I. General provisions

1.1. These Rules for Processing Personal Data in the Transport Committee (hereinafter referred to as the Rules) define the purposes and procedure for processing personal data( hereinafter referred to as the PD), measures aimed at protecting PD, as well as procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of PD in the Transport Committee (hereinafter referred to as the Committee).
1.2. These Rules define the policy of the Committee as an operator that processes personal data in relation to the processing and protection of personal data.
1.3. These Rules are developed in accordance with:
The Labor Code of the Russian Federation (hereinafter referred to as the Labor Code);
The Federal Law "On Information, Information Technologies and Information Protection";
The Federal Law "On Personal Data";
The Federal Law "On the Civil Service System of the Russian Federation";
the Federal Law "On the State Civil Service of the Russian Federation";
The Federal Law "On Countering Corruption". corruption";
Federal Law "On the organization of the provision of state and municipal services";
Federal Law "On the procedure for consideration of Appeals of Citizens of the Russian Federation";
Decree of the President of the Russian Federation of 30.05.2005 No. 609 "On Approval of the Regulation on Personal Data of a State Civil servant of the Russian Federation and the management of his personal file";
Decree of the Government of the Russian Federation No. 687 "On Approval of the Regulation on the Specifics of processing Personal Data performed without the use of automation tools";
Decree of the Government of the Russian Federation No. 211 " On Approval of the list of measures Federal Law "On Personal Data" and regulatory legal acts adopted in accordance with it by operators that are state or municipal bodies";
Resolution of the Government of the Russian Federation No. 1119 of 01.11.2012 "On Approval of Requirements for the protection of Personal Data when Processing them in Personal Data Information Systems";
by order of the Federal Service for Technical and Expert Control dated 11.02.2013 No. 17 "On approval of Requirements for the protection of information not constituting a state secret contained in state information systems";
order of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications of 05.09.2013 No. 996"On approval of requirements and methods for depersonalization of Personal data".
1.4. Processing of personal data in the Committee is carried out in compliance with the principles and conditions stipulated by the legislation of the Russian Federation in the field of personal data, as well as these Rules.
1.5. Terms not defined in these Terms are used in accordance with the basic definitions established by the Federal Law "On Personal Data".
1.6. PD processed by the Committee is information that is restricted in accordance with federal laws, with the exception of information that is subject to dissemination in accordance with the current legislation of the Russian Federation.
1.7. Violation of the procedure for processing personal data established by the Federal Law "On Personal Data" entails liability of state civil servants of the Committee who hold positions in the state civil service.‑Members of the Committee (hereinafter referred to as the Committee's civil servants), and employees of the Committee holding positions other than those of the State Civil Service of Saint Petersburg.‑St. Petersburg, in accordance with the legislation of the Russian Federation.

II. Measures and procedures aimed at detecting and preventing
violations of the legislation of the Russian Federation in the field of PD

2.1. The processing of personal data must be carried out on a legal and fair basis.
2.2. In order to identify and prevent violations of the legislation of the Russian Federation in the field of PD, the Committee shall:
- appointment of those responsible for organizing the processing of PD and ensuring the security of PD in the Committee's PD information systems (hereinafter referred to as the PD Processing Officer, Responsible for the security of PD);
- publication of local legal acts on the processing of PD,
as well as the protection of PD during their processing in PD information systems;
- application of legal, organizational and technical measures measures to ensure the security of personal data in accordance with Article 19 of the Federal Law "On Personal Data";
- implementation of internal control over the compliance of PD processing with the Federal Law "On Personal Data" and the requirements for PD protection established by the current legislation;
- assessment of the harm that may be caused to PD subjects in the event of a violation of the Federal Law "On Personal Data", correlation of this harm and the measures taken by the Committee aimed at ensuring the fulfillment of obligations stipulated by the Federal Law"On Personal Data";
- familiarization of civil servants and employees of the Committee directly engaged in PD processing with the provisions of the legislation of the Russian Federation on PD, including requirements for the protection of PD, and legal acts of the Committee on PD processing.

III. Categories of PD subjects

3.1. PD subjects whose PD is processed by the Committee in accordance
with these Rules include:
1) state civil servants of the Committee holding positions in the State civil service of Saint Petersburg‑
2) citizens applying for positions in the State civil service of Saint Petersburg in the Committee;‑
3) employees of the Committee holding positions other than those of the State Civil Service of Saint Petersburg in the Committee;‑
4) citizens applying for positions other than those of the State civil service of Saint Petersburg;‑
5) working committees financed from the budget of Saint Petersburg;‑
6) citizens applying to replace the professions of workers of the Committee financed from the budget of St. Petersburg;‑St. Petersburg;
7) persons holding the positions of heads and deputy heads of organizations subordinate to the Committee (hereinafter referred to as heads and deputy heads of subordinate organizations);
8) citizens applying for the positions of heads and deputy heads of subordinate organizations;
9) individuals and representatives of organizations who have applied to the Committee:
in connection with the provision of a state service;
in connection with the performance of a state function;
10) citizens who have applied to the Committee in accordance with the Federal Law "On the Procedure for Considering Appeals of Citizens of the Russian Federation".

IV. Purposes, conditions and procedure for processing PD of PD subjects in connection with the implementation of official or labor relations

4.1. The PD of the PD subjects specified in subclauses 1-8 of clause 3.1 of these Rules is processed in order to ensure the tasks of personnel work, including personnel accounting, office management, assistance in the implementation of official (labor) activities, formation of a personnel reserve, training and official growth, accounting for the results of performing official duties, ensuring personal safety of PD subjects security of property belonging to them, calculation and payment of taxes, fees and contributions for compulsory social and pension insurance provided for by the legislation of the Russian Federation, ensuring working conditions, guarantees and compensations established by the legislation of the Russian Federation, maintaining military records, access to state secrets, payment of monetary support (wages), safety of property belonging to them, calculation and payment of taxes, fees and contributions for compulsory social and pension insurance provided for by the legislation of the Russian Federation; submission by the Committee of reports established by law in respect of individuals, including personal accounting information to the Pension Fund of the Russian Federation, income tax information to the Federal Tax Service, information to the Social Insurance Fund of the Russian Federation, submission of tax deductions, as well as for anti-corruption purposes in accordance with paragraph 1 of Appendix No. 1 to these Rules.
4.2. For the purposes specified in clause 4.1 of these Rules, PD processing is carried out with the consent of the PD subject to the processing of its PD. The list of PD processed by the Committee for the purposes specified in clause 4.1 of these Rules is defined in clause 1 of Appendix No. 1 to these Rules.
4.3. Consent to the PD processing of a PD subject whose data is processed for the purposes specified in Clause 4.1 of these Rules is not required when processing PD in accordance with clause 2 of Part 1 of Article 6 of the Federal Law"On Personal Data".
4.4. Consent to the processing of special categories of PD, as well as biometric PD of PD subjects whose data is processed for the purposes specified in Paragraph 6 of these Rules, is not required when processing PD in accordance with subparagraph 2.3 of paragraph 2 of Part 2 of Article 10 and Part 2 of Article 11 of the Federal Law "On Personal Data"
and the provisions of the Labor Code , except for cases when the employee's PD is obtained from a third party.
4.5. It is necessary to obtain the consent of the PD subject to process their PD in the following cases:
during transmission (distribution, provision) PD to third parties in cases
not provided for by the current legislation of the Russian Federation
on state civil service and anti-corruption;
in the case of cross-border transfer of PD;
when making decisions that give rise to legal consequences in relation to these persons or otherwise affect their rights and legitimate interests, based solely on automated processing of their PD.
4.6. In the cases provided for in clause 4.5 of these Rules, the consent of the PD subject is drawn up in writing, unless otherwise established by the Federal Law "On Personal Data" in accordance with the Standard Form of Consent to the processing of PD by a state civil servant.‑Members of the Committee, as well as other PD subjects (Appendix No. 2 to these Rules).
4.7. The PD processing of the Committee's PD subjects, whose data is processed for the purposes specified in clause 4.1, includes the following actions:: collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of PD.
4.8. Collection( receiving), recording, systematization, accumulation and refinement (updating, modification) PD of PD subjects whose data is processed for the purposes specified in clause 4.1 of these Rules is carried out by:
receiving the original documents required;
copying the original documents;
entering information in accounting forms (on paper and electronic media);
formation of personal data in the course of personnel work;
making PD in automated information systems, the operator of which is the Committee (hereinafter-AIS).
4.9. Collection( receiving), recording, systematization, accumulation and refinement (updating, modification) PD operations are performed by receiving personal data directly from PD subjects, whose data is processed for the purposes specified in clause 4.1 of these Rules.
4.10. It is prohibited to receive, process and attach to the personal file of a subject PD of the Committee PD that is not provided for by the Federal Law "On the State Civil Service of the Russian Federation", other federal laws and these Rules for the formation of personal files, including those related to race, nationality or other affiliation, private life, political, religious or other beliefs membership in public associations and trade unions.
4.11. When collecting PD, an employee of the Committee authorized to process PD who collects (receives)it. The PD directly from the PD subject of the Committee, whose data is processed for the purposes specified in clause 4.1 of these Rules, must explain to the specified PD subject of the Committee the legal consequences of refusing to provide their PD. The explanation is drawn up in writing, according to the Standard Form of explaining to the PD subject the legal consequences of refusing to provide their PD (Appendix No. 3 to the Rules).
4.12. Transmission (distribution, provision) and use of PD of PD subjects whose data is processed for the purposes specified in Clause 4.1 of these Rules is carried out only in cases and in accordance with the procedure provided for by the legislation of the Russian Federation.
4.13. PD subjects have the right to receive information related to the processing of their PD in accordance with the Rules for Considering requests from PD subjects or their representatives in the Transport Committee.

V. Purpose, conditions and procedure for processing personal data of subjects in connection with the provision of public services and the performance of public functions

5.1. In the Committee, the processing of personal data of individuals and representatives of organizations (hereinafter referred to as Applicants) who have applied to the Committee for the provision of public services and in connection with the performance of public functions is carried out for the purpose of providing public services and performing public functions.
5.2. For the purposes specified in clause 5.1 of these Rules, PD is processed in accordance with the list specified in clause 2 of Appendix No. 1 to these Rules.
5.3. The processing of personal data specified in clause 5.1 of these Rules is carried out without the consent of the subjects of personal data in accordance with clause 4 of Part 1 of Article 6 of the Federal Law "On Personal Data", federal laws "On the organization of the provision of state and Municipal services", "On the Procedure for considering Appeals of citizens of the Russian Federation" and other regulatory legal acts which determine the provision of state services and the performance of state functions in the established area of competence of the Committee.
5.4. PD processing for the purposes specified in clause 5.1 of these Rules is carried out by the Committee's structural divisions that provide relevant public services and (or) perform public functions, and includes the following actions:: collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of PD.
5.5. Collection( receiving), recording, systematization, accumulation and refinement (updating, modification) PD for the purposes specified in clause 5.1 of these Rules is performed by:
receiving the originals of required documents (applications);
certifying copies of documents;
entering information in accounting forms (on paper and electronic media);
entering PD in AIS.
5.6. Collection( receiving), recording, systematization, accumulation and refinement (updating, modification) PD is implemented by obtaining PD directly from PD subjects (applicants).
5.7. When providing a state service or performing a state function, the Committee is prohibited from requesting and processing personal data from subjects of PD and third parties in cases not provided for by the legislation of the Russian Federation.
5.8. When collecting (receiving) PD an authorized official of the Committee's structural subdivision who receives PD directly from PD subjects (applicants) who have applied to the Committee in connection with the provision of a public service or in connection with the performance of a public function must explain to the specified PD subjects (applicants) the legal consequences of refusing to provide PD.
5.9. Transfer (distribution, provision) and use of PD of PD subjects (applicants) is carried out only in cases and in accordance with the procedure provided for by the legislation of the Russian Federation.
5.10. PD subjects (applicants) have the right to receive information related to the processing of their PD in accordance with the Rules for Considering Requests from PD Subjects or their representatives in the Committee.

VI. Purpose, conditions and procedure for processing personal data of personal data subjects in connection with the consideration of citizens ' appeals

6.1. The Committee processes personal data of citizens in order to ensure timely and full consideration of their oral and written appeals in accordance with the procedure established by the Federal Law "On the Procedure for Consideration of Appeals of Citizens of the Russian Federation".
6.2. Personal data of citizens who have applied to the Committee in person, as well as those who have sent individual or collective written requests or requests in the form of an electronic document, are processed for the purpose of considering these requests, with subsequent notification of citizens about the results of consideration.
In accordance with the legislation of the Russian Federation, the Committee is subject to consideration of applications from citizens of the Russian Federation, foreign citizens and stateless persons.
6.3.In accordance with Articles 7 and 13 of the Federal Law "On the Procedure for Consideration of Appeals of Citizens of the Russian Federation" in connection with the consideration of citizens ' appeals received by the Committee, personal data is subject to processing in accordance with the list specified in item 3 of Appendix No. 1 to the Rules.
6.4. The processing of personal data required in connection with the consideration of citizens ' appeals is carried out without the consent of the subjects of personal data in accordance with paragraph 2 of Part 1 of Article 6 of the Federal Law "On Personal Data" and the Federal Law "On the Procedure for Considering Appeals of Citizens of the Russian Federation".
6.5. The transfer (distribution, provision) and use of personal data specified in clause 6.3 of these Rules is carried out only in cases and in accordance with the procedure provided for by the legislation of the Russian Federation.
6.6. Citizens have the right to receive information concerning the processing of their personal data in accordance with the Rules for Considering Requests from Personal data Subjects or their representatives in the Transport Committee.

VII. Procedure for processing personal data of personal data subjects
in automated information systems

7.1. The Committee may process personal data using automated information systems (hereinafter referred to as AIS).
7.2. Access to the AIS of the Committee's civil servants who process personal data in the AIS is provided through an account consisting of a user name and password.
7.3. Access to AIS is provided in accordance with the functions provided for in the official regulations of civil servants of the Committee.
7.4. Information may be entered into the AIS either automatically when receiving personal data from the Unified Portal of Public Services or the official website of the Committee, or manually when receiving information on paper or in any other form that does not allow its automatic registration.
7.5. Ensuring the security of personal data processed in the AIS of the Committee is carried out by the information protection sector of the Information Technology Department of the Committee and is achieved by excluding unauthorized, including accidental, access to personal data, as well as taking the following security measures:
identification of threats to the security of personal data when processing them in the AIS of the Committee;
application of organizational and technical measures to ensure the security of personal data when processing them in the AIS of the Committee, which are necessary to meet the requirements for personal data protection, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;
application of procedures for assessing compliance with information security tools that have passed in accordance with the established procedure;
evaluation of the effectiveness of measures taken to ensure the security of personal data before of the Committee's Automated Information System (AIS);
registration of machine data carriers of personal data;
detection of unauthorized access to personal data
and taking measures to exclude further unauthorized access to personal data;
recovery of personal data modified or deleted or destroyed as a result of unauthorized access to them;
establishment of rules for access to personal data developed in the AIS of the Committee, as well as ensuring registration and accounting of all actions performed with personal data in the AIS of the Committee;
monitoring the measures taken to ensure the security of personal data and the levels of security of AIS.
7.6. In case of detection of violations of the procedure for processing personal data, authorized officials immediately take all measures to establish the causes of violations and eliminate them.

VIII. Procedure for processing personal data of personal data subjects performed without the use of automation tools

8.1. The processing of personal data contained in the AIS or extracted from such a system is carried out in accordance with the requirements of the Decree of the Government of the Russian Federation No. 687 of 15.09.2008 "On Approval of the Regulation on the Specifics of processing personal Data performed without the use of automation tools" and is considered to be performed without the use of automation tools (non-automated), if such actions with personal data are performed without the use of automation tools. personal data, such as the use, clarification, dissemination, and destruction of personal data in relation to each of the subjects of personal data, are carried out with the direct participation of a person.
8.2. The processing of personal data is carried out both on paper and in electronic form on tangible media.
Non-automated processing of personal data in electronic form should be carried out on removable material storage media. If there is no technological possibility to carry out non-automated processing of personal data in electronic form on removable material storage media, it is necessary to take organizational (security of premises) and technical (installation of certified information security tools) measures that exclude the possibility of unauthorized access to personal data of persons who are not allowed
to process them.
8.3. The processing of personal data cannot be recognized as carried out using automation tools only on the basis that the personal data is contained in the AIS or was extracted from it.
8.4. The processing of personal data carried out without the use of automation tools should be carried out in such a way that for each category of personal data it is possible to determine the places of storage of personal data (material carriers) and establish a list of persons who process personal data or have access to them.
8.5. Personal data, when processed without the use of automation tools, must be separated from other information, in particular by recording them on separate material carriers of personal data (hereinafter referred to as material carriers), in special sections or in the fields of forms (forms).
It is not allowed to record personal data on a single material carrier, the purposes of processing of which are obviously incompatible. For processing different categories of personal data, each category of personal data must use a separate physical medium.
8.6. Persons who process personal data without the use of automation tools (including employees of the Committee or persons who perform such processing under an agreement with the Committee) must be informed about the fact that they process personal data that is processed without the use of automation tools, the categories of personal data being processed, as well as about the specifics and rules for such processing.
8.7. When exercising the powers assigned to the Committee, standard forms of documents, the nature of information in which allows the inclusion of personal data, must comply with the following conditions:
they must contain information about the purpose of processing personal data performed without the use of automation tools, the address of the Committee, the surname, first name, patronymic and address of the personal data subject, the terms of processing personal data, a list of actions with personal data that will be performed during their processing;
must contain a field in which the personal data subject can put a mark on his consent to the processing of personal data carried out without the use of automation tools, if it is necessary to obtain consent to the processing of personal data;
it is not allowed to process personal data that is not compatible with the purposes of collection personal data.
8.8. When maintaining a journal (book) containing personal data necessary for a single admission of a personal data subject to the Committee's territory, the following conditions
must be met:the composition of information requested from personal data subjects, recorded in the journal (book), the list of officials who have access to material media, etc
. information contained in such a journal (book) is not allowed to be copied;personal data of
each personal data subject may be entered in such a journal (book, register) no more than once in each case of a personal data subject's admission to the Committee's territory.
8.9. Destruction or depersonalization of a part of personal data, if this is allowed by the material carrier, may be carried out in a way that excludes further processing of this personal data while preserving the possibility of processing other data recorded on the material carrier (deletion, erasure).
8.10. Clarification of personal data when processing them without the use of automation tools is performed by updating or changing the data on a tangible medium, and if this is not allowed by the technical features of the tangible medium, by recording information about changes made to them on the same tangible medium, or by making a new tangible medium with updated personal data.

IX. Organization and terms of personal data storage

9.1. Personal data is stored in hard copy in the structural divisions of the Committee, whose functions include the processing of personal data.
9.2. Personal data is stored electronically in the AIS.
9.3. The terms of storage of personal data in hard copy are determined by regulatory legal acts regulating the procedure for their collection (receipt) and processing.
9.4. The period of storage of personal data entered in the AIS must correspond to the period of storage of personal data on paper.
9.5. Personal data, when processed without the use of automated information systems, must be separated from other information, in particular by recording them on different material carriers of personal data, in special sections or in the fields of forms (forms).
9.6. It is necessary to ensure separate storage of personal data on different material carriers of personal data, the processing of which is carried out for the purposes defined by these Rules.
9.7. Subject to the provisions of the legislation of the Russian Federation, the following terms for processing and storing personal data are established:
9.7.1. personal data contained in orders on the personnel of civil servants of the Committee and employees of the Committee (on admission, on transfer, on dismissal, on the establishment of allowances) are subject to storage in the personnel division of the Committee for three years, followed by the formation and transfer of these documents to the Committee's archive, where they are stored for 75 years;
9.7.2. personal data contained in the personal files and personal cards of civil servants of the Committee, employees of the Committee and heads of organizations subordinate to the Committee are stored in the personnel division of the Committee for three years, followed by the formation and transfer of these documents to the Committee's archive, where they are stored for 75 years;
9.7.3. personal data contained in incentives, material assistance to civil servants of the Committee, employees of the Committee and heads of organizations subordinate to the Committee, are subject to storage for three years in the personnel division of the Committee, followed by the formation and transfer of these documents to the Committee's archive, where they are stored for 75 years;
9.7.4. personal data contained in orders for granting vacations, on short-term domestic and foreign business trips, on disciplinary actions of civil servants of the Committee, are subject to storage in the personnel division of the Committee for five years with subsequent destruction;
9.7.5. personal data contained in the documents of applicants for filling a vacant position of the state civil service in the Committee,
9.7.6. personal data of Applicants who have applied to the Committee in person, as well as those who have sent individual or collective written requests or requests in the form of an electronic document, are stored in the personnel department of the Committee for three years from the date of completion of the competition, after which they are subject to destruction. for five years.
9.8. Control over the storage and use of tangible personal data carriers, which does not allow unauthorized use, clarification, dissemination and destruction of personal data stored on these carriers, is carried out by the heads of the relevant structural divisions of the Committee.

X. Procedure for the destruction of personal data when the purposes of processing are achieved or when other legal grounds arise

10.1. Documents containing personal data whose retention periods have expired are subject to destruction.
10.2. Documents containing personal data in hard copy are transferred to the Committee's archive for destruction in accordance with the procedure established by the legislation of the Russian Federation on archival affairs.
10.3. The structural division of the Committee responsible for document management and archiving carries out systematic control and allocation of documents containing personal data with expired storage periods that are subject to destruction.
10.4. The official of the Committee responsible for archival activities organizes work on the destruction of documents containing personal data.
10.5. At the end of the processing period, personal data on electronic media is destroyed by mechanical violation of the integrity of the media, which does not allow reading or restoring personal data, or by deleting residual information from electronic media by methods and means of guaranteed deletion.
10.6. Upon completion of the destruction procedure, a corresponding act on the destruction of documents containing personal data is drawn up.