Effective: July 27, 2019
on organization of processing and ensuring security of personal data
1.1. In order to comply with the norms of the current legislation of the Russian Federation in full, AIG, JSC considers as its most important tasks compliance with the principles of legality, fairness and confidentiality when processing personal data, as well as ensuring security of their processing.
1.2. This policy on the organization of processing and security of personal data (hereinafter — Policy) is characterized by the following features:
(1) developed in order to implement the requirements of the current legislation of the Russian Federation in the field of processing and protection of personal data;
(2) discloses the methods and principles of personal data processing by AIG, JSC, the rights and obligations of AIG, JSC in the processing of personal data, the rights of personal data subjects, and also includes a list of measures used by AIG, JSC in order to ensure the security of personal data during their processing;
(3) this is a publicly available document that declares the conceptual basis of AIG, JSC activity in personal data processing and protection.
1.3. Before the beginning of personal data processing, AIG, JSC notified the authorized body for protection of personal data subjects' rights of its intention to process personal data. AIG, JSC updates the information specified in the notification in good faith and in due time.
2.1. The following acronyms and abbreviations are used in this document:
ISPD: information system of personal data;
Policy: this Policy of AIG, JSC on the organization of processing and security of personal data.
3.1. The Operator performs PD processing in accordance with the current legislation of the Russian Federation on PD, guided by the following legal grounds:
(1) Constitution of the Russian Federation (arts. 23, 24);
(2) Labour Code of the Russian Federation (arts. 65, 66, 86-90, 166);
(3) Tax Code of the Russian Federation (art. 226);
(4) Civil Code of the Russian Federation (chapters 39, 40, 52);
(5) Federal Law No. 152-FZ dated 27.07.2006, “On Personal Data” (part 1 of art. 6);
(6) Federal Law No. 167-FZ of 15.12.2001 “On Compulsory Pension Insurance in the Russian Federation” (art. 11);
(7) Federal Law No. 27-FZ of 01.04.1996 “On individual (personified) accounting in the system of compulsory pension insurance” (arts. 6, 9, 11);
(8) Federal Law No. 326-FZ of 29.11.2010 “On Compulsory Health Insurance in the Russian Federation” (art. 38);
(9) Federal Law No. 255-FZ of 29.12.2006 “On compulsory social insurance in case of temporary disability and maternity” (part 13, art. 4);
(10) Federal Law of 28.12.2013 № 426-FZ “On special assessment of working conditions” (part 2 of art. 4, arts. 7, 8);
(11) Resolution of the State Committee on Statistics of the Russian Federation of 05.01.2004 No. 1 “On approval of unified forms of primary accounting records on labor accounting and its payment” (clause 2);
(12) Resolution of the Ministry of Labor of the Russian Federation of 24.10.2002 No. 73 “On approval of forms of documents necessary for investigation and accounting of accidents at work and provisions on the specifics of investigation of accidents at operations in certain industries and organizations” (clause 2 of Annex №2);
(13) Resolution of the Ministry of Labor of the Russian Federation and the Ministry of Education of the Russian Federation of 13.01.2003 No. 1/29 “On approval of the procedure for training on labor protection and knowledge verification of labor protection requirements of organizations' employees” (clause 1.2);
(14) Federal Law No. 4015-I of November 27, 1992 “On the organization of insurance business in the Russian Federation”;
(15) Federal Law No. 172-FZ of 10.12.2003 (ed. 23.07.2013) “On amendments and additions to the Law of the Russian Federation ‘On organization of Insurance business in the Russian Federation’ and recognition as expired of certain legislative acts of the Russian Federation”;
(16) Federal Law of 29.11.2010 № 326-FZ “On compulsory health insurance in the Russian Federation”;
(17) Federal Law No. 225-FZ dated 27.07.2010 “On compulsory insurance of civil liability of the owner of a hazardous object for damage as a result of accident at hazardous object”;
(18) Federal Law of 25.04.2002 № 40-FZ “On compulsory insurance of vehicle owners' civil liability”;
(19) Resolution of the Government of the Russian Federation № 263 of May 7, 2003 “On approval of the Rules of compulsory insurance of vehicle owners' civil liability”;
(20) Order of the Ministry of Finance of the Russian Federation № 67n from July 1, 2009 “On establishing the form of application for conclusion of compulsory insurance of vehicle owners' civil liability contract, the form of insurance policy of compulsory insurance of vehicle owners' civil liability, the form of the document containing information on insurance of vehicle owners' civil liability under the contract of compulsory insurance”;
(21) Resolution of the Government of the Russian Federation №739 of December 8, 2005 “On approval of insurance rates for compulsory insurance of vehicle owners' civil liability, their structure and procedure of application by insurers in determining insurance premiums”;
(22) Order of the Ministry of Internal Affairs of Russia of April 1, 2011 No. 154 “On approval of the Certificate on road traffic accident form”;
(23) Order of Russia's Ministry of Internal Affairs of May 23, 2008 N 449 “On approval of the Road Traffic Accident Notification form”;
(24) Federal Law of 07.08.2001 N 115-FZ (ed. 29.06.2015) “On counteraction to legalization (laundering) of proceeds of crime and financing of terrorism”;
(25) Charter of the Operator;
(26) the consent of PD subjects (employees, applicants, participants of stimulating events and other persons) to the processing of their PD;
(27) agreements to which the subjects of PD are either a party or the beneficiary or guarantor.
4.1. The Operator in its activities ensures compliance with the principles of PD processing specified in art. 5 of the Federal Law No. 152-FZ “On Personal Data” dated 27.07.2006.
4.2. The Operator carries out the collection and further processing of PD for the following purposes:
(1) conclusion, support, execution and termination of contracts and other transactions, including insurance and reinsurance contracts, including the process of analysis and assessment of insurance risks, including conducting business negotiations;
(2) settlement of claims in case of insurance events occurrence under insurance and reinsurance contracts, including acceptance of statements and appeals, implementation of insurance payments in case of occurrence of insurance events under insurance and reinsurance contracts;
(3) interaction with insurance intermediaries engaged in the acquisition of insured persons, including conducting business negotiations with the said insurance intermediaries, conclusion, maintenance, change, termination of agency contracts, support of claims settlement processes, as well as control of the activities of insurance intermediaries in fulfillment of obligations stipulated by these contracts;
(4) delivery of goods, performance of works and services by counterparties and their subcontractors, as well as procurement procedures from the said parties and conducting business negotiations with the said counterparties;
(5) mutual settlements with clients, other counterparties and beneficiaries;
(6) consideration and accounting of appeals (requests, orders, applications, suggestions, comments, claims, gratitude, etc.) received from state, control, supervisory, judicial, law enforcement and other authorities, as well as clients and other persons, and the implementation of information services to these persons, as well as the implementation of quality control of customers' and other persons' service;
(7) offer of services to customers and potential customers, as well as participation of the Operator in procurement procedures of these persons and conducting business negotiations with the said persons by the Operator;
(8) organization and conducting stimulating activities aimed at increasing awareness and customer loyalty, as well as promotion of services;
(9) taking due diligence measures by the Operator when interacting with current and potential customers, other counterparties, their subcontractors, insured persons, beneficiaries and other third parties, including assessment of relevant legal, financial, reputational and other risks;
(10) registration of powers of attorney within the framework of granting employees (hereinafter the term “employee” includes employees, members of management bodies and other officials) and other persons special powers for performance of assigned labor functions and (or) representation of the Operator's interests;
(11) participation in civil, arbitration, criminal and administrative proceedings, as well as execution of judicial acts;
(12) filling vacant positions at the Operator by applicants most fully meeting the requirements of the Operator;
(13) assistance to persons who are citizens of foreign countries in obtaining work permits in the Russian Federation and in obtaining entry visas to the Russian Federation;
(14) compliance with labor legislation and other acts containing mandatory norms of law, accounting of labor and its payment, adoption of managerial and personnel decisions concerning employees, control and accounting of working time and labor discipline;
(15) calculation and payment of salaries or other payments, compensations and bonuses due to employees, implementation of pension and tax deductions, and settlement with accountable persons;
(16) organization and (or) implementation of training, professional advancement and testing of knowledge;
(17) assistance to employees in public recognition of their professional achievements and personal merits, talents, abilities, as well as motivation of employees;
(18) fulfillment of their social obligations towards staff members and their relatives by providing them with the opportunity to participate in voluntary health insurance programs, life insurance, accident insurance and critical disease insurance;
(19) preparation of travel documents for employees, as well as implementation by the Operator of organization and management of employees' business trips;
(20) organization by the Operator of training, briefing, verification of employees' and other persons' knowledge on labor protection and safety, as well as carrying out special assessment of working conditions;
(21) assisting employees in facilitating and improving communication between them;
(22) Operator's assistance to employees in the proper performance of their labor and other functions, including by issuing business cards and providing taxi and corporate mobile phones and other means of communication;
(23) ensuring personal safety and protection of life, health of employees and other persons visiting real estate objects (premises, buildings, territory), as well as ensuring safety of material and other valuables;
(24) provision of official vehicles to employees to support the operational activities of the Operator, for accounting and reimbursement of the provided vehicles' operation cost, for control of proper use and safety of the vehicles provided;
(25) allocation (connection) of computer facilities and office equipment under the control of the Operator, as well as access control to the resources of the Operator's information systems;
(26) solving problems arising in the process of working with computer equipment and office equipment, as well as access to resources of information systems;
(27) provision of services to employees on the use of mobile radio communication and on access to the information and telecommunication network Internet, as well as ensuring effective management and control costs of providing these services;
(28) organization and implementation of independent audit of the accounting (financial) statements of the Operator in order to express opinion on the reliability of such statements;
(29) organization and implementation by the Operator (independently or with the involvement of third parties) of external and internal control (including inspections, audits, etc.) of activities, business processes and quality services provided and/or labor and other duties of the Operator, its employees, officers, its counterparties and subcontractors, checks on their compliance with the requirements of local and global policies and Operator's procedures, Russian and international legislation, as well as applicable professional rules and standards;
(30) organization and implementation of measures for the prevention, detection and suppression of acts related to the legalization (laundering) of proceeds of crime and financing of terrorism, as well as other illegal acts in accordance with the requirements of Russian legislation and/or internal documents, including identification and confirmation of compliance of counterparties, employees, officials, shareholders (and their beneficiaries) of AIG, JSC and/or clients and other counterparties of AIG, JSC with the requirements for business reputation and other requirements and norms;
(31) implementation of correct accounting, proper storage and destruction after the expiration of the period of storage of certain categories of material media;
(32) ensuring security and proper functioning of information systems, databases, software and/or technical and other means, as well as data and information contained therein, including those associated with the information and telecommunications network.
4.3. The Operator has set the following conditions for stopping PD processing:
(1) achievement of PD processing goals and maximum storage time;
(2) loss of the need to achieve the goals of PD processing;
(3) provision by PD subject or its legal representative of the information confirming that PD is illegally obtained or is not necessary for the stated purpose of processing;
(4) impossibility of ensuring the lawfulness of PD processing;
(5) withdrawal by PD subject of consent to PD processing, if PD preservation is no longer required for PD processing purposes;
(6) expiration of limitation periods for legal relations within which PD processing is carried out or has been carried out.
4.4. Processing of PD by the Operator includes collection, recording, systematization, accumulation, storage, rectification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction of PD.
4.5. The Operator performs processing of special categories of PD (health information) in compliance with the requirements of the current labor legislation of the Russian Federation.
4.6. The Operator performs the processing of biometric PD (data that characterize the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the Operator for identification of PD subject).
4.7. The Operator carries out cross-border transfer of PD (transfer of PD to the territory of a foreign state to the authority of a foreign state, to a foreign natural person or to a foreign legal entity).
4.8. The Operator creates public sources of PD (directories, address books). PD reported by the subject are included in such sources only with the written consent of the PD subject or on the basis of the requirements of the current legislation of the Russian Federation.
4.9. The Operator does not make decisions that generate legal consequences in relation to subjects of PD or otherwise affect their rights and legitimate interests on the basis of exclusively automated processing of their PD.
4.10. The Operator performs PD processing with the use of automation equipment and without the use of automation equipment.
4.11. When collecting PD, the Operator provides recording, systematization, accumulation, storage, rectification (updating, change), extraction of the Russian Federation citizens' PD using databases located on the territory of the Russian Federation, except for cases expressly provided for by the current legislation of the Russian Federation on PD.
 Information services — providing users with the necessary information, carried out by information bodies and services through the provision of information services (clause 184.108.40.206 GOST 7.0-99).
5.1. During the processing of PD, the Operator takes all necessary legal, organizational and technical measures to protect them from illegal or accidental access, destruction, alteration, blocking, copying, provision, distribution or other unlawful acts against them. Security of PD is achieved, in particular, in the following ways:
(1) appointment of a responsible person for the organization of PD processing;
(2) internal control and (or) audit of compliance of PD processing with the Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data” and regulatory legal acts, requirements for PD protection, local acts of the Operator;
(3) familiarization of the Operator's employees directly engaged in PD processing, with the provisions of the legislation of the Russian Federation on PD, including the requirements for PD protection, local acts in regard to PD processing and (or) training of specified employees;
(4) determination of security threats to PD during their processing in ISPD;
(5) application of organizational and technical measures to ensure safety of PD during their processing in ISPD, necessary to meet the requirements for PD protection;
(6) evaluation of the effectiveness of measures taken to ensure safety of PD prior to the commissioning of ISPD;
(7) organization of security regime of the premises in which PD processing is carried out and (or) where the Operator's ISPD is located;
(8) determination of storage places of material carriers of PD, as well as ensuring accounting for and safety of material carriers of PD;
(9) detection of facts of unauthorized access to PD and taking appropriate measures;
(10) restoration of PD modified or destroyed as a result of unauthorized access to them;
(11) establishing the rules of access to PD processed in ISPD, as well as ensuring that all acts performed with PD are registered and accounted for in ISPD;
(12) monitoring of measures taken to ensure safety of PD and the level of protection of ISPD.
5.2. Duties of the Operator's employees performing processing and protection of PD, as well as their responsibility, are defined in the “Regulations on the organization of processing and ensuring security of personal data” of the Operator.
6.1. The rights, obligations and legal liability of the person responsible for the organization of PD processing are established by Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data”, the Operator's regulation “On organization of processing and ensuring security of personal data”, the management of the employee according to the rules of processing and ensuring security of personal data processed by the Operator, the management of the Operator on ensuring security of personal data and other local acts of the Operator in the field of processing and protection of PD.
6.2. Appointment of the person responsible for the organization of PD processing and exemption from these duties shall be carried out by the Operator's head. When appointing the person responsible for the organization of PD processing, the powers, competencies and personal qualities of the officer are taken into account, intended to allow him/her properly and in full to exercise his/her rights and fulfill his/her duties.
6.3. The person responsible for the organization of PD processing:
(1) organizes internal control over compliance by the Operator and its employees with the legislation of the Russian Federation on PD, including the requirements for PD protection;
(2) brings to the attention of the Operator the provisions of the legislation of the Russian Federation on PD, local acts on PD processing, requirements for PD protection or provides communication;
(3) controls the receipt and processing of appeals and requests of PD subjects or their representatives.
6.4. Contact details of the person responsible for the organization of processing and ensuring safety of PD: Nagornaya Natalya Alekseevna Tel +7 495 935 8950, ext. (701-1099) firstname.lastname@example.org.
6.5. Questions regarding the organization of PD processing processes may also be sent to the Operator to a specially created e-mail box email@example.com.
7.1. The PD subject has the right to receive information about the processing of his PD by the Operator.
7.2. The PD subject has the right to demand from the Operator to rectify these PD, block or destroy them in case they are incomplete, outdated, inaccurate, illegally obtained or cannot be recognized necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights.
7.3. The right of PD subject to access to his PD may be restricted in accordance with federal laws, including if the PD subject's access to his PD violates the rights and legitimate interests of third parties.
7.4. In order to exercise and protect his rights and legitimate interests, the PD subject has the right to appeal to the Operator. The Operator considers any appeals and complaints from PD subjects that meet the requirements of the law, thoroughly investigates the facts of violations, takes all necessary measures for their immediate elimination and for punishment of those responsible, and resolves contentious and conflict situations in a pre-judicial manner.
7.5. The PD subject has the right to appeal against the actions or omissions of the Operator by applying to the authorized body for the protection of PD subjects' rights.
7.6. The PD subject has the right to protection of his rights and legitimate interests, including compensation of damages and/or compensation of moral harm in court.
8.1. The current version of the Policy on paper shall be kept at the location of the Operator's executive body at the address: 125315, Moscow, Leningradsky project, house 72, page 2, floor 3.
8.2. The electronic version of the current version of the Policy is publicly available on the Operator's website on the Internet: https://www.aig.ru/privacy-policy
9.1. The Policy is approved and put into effect by the order of the Operator's head and is valid until its cancellation.
9.2. The Operator has the right to make changes to the Policy. Changes are approved by the order of the Operator's head.
9.2.1. The Policy shall be reviewed as necessary, but at least every three years from the previous revision of the Policy.
9.2.2. The Policy may be revised earlier than the period specified in clause 9.2.1 of the Policy, as changes are made:
(1) in regulatory legal acts of the Russian Federation in the field of PD;
(2) in local regulatory and individual acts of the Operator regulating the organization of processing and ensuring PD security;
(3) in contracts and agreements regulating the legal relations of the Operator with counterparties and other persons;
(4) in the order of organization of processing and ensuring PD security by the Operator.
10.1. Persons guilty of violation of norms regulating the processing and protection of PD shall bear responsibility provided for by the legislation of the Russian Federation, local acts of the Operator and contracts, regulating the Operator's legal relations with third parties.
When a person visits AIG JSC website, cookie files are saved by the visitor's browser on the hard drive; AIG JSC receives the information sent by the browser and the visitor's computer to AIG JSC website. AIG JSC uses such information only for statistical purposes and to improve AIG JSC website in accordance with requirements of its visitors.
The information thus obtained is not transmitted and is not disclosed to third parties. Cookies do not contain any information that would allow identifying the visitor, and are automatically deleted a few weeks after visiting the website. The visitor can also delete cookies from the browser.