POLICY OF COMPLIANCE WITH THE REQUIREMENTS FOR PROCESSING AND PROTECTION OF PERSONAL DATA
This Policy of compliance with the requirements for processing and protection of personal data (hereinafter referred to as the Policy) is an internal normative document of "VEON Armenia" CJSC (hereinafter referred to as the Company), which defines the general provisions of the Company regulating the procedure and terms for processing personal data by the Company and assuring the protection of the processed personal data, as well as the main measures and duties of the Company's officials and authorized persons in fulfilling the relevant requirements.
2.Terms and definitions
Personal data - any information relating to an individual that allows or may give the user an opportunity to directly or indirectly identify a person;
Personal data processing - any action or set of actions that are associated with collection or fixing, or entry, or systematization, or formation, or storage, or use, or transformation, or restoration, or transmission, or correction, or blocking, or destruction of personal data, or performance of other actions with them, regardless of the type and mode of implementation (including, with the use of any tools of automation, technical tools or without them);
The Operator of personal data - the company "VEON Armenia" CJSC, which organizes and (or) performs the processing of personal data;
Data subject - citizens (individuals), subscribers (customers), employees, contractors, who establish contractual and (or) other relations with the Company;
Database - a set of personal data, systematized by certain characteristics
Information system - a set of information technologies or technical tools applied to process personal data included in the database, processing them electronically or in non-electronical way;
Personal data protection - a complex of technical, organizational and organizational-technical measures aimed at protecting information related to a certain or determined on the basis of such information subject of personal data;
Information - information (messages, data) regardless of the form of their presentation;
The Company – «VEON Armenia» CJSC;
Publicly available personal data - information that becomes available to a specific or uncertain scope of persons with the consent of the data subject or in the course of conscious actions aimed at their general availability, as well as information provided by law as publicly available information;
Responsible for the personal data processing - the Company's employee appointed by the Order of the Chief Executive Officer, who ensures security, protection and compliance with the requirements of the current legislation when processing personal data;
Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain scope of persons;
Employees (employees of the Company) - full-time employees of the Company with full or part-time employment, irrespective of their position in the Company.
3.Measures to ensure the safety of processed personal data
1. To ensure the protection of processed personal data the Company takes necessary legal, organizational, technical protection measures in accordance with the regulatory requirements of authorized state authorities (regulators).
2. The requirements and rules for the processing and protection of personal data should be provided for in the course of preparation of corporate documents relating to all areas of the Company's activities, including:
- civil-law contracts of all types;
- agreements on transfer and reception of physical and information objects protected by copyright and related rights, as well as the rights of their holders, including rights on information protection;
- internal and external agreements, provisions, procedures (regulations), instructions;
- design and estimate, procurement, constructional, technological, software and operational documents for information systems, automated systems and (or) databases.
3. Measures to protect personal data are developed in accordance with the requirements of the RA legislation, the Company's Information Security Policy and in accordance with the Company's technical capabilities. The responsibility to include such requirements in corporate documents is assigned to the developers of documents.
4. The requirements for processing and ensuring the security of personal data that employees of the Company, responsible for the processing of personal data, must comply with:
- the consent of the subject to the processing of his/her personal data in all cases provided for by legislation, especially when transmitting and receiving data by third parties;
- the timely processing of the requests of the subject of personal data to the operator and the transfer of responses to his/her requests to the subject;
- the definition and introduction of clear procedures (regulations) for the processing of personal data, taking into account the specific features of each subject area of activity;
- identification and introduction of technical conditions for safe processing and personal data protection measures in information systems based on actual models of threats and violators.
5. The company, while processing personal data, is guided by the following requirements:
- the legitimacy of the purposes, methods of processing and the reliability of the data;
- ensuring the legality of the processing of personal data, that implies the processing of data with the consent of the subject;
- the correspondence of the actual and stated processing objectives;
- the consistency of the scope and nature of personal data, ways of processing them for processing purposes;
- the adequacy of data for processing purposes, and the inadmissibility of processing redundant data with respect to processing objectives;
- notification to users of information systems about the lawful and safe practices of handling personal data;
- accuracy, completeness, reliability and safety of personal data in information systems;
- informing the subject about the processing of his/her personal data and the legally significant consequences of such processing, enabling him to influence the accuracy and completeness of the data;
- permanent internal control of the processing of personal data, readiness for undergoing state audits of processes and systems for processing personal data.
4.The purpose of processing personal data
Processing of personal data is carried out with the purpose of interaction in the scope of executed contracts, fulfillment of requirements of legislative acts, normative documents.
5.Consent of the data subject and the rights of the personal data subjects
1. Processing of personal data is legal if:
- the data has been processed in compliance with the requirements of the law and the data subject has given consent to this, with the exception of cases directly provided for by this Law or other laws, or
- the data being processed is obtained from publicly available personal data sources.
2. The consent of the data subject is considered received and the operator has the right to process the data when:
- personal data are indicated in the document addressed to the Operator and signed by the data subject, with the exception of cases when the document is in its content an objection to the processing of personal data;
- The Operator has received data on the basis of a contract concluded with the data subject and uses them for the purposes of the actions established by this agreement;
- the data subject voluntarily transfers in oral form the information about his/her personal data to the Operator for use.
3. The data subject may give his/her consent in person or through a representative if such power is expressly provided for by a power of attorney.
4. The consent of the data subject is given in written or electronic form with a confirmed electronic digital signature, and in case of oral consent - through such authentic actions that will clearly indicate the consent of the data subject for the use of personal data.
5. Personal data can be processed without the consent of the data subject, if data processing is directly provided for by law.
6. The subject of personal data has the right to receive information concerning the processing of his/her personal data, including as well:
- confirmation of the fact of processing and the purpose of processing personal data;
- means of processing the personal data;
- subjects to which personal data are provided or may be provided;
- the list of personal data processed and the sources of their receipt;
- terms of processing of personal data;
- the possible legal consequences that arise for the data subject due to the processing of personal data.
6.Confidentiality of personal data
- Information relating to personal data that has become known to the Company is considered as confidential information and is protected by law.
- Employees of the Company and other persons who have access to the processed personal data have signed a non-disclosure agreement, as well as are warned of possible disciplinary, administrative, civil and criminal liability in the event of violation of the norms and requirements of the applicable laws of the Republic of Armenia relating to personal data processing.
- This Policy, as well as all amendments to it, are approved by the Company’s Chief Executive Officer and become effective from the date of publication on the Company's website http://www.beeline.am/
- Starting from validity date hereof, all previous versions of this Policy shall be deemed as invalid.
- If the provisions of this Policy are contrary to the Legislation of the Republic of Armenia, the relevant provisions of the Legislation of the Republic of Armenia shall prevail.