1. General Provisions
1.1. Policy Purpose
1.1.1. In order to comply with the legislation of the Russian Federation regulating relations related to the processing and security of personal data, and to maintain its business reputation, the State Budgetary Healthcare Institution of the City of Moscow “V.M. Buyanov City Clinical Hospital of the Moscow Department of Healthcare” (abbreviated name: State Budgetary Healthcare Institution “V.M. Buyanov City Clinical Hospital of the Moscow Department of Healthcare”; hereinafter referred to as the Budgetary Institution; INN: 7724598966, KPP: 772401001, OGRN: 7724598966, legal address: 115516, Moscow, Bakinskaya St., Bldg. 26, mailing address for inquiries: 115516, Moscow, Bakinskaya St., Bldg. 26) considers its tasks to be compliance with the principles of legality, fairness and confidentiality in the processing of personal data, as well as ensuring the security of the processes by which such data is processed.
1.1.2. This Policy regarding the processing of personal data in the Budgetary Institution (hereinafter referred to as the Policy) has been developed in accordance with the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data).
1.1.3. The Policy defines:
– basic principles, purposes, conditions and methods of processing personal data;
– lists of subjects and personal data processed in the Budgetary Institution, functions of the Budgetary Institution in processing personal data;
– rights of personal data subjects;
– requirements for the protection of personal data implemented in the Budgetary Institution.
1.1.4. The requirements of this Policy serve as the basis for the development of internal documents regulating the processing of personal data in the Budgetary Institution.
1.1.5. This Policy is a public document. Pursuant to the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain and at each location where personal data is collected on the Budgetary Institution’s website https://gkb-buyanova.ru/ on the Internet (hereinafter referred to as the Website) within 10 days of its approval.
1.1.6. This Policy applies to all personal data processed by the Budgetary Institution.
1.1.7. The invalidity of any part of this Policy shall not entail the invalidity of the entire Policy.
1.1.8. The Budgetary Institution is an operator of personal data; it independently or jointly with other persons organizes and carries out the processing of personal data, determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data, and also ensures the protection of the rights and freedoms of subjects when processing their personal data and takes measures to ensure the fulfillment of obligations stipulated by the Law on Personal Data and other regulatory legal acts in the field of personal data protection.
1.1.9. The Policy may not contain provisions that limit the rights and freedoms of the personal data subject, as well as provisions that allow the User’s inaction as a condition for concluding an agreement/expressing consent.
1.1.10. The Policy comes into force from the moment of its approval by the chief physician of the Budgetary Institution.
1.1.11. The Policy is subject to revision during periodic analysis by the management of the Budgetary Institution, as well as in cases of changes in the legislation of the Russian Federation.
1.1.12. Compliance with the requirements of this Policy shall be monitored by authorized persons responsible for organizing the processing of personal data in the Budgetary Institution.
1.2. Objectives of the Policy
1.2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of personal data subjects during the processing of their personal data by the Budgetary Institution, including the protection of the rights to privacy, personal, family and medical secrets, as well as establishing the liability of the Institution’s employees who have access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data.
1.3. Basic concepts
1.3.1. For the purposes of the Policy, the following concepts are used:
automated processing of personal data – processing of personal data using computer technology;
blocking of personal data – temporary cessation of processing of personal data (except in cases where processing is necessary to clarify personal data);
website – a collection of graphic and informational materials, as well as computer programs and databases, ensuring their availability on the Internet at the operator’s network address https://gkb-buyanova.ru/;
access to personal data – familiarization of certain persons (including employees) with the personal data of subjects processed by the Budgetary Institution, subject to maintaining the confidentiality of this information;
confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner;
medical activity – professional activity in providing medical care, conducting medical expert assessments, medical check-ups and medical certifications, sanitary and anti-epidemic (preventive) measures, and professional activity related to the transplantation (replantation) of organs and (or) tissues, circulation of donor blood and (or) its components for medical purposes;
processing of personal data – any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of personal data;
operator – a state body, a municipal body, a legal entity or an individual who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;
patient – an individual who is receiving medical care or who has applied for medical care, regardless of whether he has an illness and regardless of his condition;
personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);
personal data permitted by the subject of personal data to be distributed – personal data, access to which by an unlimited number of persons is granted by the subject of personal data by giving consent to the processing of personal data, permitted by the subject of personal data to be distributed in the manner prescribed by the Federal Law “On Personal Data”;
website user (hereinafter referred to as the User) – a legally competent individual who uses the website of the Budgetary Institution and its Services;
visitor – an individual occupying the guarded office buildings and premises of a Budgetary Institution, who does not have the right of permanent entry to them, and who requires a one-time pass;
provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;
employee – an individual who has entered into an employment relationship with a Budgetary Institution;
dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;
relative of an employee – a close relative of an employee of the Budgetary Institution, the processing of whose personal data is provided for by federal laws and is also carried out by the Budgetary Institution as an employer in accordance with the requirements of state statistical authorities;
applicant (candidate) – an individual applying for vacant positions in the Budgetary Institution;
subject of personal data – an individual who is directly or indirectly identified or identifiable using personal data;
cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to a foreign government body, a foreign individual or a foreign legal entity;
destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
cookies – text files, usually small in size, or pieces of information that may be stored in your computer’s memory when you visit a website.
1.4. Scope
1.4.1. The provisions of the Policy apply to all relationships related to the processing of personal data carried out by the Budgetary Institution:
– using automation tools, including in information and telecommunications networks, or without using such tools, if the processing of personal data without using such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools, that is, it allows, in accordance with a given algorithm, to search for personal data recorded on a tangible medium and contained in card indexes or other systematized collections of personal data, and (or) access to such personal data;
– without the use of automation tools.
1.4.2. All employees of the Budgetary Institution who process personal data or have access to it must be guided by this Policy.
2. Purposes of personal data processing
2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes.
2.2. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.
2.3. The Budgetary Institution processes personal data for the following purposes:
– Ensuring compliance with Russian labor legislation;
– Maintaining personnel and accounting records;
– Ensuring compliance with Russian legislation in the field of healthcare;
– Ensuring compliance with the legislation on state social assistance of the Russian Federation;
– Ensuring compliance with Russian pension legislation;
– Ensuring compliance with Russian tax legislation;
– Selection of personnel (applicants) for vacant positions with the operator;
– Compliance with military registration legislation;
– Preparation, conclusion and execution of a civil law contract;
– Organization of employees receiving vocational education, as well as their completion of vocational training, advanced training, retraining, and training in short-term programs;
– Sending notifications to personal data subjects regarding services provided by the Budgetary Institution;
– Ensuring the functional and analytical capabilities of the institution’s website through the use of cookies;
– Publication of data on the organization’s website for the purpose of providing information about medical specialists;
– Posting a review on the website of the Budgetary Institution.
3. Legal grounds for processing personal data
– Constitution of the Russian Federation;
– Civil Code of the Russian Federation of November 30, 1994 No. 51-FZ;
– Tax Code of the Russian Federation of 05.08.2000 No. 117-FZ;
– Labor Code of the Russian Federation of 30.12.2001 No. 197-FZ;
– Federal Law of 19.12.2005 No. 160-FZ “On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”;
– Resolution of the Government of the Russian Federation of 01.11.2012 No. 1119 “On approval of requirements for the protection of personal data when processing them in personal data information systems”;
– Resolution of the Government of the Russian Federation of September 15, 2008 No. 687 “On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools”;
– Resolution of the Board of the Pension Fund of the Russian Federation dated July 31, 2006 No. 192p “On the forms of individual (personalized) accounting documents in the compulsory pension insurance system and instructions for filling them out”;
– Federal Law of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”;
– Federal Law of 06.12.2011 No. 402-FZ “On Accounting”;
– Federal Law of 21.11.2011 No. 323-FZ “On the Fundamentals of Health Protection of Citizens in the Russian Federation”, including paragraph 7 of part 1 of article 79;
– Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;
– Federal Law of November 29, 2010 No. 326-FZ “On Compulsory Medical Insurance in the Russian Federation”;
– Order of the Ministry of Health of the Russian Federation dated 30.12.2014 N 956n “On information necessary for conducting an independent assessment of the quality of services provided by medical organizations, and requirements for the content and form of providing information on the activities of medical organizations posted on the official websites of the Ministry of Health of the Russian Federation, state authorities of the constituent entities of the Russian Federation, local governments and medical organizations in the information and telecommunications network “Internet””;
– Federal Law of 15.12.2001 No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation”;
– Federal Law of 05.04.2013 No. 44-FZ “On the contract system in the sphere of procurement of goods, works, services to meet state and municipal needs”;
– Federal Law of 12.04.2010 No. 61-FZ “On the Circulation of Medicines”;
– Federal Law of 06.04.2011 No. 63-FZ “On Electronic Signature”;
– Federal Law of March 28, 1998 No. 53-FZ “On military duty and military service”;
– Federal Law of 02.05.2006 No. 59-FZ “On the procedure for considering appeals from citizens of the Russian Federation”;
– Law of the Russian Federation of 07.02.1992 No. 2300-I “On the Protection of Consumer Rights”;
– Order of the Ministry of Health of the Russian Federation dated August 3, 2012 No. 66n “On approval of the Procedure and terms for improving the professional knowledge and skills of medical workers and pharmaceutical workers through training in additional professional educational programs in educational and scientific organizations”;
– Resolution of the Government of the Russian Federation of 11.05.2023 N 736 “On approval of the Rules for the provision of paid medical services by medical organizations, amendments to certain acts of the Government of the Russian Federation and recognition of the Resolution of the Government of the Russian Federation of October 4, 2012 N 1006 as invalid”;
– Order of the Ministry of Health of the Russian Federation dated November 12, 2021 No. 1050n “On approval of the procedure for familiarizing a patient or his legal representative with medical documentation reflecting the patient’s health status”;
– Resolution of the Government of the Russian Federation of May 20, 2022 No. 911 “On the admission of persons to work with narcotic drugs and psychotropic substances, as well as to activities related to the circulation of precursors of narcotic drugs and psychotropic substances”;
– Order of the Ministry of Health of the Russian Federation dated September 7, 2020 No. 947n “On approval of the Procedure for organizing a document management system in the field of healthcare in terms of maintaining medical records in the form of electronic documents”;
– Order of the Ministry of Health of the Russian Federation dated August 3, 2023 No. 408 “On approval of the list of documents generated in the activities of the Ministry of Health of the Russian Federation and organizations subordinate to it, indicating storage periods”;
– Order of the Federal Archival Agency dated 20.12.2019 No. 236 “On approval of the List of standard management archival documents generated in the course of activities of state bodies, local governments and organizations, indicating their storage periods”;
– Code of the Russian Federation on Administrative Offenses of 30.12.2001 No. 195-FZ;
– License L041-01137-77/00555076 dated 01/25/2021 for medical activities;
– Charter of the Budgetary Institution;
– Local regulations of the Budgetary Institution;
– Agreements concluded between the Budgetary Institution and the subject of personal data;
– Consent of personal data subjects to the processing of personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the powers of the operator);
– and other regulatory legal acts established by the legislation of the Russian Federation.
The processing of personal data shall cease upon reorganization or liquidation of the Budgetary Institution.
4. Volume and categories of personal data processed, categories of personal data subjects
4.1. Information on the categories of subjects whose personal data is processed by the Budgetary Institution, the categories and list of personal data processed, the methods, terms of their processing and storage are presented in Appendix 1 to this Policy.
4.2. The composition of personal data is determined by the documentation procedure and accounting forms approved by the legislation of the Russian Federation and other regulatory legal acts governing the activities of the Budgetary Institution.
4.3. The storage periods for personal data in the Budgetary Institution are determined in accordance with the list of standard management archival documents generated in the course of activities of state bodies, local government bodies and organizations, indicating the storage periods, approved by Order of the Federal Archival Agency dated 20.12.2019 No. 236, as well as the list of documents generated in the activities of the Ministry of Health of the Russian Federation and organizations subordinate to it, indicating the storage periods, approved by Order of the Ministry of Health of Russia dated 03.08.2023 No. 408.
5. Composition and ownership of personal data
5.1. The subjects of personal data whose personal data is processed in the Budgetary Institution include:
– Employees, former employees, members of their families and close relatives;
– Candidates for vacant positions;
– Site visitors;
– Patients, their relatives;
– Relatives of deceased patients who have applied for the issuance of material assets, documents, personal belongings of the deceased patient;
– Citizens who have applied to review medical documentation reflecting the patient’s health status in accordance with Order No. 1050n of the Ministry of Health of the Russian Federation dated November 12, 2021 “On approval of the procedure for familiarizing a patient or his legal representative with medical documentation reflecting the patient’s health status”;
– The legal representative of the patient who has requested the provision of medical documents (their copies) and extracts from them;
– Representatives of the parties to contracts and agreements – legal entities;
– Citizens who have sent appeals and requests to the Budgetary Institution;
– Parties to contracts and agreements – individuals.
6. List of actions with personal data, description of access to personal data processing
6.1. List of actions performed with personal data:
– collection of personal data;
– recording of personal data;
– systematization of personal data;
– accumulation of personal data;
– storage of personal data;
– clarification (updating, changing) personal data;
– use of personal data;
– transfer (distribution, provision, access) of personal data;
– blocking of personal data;
– deletion of personal data;
– destruction of personal data.
The processing of personal data is carried out by:
– obtaining information containing personal data in oral and (or) written form directly from subjects of personal data;
– provision by subjects of personal data of originals and copies of necessary documents;
– copying documents;
– obtaining personal data when sending requests to government bodies, state extra-budgetary funds, other government bodies, commercial and non-commercial organizations, individuals in cases and in the manner stipulated by the legislation of the Russian Federation;
– receiving (transferring) personal data from other healthcare institutions;
– recording (registration) of personal data in journals, books, registers and other accounting forms;
– entering personal data into personal data information systems;
– the use of other means and methods of recording personal data obtained within the framework of the activities carried out.
6.2. Access to personal data processing
Only those employees of the Budgetary Institution whose access to personal data is necessary for the performance of their job duties are permitted to process personal data. These employees have the right to receive only the personal data, and only to the extent, necessary for the performance of their job duties.
Employees of the Budgetary Institution authorized to process personal data are informed of the terms and conditions for processing personal data, the protection modes of personal data information systems, and the procedure for storing tangible media of personal data.
Employees of the Budgetary Institution give written commitments to non-disclosure of personal data and observance of medical confidentiality.
The dissemination of personal data to an indefinite number of persons is carried out in accordance with the requirements of the Russian Federation legislation or with the consent of the personal data subject.
7. Procedure and conditions for processing personal data
7.1. Principles of personal data processing
The processing of personal data is carried out by the Budgetary Institution in accordance with the following principles and rules stipulated by the Law on Personal Data, and takes into account the need to ensure the protection of the rights and freedoms of personal data subjects, including the protection of the right to privacy, personal and family secrets, namely:
– the processing of personal data is carried out on a lawful and fair basis;
– the processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes; processing of personal data that is incompatible with the purposes of collecting personal data is not permitted;
– it is not permitted to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
– only personal data that meet the purposes of their processing are subject to processing;
– the content and volume of personal data processed correspond to the stated purposes of processing; the personal data processed are not excessive in relation to the stated purposes of their processing;
– when processing personal data, the accuracy of the personal data, its sufficiency, and, where necessary, relevance in relation to the purposes of processing the personal data are ensured; the Budgetary Institution takes the necessary measures or ensures their adoption to delete or clarify incomplete or inaccurate data;
– ensuring the confidentiality of processed personal data;
– the reliability of personal data, their sufficiency for the purposes of processing, the inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;
– personal data is stored in a form that allows the identification of the subject of personal data, for no longer than is required for the purposes of processing personal data, unless the storage period for personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor;
– processed personal data are subject to destruction upon achievement of the processing purposes or in the event of loss of the need to achieve these purposes, unless otherwise provided by federal law.
7.2. Terms of personal data processing
7.2.1. The processing of other categories of personal data of personal data subjects is carried out with the consent of the personal data subject to the processing of his personal data, unless otherwise provided by the legislation of the Russian Federation.
7.2.2. The processing of personal data of subjects undergoing medical examinations, medical research and treatment is carried out without the consent of the subjects of personal data in accordance with the requirements of the Law on Personal Data in the following cases:
7.2.2.1. In accordance with the requirements of the Law on Personal Data:
– the processing of personal data is necessary for the performance of an agreement to which the personal data subject is a party, beneficiary, or guarantor, as well as for the conclusion of an agreement at the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor. An agreement concluded with a personal data subject may not contain provisions restricting the rights and freedoms of the personal data subject, establishing cases of processing the personal data of minors, unless otherwise provided by the legislation of the Russian Federation, as well as provisions allowing inaction of the personal data subject as a condition for concluding an agreement;
– the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
– the processing of personal data is carried out for medical and preventive purposes, for the purpose of establishing a medical diagnosis, providing medical and medical-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged, in accordance with the legislation of the Russian Federation, to maintain medical confidentiality;
– the processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions under state pension provision, on labor pensions;
– the processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, with insurance legislation.
7.2.2.2. In accordance with the requirements of the Labor Code of the Russian Federation of December 30, 2001, No. 197-FZ, the processing of personal data of employees of the Budgetary Institution is carried out without their consent in order to ensure compliance with laws and other regulatory legal acts, assist employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property.
7.2.3. Disclosure and dissemination to third parties of personal data, as well as information about the fact of a citizen’s request for medical assistance, his health status and diagnosis, and other information obtained during his medical examination and treatment, is carried out with the consent of the subject of personal data, unless otherwise provided by federal legislation of the Russian Federation.
7.2.4. The processing of personal data of students, postgraduate students, and residents is carried out with the consent of the subject of personal data to the processing of his or her personal data, unless otherwise provided by the federal legislation of the Russian Federation.
7.3. Conditions for processing special categories of personal data
7.3.1. The Budgetary Institution does not process special categories of personal data of subjects regarding their race, nationality, political views, religious or philosophical beliefs, or intimate life. The Budgetary Institution does not process personal data of employees regarding their membership in associations or their trade union activities, except in cases stipulated by the Labor Code of the Russian Federation or other federal laws.
7.3.2. The processing of a special category of personal data on the health status of subjects is carried out in the Budgetary Institution with the written consent of the subjects or without their consent in cases stipulated by the legislation of the Russian Federation.
7.3.3. The processing of special categories of personal data shall be immediately terminated if the reasons for which the processing was carried out have been eliminated, unless otherwise provided by the legislation of the Russian Federation.
7.4. The Budgetary Institution does not use databases located outside the borders of the Russian Federation for processing personal data.
7.5. Conditions for processing biometric personal data
7.5.1. Personal data obtained as a result of the mathematical transformation of biometric personal data of an individual, on the basis of which it is possible to create a vector and establish his identity, are not processed by the Budgetary Institution.
7.5.2. The processing of biometric personal data may be carried out only with the written consent of the personal data subject, except in cases related to the implementation of international treaties of the Russian Federation on readmission, in connection with the administration of justice and the execution of judicial acts, in connection with mandatory state fingerprinting, as well as in cases stipulated by the legislation of the Russian Federation on defense, security, counter-terrorism, transport security, counter-corruption, operational-investigative activities, civil service, criminal-executive legislation of the Russian Federation, the legislation of the Russian Federation on the procedure for leaving the Russian Federation and entering the Russian Federation, on citizenship of the Russian Federation.
7.6. Instruction for processing personal data
7.6.1. The Budgetary Institution may, on the basis of a concluded agreement, entrust the processing of personal data to another legal entity or individual entrepreneur with the consent of the personal data subjects. The legal entity or individual entrepreneur processing personal data on behalf of the Budgetary Institution is obligated to comply with the principles and rules for processing personal data stipulated by Russian legislation in the field of personal data and to ensure the confidentiality and security of personal data during its processing.
7.6.2. The person processing personal data on behalf of the Budgetary Institution shall comply with the principles and rules for processing personal data stipulated by this Policy, shall maintain the confidentiality of personal data, and shall take the necessary measures aimed at ensuring the fulfillment of obligations stipulated by the Federal Law “On Personal Data”. The Budgetary Institution’s instruction defines the list of personal data, the list of actions (operations) with personal data that will be performed by the person processing the personal data, the methods and purposes of their processing, establishes the obligation of such person to maintain the confidentiality of personal data, the requirements provided for in Part 5 of Article 18 and Article 18.1 of the Law on Personal Data, the obligation, at the request of the Budgetary Institution, during the term of the Budgetary Institution’s instruction, including before the processing of personal data, to provide documents and other information confirming the adoption of measures and compliance with the requirements established in accordance with Part 3 of Article 6 of the Law on Personal Data for the purpose of executing the Budgetary Institution’s instruction, to ensure the security of personal data during their processing, and also specifies the requirements for the protection of the personal data being processed, including the requirement to notify the Budgetary Institution of the cases provided for in Part 3.1 of Article 21 of the Law on Personal Data.
7.6.3. When entrusting the processing of personal data to another person, the Budgetary Institution shall be responsible to the personal data subject for the actions of said person. The person processing personal data on behalf of the Budgetary Institution shall be responsible to the Budgetary Institution.
7.6.4. If the Budgetary Institution entrusts the processing of personal data to a foreign individual or a foreign legal entity, the Budgetary Institution and the person processing the personal data on behalf of the Budgetary Institution shall be liable to the subject of the personal data for the actions of the said persons.
7.7. Confidentiality of personal data
7.7.1. Employees of the Budgetary Institution who have received access to personal data, as well as information about the fact of a citizen’s request for medical assistance, his health status and diagnosis, and other information obtained during his medical examination and treatment, shall not disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law of the Russian Federation.
7.8. Transfer of personal data
7.8.1. The transfer of personal data of employees of the Budgetary Institution without their consent is carried out in the following cases:
– in accordance with the requirements of the Labor Code of the Russian Federation of December 30, 2001 No. 197-FZ in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in other cases provided for by this Code or other federal laws;
– in accordance with the requirements of the Tax Code of the Russian Federation of August 5, 2000 No. 117-FZ, information on the income of individuals for the past tax period and the amounts accrued, withheld and transferred to the budget system of the Russian Federation for this tax period is submitted to the tax authority at the place of their registration;
– in accordance with the requirements of paragraph 15, part 2, article 22 of the Labor Code of the Russian Federation, clause 2, article 12 of the Federal Law of 16.07.1999 No. 165-FZ “On the Fundamentals of Compulsory Social Insurance”, part 2, article 15 of the Federal Law of 01.04.1996 No. 27-FZ “On Individual (Personalized) Accounting in the Systems of Compulsory Pension Insurance and Compulsory Social Insurance”, clause 2, article 14 of the Federal Law of 15.12.2001 No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation”, information is provided to the Social Fund of Russia in the amount stipulated by law;
– at the request of trade unions for the purpose of monitoring compliance with labor legislation by the employer;
– upon a reasoned request from the prosecutor’s office;
– in accordance with paragraph 5 of Article 19 and paragraph 1 of Article 21 of the Federal Law of November 21, 2011, No. 323-FZ “On the Fundamentals of Health Protection of Citizens in the Russian Federation”, in order to provide information to patients, a Budgetary Institution may create publicly available sources of personal data on medical specialists (notice board, information on the website, etc.). Publicly available sources of personal data may include the last name, first name, patronymic, structural unit, position, information on the medical specialist’s qualifications, and length of service without the consent of the personal data subject.
– to military commissariats;
– at the reasoned request of law enforcement agencies and security agencies;
– at the request of state labor inspectors when they carry out supervisory and control activities;
– at the request of the court;
– to Roskomnadzor and its territorial bodies (Part 4 of Article 20 of the Law on Personal Data);
– to the authorities and organizations that must be notified of a serious accident, including a fatal one. The list of authorities to be notified and the deadlines for sending notifications of an accident are established by Article 228.1 of the Labor Code of the Russian Federation;
– in cases related to the employee’s performance of job duties (for example, when sent on a business trip);
– to provide information to a credit institution servicing employees’ payment cards, if the relevant form and system of remuneration is specified in a collective agreement or other local regulatory act of the employer.
7.8.2. The transfer of personal data of personal data subjects undergoing medical examinations, medical research and treatment to third parties without the consent of the personal data subject is carried out in the following cases:
7.8.2.1. In accordance with the requirements of the Federal Law of November 29, 2010 No. 326 “On Compulsory Medical Insurance in the Russian Federation” and the agreements concluded by entities (employers) with insurance companies, for the purpose of maintaining personalized records of information on medical care provided to insured persons, information about the subject of personal data is transferred to territorial funds of compulsory medical insurance, voluntary medical insurance, and non-governmental insurance companies.
7.8.2.2. In accordance with the requirements of the Federal Law of November 21, 2011 No. 323-FZ “On the Fundamentals of Health Protection of Citizens in the Russian Federation”:
– for the purpose of conducting a medical examination and treatment of a citizen who, as a result of his condition, is unable to express his will;
– in case of threat of spread of infectious diseases, mass poisoning and injuries;
– at the request of the bodies of inquiry and investigation, the court in connection with the investigation or trial, at the request of the prosecutor’s office in connection with the exercise of prosecutorial supervision, at the request of the body of the penal system in connection with the execution of a criminal sentence and the exercise of control over the behavior of a conditionally sentenced person, a convicted person in respect of whom the serving of the sentence has been deferred, and a person released on parole;
– in the case of providing medical assistance to a minor, to inform one of his parents or other legal representative;
– for the purpose of informing the internal affairs agencies about the admission of a patient in respect of whom there are sufficient grounds to believe that harm to his health was caused as a result of illegal actions;
– for the purpose of conducting military medical examinations at the request of military commissariats, personnel services and military medical (medical-flight) commissions of federal executive bodies in which military and equivalent service is provided for by federal law;
– for the purpose of investigating an industrial accident and occupational disease, as well as an accident involving a student during their stay in an organization carrying out educational activities;
– when exchanging information between medical organizations, including information posted in medical information systems, for the purpose of providing medical care, taking into account the requirements of the legislation of the Russian Federation on personal data;
– for the purpose of accounting and control in the compulsory social insurance system;
– for the purpose of monitoring the quality and safety of medical activities in accordance with this Federal Law (to the Regional Directorate of Medical Support, to the Regional Medical Expert Commission, to the Central Medical Expert Commission);
– for the purpose of submitting reports in the types, forms, timeframes and volumes established by the authorized federal executive body.
7.9. Publicly available sources of personal data.
7.9.1. The Budgetary Institution does not create publicly available sources of personal data.
7.10. Consent of the personal data subject to the processing of his personal data.
7.10.1. If it is necessary to ensure the conditions for processing the personal data of the subject, the consent of the subject of personal data to the processing of his personal data may be provided.
7.10.2. The personal data subject makes the decision to provide their personal data and consents to its processing voluntarily, of their own free will, and in their own interests. Consent to the processing of personal data must be specific, objective, informed, conscious, and unambiguous.
7.10.3. Consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows for confirmation of its receipt, unless otherwise provided by federal law. If consent to the processing of personal data is received from a representative of the personal data subject, the authority of such representative to grant consent on behalf of the personal data subject shall be verified by the Budgetary Institution.
7.10.4. Consent to the processing of personal data may be revoked by the personal data subject. If the personal data subject revokes consent to the processing of personal data, the Budgetary Institution has the right to continue processing the personal data without the consent of the personal data subject if there are grounds specified in paragraphs 2–11 of Part 1 of Article 6, paragraphs 2–10 of Part 2 of Article 10, and Part 2 of Article 11 of the Personal Data Law.
7.10.5. The obligation to provide proof of obtaining the consent of the personal data subject to the processing of his personal data or proof of the existence of the grounds specified in paragraphs 2–11 of Part 1 of Article 6, paragraphs 2–10 of Part 2 of Article 10 and Part 2 of Article 11 of the Law on Personal Data, shall be assigned to the Budgetary Institution.
7.10.6. In cases stipulated by the Personal Data Law, personal data may only be processed with the written consent of the personal data subject. Consent in the form of an electronic document signed with an electronic signature in accordance with federal law is considered equivalent to written consent on paper containing the personal data subject’s handwritten signature. Written consent from the personal data subject to the processing of their personal data must include, in particular:
– the last name, first name, patronymic, address of the subject of personal data, the number of the main document certifying his identity, information about the date of issue of the said document and the authority that issued it;
– the last name, first name, patronymic, address of the representative of the personal data subject, the number of the main document certifying his identity, information about the date of issue of the said document and the body that issued it, details of the power of attorney or other document confirming the authority of this representative (upon receipt of consent from the representative of the personal data subject);
– name or surname, first name, patronymic and address of the Budgetary Institution;
– the purpose of processing personal data;
– a list of personal data for the processing of which the subject of personal data consents;
– the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Budgetary Institution, if the processing is entrusted to such person;
– a list of actions with personal data for which consent is given, a general description of the methods of processing personal data used by the Budgetary Institution;
– the period during which the consent of the personal data subject is valid, as well as the method of its revocation, unless otherwise established by federal law;
– signature of the personal data subject.
7.10.7. In the event of incapacity of the personal data subject, consent to the processing of his personal data is given by the legal representative of the personal data subject.
7.10.8. In the event of the death of the personal data subject, consent to the processing of his personal data is given by the heirs of the personal data subject, unless such consent was given by the personal data subject during his lifetime.
7.10.9. Personal data may be received by a Budgetary Institution from a person who is not the subject of the personal data, provided that the Budgetary Institution is provided with confirmation of the existence of the grounds specified in paragraphs 2–11 of Part 1 of Article 6, paragraphs 2–10 of Part 2 of Article 10 and Part 2 of Article 11 of the Law on Personal Data.
7.11. Cross-border transfer of personal data
7.11.1. The Budgetary Institution does not carry out cross-border transfer of personal data.
7.12. Features of processing personal data permitted for distribution by the subject of personal data.
7.12.1. The processing of personal data permitted for distribution by the subject of personal data is carried out on the basis of the relevant consent of the subject of personal data.
7.12.2. Consent to the processing of personal data, permitted by the subject of personal data for distribution, is drawn up separately from other consents of the subject of personal data to the processing of his personal data.
7.12.3. The consent contains a list of personal data for each category of personal data specified in the consent to the processing of personal data, permitted for distribution by the subject of the personal data.
7.12.4. Consent to the processing of personal data, permitted by the subject of personal data for distribution, is provided directly to the Budgetary Institution.
7.12.5. Silence or inaction of the personal data subject shall not be considered consent to the processing of personal data permitted by the personal data subject for distribution.
7.12.6. In consenting to the processing of personal data permitted for dissemination by the personal data subject, the personal data subject has the right to establish prohibitions on the transfer (except for granting access) of such personal data by the Budgetary Institution to an unlimited number of persons, as well as prohibitions on the processing or conditions of processing (except for obtaining access) of such personal data by an unlimited number of persons. The Budgetary Institution may not refuse the personal data subject the prohibitions and conditions stipulated by Article 10.1 of the Law on Personal Data.
7.12.7. Prohibitions established by the personal data subject on the transfer (except for providing access), as well as on the processing or conditions of processing (except for obtaining access) of personal data permitted for distribution by the personal data subject, do not apply to cases of processing personal data in the state and other public interests determined by the legislation of the Russian Federation.
7.12.8. The transfer (dissemination, provision, access) of personal data authorized for dissemination by the personal data subject must be terminated at any time upon the personal data subject’s request. This request must include the last name, first name, patronymic (if any), contact information (phone number, email address, or postal address) of the personal data subject, as well as a list of personal data whose processing is subject to termination. The personal data specified in this request may only be processed by the Budgetary Institution.
7.12.9. The consent of the personal data subject to the processing of personal data, permitted by the personal data subject for distribution, shall terminate upon receipt by the Budgetary Institution of the relevant request.
7.12.10. The requirements specified above shall not apply in the case of processing personal data for the purpose of fulfilling the functions, powers, and duties imposed by the legislation of the Russian Federation on state bodies, municipal bodies, as well as on organizations subordinate to these bodies.
7.12.11. Publication of information about medical activities and medical workers.
7.12.11.1. In accordance with paragraph 7 of part 1 of article 79 of the Federal Law of 21.11.2011 No. 323-FZ “On the Fundamentals of Health Protection of Citizens in the Russian Federation”, the Budgetary Institution is obliged to inform citizens in an accessible form, including using the Internet, about the medical activities carried out and about the medical workers of medical organizations, about their level of education and their qualifications, and also to provide other information necessary for an independent assessment of the quality of services provided by medical organizations.
7.12.11.2. In derogation of this legal provision, Order No. 956n of the Russian Ministry of Health dated 30.12.2014 approved requirements for the content and format of information on the activities of medical organizations posted on the official websites of the Russian Ministry of Health, state authorities of constituent entities of the Russian Federation, local governments, and medical organizations on the Internet. The processing of personal data of individuals not covered by this legal act, as well as the processing of categories of personal data in excess of the volume specified in the order, is permitted only with the consent of the personal data subject.
The volume of personal data determined by the order of the Ministry of Health of Russia dated 30.12.2014 No. 956n:
• last name, first name, patronymic (if any) of the medical worker, position held;
• information from the educational document (level of education, organization that issued the educational document, year of issue, specialty, qualification);
• information from the specialist certificate (specialty corresponding to the position held, validity period);
• work schedule and reception hours of the medical worker.
7.13. Processing of personal data carried out without the use of automation tools
7.13.1. General Provisions.
7.13.1.1. The processing of personal data contained in a personal data information system or extracted from such a system is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as the use, clarification, distribution, and destruction of personal data in relation to each of the personal data subjects are carried out with the direct participation of a person.
7.13.2. Features of the organization of personal data processing carried out without the use of automation tools.
7.13.2.1. Personal data, when processed without the use of automation tools, are separated from other information, in particular by recording them on separate tangible personal data media (hereinafter referred to as tangible media), in special sections or in the fields of forms (blanks).
7.13.2.2. When recording personal data on tangible media, it is prohibited to record on the same tangible medium personal data whose processing purposes are clearly incompatible. For processing different categories of personal data without the use of automation, a separate tangible medium is used for each category of personal data.
7.13.2.3. Persons processing personal data without the use of automation tools (including employees of the Budgetary Institution or persons carrying out such processing under an agreement with the Budgetary Institution) are informed of the fact that they are processing personal data, the processing of which is carried out by the Budgetary Institution without the use of automation tools, the categories of personal data being processed, as well as the features and rules for carrying out such processing established by regulatory legal acts of federal executive bodies, executive bodies of constituent entities of the Russian Federation, as well as local legal acts of the Budgetary Institution.
7.13.2.4. When using standard forms of documents, the nature of the information in which presupposes or allows the inclusion of personal data (hereinafter referred to as the standard form), the following conditions are observed:
– a standard form or documents related to it (instructions for filling it out, cards, registers and journals) contain information on the purpose of processing personal data carried out without the use of automation tools, the name (title) and address of the Budgetary Institution, the last name, first name, patronymic and address of the subject of personal data, the source of obtaining personal data, the terms of processing personal data, a list of actions with personal data that will be performed in the process of their processing, a general description of the methods of processing personal data used by the Budgetary Institution;
– the standard form provides a field in which the subject of personal data can indicate his consent to the processing of personal data carried out without the use of automation tools, if it is necessary to obtain written consent to the processing of personal data;
– the standard form is drawn up in such a way that each of the subjects of personal data contained in the document has the opportunity to become familiar with their personal data contained in the document without violating the rights and legitimate interests of other subjects of personal data;
– the standard form excludes the combination of fields intended for entering personal data, the purposes of processing of which are obviously incompatible.
7.13.2.5. In the event of incompatibility of the purposes of processing personal data recorded on one tangible medium, if the tangible medium does not allow for the processing of personal data separately from other personal data recorded on the same medium, measures shall be taken to ensure separate processing of personal data, in particular:
– if it is necessary to use or distribute certain personal data separately from other personal data located on the same tangible medium, the personal data subject to distribution or use is copied in a manner that excludes the simultaneous copying of personal data not subject to distribution and use, and a copy of the personal data is used (distributed);
– if it is necessary to destroy or block part of the personal data, the physical medium is destroyed or blocked with preliminary copying of the information that is not subject to destruction or blocking, in a manner that excludes the simultaneous copying of the personal data subject to destruction or blocking.
7.13.2.6. Destruction of some personal data, if permitted by the tangible medium, may be accomplished in a manner that precludes further processing of this personal data while preserving the ability to process other data recorded on the tangible medium (deletion, erasure). These rules also apply if it is necessary to ensure separate processing of personal data recorded on the same tangible medium and information that is not considered personal data.
7.13.2.7. Personal data shall be updated during processing without the use of automated means by updating or changing the data on a tangible medium, and if this is not permitted by the technical features of the tangible medium, by recording on the same tangible medium information about the changes made to them or by producing a new tangible medium with the updated personal data.
7.13.2.8. Measures to ensure the security of personal data during their processing carried out without the use of automation tools
7.13.2.8.1. The processing of personal data carried out without the use of automation tools is carried out in such a way that, for each category of personal data, it is possible to determine the storage locations of personal data (material media) and establish a list of persons processing personal data or having access to them.
7.13.2.8.2. Separate storage of personal data (material media) processed for various purposes is ensured.
7.13.2.8.3. When storing tangible media, conditions must be observed that ensure the security of personal data and prevent unauthorized access. The list of measures necessary to ensure such conditions, the procedure for their adoption, and the list of persons responsible for implementing these measures are established by the Budgetary Institution.
7.14. Cookie processing.
7.14.1. The processing of cookies by the Budgetary Institution is carried out in a generalized form and is never associated with the personal information of Users.
7.14.2. The Budgetary Institution’s website utilizes web analytics tools that may utilize cookie technologies (listed in Table 1). Web analytics tools are used to analyze the use of the Budgetary Institution’s website and improve its performance.
Website address | Web analytics tools
https://gkb-buyanova.ru/ | Yandex.Metrica
Table 1. Web analytics tools
7.14.3. Using the functionality of metric systems, such as Yandex.Metrica (https://yandex.ru/legal/confidential, YANDEX LLC, 119021, Russia, Moscow, L. Tolstoy St., 16), allows us to identify unique website visitors and generate information about their preferences and behavior on the website.
7.14.4. When using the website, the following personal data is processed:
– Full name;
– Phone number;
– Email address;
– Postal address;
– Information collected through metric programs.
7.14.5. Actions that may be performed in relation to personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), use, transfer, blocking, deletion, destruction of personal data using databases located on the territory of the Russian Federation.
7.14.6. The Budgetary Institution processes the User’s personal data only if it is completed and/or submitted by the User independently through special forms located on the Budgetary Institution’s Website.
7.14.7. By visiting the website https://gkb-buyanova.ru/, the User consents to the processing of cookies and metric data under the terms set forth in this Policy by clicking the “Accept” button in the information window during their initial visit to https://gkb-buyanova.ru/. This consent is valid from the moment it is provided and continues throughout the User’s use of the website.
7.14.8. Users of the Budgetary Institution’s website have the right to prohibit their equipment from receiving this data or limit its reception by selecting the appropriate settings in their browser. If you refuse to receive this data or limit its reception, some features of the https://gkb-buyanova.ru/ website may not function properly.
7.14.9. By filling out the relevant forms and/or sending your personal data to the Budgetary Institution, consent to the processing of personal data is considered to be provided by the User through the performance of implicit actions, namely, by placing a special sign – a “web tag” in a special field when filling out a form on the Website next to the text “I consent to the processing of personal data”, provided that the User is given the opportunity to familiarize himself with the full text of this Policy at each point of collection of personal data.
7.14.1. The use of Google Analytics and other analytics systems of foreign countries is prohibited on the Budgetary Institution’s website.
7.14.2. About cookie technology.
7.14.2.1. A cookie is a fragment of data sent by the Budgetary Institution’s server and stored on the User’s device. The contents of such a file may or may not constitute personal data, depending on whether the file contains personal data or anonymized technical data. The User has the right to prohibit their equipment from receiving this data or to limit its reception. If they refuse to receive such data or limit their reception, some functions of the Website may not function properly. The User undertakes to configure their equipment to ensure the operating mode and level of cookie data protection appropriate to their preferences, and the Budgetary Institution does not provide technological or legal advice on such matters.
7.14.2.2. The Budgetary Institution may use the following types of cookies for the following purposes:
• technical cookies: these files are necessary for the normal operation of the Site and the provision of its functions; among other things, they allow the identification of hardware and software, including the browser type, so that the Site works correctly on the equipment of a specific User.
• cookies for storing settings and preferences: these cookies allow you to save the User’s preferences, such as the selected language, location, and settings for the appearance of the Site.
• statistical/analytical cookies: these cookies allow us to recognize users, count their number and collect information such as transactions performed on the Site, including information about the pages of the Site visited and the content that is most interesting to the User. Such cookies are used by the Operator to collect, analyze and organize statistics and analytics of the Site and improve the Site;
• behavioral cookies: these cookies collect information about how Users interact with the Site, which allows us to identify errors and test new features to improve the performance of the Site;
• form cookies: when you submit data through a contact form, cookies may be used to remember the User for future correspondence.
The use of cookies is regulated as follows:
• cookies, the content of which is determined and processed exclusively by the Operator, are processed in accordance with the terms of this Policy;
• cookies, the content of which is determined and processed by a third party – for example, a provider of third-party software or a service used by the Operator – are processed in accordance with the terms of this Policy, as well as in accordance with the terms of the privacy documents of such third party, which contain, among other things, the name of that party, the procedure and conditions for working with cookies and contact information for inquiries from personal data subjects.
7.14.3. The location of the sites is given in Table 2.
Website address | Name and address of the organization that owns the hosting
https://gkb-buyanova.ru/ | Joint-Stock Company “Regional Network Information Center” (125315, Moscow, inner-city municipal district Aeroport, Leningradsky Ave., 72, bldg. 3)
Table 2
8. Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data, rights of the subject of personal data, responsibilities of the operator.
8.1. The right of the personal data subject to access his personal data.
8.1.1. The subject of personal data has the right to receive information (hereinafter referred to as the information requested by the subject) concerning the processing of his personal data, including:
– confirmation of the fact of processing of personal data by the Budgetary Institution;
– legal grounds and purposes of processing personal data;
– the purposes and methods of processing personal data used by the Budgetary Institution;
– the name and location of the Budgetary Institution, information about persons (except for employees of the Budgetary Institution) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Budgetary Institution or on the basis of federal law;
– processed personal data related to the relevant subject of personal data, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
– the terms of processing personal data, including the terms of their storage;
– the procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law “On Personal Data”;
– information on completed or intended cross-border data transfer;
– the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Budgetary Institution, if the processing is or will be entrusted to such person;
– information on the methods of fulfilling the Budgetary Institution’s obligations established by Article 18.1 of the Law on Personal Data;
– other information provided for by the Federal Law “On Personal Data” or other federal laws.
8.1.2. The personal data subject has the right to receive the information requested by the subject, with the exception of the following cases:
– the processing of personal data, including personal data obtained as a result of operational-search, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and the protection of law and order;
– the processing of personal data is carried out by the authorities that have detained the subject of personal data on suspicion of committing a crime, or brought charges against the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data before charges are brought, with the exception of cases provided for by the criminal procedure legislation of the Russian Federation, if the suspect or accused is allowed to become familiar with such personal data;
– the processing of personal data is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
– access of the personal data subject to his personal data violates the rights and legitimate interests of third parties;
– the processing of personal data is carried out in cases stipulated by the legislation of the Russian Federation on transport security, in order to ensure the stable and safe functioning of the transport complex, to protect the interests of the individual, the Budgetary Institution and the state in the sphere of the transport complex from acts of illegal interference.
8.1.3. The subject of personal data has the right to demand from the Budgetary Institution clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, and also to take measures provided by law to protect his rights.
8.1.4. The information requested by the subject must be provided to the subject of personal data by the Budgetary Institution in an accessible form, and it must not contain personal data related to other subjects of personal data, except in cases where there are legal grounds for disclosure of such personal data.
8.1.5. The requested information shall be provided to the personal data subject or their representative by the Budgetary Institution within ten business days of the request or receipt by the Budgetary Institution of the personal data subject’s or their representative’s request. This period may be extended, but not more than by five business days, if the Budgetary Institution sends the personal data subject a reasoned notice stating the reasons for extending the deadline for providing the requested information.
8.1.6. The request must contain the number of the main document certifying the identity of the personal data subject or his representative, information on the date of issue of the said document and the issuing authority, information confirming the participation of the personal data subject in relations with the Budgetary Institution (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Budgetary Institution, the signature of the personal data subject or his representative (hereinafter referred to as the information required for the request).
8.1.7. A request may be submitted in the form of an electronic document and signed with an electronic signature in accordance with Russian Federation law. The Budgetary Institution will provide the requested information to the personal data subject or their representative in the form in which the relevant request or inquiry was submitted, unless otherwise specified in the request or inquiry.
8.1.8. If the information requested by the subject, as well as the personal data being processed, were provided for review to the personal data subject at his request, the personal data subject has the right to re-apply to the Budgetary Institution or send a repeat request in order to receive the information requested by the subject and review such personal data no earlier than thirty days (hereinafter referred to as the standard request period) after the initial request or sending of the initial request, unless a shorter period is established by federal law, a regulatory legal act adopted in accordance with it, or an agreement to which the personal data subject is a party, a beneficiary, or a guarantor.
8.1.9. The personal data subject has the right to reapply to the Budgetary Institution or submit a follow-up request in order to obtain the information requested by the subject, as well as to review the personal data being processed, before the expiration of the standard request period, if such information and/or the personal data being processed were not provided to them for review in full following the review of the initial request. The follow-up request, along with the information required for the request, must include a justification for the follow-up request.
8.1.10. The Budgetary Institution has the right to refuse to fulfill a personal data subject’s repeated request that does not meet the conditions for a repeated request. Such refusal must be reasoned. The Budgetary Institution is responsible for providing evidence justifying the refusal to fulfill the repeated request.
8.1.11. Rights of personal data subjects when processing their personal data for the purpose of promoting goods, works, and services on the market, as well as for the purposes of political campaigning
8.1.11.1. The Budgetary Institution does not process personal data for the purpose of promoting goods, works, and services on the market by means of direct contact with potential consumers via communication tools, or for the purpose of political campaigning.
8.1.12. Rights of personal data subjects when making decisions based solely on automated processing of their personal data.
8.1.12.1. The Budgetary Institution shall not make decisions based solely on automated processing of personal data that generate legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.
8.1.13. The right to appeal the actions or inaction of the Budgetary Institution.
8.1.13.1. If the personal data subject believes that the Budgetary Institution processes his/her personal data in violation of the requirements of the Law on Personal Data or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal the actions or inaction of the Budgetary Institution to the authorized body for the protection of the rights of personal data subjects or in court.
8.1.14. The personal data subject has the right to protect his or her rights and legitimate interests, including compensation for damages and/or moral harm, in court.
8.2. Responsibilities of the Budgetary Institution
8.2.1. Responsibilities of the Budgetary Institution when collecting personal data.
8.2.1.1. When collecting personal data, the Budgetary Institution shall provide the personal data subject, at his request, with the requested information regarding the processing of his personal data in accordance with Part 7 of Article 14 of the Law on Personal Data.
8.2.1.2. If, in accordance with federal law, the provision of personal data and (or) the receipt by the Budgetary Institution of consent to the processing of personal data are mandatory, the Budgetary Institution shall explain to the subject of personal data the legal consequences of refusing to provide his personal data and (or) to give consent to their processing.
8.2.1.3. If personal data are not received from the personal data subject, the Budgetary Institution shall, prior to commencing processing of such personal data, provide the personal data subject with the following information (hereinafter referred to as information communicated upon receipt of personal data not from the personal data subject):
– the name or surname, first name, patronymic and address of the Budgetary Institution or representative of the Budgetary Institution;
– the purpose of processing personal data and its legal basis;
– list of personal data;
– intended users of personal data;
– the rights of the subject of personal data established by the Federal Law “On Personal Data”;
– source of personal data.
8.2.1.4. The Budgetary Institution shall not provide the subject with information communicated upon receipt of personal data not from the subject of the personal data in cases where:
– the subject of personal data is notified of the processing of his personal data by the Budgetary Institution;
– personal data were received by the Budgetary Institution on the basis of a federal law or in connection with the execution of an agreement to which the subject of personal data is a party, beneficiary or guarantor;
– the processing of personal data permitted by the subject of personal data for distribution is carried out in compliance with the prohibitions and conditions provided for in Article 10.1 of the Law on Personal Data;
– the Budgetary Institution processes personal data for statistical or other research purposes, for the implementation of professional activities of a journalist or scientific, literary or other creative activities, if this does not violate the rights and legitimate interests of the subject of personal data;
– provision to the subject of personal data of information communicated upon receipt of personal data not from the subject of personal data violates the rights and legitimate interests of third parties.
8.2.2. Measures aimed at ensuring the fulfillment of the Budgetary Institution’s duties.
8.2.2.1. The Budgetary Institution shall take measures necessary and sufficient to ensure the fulfillment of its obligations. The Budgetary Institution shall independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of its obligations, unless otherwise provided by federal laws. Such measures shall include, in particular:
8.2.2.2. Appointment of a person responsible for organizing the processing of personal data;
8.2.2.3. Publication of the Policy, local regulations on personal data processing, as well as local regulations establishing procedures aimed at preventing and identifying violations of Russian Federation legislation and eliminating the consequences of such violations. Such documents and local regulations may not contain provisions limiting the rights of personal data subjects or imposing powers and obligations on the Budgetary Institution not provided for by Russian Federation legislation;
8.2.2.4. Application of legal, organizational and technical measures to ensure the security of personal data;
8.2.2.5. Implementation of internal control and (or) audit of compliance of personal data processing with the requirements for the protection of personal data, the Policy, and local acts of the Budgetary Institution;
8.2.2.6. Assessment of the harm that may be caused to personal data subjects in the event of a violation of the Law on Personal Data, the relationship between the said harm and the measures taken by the Budgetary Institution aimed at ensuring the fulfillment of the obligations stipulated by the Federal Law “On Personal Data”;
8.2.2.7. Familiarization of employees of the Budgetary Institution directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents, the Policy, local acts on issues of processing personal data, and (or) training of these employees.
8.2.3. Measures to ensure the security of personal data during their processing.
8.2.3.1. When processing personal data, the Budgetary Institution shall take the necessary legal, organizational, and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
8.2.3.2. Ensuring the security of personal data is achieved, in particular:
– identification of threats to the security of personal data when processing them in personal data information systems;
– the application of organizational and technical measures to ensure the security of personal data when processed in personal data information systems, necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of protection of personal data established by the Government of the Russian Federation;
– the use of information security tools that have passed the conformity assessment procedure in the established manner;
– assessment of the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;
– keeping records of machine-readable media containing personal data;
– detection of facts of unauthorized access to personal data and taking measures;
– restoration of personal data modified or destroyed due to unauthorized access to them;
– establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;
– control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems.
8.2.3.3. The use and storage of biometric personal data outside of personal data information systems may only be carried out on such tangible information carriers and using such storage technology that ensure the protection of these data from unauthorized or accidental access to them, their destruction, modification, blocking, copying, provision, and distribution.
8.2.3.4. Obligations of the Budgetary Institution when a personal data subject applies to it or when receiving a request from a personal data subject or his representative, as well as the authorized body for the protection of the rights of personal data subjects.
8.2.3.4.1. The Budgetary Institution shall, in accordance with the established procedure, notify the personal data subject or their representative of the availability of personal data relating to the relevant personal data subject, and shall also provide access to this personal data upon request by the personal data subject or their representative, or within ten business days from the date of receipt of the request from the personal data subject or their representative. This period may be extended, but by no more than five business days, if the Budgetary Institution sends a reasoned notice to the personal data subject stating the reasons for extending the period for providing the requested information.
8.2.3.4.2. In the event of a refusal to provide information on the availability of personal data about the relevant personal data subject or personal data to the personal data subject or their representative upon their request or upon receipt of a request from the personal data subject or their representative, the Budgetary Institution shall provide a reasoned written response within a period not exceeding ten business days from the date of the request from the personal data subject or their representative or from the date of receipt of the request from the personal data subject or their representative. This period may be extended, but by no more than five business days, if the Budgetary Institution sends a reasoned notice to the personal data subject stating the reasons for extending the period for providing the requested information.
8.2.3.4.3. The Budgetary Institution shall provide the personal data subject or their representative with the opportunity to access personal data relating to this personal data subject free of charge. Within a period not exceeding seven business days from the date the personal data subject or their representative provides information confirming that the personal data are incomplete, inaccurate, or outdated, the Budgetary Institution shall make the necessary changes to them. Within a period not exceeding seven business days from the date the personal data subject or their representative provides information confirming that such personal data were illegally obtained or are not necessary for the stated purpose of processing, the Budgetary Institution shall destroy such personal data. The Budgetary Institution shall notify the personal data subject or their representative of the changes made and the measures taken and shall take reasonable measures to notify third parties to whom the personal data of this subject was transferred.
8.2.3.4.4. The Budgetary Institution shall notify the authorized body for the protection of the rights of personal data subjects, at the request of such body, of the required information within ten business days of the date of receipt of such request. This period may be extended, but not more than by five business days, if the Budgetary Institution sends a reasoned notice to the authorized body for the protection of the rights of personal data subjects, stating the reasons for the extension of the deadline for providing the requested information.
8.2.3.5. Obligations of the Budgetary Institution to eliminate violations of the law committed during the processing of personal data, to clarify, block and destroy personal data.
8.2.3.5.1. In the event that unlawful processing of personal data is detected upon an application by a personal data subject or his/her representative, or at the request of a personal data subject or his/her representative, or an authorized body for the protection of the rights of personal data subjects, the Budgetary Institution shall block the unlawfully processed personal data relating to this personal data subject or ensure their blocking (if the personal data are processed by another person acting on behalf of the Budgetary Institution) from the moment of such application or receipt of the said request for the verification period. In the event that inaccurate personal data is detected upon an application by a personal data subject or his/her representative, or at their request, or at the request of an authorized body for the protection of the rights of personal data subjects, the Budgetary Institution shall block the personal data relating to this personal data subject or ensure their blocking (if the personal data are processed by another person acting on behalf of the Budgetary Institution) from the moment of such application or receipt of the said request for the verification period, provided that blocking the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
8.2.3.5.2. In the event that the fact of inaccuracy of personal data is confirmed, the Budgetary Institution, on the basis of information provided by the personal data subject or his representative or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, clarifies the personal data or ensures their clarification (if the processing of personal data is carried out by another person acting on behalf of the Budgetary Institution) within seven working days from the date of submission of such information and removes the blocking of the personal data.
8.2.3.5.3. In the event of detection of unlawful processing of personal data carried out by the Budgetary Institution or a person acting on behalf of the Budgetary Institution, the Budgetary Institution shall, within a period not exceeding three business days from the date of such detection, cease the unlawful processing of personal data or ensure the cessation of the unlawful processing of personal data by the person acting on behalf of the Budgetary Institution. If it is impossible to ensure the lawfulness of the processing of personal data, the Budgetary Institution shall, within a period not exceeding ten business days from the date of detection of the unlawful processing of personal data, destroy such personal data or ensure their destruction. The Budgetary Institution shall notify the subject of the personal data or their representative of the rectification of the violations committed or of the destruction of personal data, and, if the appeal of the subject of the personal data or their representative or the request of the authorized body for the protection of the rights of subjects of personal data was sent by the authorized body for the protection of the rights of subjects of personal data, shall also notify the said body.
8.2.3.5.4. In the event of establishing the fact of unlawful or accidental transfer (provision, distribution, access) of personal data, resulting in the violation of the rights of personal data subjects, the Budgetary Institution shall, from the moment such incident is detected by the Budgetary Institution, the authorized body for the protection of the rights of personal data subjects, or another interested party, notify the authorized body for the protection of the rights of personal data subjects:
– within twenty-four hours about the incident that occurred, about the alleged reasons that led to the violation of the rights of personal data subjects, and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the relevant incident, as well as about the person authorized by the Budgetary Institution to interact with the authorized body for the protection of the rights of personal data subjects on issues related to the identified incident;
– within seventy-two hours, about the results of the internal investigation of the identified incident, as well as about the persons whose actions caused the identified incident (if any).
8.2.3.6. If the purpose of processing personal data is achieved, the Budgetary Institution shall cease processing the personal data or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the Budgetary Institution) and shall destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Budgetary Institution) within a period not exceeding thirty days from the date of achieving the purpose of processing the personal data, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor, or by another agreement between the Budgetary Institution and the subject of personal data, or if the Budgetary Institution does not have the right to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law “On Personal Data” or other federal laws.
8.2.3.7. In the event that the personal data subject revokes their consent to the processing of their personal data, the Budgetary Institution shall cease processing them or ensure the termination of such processing (if the personal data are processed by another person acting on behalf of the Budgetary Institution) and, if the storage of personal data is no longer required for the purposes of processing the personal data, shall destroy the personal data or ensure their destruction (if the personal data are processed by another person acting on behalf of the Budgetary Institution) within a period not exceeding thirty days from the date of receipt of the said revocation, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor, or another agreement between the Budgetary Institution and the personal data subject, or if the Budgetary Institution is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws.
8.2.3.8. If a personal data subject requests that the processing of personal data be terminated, the Budgetary Institution shall, within a period not exceeding ten working days from the date of receipt of the relevant request, cease processing the personal data or ensure the termination of such processing (if such processing is carried out by the person processing the personal data), except for the cases provided for in paragraphs 2–11 of Part 1 of Article 6, Part 2 of Article 10, and Part 2 of Article 11 of the Law on Personal Data. This period may be extended, but by no more than five working days, if the Budgetary Institution sends a reasoned notice to the personal data subject stating the reasons for extending the period for providing the requested information.
8.2.3.9. If it is impossible to destroy personal data within the specified period, the Budgetary Institution shall block such personal data or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Budgetary Institution) and ensure the destruction of personal data within a period of no more than six months, unless another period is established by federal laws.
8.2.4. Notification of processing (intention to process) personal data
8.2.4.1. The Budgetary Institution, with the exception of cases stipulated by the Federal Law “On Personal Data”, shall notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data before commencing the processing of personal data.
8.2.4.2. The notification shall be sent in hard copy or electronic form and shall be signed by an authorized person. The notification shall contain the following information:
– name (last name, first name, patronymic), address of the Budgetary Institution;
– the purpose of processing personal data;
– description of measures, including information on the availability of encryption (cryptographic) means and the names of these means;
– the last name, first name, patronymic of the individual or the name of the legal entity responsible for organizing the processing of personal data, and their contact telephone numbers, postal addresses and email addresses;
– the date of commencement of personal data processing;
– the term or condition for termination of the processing of personal data;
– information on the presence or absence of cross-border transfer of personal data during their processing;
– information about the location of the database of information containing personal data of citizens of the Russian Federation;
– the last name, first name, patronymic of an individual or the name of a legal entity that has access to and (or) processes personal data contained in state and municipal information systems on the basis of an agreement;
– information on ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation.
8.2.5. If the specified information changes, the Budgetary Institution shall, no later than the 15th day of the month following the month in which such changes occurred, notify the authorized body for the protection of the rights of personal data subjects of all changes that occurred during the specified period. If the Budgetary Institution ceases processing personal data, it shall notify the authorized body for the protection of the rights of personal data subjects within ten business days of the date of cessation of processing.
9. Areas of responsibility.
9.1. Persons responsible for organizing the processing of personal data.
The Budgetary Institution appoints a person responsible for organizing the processing of personal data.
The person responsible for organizing the processing of personal data, in particular, performs the following functions:
– carries out internal control over the compliance of the Budgetary Institution and employees of the Budgetary Institution with the legislation of the Russian Federation on personal data, including requirements for the protection of personal data;
– brings to the attention of the employees of the Budgetary Institution the provisions of the legislation of the Russian Federation on personal data, local acts on the processing of personal data, and requirements for the protection of personal data;
– organizes the reception and processing of requests and inquiries from personal data subjects or their representatives and (or) exercises control over the reception and processing of such requests and inquiries.
9.2. Responsibility
– Persons guilty of violating the requirements of the Law on Personal Data shall bear liability as provided for by the legislation of the Russian Federation.
– Moral damages caused to a personal data subject as a result of a violation of their rights, a breach of the personal data processing rules established by the Federal Law “On Personal Data,” or the personal data protection requirements established in accordance with the Federal Law “On Personal Data” are subject to compensation in accordance with the legislation of the Russian Federation. Compensation for moral damages is provided independently of compensation for property damages and losses incurred by the personal data subject.
10. Key results
10.1. Upon achievement of the objectives, the following results are expected:
– ensuring the protection of the rights and freedoms of personal data subjects during the processing of their personal data by the Budgetary Institution;
– increasing the overall level of information security of the Budgetary Institution;
– minimization of legal risks of the Budgetary Institution.
11. Related policies.
There are no related policies.
12. Final provisions.
12.1. The provisions of this Policy are mandatory for all employees of the Budgetary Institution who have access to personal data.
12.2. The subject of personal data may obtain any clarifications on issues of interest regarding the processing of his or her personal data, as well as request written information regarding the processing of personal data by contacting the Budgetary Institution in printed or electronic form, signed with an electronic signature, by sending a notification to the e-mail address gkb12@zdrav.mos.ru, indicating in the notification the full name, contact information, number of the main identity document, information on the date of issue of the specified document and the issuing authority, information confirming the participation of the subject of personal data in relations with the Budgetary Institution, or information otherwise confirming the fact of processing of personal data by the Budgetary Institution, signed by the subject of personal data.
12.3. The Budgetary Institution shall provide information concerning the processing of personal data within ten working days from the date of receipt of the request from the personal data subject in the form in which the relevant request was sent.
12.4. The Budgetary Institution reserves the right to make changes to this Policy.
12.5. When changes are made, the current version includes the date of the last update. The new version of the Policy takes effect upon its posting on the Budgetary Institution’s Website. Revoked versions are available in the archive at the address specified in the Policy.
12.6. The provisions of this Policy may be revised for the following reasons:
– in case of changes in the regulatory acts of the Russian Federation governing relations in the field of personal data processing;
– when changing internal regulations;
– in cases where discrepancies are identified affecting the processing of personal data;
– based on the results of monitoring compliance with requirements for the processing and protection of personal data.
12.7. When new regulations are adopted or existing ones are amended, governing the procedure for processing personal data, this Policy shall remain in effect until the relevant amendments and additions are made to the extent that it does not contradict them.
12.8. The Budgetary Institution, as well as its employees, in accordance with the legislation of the Russian Federation, bears civil, administrative, and criminal liability for failure to comply with the principles and conditions for the processing of personal data, as well as for the disclosure or illegal use of personal data.
12.9. The current version of the Policy is located on the Budgetary Institution’s Website https://gkb-buyanova.ru/.