FASTMED24 personal data protection and processing policy
1.1. This policy regarding the processing of personal data (Policy) is prepared in accordance with the
Federal law "On personal data" № 152-FZ of 27 July 2006, as well as other normative legal acts of the
Russian Federation in the field of protection and processing of personal data and applies to all personal
data (hereinafter – data), which the Organization (hereinafter – the Operator, the company) may obtain from
the data subject, who has a civil contract, from the Internet user (hereinafter – User) during use of any
of the sites, services, programs of Fastmed24.
1.2. The Operator ensures the protection of processed personal data against unauthorized access and disclosure, misuse or loss in accordance with the requirements of the Federal law of 27 July 2006 № 152-FZ "On personal data".
1.3. The Operator has the right to make changes to this Policy. When changes are made, the Policy header indicates the date when the revision was updated. The new version of the Policy takes effect from the moment of posting it on the site, unless otherwise provided by the new version of the Policy.
1.4. This Policy does not apply to, and the Operator does not control and is not responsible for, third-party websites that the User can reach by following links available on the Site. On such sites, other personal data may be collected or requested from the User, and other actions may be performed.
1.5. This Policy is a publicly available document that declares the conceptual basis of the Operator's activity in the processing of personal data.
1.6. Information about the Operator: limited liability company "MGK-Diagnostics", TIN 7719888620, OGRN 1147746984660, address of the place of activity: 107023, Semenovsky pereulok, 11, phone: 7 (499) 322-36-36
1.7. The User's use of the Organization's website means acceptance of this Policy for the protection and processing of the User's personal data.
1.8. In case of disagreement with the terms of the Policy, the User must stop using the Organization's website.
2. Terms and accepted abbreviations
Personal data is any information related directly or indirectly to a specific or identifiable individual
(personal data subject).
Personal data processing is any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data – processing of personal data using computer technology.
Personal data information system (PDIS) – a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Personal data made publicly available by the subject of personal data – personal data to which an unlimited number of persons have been given access by the subject of personal data or at his / her request.
Blocking of personal data – temporary termination of processing of personal data (except for cases when processing is necessary to clarify personal data).
"IP address" is a unique network address of a node in a computer network built over the IP protocol.
Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
Operator is an organization that independently or jointly with other persons organizes the processing of personal data, as well as determines the purposes of processing personal data to be processed, actions (operations) performed with personal data.
3. Processing of personal data
3.1. Receiving personal data.
3.1.2. The Operator must inform the subject of the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, and the procedure for revoking it, as well as the consequences of the subject's refusal to give written consent to receive them.
3.1.3. Documents containing personal data are created by:
- copying original documents (passport, etc.);
- entering information in accounting forms;
3.2. The processing of personal data.
3.2.1. Principles and conditions of personal data processing:
3.2.2. Personal data processing must be carried out on a legal and fair basis.
3.2.3. The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate goals.
3.2.4. It is not allowed to combine databases containing personal data that are processed for purposes that are incompatible with each other.
3.2.5. Only personal data that meets the purposes of processing shall be processed.
3.2.6. The content and scope of the personal data processed must correspond to the declared purpose of processing.
3.2.7. When processing personal data, the accuracy of personal data, its sufficiency, and, where necessary, its relevance to the purposes of personal data processing must be ensured.
3.3. Personal data is processed:
- with the consent of the personal data subject to the processing of his / her personal data;
- in cases where the processing of personal data is necessary for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation;
- in cases where the personal data being processed has been made accessible to an unlimited number of people by the personal data subject or at his / her request (hereinafter referred to as personal data made publicly available by the personal data subject).
3.3.1. Purposes of personal data processing:
- implementation of civil law relations;
- to contact the user in connection with filling out the feedback form on the site, including sending notifications, requests and information related to the use of the Company's website, processing, approval of the time of reception, types of services, execution of agreements and contracts;
- processing of personal data is necessary for the exercise of the rights and legitimate interests of the Operator or a third party, or for achieving socially significant goals, provided that the rights and freedoms of the personal data subject are not violated;
- for medical and preventive purposes, in order to establish a medical diagnosis and to provide medical and medical-social services, provided that processing of personal data is carried out by a person professionally engaged in medical activity and obliged in accordance with the legislation of the Russian Federation to maintain medical confidentiality;
- identification of the User and / or their representative;
- informing about advertising and (or) marketing campaigns conducted by the Operator and (or) third parties in whose interests the Operator acts, surveys, questionnaires, and market research in relation to services provided by the Operator and/or persons in whose interests the Operator acts.
- communication with the User, if necessary, including sending notifications, requests and information related to their use of the Site, provision of services, as well as processing requests from the User;
- improving the quality of services provided, ease of use, development of new services;
3.3.2. The Operator does not verify the accuracy of personal data provided by Users, and does not monitor
their legal capacity. However, the Operator assumes that the User provides reliable and sufficient personal
data on the issues requested on the Site, and maintains this data up to date. The consequences of providing
false data are defined in the User agreement. Users are responsible for providing false data in accordance
with the legislation of the Russian Federation.
3.3.3. Categories of personal data subjects. Personal data of the following personal data subjects are processed:
- individuals who have civil relations with the Company;
- individuals who are Users of the Company's Website;
- individuals who receive medical services and their legal representatives;
- individuals who have applied to the Operator with complaints, statements and appeals.
3.3.4. Personal data processed by the Operator:
- data obtained in the course of civil relations;
- data received from the Organization's Users.
3.3.5. The processing of personal data is carried out:
- with the use of automation;
- without using automation tools.
3.3.4. The Operator does not make cross-border transfers of personal data (to the territory of a foreign
state, to an authority of a foreign state, a foreign individual or a foreign legal entity).
3.4. Storage of personal data.
3.4.1. Subjects' personal data may be obtained, further processed and transferred for storage both on paper and in electronic form.
3.4.2. Personal data recorded on paper is stored in locked cabinets or in locked rooms with restricted access rights.
3.4.3. Personal data of subjects processed with the use of automation tools for different purposes is stored in different folders.
3.4.4. Personal data is stored in a form that allows the data subject to be identified for no longer than required by the purposes of its processing, and is subject to destruction once the purposes of processing are achieved or when there is no longer a need to achieve them.
3.5. Destruction of personal data.
3.5.1. Personal data on electronic media is destroyed by erasing or formatting the media.
3.5.2. The fact of destruction of personal data is documented by an act of destruction of media.
3.6. Transfer of personal data.
3.6.1. The Operator transmits personal data to third parties in the following cases:
- the subject has expressed its consent to such actions;
- the transfer is provided for by Russian or other applicable legislation in accordance with the procedure established by law.
3.6.2. List of persons to whom personal data is transferred.
- medical insurance organizations that provide voluntary health insurance (legally);
- employees of the Company to review the medical condition of the Site user;
- Institution of the Ministry of Internal Affairs of Russia in cases established by law.
4. Personal Data Protection
4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal
data protection system (PDPS) consisting of subsystems of legal, organizational and technical protection.
4.2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the PDPS.
4.3. The organizational protection subsystem includes the organization of the PDPS management structure, the licensing system, and protection of information when working with employees, partners and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and software-hardware tools that ensure the protection of personal data.
4.5. The main measures of personal data protection used by the Operator are:
4.5.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
4.5.2. Identification of current threats to the security of personal data during their processing in the PDPS and development of measures to protect personal data.
4.5.3. Policy development in relation to the processing of personal data.
4.5.4. Establishing rules for access to personal data processed in the PDPS, as well as ensuring registration and accounting of all actions performed with personal data in the PDPS.
4.5.5. Setting individual passwords for employees' access to the information system in accordance with their work responsibilities.
4.5.6. Use of certified antivirus software with regularly updated databases.
4.5.7. Compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them.
4.5.8. Detection of unauthorized access to personal data and taking measures.
4.5.9. Restoration of personal data modified or destroyed due to unauthorized access to them.
4.5.10. Training of the Operator's employees directly involved in the processing of personal data on the provisions of the legislation of the Russian Federation on personal data, including requirements for personal data protection, documents defining the Operator's policy on personal data processing, and local acts on personal data processing.
4.5.11. Implementation of internal control and audit.
5. Basic rights of the personal data subject and obligations of the Operator
5.1. Basic rights of the personal data subject.
The subject has the right to access his / her personal data and the following information:
- confirmation of personal data processing by the Operator;
- legal grounds and purposes of personal data processing;
- purposes and methods of personal data processing used by the Operator;
- name and location of the Operator, information about people (except employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of Federal law;
- terms of processing of personal data, including the terms of their storage;
- the procedure for the personal data subject to implement the rights provided for by Federal law;
- name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
- contacting the Operator and sending them requests;
- appeal against actions or omissions of the Operator.
5.2. Obligations of the Operator.
The Operator must:
- when collecting personal data, provide information about the processing of personal data;
- if the personal data was not received from the personal data subject, notify the subject;
- in case of refusal to provide personal data, explain to the subject the consequences of such refusal;
- publish or otherwise provide unrestricted access to the document defining its policy on the processing of personal data, to information about the implemented requirements for the protection of personal data;
- take the necessary legal, organizational and technical measures or ensure that they are taken to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
- provide answers to requests of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.
6. Contact information
6.1. E-mail for requests related to the processing of personal data: email@example.com
6.2. Technical support site: firstname.lastname@example.org