Personal Data Processing Policy

    1. General provisions

    1.1. The Personal Data Processing Policy of PJSC Gazprom (hereinafter referred to as the “Policy”) sets out the basic principles, purposes, conditions and methods of personal data processing, the lists of data subjects and personal data processed at Gazprom, Gazprom's functions in the processing of personal data, the rights of data subjects, and Gazprom's requirements to personal data protection.

    1.2. The Policy has been developed in accordance with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation regarding personal data, as well as Regulation 2016/679 of the European Parliament and of the Council of the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “EU Regulation”).

    1.3. The Policy's provisions serve as the basis for the development of local regulations governing the processing of personal data of Gazprom's employees and other data subjects at Gazprom.

    1.4. The Policy serves as the basis for the development of local regulations by Gazprom's subsidiaries and entities to define the personal data processing policies for the aforementioned entities.

    2. Legislative and other statutory acts of the Russian Federation governing Gazprom's Personal Data Processing Policy

    2.1. Gazprom's Personal Data Processing Policy is based on the following statutory acts:

    • Labor Code of the Russian Federation;
    • Federal Law No. 152-FZ dated July 27, 2006, on Personal Data;
    • Decree of the President of the Russian Federation No. 188 dated March 6, 1997, on Approving the List of Confidential Data;
    • Russian Government Directive No. 687 dated September 15, 2008, on Approving the Provision Regarding the Specifics of Personal Data Processing without Automated Means;
    • Russian Government Directive No. 512 dated July 6, 2008, on Approving the Requirements to Physical Media on which Biometric Personal Data are Stored and Technologies for Storing Such Data Beyond Personal Data Information Systems;
    • Russian Government Directive No. 1119 dated November 1, 2012, on Approving the Requirements to the Protection of Personal Data Undergoing Processing in Personal Data Information Systems;
    • Order of the FSTEC of Russia No. 21 dated February 18, 2013, on Approving the List and Scope of Organizational and Technical Measures for Protection of Personal Data Undergoing Processing in Personal Data Information Systems;
    • Order of the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media No. 996 dated September 5, 2013, on Approving the Requirements and Methods for the Depersonalization of Personal Data;
    • other statutory acts of the Russian Federation and regulatory documents of authorized government bodies.

    2.2. With a view to implementing the Policy, Gazprom develops relevant local regulations and other documents, including:

    • regulation on personal data processing at Gazprom;
    • regulation on the protection of personal data undergoing processing in personal data information systems at Gazprom, its subsidiaries and entities;
    • list of positions at the structural units of Gazprom's administration, branches and representative offices the filling of which involves the processing of personal data;
    • procedures for personal data processing at the structural units of Gazprom's administration, its branches and representative offices;
    • other local regulations and documents governing personal data processing at Gazprom.

    3. Basic terms and definitions used in local regulations of Gazprom governing personal data processing

    Personal data means any information related to a directly or indirectly identified or identifiable natural person (data subject).

    Personal data the dissemination of which is permitted by the data subject means personal data which were made available to the general public by the data subject via giving consent to the processing of personal data the dissemination of which is permitted by the data subject in line with the procedure provided by the applicable laws of the Russian Federation.

    Information means details (reports, data) regardless of their presentation.

    Operator means a government authority, a municipal authority, a legal or private person, which severally or jointly arrange and/or perform the processing of personal data, as well as define the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.

    Personal data processing means any action (operation) or a series of actions (operations) with personal data performed with or without automated means, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.

    Automated personal data processing means the processing of personal data with the use of computers.

    Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.

    Dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons.

    Trans-border transfer of personal data means a transfer of personal data to a foreign country, specifically to a foreign government body or a foreign natural or legal person.

    Blocking of personal data means a temporary interruption of personal data processing (except where processing is required for personal data refinement).

    Destruction of personal data means actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media on which personal data are stored.

    Depersonalization of personal data means actions making it impossible to establish a connection between personal data and a specific data subject without using additional information.

    Personal data information system means a set of personal data contained in personal data databases, as well as information technologies and tools used for their processing.

    4. Principles and purposes of personal data processing

    4.1. Gazprom, in its capacity as a personal data operator, processes the personal data of the employees of Gazprom and other data subjects not employed by Gazprom.

    4.2. The processing of personal data at Gazprom takes into account the need to protect the rights and freedoms of Gazprom's employees and other data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles:

    • personal data processing at Gazprom is performed on a legal and equitable basis;
    • personal data processing is limited to specific, predetermined and legitimate purposes;
    • personal data processing is not allowed if such processing is incompatible with the purposes of personal data collection;
    • it is not allowed to combine databases containing personal data which are processed for incompatible purposes;
    • personal data are not subject to processing unless they meet the purposes of their processing;
    • the scope and amount of personal data comply with the stated purposes of processing. Data redundancy in relation to the stated purposes is not allowed;
    • personal data undergoing processing must be accurate, sufficient and, if necessary, relevant to the purposes of personal data processing. Gazprom takes the required measures or makes efforts to delete or refine incomplete or inaccurate personal data;
    • personal data are stored in the form that makes it possible to identify the data subject for no longer than required for the purposes of personal data processing unless the personal data retention period is set by federal law or an agreement under which the data subject acts as a party, beneficiary or guarantor;
    • personal data undergoing processing are destroyed or depersonalized as soon as the purposes of processing are achieved or if the achievement thereof is no longer required, unless otherwise provided by federal law.

    4.3. Gazprom processes personal data for the purposes of:

    • complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation, and local regulations of Gazprom;
    • exercising the functions, powers and duties imposed upon Gazprom by the Government of the Russian Federation, including those regarding the provision of personal data to government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund of the Russian Federation, and other state authorities;
    • regulating labor relations with Gazprom's employees (employment support, training and career advancement, personal safety, control over the scope and quality of the work done, safekeeping of property);
    • providing Gazprom's employees and their families with additional guarantees and remunerations, including non-governmental pension coverage, voluntary health insurance, medical services, and other types of social security;
    • protecting lives, health or other vital interests of data subjects;
    • drafting, signing, executing and terminating agreements with counterparties;
    • arranging access and in-house security procedures at Gazprom's facilities;
    • developing reference materials for in-house information support at Gazprom, its branches and representative offices, as well as Gazprom's subsidiaries and entities;
    • executing court rulings and instruments of other bodies and authorities enforceable in compliance with the laws of the Russian Federation concerning enforcement proceedings;
    • exercising the rights and legal interests of Gazprom as part of the activities stipulated by Gazprom's Articles of Association and other local regulations of Gazprom or third parties, or activities aimed at achieving socially desirable purposes;
    • other legitimate purposes.

    5. List of data subjects that have their personal data processed at Gazprom

    5.1. The following categories of data subjects have their personal data processed at Gazprom:

    • employees of the structural units of Gazprom's administration, branches and representative offices;
    • employees of Gazprom's subsidiaries and entities;
    • other data subjects (for the processing purposes indicated in Section 4 of the Policy).

    6. List of personal data processed at Gazprom

    6.1. The list of personal data processed at Gazprom is drawn up on the basis of the laws of the Russian Federation, the EU Regulation, and local regulations of Gazprom taking into account the purposes of personal data processing indicated in Section 4 of the Policy.

    6.2. Special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, and private life are not subject to processing at Gazprom.

    6.3. The processing of biometric personal data at Gazprom is not allowed without written consent from the data subject, except for cases provided by the laws of the Russian Federation.

    6.4. The processing of personal data the dissemination of which is permitted by the data subject is carried out at Gazprom upon obtaining consent from the data subject to disseminate such data in line with the prohibitions and conditions regarding personal data processing as specified by the data subject.

    7. Functions of Gazprom in personal data processing

    While processing personal data, Gazprom:

    • takes essential and sufficient measures to ensure compliance with the laws of the Russian Federation, the EU Regulation, and local regulations on personal data;
    • takes legal, organizational and technical measures to protect personal data against illegal or accidental access, destruction, amendment, blocking, copying, provision, dissemination, as well as against other misconduct with regard to personal data;
    • appoints a person responsible for the arrangement of personal data processing at Gazprom;
    • issues local regulations outlining the policy and issues related to the processing and protection of personal data at Gazprom;
    • familiarizes the employees of Gazprom, its branches and representative offices who are directly involved in personal data processing with the laws of the Russian Federation and local regulations of Gazprom on personal data, including the requirements to personal data protection, and provides training for such employees;
    • publishes or otherwise provides unlimited access to this Policy;
    • informs data subjects or their representatives in due course of the available data related to such subjects, provides access to these personal data upon notification and/or request of the aforementioned data subjects or their representatives, unless otherwise provided by the laws of the Russian Federation;
    • ceases the processing and destroys personal data in the cases provided by the laws of the Russian Federation on personal data and by the EU Regulation;
    • performs other activities provided by the laws of the Russian Federation on personal data and by the EU Regulation.

    8. Conditions of personal data processing at Gazprom

    8.1. The processing of personal data is carried out at Gazprom with consent from the data subject to have his/her personal data processed, unless otherwise provided by the laws of the Russian Federation on personal data.

    8.2. Gazprom shall not disclose or disseminate personal data to third parties without consent of the data subject, unless otherwise provided by federal law.

    8.3. Gazprom has the right to entrust a third party to process personal data with consent from the data subject on the basis of an agreement with such third party. The agreement shall contain a list of actions (operations) to be performed with personal data by the person in charge of personal data processing, the purposes of processing, the obligation of such person to keep the personal data confidential and protected in the course of processing, as well as the requirements to the protection of processed personal data as per Article 19 of the Federal Law on Personal Data.

    8.4. For the purposes of in-house information support, Gazprom may generate reference guides, directories, and other sources containing personal data of the data subject with the subject's written consent, unless otherwise provided by the laws of the Russian Federation.

    8.5. Access to personal data processed at Gazprom is provided exclusively to the employees of Gazprom occupying the positions indicated in the list of positions at the structural units of Gazprom's administration, branches and representative offices the filling of which involves the processing of personal data.

    8.6. The processing of personal data of the data subjects based in the member states of the European Union is carried out in accordance with the EU Regulation in the cases when the personal data processing activities of Gazprom, its branches and representative offices fall under the territorial scope of the EU Regulation.

    9. List of actions with personal data and ways of processing

    9.1. Gazprom carries out the collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.

    9.2. The processing of personal data at Gazprom is carried out in the following ways:

    • manual processing of personal data;
    • automated processing of personal data with or without further transfer of the obtained information via communication networks;
    • combined processing of personal data.

    10. Rights of data subjects

    Data subjects have the right to:

    • obtain complete information about their personal data undergoing processing at Gazprom;
    • access their personal data, including the right to obtain a copy of any record containing their personal data, unless otherwise provided by federal law, as well as access to related medical data with the help of a medical expert of their choosing;
    • refine, block or destroy their personal data if such personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for the stated purpose of processing;
    • revoke their consent to personal data processing;
    • take action to protect their rights as provided by law;
    • appeal against Gazprom's action or inaction violating the laws of the Russian Federation with regard to personal data to a body authorized to protect the rights of data subjects or to a court;
    • exercise other rights provided by law.

    11. Measures taken by Gazprom to fulfill operator duties during personal data processing

    11.1. The measures deemed essential and sufficient to ensure the fulfillment of operator duties by Gazprom in accordance with the laws of the Russian Federation on personal data include the following:

    • appointing a person responsible for the arrangement of personal data processing at Gazprom;
    • adopting local regulations and other documents related to the processing and protection of personal data;
    • arranging training and guidance support for the employees of the structural units of Gazprom's administration, branches and representative offices occupying the positions indicated in the list of positions at the structural units of Gazprom's administration, branches and representative offices the filling of which involves the processing of personal data;
    • obtaining consent from data subjects to process their personal data, unless otherwise provided by the laws of the Russian Federation;
    • separating personal data processed manually from other information, including by recording such data in special sections of separate physical media for personal data;
    • providing for the separate storage of personal data and corresponding physical media processed for different purposes and containing different categories of personal data;
    • ensuring the safety of personal data transmitted via open communication channels;
    • safekeeping physical media on which personal data are stored in accordance with the conditions of preserving the personal data and preventing unauthorized access thereto;
    • exercising internal control over the compliance of personal data processing with the Federal Law on Personal Data and relevant statutory acts, requirements to personal data protection, this Policy, and Gazprom's local regulations;
    • other actions provided by the laws of the Russian Federation on personal data and the EU Regulation.

    11.2. The measures for the protection of personal data undergoing processing in personal data information systems are established in accordance with Gazprom's local regulations, which govern issues related to personal data protection in the course of processing by means of personal data information systems.

    12. Control over compliance with laws of the Russian Federation and Gazprom's local regulations on personal data, including requirements to personal data protection

    12.1. Control over the adherence of the structural units of Gazprom's administration, branches and representative offices to the laws of the Russian Federation and local regulations of Gazprom on personal data, including the requirements to personal data protection, is aimed at ensuring compliance of personal data processing by the structural units of Gazprom's administration, branches and representative offices with the laws of the Russian Federation and local regulations of Gazprom on personal data, including the requirements to personal data protection, as well as assessing the measures for the prevention and identification of violations of the laws of the Russian Federation on personal data, identifying potential channels for the leakage of and unauthorized access to personal data, and mitigating the consequences of such violations.

    12.2. Internal control over the adherence of structural units of Gazprom's administration, branches and representative offices to the laws of the Russian Federation and local regulations of Gazprom on personal data, including the requirements to personal data protection, is exercised by the person responsible for the arrangement of personal data processing at Gazprom.

    12.3. Internal control over the compliance of personal data processing with the Federal Law on Personal Data and the relevant statutory acts, the requirements to personal data protection, this Policy, and Gazprom's local regulations is exercised by the Corporate Security Service of Gazprom.

    12.4. Personal responsibility for the adherence of a structural unit of Gazprom's administration, branch or representative office to the laws of the Russian Federation and local regulations of Gazprom on personal data, as well as for ensuring the confidentiality and safety of personal data within the aforementioned units of Gazprom, is vested in the managers of such units.