Personal Data Processing and Security Policy
of Limited Liability Company "LAVOROSOLUTIONS" Private Employment Agency
1. Application area
This Policy of processing and ensuring the security of personal data of the Limited Liability Company "LAVOROSOLUTIONS" Private Employment Agency (hereinafter referred to as the Policy) is a local regulatory act that determines the basis for the activities of the Limited Liability Company "LAVOROSOLUTIONS" Private Employment Agency (hereinafter referred to as the Company, Operator) when processing and protecting personal data.
The policy has been developed taking into account the requirements of the legislation of the Republic of Uzbekistan in the field of processing and protection of personal data.
The policy discloses the legal grounds for the processing of personal data (PD), the principles and purposes of such processing, processing rules, information on the measures taken to protect personal data, information on the rights of personal data subjects.
The provisions of this Policy are binding on all employees of LLC "LAVOROSOLUTIONS" Private Employment Agency, processing personal data.
2. Purposes and principles of personal data processing
2.1. Purposes of personal data processing
The Company processes personal data in order to:
- conclusion, support, modification, termination of employment contracts;
- assistance to employees in training and career growth;
- assistance in obtaining social benefits and compensations;
- provision of information at the request of state bodies;
- fulfillment of obligations under labor contracts;
- conducting the process of agreeing contracts and fulfilling the requirements under contracts with counterparties;
- communication with employees;
- communication with suppliers;
- informing employees about the corporate life of the Company;
- assistance to employees in the organization of internal communications;
- providing access to IT infrastructure;
- conclusion, modification, termination of contracts of voluntary medical insurance and life insurance;
- conducting other types of activities within the framework of the legislation of the Republic of Uzbekistan, with the obligatory fulfillment of the requirements of the legislation of the Republic of Uzbekistan in the field of personal data.
- conclusion, modification, termination of contracts of voluntary medical insurance and life insurance;
- assistance in obtaining social benefits and compensations;
- consideration of resumes and selection of candidates for vacant positions for further employment in "LAVOROSOLUTIONS" Private Employment Agency and in client companies;
- maintaining a database of candidates;
- fulfillment of obligations under contracts with counterparties;
- conclusion, support, modification, termination of contracts;
- fulfillment of obligations stipulated by federal legislation, local regulations and other regulatory legal acts (including in the field of labor protection).
2.2. Scope and categories of personal data subjects
The content and scope of the processed personal data correspond to the stated purposes of their processing. It is not allowed to process excessive personal data in relation to the stated purposes.
The Company processes personal data of the following personal data subjects:
- employees;
- candidates for vacant positions;
- former employees;
- contractors-individuals;
- representatives of counterparties-legal entities.
As part of the processing of personal data, the Company collects, records, systematizes, accumulates, stores, clarifies (updates, changes), uses, transfers (provides, grants access to a limited number of persons in accordance with applicable law), depersonalizes, blocks, deletes personal data.
2.3. Principles of personal data processing
For the purpose of effective functioning of personal data processing processes, the Company is guided by the following principles:
- legality – the processing of personal data is carried out on a legal and fair basis;
- limitation of the purposes of processing – the processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes and in the future personal data should not be processed in ways incompatible with these purposes. It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other. Only personal data that meet the purposes of their processing are subject to processing;
- minimization of processing – the content and volume of processed personal data correspond to the stated purposes of processing, personal data are adequate in relation to the purposes of processing;
- accuracy of data – the Company takes adequate measures to ensure the immediate deletion or correction of personal data that is inaccurate in relation to the purposes of their processing;
- limitation of the storage period – the storage of personal data is carried out in a form that allows you to determine the subject of personal data, no longer than required by the purposes of processing personal data, if the period of storage of personal data is not established by federal law, an agreement to which a party, beneficiary or guarantor is subject of personal data. The processed personal data is subject to destruction or depersonalization upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law;
- confidentiality, integrity, availability – personal data is processed in a manner that guarantees a reasonable level of their security, which involves the use of acceptable and adequate organizational and technical measures to protect against unauthorized or illegal processing of personal data and against accidental loss, destruction or destruction of data.
3. Procedure and conditions for processing personal data
3.1. Grounds for processing personal data of subjects
The Company has the right to process personal data if one of the following processing grounds applies:
- consent of the subject to the processing of these data;
- the need to process these data in order to fulfill a contract to which the subject is a party, or to take measures at the request of the subject before entering into such an agreement;
- the need to process this data in order to fulfill the obligations of the owner and (or) operator, determined by law;
- the need to process this data to protect the legitimate interests of the subject or another person;
- the need to process this data in order to exercise the rights and legitimate interests of the owner and (or) operator or a third party, or to achieve socially significant goals, provided that the rights and legitimate interests of personal data subjects are not violated;
- processing of these data for statistical or other research purposes, subject to mandatory depersonalization of personal data;
- if these data are obtained from publicly available sources.
If it is necessary to process personal data in order to protect the rights and legitimate interests of the subject, their processing is allowed without the consent of the latter until the moment when obtaining consent becomes possible.
The form of consent to the processing of personal data was developed by the Company in compliance with providing the subject with the most complete and sufficient information in an accessible form on the procedure for processing his personal data and includes the following information:
- name and contact details of the company that is the operator of personal data;
- the purposes of performing specific operations for the processing of personal data;
- composition or categories of data collected;
- the subject has the right to withdraw consent;
- the period for which consent is given.
Persons admitted to the processing of personal data are required to sign an obligation not to disclose information containing personal data.
3.2. Methods of processing personal data
The Company processes the personal data of the funds in accordance with the requirements of the current legislation.
The processing of personal data is carried out in compliance with data confidentiality.
Providing access to personal data is regulated by the Company's internal documents and is provided only to those employees who need personal data to perform their job duties.
The Company does not make decisions that give rise to legal consequences in relation to the subjects of personal data or otherwise affect their rights and legitimate interests, based on the automated processing of their personal data.
The Company has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, subject to the provision of appropriate guarantees for the application of appropriate technical and organizational measures.
The procedure for processing personal data without the use of automation tools.
The processing of personal data without the use of automation tools (hereinafter referred to as non-automated processing of personal data) can be carried out in the form of documents on paper and in electronic form (files, databases) on electronic media. In the non-automated processing of various categories of personal data, a separate material carrier is used for each group of personal data.
In case of non-automated processing of personal data on paper:
- it is not allowed to record on one paper carrier personal data, the processing purposes of which are obviously incompatible;
- personal data are separated from other information, in particular by fixing them on separate paper media, in special sections or on the fields of forms;
- documents containing personal data are formed into files depending on the purpose of personal data processing.
When using standard forms of documents, the nature of the information in which implies or allows the inclusion of personal data in them (hereinafter referred to as standard forms), the following conditions are observed:
- a standard form or related documents (instructions for filling it out, cards, registers and magazines) contain information about the purpose of non-automated processing of personal data, the name (name) and address of the operator, last name, first name, patronymic and address of the subject of personal data, source of receipt personal data, the terms for processing personal data, a list of actions with personal data that will be
- performed in the process of their processing, a general description of the methods used by the operator to process personal data;
- the standard form is designed in such a way that each of the subjects of personal data contained in the document has the opportunity to familiarize themselves with their personal data contained in the document without violating the rights and legitimate interests of other subjects of personal data;
- the standard form excludes the combination of fields intended for entering personal data, the processing purposes of which are obviously incompatible.
If the purposes of non-automated processing of personal data recorded on one material medium are incompatible, if the material medium does not allow the processing of personal data separately from other personal data recorded on the same medium, measures are taken to ensure separate processing of personal data.
When storing documents containing personal data, conditions are observed that ensure the safety of personal data and exclude unauthorized access to them.
Destruction or depersonalization of a part of personal data, if this is allowed by a material medium, can be carried out in a way that excludes further processing of this personal data while maintaining the possibility of processing other data recorded on a material medium (deletion).
Cross-border transfer of personal data.
Cross-border transfer of personal data is carried out on the territory of foreign states that provide adequate protection of the rights of personal data subjects. Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of personal data may be carried out in the following cases:
- consent of the subject to the cross-border transfer of his personal data;
- to protect the constitutional order of the Republic of Uzbekistan, the protection of public order, the rights and freedoms of citizens, the health and morality of the population;
- provided for by international treaties of the Republic of Uzbekistan.
Cross-border transfer of personal data may be prohibited or limited in order to protect the foundations of the constitutional order of the Republic of Uzbekistan, morality, health, rights and legitimate interests of citizens of the Republic of Uzbekistan, to ensure the country's defense and state security.
3.3. Conditions for termination of personal data processing
The Company stops processing PD in the following cases:
- achievement of the purposes of personal data processing or loss of the need to achieve them;
- withdrawal of the consent of the subject to the processing of his personal data (if the withdrawal of consent entails the destruction of personal data);
- receipt of an appropriate order from the authorized body for the protection of the rights of subjects of personal data.
4. Organization of personal data protection
The Company provides comprehensive protection of personal data based on:
- applicable legislation in the field of ensuring the security of personal data;
- the nature, context and purposes of the processing of personal data;
- processes and scope of personal data processing;
- economic assessment of the implementation of means and methods of personal data protection;
- risk assessment of severity of possible consequences for personal data subjects (risks of accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to transferred, transferred or otherwise processed personal data).
The Company, when processing personal data to protect it from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data, takes all necessary legal, organizational and technical measures.
Ensuring the security of personal data is achieved, in particular, in the following ways:
- ensuring the confidentiality, integrity, availability and sustainability of personal data processing systems;
- recovery of personal data modified or destroyed due to unauthorized access to them;
- establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;
- detection of facts of unauthorized access to personal data and the adoption of appropriate protection measures;
- determination of threats to the security of personal data during their processing in information systems;
- adoption of local regulations and other documents regulating the processing and protection of personal data;
- taking into account machine carriers of personal data;
- assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
- appointment of a person responsible for organizing the processing and ensuring the security of personal data;
- performing regular testing, evaluating the effectiveness of technical and organizational measures to ensure the security of personal data;
- implementation of internal control and / or audit of the compliance of the processing of personal data with the legislation of the Republic of Uzbekistan in the field of processing and protection of personal data;
- familiarization of employees directly involved in the processing of personal data with the provisions of the legislation of the Republic of Uzbekistan on personal data, including the requirements for the protection of personal data, documents defining the policy regarding the processing of personal data, local acts on the processing of personal data.
5. Rights of the subject of personal data
The subject of personal data confirms consent to the processing of data by performing a specific action, which clearly indicates that the subject, in the specified context, consents to the planned processing of his personal data.
The subject of personal data has the right to demand from the Company the clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights.
The right of the subject of personal data to access his personal data may be limited in accordance with federal laws, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.
The subject of personal data has the right to appeal against the actions or inaction of the Company, as an operator, to the authorized body for the protection of the rights of subjects of personal data or in court.
The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
In accordance with the legislation of the Republic of Uzbekistan, the subject of personal data has the right to receive information regarding the processing of his personal data, including:
- confirmation of the fact of personal data processing;
- legal grounds and purposes of personal data processing;
- purposes and methods used by the Company to process personal data;
- the name and location of the operator, information about persons (excluding employees of the operator) who have access to personal data and / or to whom personal data may be disclosed on the basis of an agreement with the company and / or on the basis of the legislation of the Republic of Uzbekistan;
- processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for the submission of such data is provided by federal law;
- terms of personal data processing, including terms of their storage;
- the procedure for the exercise by the subject of personal data of the rights provided for by the legislation of the Republic of Uzbekistan;
- information about the performed or proposed cross-border data transfer;
- the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Company, if the processing is or will be entrusted to such a person.
Information is provided to the subject of personal data or his representative by the legal representatives of the company upon receipt of a request from the subject of personal data or his representative in writing.
To exercise and protect their rights and legitimate interests, the subject of personal data has the right to contact the Company.
6. Policy review order and liability
This Policy is reviewed on a regular basis. This Policy is valid until it is canceled or suspended by the management of LLC "LAVOROSOLUTIONS" Private Employment Agency.
Persons guilty of violating the rules governing the processing and protection of personal data bear disciplinary, financial and administrative liability in accordance with applicable law and local regulations.