of data processing. The content and the volume of the personal data processed by the Bank are in conformity with the declared goals of their processing, no extra data are allowed to be processed.
When personal data are processed by the Bank, it ensures that they are accurate, sufficient and, where necessary, up to date considering the goals of personal data processing. The Bank takes (or causes to be taken) necessary measures to delete or update incomplete or inaccurate personal data.
The Bank stores personal data in a form that allows to identify the relevant personal data subject and for no longer than is required given the goals of personal data processing, unless a period for personal data storage is specified by federal law, an agreement to which the relevant personal data subject is a party, beneficiary or principal. The personal data processed are to destroyed or depersonalised as soon as the processing goals are achieved, unless otherwise provided by federal law.
The goal of personal data processing, the composition and content of personal data and the categories of personal data subjects whose data are processed by the Bank are specified in personal data processing notices sent by the Bank to the authorised agency in charge of protecting the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Media) and must be updated if they change. The Bank shall not process special categories of personal data and biometric personal data.
In the course of its operations, the Bank may provide personal data to and (or) have them processed by another person with the consent of the personal data subject, unless otherwise provided by federal law. If personal data are provided to and (or) processed by another person, it shall be upon the obligatory condition that the parties assume the obligation to keep the personal data confidential and ensure that they are safe during processing.
The Bank shall not publish any personal data of a personal data subject in publicly accessible places without the subject’s prior written consent.
In the course of its operations, the Bank may transmit personal data abroad to the authorities of a foreign country or to foreign individuals or entities. The Bank considers it to be a matter of the highest priority to ensure that, in the event of such transborder transmission, the rights of personal data subjects are adequately protected and their personal data are safe. These tasks are achieved in accordance with the Russian Personal Data Processing Legislation.
No transborder transmission of personal data to foreign countries that do not ensure adequate protection for the rights of personal data subjects is allowed unless there is a written consent of the personal data subject to the transborder transmission of his/her personal data, or such transmission is required in connection with the performance of an agreement to which the personal data subject is a party or in other circumstances specified by the laws.
For the purposes of ensuring the safety of personal data during their processing the Bank implements necessary and sufficient organisational and technical measures to protect personal data against unauthorised or accidental access, destruction, modification, blocking, copying, disclosure, dissemination or other illegal acts with respect to personal data.
CJSC “Joint Stock Commercial Bank “ALEF-BANK” is striving to ensure that all measures taken to protect personal data on an organisation and technical level are implemented on a legally valid basis, including in accordance with the Russian Personal Data Processing Legislation.
In order to ensure that personal data are adequately protected, the Bank assesses the damage that may be caused to personal data subjects in the event of a breach of their personal data security and also identifies real threats to personal data security during their processing through personal data information systems.
Based on the real threats identified by it, the Bank uses necessary and sufficient legal, organisational and technical measures to ensure the safety of personal data, including using data protection systems with proper conformity certification, identifying instances of unauthorised access to personal data and taking proper measures, restoring personal data, limiting access to personal data, registering and recording operations upon personal data, and controlling and assessing the efficiency of the measures taken to ensure personal data security.
The management of the Bank are aware of the importance and necessity of ensuring personal data security and encourage continuous improvement of the systems used to protect the personal data processed in connection with the Bank’s operations. The Bank has appointed persons responsible for organising the processes of personal data processing and protection.
Each new employee of the Bank directly involved in personal data processing must be made aware of the requirements of the laws of the Russian Federation relating to personal data processing and security, this Policy and other local documents of the Company relating to personal data processing and protection and must undertake to comply with them.