PERSONAL DATA PROCESSING POLICY
AT JSC MEDBANK
1. Preamble
1.1. This policy of Medbank Joint Stock Company (Medbank JSC, INN (Taxpayer Identification Number) 7713488270, OGRN (Primary State Registration Number) 1227700191487, legal address: 127422, Moscow, Timiryazevskaya Str., House 1, Building 3, Floor 6, Room 4, website: https://medbank.rf, https://medbank.pro, hereinafter referred to as the Operator) regarding the processing and protection of personal data is the Privacy Policy (hereinafter referred to as the Policy) developed in accordance with the Constitution of the Russian Federation, Federal Law No. 152-FZ of July 27, 2006 «On Personal Data» (hereinafter referred to as the Federal Law «On Personal Data»), Federal Law No. 149-FZ of July 27, 2006 «On Information, Information Technologies and the Protection of Information», and the Recommendations for drafting a document defining the Operator’s policy regarding the processing of personal data of personal data subjects (hereinafter referred to as the Subject/Subjects). The Policy is intended to inform Subjects about who collects and processes their data, how, for what purpose, and to what extent.
2. Terms and definitions
«Personal Data» means any information directly or indirectly related to a specific or identifiable Subject.
«Operator» means a government agency, municipal authority, legal entity, or individual that, independently or jointly with others, organizes and/or processes personal data, and determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data. For the purposes of this Policy, the Operator is Medbank JSC.
«Subject» means an identified or identifiable individual whose personal data is processed by the Operator in accordance with this Policy.
«Personal data processing» means any action (operation) or set of actions (operations) performed with or without automated means with personal data. Personal data processing includes: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
«Automated processing of personal data» means the processing of personal data using computer technology.
«Non-automated processing of personal data» means actions with personal data, including use, clarification, distribution, and destruction, carried out with the direct participation of a person.
«Confidentiality of personal data» means a regime of personal data use under which it is not disclosed to third parties or not distributed without the consent of the personal data subject, unless otherwise provided by federal law.
«Personal Data Information System» is the collection of personal data contained in databases and the information technologies and technical means used to process it.
«Website» is the collection of graphic and informational materials, as well as the computer programs and databases that make them available online at the following addresses: https://medbank.rf and https://medbank.pro/.
«Cookie» is a small piece of data that the Website requests from a user’s device (computer, mobile device, smartphone, etc.). Cookie technology allows the Website to «remember» a user’s actions or preferences. Cookies are stored locally on the user’s device. A user can delete stored cookies at his/her discretion through the browser settings.
«User» means any visitor to the Website who is a Subject.
«Employee» means an individual who is a Subject and is employed by the Operator under an employment contract, as well as:
- an employee with whom a fixed-term employment contract has been concluded;
- a contractor hired under a civil law contract (engaged by the Operator to perform temporary necessary work);
- a former employee whose personal data is stored in accordance with the requirements of Russian legislation.
For the purposes of this Policy, the term «Employee» also includes applicants and candidates for employment with the Operator, whose personal data is subject to processing during the selection process.
«Cross-border transfer of personal data» refers to the transfer of personal data to a foreign government authority, foreign individual, or foreign legal entity.
«Personal data blocking» refers to the temporary cessation of personal data processing (except in cases where processing is necessary to clarify the personal data).
«Personal data anonymization» refers to actions that make it impossible to determine the ownership of personal data by a specific subject or another subject of the personal data without the use of additional information.
«Personal data provision» refers to actions aimed at disclosing personal data to a specific person or a specific group of persons.
«Personal data distribution» means any actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or familiarizing an unlimited number of persons with personal data, including the publication of personal data in the media, posting on information and telecommunications networks, or providing access to personal data in any other way.
«Personal data destruction» means any actions as a result of which personal data are irrevocably destroyed with the impossibility of further restoration of the personal data content in the personal data information system and (or) the destruction of tangible media containing personal data.
3. Grounds and principles for personal data processing
3.1. Personal data shall be processed lawfully and fairly.
3.2. Personal data shall be processed only to achieve specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes for which it was collected, or that is excessive in relation to the purposes for which it was collected, is prohibited.
3.3. Combining databases containing personal data processed for incompatible purposes is prohibited.
3.4. Only personal data that is relevant to the purposes for which it is processed shall be processed.
3.5. The content and volume of personal data processed correspond to the stated purposes of processing.
3.6. The personal data processed are not excessive in relation to the stated purposes of processing.
3.7. When processing personal data, the accuracy, sufficiency, and, where necessary, relevance of the personal data to the purposes of processing must be ensured.
3.8. Personal data shall be stored for no longer than required for the purposes of the personal data processing, unless the storage period for personal data is established by the Federal Law «On Personal Data» or by an agreement to which the Personal Data Subject is a party.
3.9. Processed personal data shall be destroyed upon achieving the processing purposes or when it is no longer necessary to achieve these purposes, unless otherwise provided by the Federal Law «On Personal Data».
3.10. The Operator is a Russian legal entity and conducts its activities within the Russian Federation. The Operator’s activities are aimed at Russian users, citizens of the Russian Federation, or individuals residing in the Russian Federation, and are not intended to generate profit or conduct other activities outside the Russian Federation. Therefore, the Operator is guided by:
— The Constitution of the Russian Federation;
— The Federal Law «On Personal Data»;
— The Civil Code of the Russian Federation;
— The Labor Code of the Russian Federation;
— The Tax Code of the Russian Federation;
— Other laws and delegated legislation governing the processing of personal data in the Russian Federation;
— The Operator’s Charter;
— Consents of the Subjects;
— Agreements to which the Subjects are a party, beneficiary, or guarantor.
3.11. The Operator’s activities are based on the following principles:
— legality;
— fairness;
— data minimization;
— targeted data processing;
— urgency of data processing;
— data confidentiality;
— localization of data processing;
— the Operator does not carry out the cross-border transfer of personal data.
3.12. The Operator processes the Subject’s personal data only in the following cases:
— the Subject fills in and/or submits personal data independently by completing special forms located on the Website;
— the Subject fills in and/or provides personal data independently by completing special forms on paper.
By completing the relevant forms and/or submitting (providing) his/her personal data to the Operator, the Subject expresses his/her consent to this Policy.
4. Volume and categories of personal data processed, categories of personal data subjects:
4.1. The content and volume of Subjects’ personal data processed by the Operator correspond to the processing purposes specified in this section of the Policy for each category of Subjects. The personal data processed by the Operator is not excessive in relation to the stated purposes of processing.
The Operator does not verify the accuracy of personal data provided by the Subject and is not in a position to assess its accuracy, but assumes that the Subject provides accurate and sufficient personal information about himself/herself and maintains this information up to date.
4.2. Purposes, types and volume of personal data processed:
| Purpose of processing № 1 | Ensuring compliance with labor laws |
| List of personal data | • Last name, first name, patronymic • Date of birth • Place of birth • Income • Gender • Email address • Residential address • Registration address • Telephone number • Insurance Number of Individual Ledger Account • Taxpayer Identification Number • Citizenship • Identity document details • Identity • Occupation • Position • Employment history (including length of service, current employment information, including the organization’s name and bank account) • Education details • Military Status • Military service details |
| Categories of Subjects | Employees |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary to achieve the goals provided for by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 2 | Maintaining personnel and accounting records |
| List of personal data | • Last name, first name, patronymic • Date of birth • Place of birth • Income • Gender • Email address • Residential address • Registration address • Telephone number • Insurance Number of Individual Ledger Account • Taxpayer Identification Number • Citizenship • Identity document details • Identity • Occupation • Position • Employment history (including length of service, current employment information, including the organization’s name and bank account) • Education details • Military Status • Military service details • Bank card details • Information about last name, first name, and patronymic name change (if any) • Health information • Employee identification number • Type of job (primary, part-time) • Length of service • Family composition • Information about hiring and transfer to another job • Structural unit • Specialty • Certification • Wage rate (salary) • Allowances • Income information • Advanced training • Professional retraining (retraining start date) • Retraining end date • Specialty • Vacation (type of vacation; period of work; number of calendar days of vacation; start and end dates) • Reason for termination of employment contract (dismissal) • Dismissal date • Employment contract number and date • Information about business trips (date, destination, duration, purpose, funding source, assignment) |
| Categories of Subjects | Employees, counterparties, representatives of counterparties (signatory, receiver, sole executive body, authorized person) |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary to achieve the goals provided for by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Third parties involved in the processing | OOO «PROFECOUNT» (TIN 6154159377, PSRN 1206100039617) |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 3 | Promotion of goods, works, and services on the market |
| List of personal data | • Last name, first name, patronymic • Email address • Occupation • Position |
| Categories of Subjects | Employees, contractors, clients |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 4 | Recruitment of personnel (applicants) for vacant positions of Operator |
| List of personal data | • Last name, first name, patronymic • Date of birth • Place of birth • Marital status • Gender • Email address • Residential address • Registration address • Telephone number • Taxpayer Identification Number (TIN) • Citizenship • Identity document details • Occupation • Position • Military Status • Military service details • Information about last name, first name, and patronymic changes (if any) • Employment history (including length of service, current employment information with the organization’s name) • Work experience (month, year of start/end) • Employer name • Location (city) • Job title, reason for dismissal • Education details (name of educational institution and its location) • Year of admission/graduation from educational institution • Mode of study • Specialty according to educational document, diploma number and series • Information about professional retraining and/or advanced training • Information about proficiency in foreign languages, including proficiency level • Information on change of citizenship (if any) • Grounds for exemption from conscription or from military service in the event of failure to complete military service • Information on financial obligations and debts • Information on state and/or municipal service over the past two years (period, position, organization) (if any) • Results of assessment activities • Information on desired salary • Information on professional, business, and personal qualities • Place of work |
| Categories of Subjects | Applicants, relatives of applicants, recommenders of applicants |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 5 | Implementation of corporate governance procedures |
| List of personal data | • Last name, first name, patronymic • Date of birth • Place of birth • Marital status • Gender • Email address • Residential address • Registration address • Telephone number • Taxpayer Identification Number (TIN) • Insurance Number of Individual Ledger Account • Identity document details • Signature • Document details confirming the authority of a representative (if a representative is present) • Information on legal capacity not related to health status • Criminal record • Information on participation in other legal entities • Information on holding a position in the management bodies of legal entities |
| Categories of Subjects | Shareholders of the Operator, beneficiaries of the Operator, individuals who are members of the management bodies of the Operator, including the sole executive body, as well as affiliates of the said persons, representatives of the said persons acting on the basis of a power of attorney or agreement, representatives in accordance with the requirements of the applicable legislation of the Russian Federation |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the processing of personal data is carried out with the consent of the personal data subject to the processing of his/her personal data • the processing of personal data is necessary to achieve the purposes provided by law, for the implementation and fulfillment of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 6 | Interaction with clients, contractors, partners |
| List of personal data | • Last name, first name, patronymic • Date of birth • Place of birth • Email address • Telephone number • Identity document details • Signature • Document details confirming the authority of the representative (if a representative is present) • Place of work |
| Categories of Subjects | Counterparties, clients, employees of clients, counterparties, partners, representatives of clients, counterparties, partners (signatory, shareholder, participant (founder), receiver, sole executive body, supplier, contractor), third parties, representatives of potential clients, counterparties, partners |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary to achieve the goals provided for by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 7 | Sale of goods, works, services |
| List of personal data | • Last name, first name, patronymic • Email address • Telephone number • Bank account number • Other bank details • Delivery address |
| Categories of Subjects | Potential clients, counterparties, partners, representatives of potential clients, counterparties, partners (signatory, sole executive body, responsible person) |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 8 | Providing access to the Operator’s website |
| List of personal data | • Last name, first name, patronymic • Email address • Phone number |
| Categories of Subjects | Website visitors, any website user |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 9 | Providing access to the Operator’s application “MEDBANK” |
| List of personal data | • Last name, first name, patronymic • Email address • Phone number • Name equivalent (login/nickname/fictitious name) |
| Categories of Subjects | Individuals using the Operator’s application MEDBANK: patients, legal representatives of patients, representatives of the counterparty, employers of patients, employees of the Operator, representatives of the Operator |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 10 | Providing access to the platform MEDBANK through the Operator’s website (including registration on the platform) |
| List of personal data | • Last name, first name, patronymic • Date of birth • Gender • Email address • Phone number • Identity document details • Place of birth • Insurance Number of Individual Ledger Account • Name equivalent (login/nickname/fictitious name) |
| Categories of Subjects | Individuals using the Operator’s platform MEDBANK: patients, legal representatives of patients, representatives of the counterparty, employers of patients, employees of the Operator, representatives of the Operator |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease: 1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 11 | Providing technical support to users of the Operator’s platform “MEDBANK” |
| List of personal data | • Last name, first name, patronymic • Date of birth • Gender • Email address • Phone number • Identity document details • Place of birth • Insurance Number of Individual Ledger Account • Name equivalent (login/nickname/fictitious name) |
| Categories of Subjects | Individuals using the Operator’s platform MEDBANK: patients, legal representatives of patients, representatives of the counterparty, employers of patients, employees of the Operator, representatives of the Operator |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data
• the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. |
| Processing period and conditions for processing ceasing | The personal data processing shall cease:
1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 12 | Ensuring compliance with legislation of the Russian Federation in the field of healthcare |
| List of personal data | • Last name, first name, patronymic
• Date of birth • Gender • Email address • Residential address • Registration address • Telephone number • Insurance Number of Individual Ledger Account • Taxpayer Identification Number • Citizenship • Identification document details • Driver’s license details • Occupation • Position • Health information |
| Categories of Subjects | Counterparties, representatives of counterparties, employees of counterparties, legal representatives of patients, patients |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data
• the personal data processing is necessary to achieve the goals provided for by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. An agreement concluded with a personal data subject may not contain provisions that limit the rights and freedoms of the personal data subject, establish cases of processing the personal data of minors, unless otherwise provided by the legislation of the Russian Federation, as well as provisions that allow the inaction of the personal data subject as a condition for concluding an agreement |
| Processing period and conditions for processing ceasing | The personal data processing shall cease:
1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
| Purpose of processing № 13 | Provision of medical services |
| List of personal data | • Last name, first name, patronymic
• Date of birth • Gender • Email address • Residential address • Registration address • Telephone number • Insurance Number of Individual Ledger Account • Taxpayer Identification Number • Citizenship • Identification document details • Driver’s license details • Occupation • Position • Health information |
| Categories of Subjects | Counterparties, representatives of counterparties, employees of counterparties, legal representatives of patients, patients |
| List of actions performed with personal data | Collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer, blocking, deletion, destruction, distribution |
| Legal grounds for processing personal data | • the personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data
• the personal data processing is necessary to achieve the goals provided for by law, for the implementation and performance of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation • the personal data processing is necessary for the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or guarantor. An agreement concluded with a personal data subject may not contain provisions that limit the rights and freedoms of the personal data subject, establish cases of processing the personal data of minors, unless otherwise provided by the legislation of the Russian Federation, as well as provisions that allow the inaction of the personal data subject as a condition for concluding an agreement |
| Processing period and conditions for processing ceasing | The personal data processing shall cease:
1) upon expiration of the period stipulated by law, contract, or the consent of the personal data subject to the processing of his/her personal data; 2) upon achievement of the personal data processing purposes, as well as upon receipt of a request from the personal data subject to cease processing of his/her personal data and/or to revoke consent to the processing of his/her personal data, and in the absence of legal grounds for the processing of his/her personal data stipulated by law, including Federal Law No. 125-FZ of October 22, 2004, «On Archival Affairs in the Russian Federation.» |
5. Use of the Website and Cookies
5.1. This Policy applies, insofar as it relates to this section, only to the Operator’s Website and does not regulate third-party websites that the User may access via links posted on the Website (if any).
5.2. Using the Website constitutes the User’s full and unconditional agreement with all terms of this Policy regarding the use of the Operator’s Website. If the User does not agree with any terms of the Policy regarding the use of the Operator’s Website, in whole or in part, or with the terms of the Policy as a whole, the User must refrain from using the Website.
5.3. When using the Website, the User is prohibited from taking any actions that may disrupt the functionality of the Website.
5.4. Purposes of personal data processing on the Website:
— identifying Website Users;
— providing access to the personal account on the Website in the manner and subject to the restrictions stipulated by Russian Federation law and the Operator’s local regulations, to ensure the information security of Users and the Operator;
— monitoring the activity of Website Users. Anonymized data collected using internet statistics services (including Yandex.Metrica) is used to collect information about visitor actions on the Website and improve the quality of the Website and its content;
— providing technical support to Users when using the Website;
— sending news and advertising newsletters, including sending Users informational messages about new products and services, special offers, and various events;
— for other purposes stipulated by Russian Federation law.
5.5. The Operator processes anonymized data about the User if this is permitted in the User’s browser settings (cookie storage and JavaScript technology are enabled).
5.6. The following cookies are collected from the Website User:
— Strictly Necessary Cookies/Technical Cookies: These cookies are essential for the operation of the Website and allow us to identify the User’s hardware and software, including the User’s browser type;
— Statistical/Analytical Cookies: These cookies allow us to recognize the User(s), to count their number, and to collect information such as the User’s actions on websites and services, including information about the web pages visited and the content the User accesses;
— Technical Cookies: These cookies collect information about how the User interacts with websites and/or services, which allows us to identify errors and to test new features to improve the performance of websites and services;
— Functional cookies: These cookies enable certain features to facilitate the User’s use of websites, for example, by storing the User’s preferences (such as language and location);
— Third-party tracking/advertising cookies: These cookies collect information about the User, traffic sources, pages visited, and advertisements displayed to the User, as well as the page that led the User to the advertised page. They allow the display of advertisements that may be of interest to the User based on the analysis of personal information collected about the User. They are also used for statistical and research purposes.
5.7. The Website uses cookies to:
— help the User stay logged in to the Website;
— ensure the functionality and security of the Website;
— improve the quality of the Website;
— display information that is prioritized for the User;
— collect information about the number of ad views and clicks on advertising links (conversion measurement), personalize offers and advertising for the User (for example, the User will not be shown again the same ads that the User recently saw);
— navigate from third-party advertising services to a relevant page;
— collect information about the user session, generate statistics on the use of the Website (e.g., counting visitors to the Website, identifying peak hours of user activity), and analyze the user experience of interaction with the Website (e.g., determining the individual user «path» when using the Website), i.e., to optimize the design and structure of the Website in terms of its ease of use, the rapid search for necessary information, and the overall improvement of the user experience.
5.8. Storage period of cookies on the User’s device:
5.8.1. The Website uses session cookies to enhance the User’s experience. Session cookies expire at the end of the session (when the User closes the page or browser window).
5.8.2. The Operator may also use cookies that persist for a longer period, for example, to remember the User’s preferences on the Website. The data retention period depends on the type of cookie. Such cookies will be automatically deleted after they have served their purpose.
5.9. Cookie Management:
5.9.1. When first visiting the Website, the User may be prompted in a pop-up window to select the types of cookies to be stored on the User’s device. Technical cookies are installed automatically when the page loads, unless otherwise specified in the browser settings. If the User has approved the use of cookies but later wishes to change that decision, he/she can do so independently by deleting the saved files in his/her browser.
5.9.2. The Website does not require mandatory consent to install cookies on the User’s device. The User can control the collection of cookie information by adjusting the appropriate settings in his/her web browser. For instructions on how to block or delete any cookies, the User should visit the «Help» or «Support» section of his/her browser. If the cookie function is disabled or blocked, the Operator cannot guarantee the operation of the Website and the full availability of its functionality.
5.10. Third parties with access to information contained in cookies:
5.10.1. The Operator’s partners and services used by the Website may also collect information about Users using cookies or pixel tags as part of the Website use. The use of cookies and other technologies allows the Operator and partners to analyze Website activity by counting visits or displaying advertising tailored to the Website’s services.
5.10.2. The web analytics tool Yandex.Metrica used by the Website collects anonymized information about traffic sources, Website traffic, and evaluates advertising effectiveness. To track visitors, Yandex.Metrica uses anonymous browser identifiers, which are stored in cookies.
For more information about Yandex.Metrica cookies, please visit https://yandex.ru/support/metrica/general/cookie-usage.html.
6. Using the application “MEDBANK”
6.1. The Policy applies, insofar as it relates to this section, only to the Operator’s application “MEDBANK” and does not regulate third-party applications that the Subject may navigate to by any means.
6.2. The developer of the application “MEDBANK” is the Operator.
6.3. The use of the application “MEDBANK” constitutes the Subject’s full and unconditional agreement with all terms of the application “MEDBANK” Use Policy. If the Subject does not agree with any terms of the application “MEDBANK” Use Policy in whole or in part, or with the terms of the Policy in general, the Subject must refrain from using the application “MEDBANK”.
6.4. When using the application “MEDBANK”, the Subject is prohibited from taking any actions that may impair the application’s functionality.
6.5. The functional purpose of the application “MEDBANK” is to view and manage data in the system for conducting pre-shift, pre-trip, post-shift, and post-trip medical examinations.
7. Procedure and Conditions for Personal Data Processing
7.1. The source of personal data is the Subject.
7.2. The Subject of personal data consents to its processing voluntarily, of his/her own free will, and in his/her own interests.
If the Subject’s personal data is obtained from a third party, the Subject’s consent to its processing must be obtained.
Consent to the processing of personal data must be specific, informed, and conscious.
Consent to the processing of personal data in electronic form is considered to be personally signed by the Subject.
If the consent to the personal data processing is signed by a representative of the Subject on behalf of the Subject, the authority of such representative to grant consent on behalf of the Subject must be confirmed and verified by the Operator.
7.3. If personal data is processed by third parties, the Subject consents to the processing of his/her personal data by third parties who, by virtue of their civil law relationship with the Operator, have access to the personal data, solely on the condition that confidentiality, as well as the protection and security of the personal data, are ensured.
7.4. The transfer of personal data to inquiry and investigative bodies, the Federal Tax Service, the Social Fund of Russia, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
7.5. The Operator processes personal data using a mixed (both automated and non-automated) method.
7.6. The Operator is obligated to publish on the Website or otherwise ensure unrestricted access to a document defining the Policy and information on the implemented personal data protection requirements.
7.7. The conditions for termination of personal data processing are:
— expiration of the period stipulated by law, contract, or the Subject’s consent to the personal data processing;
— achievement of the purposes of the personal data processing, as well as in the event of a request from the Subject to cease the personal data processing and/or to revoke consent to the personal data processing, and in the absence of legal grounds for the personal data processing stipulated by law, including Federal Law No. 125-FZ «On Archival Affairs in the Russian Federation» of October 22, 2004.
7.8. Personal Data Storage Procedure:
7.8.1 In accordance with Part 5 of Article 18 of the Federal Law «On Personal Data,» the Operator, when collecting personal data, ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the Russian Federation.
7.9. Personal data shall be clarified, deleted, and destroyed as follows:
7.9.1. If inaccuracies are discovered in personal data, the Subject may update it independently by sending a notification to the Operator’s email address info@medbank.pro with the subject line «Updating personal data.»
7.9.2. Processed personal data shall be destroyed within 30 (thirty) days after the processing purposes have been achieved or if achieving these purposes is no longer necessary, unless otherwise provided by law.
The data Subject may revoke his/her consent to the personal data processing at any time by sending a notification to the Operator via email to info@medbank.pro with the subject line «Revocation of consent to the personal data processing.»
7.9.3. The destruction of personal data shall be carried out directly by the person responsible for the personal data processing, appointed by the Operator’s order.
7.9.4. Personal data on paper media shall be destroyed by shredding, while personal data on electronic media shall be destroyed by cancellation or formatting, making it impossible to recover or use the personal data.
7.9.5. Each instance of personal data destruction shall be confirmed by a Certificate of Destruction of paper or other media. The person responsible for the personal data processing ensures the recording and storage of certificates of personal data destruction.
7.10. Procedure for Transferring Personal Data:
7.10.1. The Operator transfers personal data to third parties in the following cases:
— the Subject has expressed his/her consent to such actions;
— the transfer shall be carried out within the scope of cases provided for by Russian Federation legislation.
8. Personal data protection procedure
8.1. The Operator shall take all necessary measures to ensure the security and confidentiality of personal data.
8.2. The primary measures to protect personal data are:
— identifying threats to the security of personal data when processed in personal data information systems;
— appointing a person responsible for the personal data processing, who will organize the processing of personal data and ensure internal control over employee compliance with personal data protection requirements;
— developing measures and activities to protect personal data;
— assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
— maintaining records of machine-readable media of personal data;
— establishing rules for accessing personal data, as well as ensuring the registration and accounting of all actions performed with personal data;
— establishing individual, limited employee access to personal data in accordance with their job responsibilities;
— use of certified antivirus software;
— control of access to premises where personal data is processed;
— ensuring the security of personal data and preventing unauthorized access;
— detection of unauthorized access to personal data and taking appropriate actions;
— taking immediate actions upon detection of unauthorized access to personal data;
— restoring personal data destroyed or altered as a result of unauthorized access;
— monitoring of the effectiveness of measures and tools used to ensure personal data security, as well as monitoring of the level of the personal data information systems protection;
— training of the Operator’s employees directly involved in the personal data processing in personal data protection requirements, familiarization with documents defining the Operator’s Policy on the personal data processing, and with local regulations on personal data processing.
8.3. Personal data may not be used for purposes that conflict with the requirements of the Federal Law «On Personal Data,» violate the rights and legitimate interests of citizens, or pose a threat to state security.
8.4. All Operator’s employees involved in the personal data processing are obligated to maintain the confidentiality of information containing personal data in accordance with this Policy and the requirements of Russian Federation law.
8.5. Persons found guilty of violating the requirements of this Policy shall bear administrative, civil, and criminal liability, as provided for by current Russian Federation law.
9. Basic rights of the Subject and obligations of the Operator
9.1. Basic rights of the Subject:
9.1.1. The Subject has the right to access his/her personal data and the following information:
— confirmation of the processing of his/her personal data. The processing of personal data is confirmed by a civil law contract concluded between the Operator and the Personal Data Subject, as well as by the consent to the personal data processing signed by the Personal Data Subject;
— the legal grounds and purposes of personal data processing;
— the methods of personal data processing used by the Operator;
— the personal data being processed and the source thereof;
— the name and location of the Operator, information about persons who have access to personal data or to whom personal data may be disclosed under an agreement with the Operator or under federal law;
— the name and location of the organization, or the last name, first name, patronymic, and address of the person processing the personal data on behalf of the Operator, if the processing has been or will be entrusted to such person;
— the timeframes for personal data processing (determined in accordance with the validity period of the civil law contract, consent to the personal data processing, or other document defining the legal relationship between the Operator and the Subject);
— the storage periods of personal data (determined in accordance with the storage periods of tangible media containing personal data, taking into account Order of the Federal Archive Service of Russia dated December 20, 2019 No. 236 «On Approval of the List of Standard Management Archival Documents Generated in the Course of Activities of State Bodies, Local Governments, and Organizations, Indicating Their Storage Periods»);
— other information stipulated by the Federal Law «On Personal Data» or other federal laws.
9.1.2. The Subject has the right to:
— receive information from the Operator regarding the processing of his/her personal data;
— request that the Operator clarify his/her personal data, block it, or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing, and to take measures provided by law to protect his/her rights;
— demand the cessation of the transfer (distribution, provision, access) of personal data previously permitted for distribution by the Personal Data Subject;
— appeal the Operator’s actions or inactions to the Office of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) for the Central Federal District or through the courts if the Operator processes his/her personal data in violation of the Federal Law «On Personal Data» or otherwise violates his/her rights and freedoms;
— send appeals and requests, including repeated requests, to the Operator.
9.2. Operator’s responsibilities:
— Upon request from the Subject or his/her authorized representative, to notify him/her of the availability of the information listed in paragraph 9.1.1. of this Policy, and to provide access to such information within a period not exceeding ten (10) days from the date of receipt of the corresponding request from the Subject or his/her authorized representative;
— To provide a written, reasoned response concerning the refusal to provide information regarding the availability of the Subject’s personal data, with reference to the specific provisions of the Federal Law «On Personal Data» that form the basis for such refusal, upon request or upon receipt of a request from the Subject or his/her representative, within a period not exceeding ten (10) days from the date of receipt of the corresponding request from the Subject or his/her authorized representative;
— if the purpose of personal data processing is achieved, to immediately cease the personal data processing and to destroy or to anonymize the relevant personal data within a period not exceeding 30 (thirty) days from the date of achieving the purpose of personal data processing, unless otherwise provided by federal laws. Or to ensure destruction or anonymization if the personal data is processed by another person acting on behalf of the Operator. To notify the Subject or his/her legal representative thereof, and if the request or inquiry was sent by an authorized body for the protection of the Personal Data Subjects’ rights, also that body;
— if the Subject revokes consent to the processing of his/her personal data, to cease the personal data processing and to destroy the personal data within a period not exceeding 30 (thirty) days from the date of receipt of such revocation, unless otherwise provided by an agreement between the Operator and the Subject. Or to ensure cessation of the personal data processing and its destruction if the personal data is processed by another person acting on behalf of the Operator. The Operator is obliged to notify the Subject of the destruction of personal data;
— in the event of a request from the Subject to cease the personal data processing for the purpose of promoting goods, works, or services on the market, to immediately cease the personal data processing. Or to ensure that the processing of the personal data ceases if the personal data is processed by another person acting on behalf of the Operator;
— in the event of a request from the Subject to cease transfer (dissemination, provision, access) of personal data previously authorized for distribution by the Subject, the Operator is obligated to cease transfer (dissemination, provision, access) of such personal data within 3 (three) business days of receipt of the Subject’s request;
— when collecting personal data, including via the Internet, to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases expressly specified in the Federal Law «On Personal Data»;
— to amend the Subject’s personal data if the Subject or his/her authorized representative provides confirmation that the personal data is incomplete, inaccurate, or outdated. The amendments must be made within 7 (seven) business days from the date the Subject or his/her authorized representative provides the relevant information;
— to destroy the Subject’s personal data if the Subject or his/her authorized representative provides confirmation that the personal data was obtained illegally or is not necessary for the stated purpose of processing. Personal data must be destroyed within a period not exceeding 7 (seven) working days from the date of provision of the relevant information by the Subject or his/her authorized representative;
— to notify the Subject or his/her authorized representative of the changes made and the measures taken, and to take reasonable steps to notify third parties if the personal data of this Subject has been transferred to them;
— to block the Subject’s personal data if it is discovered that it is being processed illegally, upon request from the Subject, his/her authorized representative, or at the request of Roskomnadzor, or to ensure its blocking (if the personal data is being processed by another person acting on behalf of the Operator) from the moment of such request or receipt of such request for the duration of the verification;
— to block the Subject’s personal data if it is discovered that it is inaccurate, upon request from the Subject, his/her authorized representative, or at the request of Roskomnadzor, or to ensure its blocking (if the personal data is being processed by another person acting on behalf of the Operator) from the moment of such request or receipt of such request for the duration of the verification, unless blocking the personal data violates the rights and legitimate interests of the Subject or third parties.
If the inaccuracy of personal data is confirmed, the Operator, based on information provided by the Subject, his/her authorized representative, or Roskomnadzor, is obligated to clarify the personal data or to ensure its clarification (if the personal data is processed by another person acting on behalf of the Operator) within a period not exceeding seven (7) business days from the date of submission of such information and to unblock it (to ensure the blocking);
— to cease the personal data processing or to ensure that the person acting on behalf of the Operator ceases processing it if the illegality of such processing is discovered, within a period not exceeding three (3) business days from the date of discovery.
If the legality of personal data processing cannot be established, the Operator is obligated to destroy or to ensure the destruction of such personal data within a period not exceeding ten (10) business days from the date of discovery of its illegal processing. To notify the Subject, his/her authorized representative and Roskomnadzor (if they sent a request to the Operator) of the changes made and the measures taken and to take reasonable measures to notify third parties if the personal data of this Subject were transferred to them;
— to destroy personal data or to ensure its destruction (if personal data is processed by another person acting on the Operator’s instructions) within a period not exceeding 30 (thirty) days from the date of achieving the purpose of processing or the date of receipt of the Subject’s revocation of consent to processing;
— to notify the Subject of the receipt of his/her personal data if such data was not obtained from himself/herself;
— if the Subject refused to provide personal data, to explain to the Subject the consequences of such refusal;
— to ensure the storage of personal data using databases located in the Russian Federation;
— to publish or otherwise to provide unrestricted access to the document defining the Operator’s Policy regarding the personal data processing, and to information on the implemented requirements for the protection of personal data.
10. Cross-border transfer of personal data
10.1. Prior to commencing the cross-border transfer of personal data, the Operator is obliged to ensure that the foreign state to which the personal data is to be transferred ensures reliable protection of the rights of the Personal Data Subjects.
10.2. Cross-border transfer of personal data to the territory of foreign states that do not meet the above requirements may only be carried out with the Personal Data Subject’s written consent to the cross-border transfer of his/her personal data and/or the execution of an agreement to which the Personal Data Subject is a party.
11. Final Provisions
11.1. This Policy shall enter into force upon approval and remain in effect indefinitely until a new Policy is adopted. The Operator reserves the right to amend this Policy unilaterally. The new version of the Policy shall enter into force upon its posting on the Operator’s Website.
11.2. This Policy shall be immediately published on the Website.
11.3. If, for any reason, one or more provisions of this Policy are deemed invalid or unenforceable, such circumstances shall not affect the validity or applicability of the remaining provisions of the Policy.
11.4. The Operator provides unrestricted access to this Policy.
11.5. The requirements of this Policy are mandatory for all Operator Employees with access to personal data.
11.6. This Policy applies to all Employees of the Operator who, within the meaning of this Policy, are Subjects of Personal Data Processing.
11.7. Subjects may obtain any clarifications regarding the processing of their personal data by contacting the Operator in writing at info@medbank.pro.