Policy of the organization of processing and ensuring the security of personal data in Dr. Reddy’s Laboratories LLC :- Medznat
EN | RU
EN | RU

Help Support

Policy of the organization of processing and ensuring the security of personal data in Dr. Reddy’s Laboratories LLC

Dated: 28.02.2023

 

1. General provisions

1.1. In order to comply with the conditions of the current legislation of the Russian Federation in full, LLC "Dr. Reddy's Laboratories” considers its most important tasks to comply with the principles of personal data processing provided for by the legislation of the Russian Federation, confidentiality in the processing of personal data, as well as ensuring the security of their processing processes.

1.2. This policy of the organization of processing and ensuring the security of personal data in LLC "Dr. Reddy's Laboratories" is characterized by the following features:

  • developed in accordance with the current legislation of the Russian Federation in the field of processing and protection of personal data in order to implement the requirements of current legislation in the field of processing and protection of personal data;

  • discloses the methods and principles of personal data processing by the operator, the rights and obligations of the operator when processing personal data, the rights of personal data subjects, and also includes a list of measures applied by the operator to ensure the security of personal data during their processing;

  • is a publicly available document declaring the conceptual foundations of the operator's activities in the processing and protection of personal data.

1.3. Prior to the start of personal data processing, the Operator has notified the Regulatory Authority for the protection of the rights of personal data subjects of its intention to process personal data. The Operator shall update the information specified in the notification in good faith and within the appropriate time.

2. List of abbreviations

The Company or Operator

LLC "Dr. Reddy's Laboratories", registered at the address: Российская Федерация, 115035, г. Москва, Овчинниковская наб.,,д. 20, стр. 1.

(Russian Federation; 115035; Moscow, Ovchinnikovskaya nab., 20 bld.1)

PD

Personal Data.

Policy

Policy «On the organization of processing and ensuring the security of personal data in LLC "Dr. Reddy's Laboratories".

RF

The Russian Federation.


 

3. Terminology of the Policy

Automated processing of personal data is the processing of personal data using computer technology.

Biometric personal data is information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity.

Blocking of personal data is a temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data).

The personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Depersonalization of personal data – actions as a result of which it becomes impossible to determine the identity of personal data to a specific subject of personal data without the use of additional information.

Personal data processing is any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use. The processing of personal data includes, among others: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.

Personal data operator (operator) is a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.

Responsible for the organization of personal data processing – a natural or legal person appointed by the Operator responsible for the organization of personal data processing.

Personal data – any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).

Personal data authorized by the subject of personal data for distribution – personal data to which an unlimited number of persons have access by the subject of personal data by giving consent to the processing of personal data authorized by the subject of personal data for distribution in accordance with the procedure provided for by this Federal Law.

Provision of personal data – actions aimed at disclosure of personal data to a certain person or a certain circle of persons.

Dissemination of personal data – actions aimed at disclosure of personal data to an indefinite circle of persons.

Special categories of personal data – special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, membership in trade unions, health status and intimate life.

The subject of personal data is an individual to whom personal data directly or indirectly relates.

Cross–border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.


 

4. Basic rights and obligations of the Personal Data Operator

4.1. The Operator has the right to:

  • receive reliable information and/or documents containing personal data from the subject of personal data;

  • require the subject of personal data to timely clarify the provided personal data;

  • entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation, on the basis of a contract concluded with this person;

  •  create publicly available sources of personal data for information purposes with the written consent of the personal data subject;

  • process biometric personal data that is used by the operator to establish the identity of the subject of personal data, with the written consent of the subject of personal data, except in cases provided for by the legislation of the Russian Federation.

4.2. The Operator is obliged to:

  • process personal data in accordance with the procedure established by the current legislation of the Russian Federation;

  • not disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation;

  • provide the subject of personal data, at his request, with information about the processing of personal data when collecting personal data;

  • explain to the subject of personal data the legal consequences of refusal to provide his personal data and (or) consent to their processing, if, in accordance with the legislation of the Russian Federation, the provision of such data and (or) obtaining consent by the operator is mandatory;

  • provide the subject of personal data with information about the processing of his personal data before the start of their processing, if the personal data was not received by the operator from the subject of personal data, except in cases provided for by the legislation of the Russian Federation;

  • inform the personal data subject (his/her legal representative) about the availability of personal data related to the relevant personal data subject, if such personal data was received by the operator not from the personal data subject;

  • consider the requests of the personal data subject (his legal representative) regarding the processing of personal data and give motivated answers;

  • provide the subject of personal data (his legal representative) with the possibility of free access to his personal data, except in cases provided for by the legislation of the Russian Federation;

  • take measures to clarify, destroy the personal data of the personal data subject in connection with his (his legal representative's) treatment with legitimate and reasonable requirements;

  • organize the protection of personal data in accordance with the requirements of the legislation of the Russian Federation;

  • ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation when collecting personal data, including through the Internet information and telecommunications network;

  • exclude information about the subject of personal data from publicly available sources of personal data at the request of the subject of personal data or by a court decision or other authorized state bodies.

5. Basic rights and obligations of personal data subjects

5.1. The subject of personal data has the right to:

  • receive information about the processing of his personal data by the Operator to the extent determined by the legislation of the Russian Federation;

  • access to his personal data and obtaining a copy of any record containing his personal data, except in cases provided for by the legislation of the Russian Federation;

  • clarification of their personal data, their blocking or destruction if they are incomplete, outdated, inaccurate, illegally obtained or cannot be considered necessary for the stated purpose of processing;

  • termination of the processing of his personal data, including by revoking consent to the processing of personal data, except in cases provided for by the legislation of the Russian Federation;

  • contact the Operator to exercise and protect their rights and legitimate interests;

  • appeal against the actions or omissions of the Operator by contacting the authorized body for the protection of the rights of personal data subjects and other competent authorities;

  • protect rights and legitimate interests, including receive compensation for damages and/or compensation for moral damage in a judicial or other manner prescribed by law, as well as the exercise of other rights provided for by the legislation of the Russian Federation in the field of personal data;

  • restrict the transfer (other than granting access) of personal data by the operator to an unlimited number of persons, as well as set prohibitions on processing or conditions for processing (other than obtaining access) of personal data by an unlimited number of persons in consent to the processing of personal data authorized by the subject of personal data for distribution;

  • terminate the transfer (distribution, provision, access) of their personal data previously authorized by the subject of personal data for distribution to any person processing their personal data, in case of non-compliance with the provisions of the legislation of the Russian Federation or to apply to the court with such a request.

5.2. The subject of personal data is obliged to:

  • provide the Operator with only reliable data about himself/herself, as well as provide documents containing personal data to the extent necessary for the purpose of processing;

  • inform the Operator about the clarification (update, change) of their personal data.

5.3. Processing of personal data for the purpose of promoting goods, works, services on the market by making direct contacts with a potential consumer using means of communication is carried out only with the prior consent of the subject of personal data.

5.4. The contract with the subject of personal data, on the basis of which the processing of his personal data will be carried out, may not contain the following provisions:

  • restricting the rights and freedoms of the subject of personal data;

  • establishing cases of processing of personal data of minors, unless otherwise provided by the legislation of the Russian Federation;

  • allowing inaction of the subject of personal data as a condition of the conclusion of the contract.

5.5. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences with respect to the subject of personal data or otherwise affect his rights and legitimate interests, except in cases provided for by the legislation of the Russian Federation or with the written consent of the subject of personal data.

6. Legal grounds for processing personal data

6.1. The processing of personal data is carried out by the Operator in compliance with the principles and rules provided for by the legislation of the Russian Federation in the field of processing and protection of personal data with the consent of the personal data subject to the processing of his personal data, as well as in cases where the processing of personal data is necessary:

  • to achieve the goals stipulated by an international agreement of the Russian Federation or a law, to carry out and fulfill the functions, powers and duties assigned to the Company by the legislation of the Russian Federation;

  • in connection with the participation of a person in civil, administrative, judicial proceedings in arbitration courts;

  • for the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;

  • for the execution of an agreement to which the personal data subject is a party or beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be the beneficiary or guarantor;

  • to protect the life, health or other vital interests of the personal data subject, if obtaining the consent of the personal data subject is impossible;

  • to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated;

  • to carry out scientific, literary or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated;

  • processing of personal data is carried out for statistical or other research purposes, subject to mandatory depersonalization of personal data;

  • the processing of personal data which is subject to publication or mandatory disclosure in accordance with federal law is carried out.

6.2. The Operator processes PD in accordance with the legislation of the Russian Federation in the field of PD, guided by the following legal grounds:

  • federal laws and regulatory legal acts adopted on their basis regulating relations related to the Operator's activities, including, but not limited to:

The Labor Code of the Russian Federation;

The Tax Code of the Russian Federation;

The Civil Code of the Russian Federation;

The Code of Administrative Offences of the Russian Federation;

The Arbitration Procedural Code of the Russian Federation;

The Civil Procedure Code of the Russian Federation;

The Code of Administrative Procedure of the Russian Federation;

The Customs Code of the Eurasian Economic Union;

Federal Law No. 69-FZ dated 21.12.1994 "On Fire Safety";

Federal Law No. 81-FZ of 19.05.1995 "On State benefits to citizens with children";

Federal Law No. 181-FZ of 24.11.1995 "On Social Protection of Disabled Persons in the Russian Federation";

Federal Law No. 196-FZ of 10.12.1995 "On Road Safety";

Federal Law No. 27-FZ of 01.04.1996 "On Individual (Personalized) accounting in the compulsory pension Insurance system";

Federal Law No. 61-FZ of 31.05.1996 "On Defense";

Federal Law No. 31-FZ of 26.02.1997 "On Mobilization Training and Mobilization in the Russian Federation";

Federal Law No. 14-FZ dated 08.02.1998 "On Limited Liability Companies";

Federal Law No. 53-FZ of 28.03.1998 "On Military Duty and military service";

Federal Law No. 125-FZ of 24.07.1998 "On Compulsory Social Insurance against industrial accidents and occupational diseases";

Federal Law No. 165-FZ of 16.07.1999 "On the Basics of compulsory Social Insurance";

Federal Law No. 115-FZ dated 07.08.2001 "On Countering the Legalization (Laundering) of Proceeds from Crime and the Financing of terrorism";

Federal Law No. 129-FZ dated 08.08.2001 "On State Registration of Legal Entities and Individual Entrepreneurs";

Federal Law No. 167-FZ dated 15.12.2001 "On Compulsory Pension Insurance in the Russian Federation";

Federal Law No. 40-FZ of 25.04.2002 "On Compulsory Insurance of Civil Liability of Vehicle Owners";

Federal Law No. 115-FZ of 25.07.2002 "On the Legal Status of Foreign Citizens in the Russian Federation";

Federal Law No. 115-FZ of 25.07.2002 "On the Legal Status of Foreign Citizens in the Russian Federation";

Federal Law No. 126-FZ dated 07.07.2003 "On Communications";

Federal Law No. 38-FZ of 13.03.2006 "On Advertising";

Federal Law No. 109-FZ of 18.07.2006 "On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation";

Federal Law No. 149-FZ of 27.07.2006 "On Information, Information Technologies and Information Protection";

Federal Law No. 255-FZ of 29.12.2006 "On Compulsory Social Insurance in Case of Temporary disability and in connection with maternity";

Federal Law No. 229-FZ dated 02.10.2007 "On Enforcement Proceedings";

Federal Law No. 273-FZ dated 25.12.2008 "On Combating Corruption";

Federal Law No. 307-FZ of 30.12.2008 "On Auditing Activities";

Federal Law No. 311-FZ of 27.11.2010 "On Customs Regulation in the Russian Federation";

Federal Law No. 326-FZ of 29.11.2010 "On Compulsory Medical Insurance in the Russian Federation";

Federal Law No. 63-FZ dated 06.04.2011 "On Electronic Signature";

Federal Law No. 323-FZ of 21.11.2011 "On the Basics of Public Health protection in the Russian Federation";

Federal Law No. 402-FZ dated 06.12.2011 "On Accounting";

Federal Law No. 273-FZ of 29.12.2012 "On Education in the Russian Federation";

Federal Law No. 426-FZ of 12/28/2013 "On Special Assessment of working conditions";

Law of the Russian Federation No. 1032-1 of 19.04.1991 "On employment of the population in the Russian Federation";

Law of the Russian Federation No. 2300-1 of 07.02.1992 "On Consumer Rights Protection";

Law of the Russian Federation No. 2487-1 of 11.03.1992 "On Private detective and security activities in the Russian Federation";

Law of the Russian Federation No. 4015-1 of 27.11.1992 "On the organization of insurance business in the Russian Federation";

  • statutory (constituent) documents of the Operator;

  • contracts concluded between the Company and the subjects of personal data, as well as beneficiaries or guarantors for which the subjects of personal data are;

  • Powers of attorney issued by the Operator to personal data subjects;

  • consent of personal data subjects to the processing of personal data.

6.3. In compliance with the Policy, the head of the Operator adopted the "Regulation on the organization of processing and ensuring the security of personal data in LLC "Dr. Reddy's Laboratories", as well as other local acts of the Operator in the field of personal data processing and protection.


 

7. Principles of personal data processing by the Operator

7.1. In its activities, the Operator ensures compliance with the principles of personal data processing provided for by the legislation of the Russian Federation.

7.2. The processing of personal data in the Company is carried out on a legal and fair basis, and is limited to achieving specific, predetermined and legitimate goals.

7.3. Only personal data that meet the purposes of their processing are subject to processing.

7.4. When processing personal data in the Company, it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other.

7.5. The Operator ensures that the content and volume of the processed personal data correspond to the stated purposes of processing and, if necessary, takes measures to eliminate their redundancy in relation to the stated purposes of processing.

7.6. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured. The operator takes the necessary measures or ensures that they are taken to delete or clarify incomplete or inaccurate data.

7.7. The storage of personal data is carried out in a form that allows determining the subject of personal data for a period not longer than the purposes of personal data processing require, except in cases when the period of personal data storage is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor.

7.8. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by the legislation of the Russian Federation.

8. Purposes of personal data collection:

8.1. The processing of personal data in the Company is limited to achieving specific, predetermined and legitimate goals.

8.2. The Company processes general personal data for the following purposes:

1. conclusion of any contracts under which the PD subject is a party or beneficiary, and further fulfillment of obligations under the concluded contracts;

2. search and identification of persons potentially interested in cooperation, including by requesting information about the PD subject to make a decision on cooperation;

3. involvement and consideration of the PD subject, including through requests for additional information;

4. taking due diligence measures and verifying the reliability of PD subjects, including financial ones, by verifying the completeness and reliability of the information provided by PD subjects before the start of cooperation;

5. formation and maintenance of databases containing personal data of individuals interacting with the Operator;

6. inclusion in the database for possible cooperation with the Operator in the future;

7. conducting personnel work (including job succession planning) and organization of accounting of employees (employees) of the Operator;

8. regulation of labor and other directly related relations, including assistance in employment, training and promotion, ensuring the personal safety of employees (employees);

9. use of benefits, compensations and bonuses provided by the Operator, including those provided for by the legislation of the Russian Federation and local regulations of the Operator;

10. organization of business trips (including assistance in obtaining visas, invitations and travel tickets, hotel reservations) or reimbursement of expenses incurred for such trips;

11. assistance in the provision of transport services (including the provision of official vehicles);

12. registration of voluntary insurance (voluntary medical insurance, life and health insurance, etc.);

13. representation, including the execution of powers of attorney and assistance in the execution of powers of attorney;

14. ensuring the legitimate interests of the Operator, including maintaining internal order, protecting property and property;

15. compliance and enforcement of mandatory requirements of the legislation of the Russian Federation;

16. provision of an electronic signature;

17. issuance of communication facilities and provision of mobile communications;

18. carrying out business activities, including sending and receiving correspondence and other mail; translation of documents; production of business cards and other printed products; providing access to the Operator's IT resources, providing support in their use, monitoring and controlling the use of the Operator's IT resources;

19. communication and (or) receipt/provision of necessary information, including reception and processing of requests and appeals of PD subjects;

20. informing, including the implementation of the newsletter;

21. organization and conduct by the Operator of marketing research and other marketing activities, including promotions and loyalty programs, with the participation of PD subjects;

22. conducting surveys, interviews, webinars and other events with the participation of PD subjects;

23. giving out gifts and prizes for participation in marketing activities of the Operator;

24. providing PD subjects, including through newsletters, with information about the Operator's products, including advertising information;

25. investigation of the degree of satisfaction of the PD subject;

26. providing recommendations about the Operator's products;

27. collecting information about consumers of the Operator's products, in particular for marketing activities;

28. prevention and prevention of the spread of infectious diseases;

29. implementation of information disclosure and ensuring compliance with legal requirements when making management decisions;

30. placement of PD of subjects on publicly accessible resources, including official pages on social networks and Internet sites of the Operator and companies belonging to the same group of persons with the Operator, including through publication in print and (or) Internet publications, for information support or as illustrations to promote the brand of the Operator and companies, members of the same group of persons with the Operator, and increasing loyalty to the Operator's brand, as well as in cases provided for by law and local regulations of the Operator;

31. analytics of user actions on the Operator's website/ mobile application (including determining the user's location) and the operation of the Operator's website/ mobile application, as well as registration on the Operator's website/ mobile application;

32. implementation of other functions, powers and duties assigned to the Operator by the legislation of the Russian Federation and local regulations of the Operator;

33. organization of access to the Operator's territory;

34. organization and (or) conduct of scientific research, including clinical studies with the participation of PD subjects;

35. receipt (registration) and storage of PD and their carriers in accordance with the legislation of the Russian Federation and local regulations of the Operator for carrying out activities provided for by the Company's Charter.

8.3. Processing of personal data of a special category in the Company can be carried out for the following purposes:

1. taking due diligence measures and verifying the reliability of PD subjects, including financial ones, by checking the completeness and reliability of the information provided by PD subjects before the start of cooperation; - in cases directly provided for by the legislation of the Russian Federation;

2. formation and maintenance of databases containing personal data of individuals interacting with the Operator;

3. use of benefits, compensations and bonuses provided by the Operator, including those provided for by the legislation of the Russian Federation and local regulations of the Operator;

4. registration of voluntary insurance (voluntary medical insurance, life and health insurance, etc.);

5. ensuring the legitimate interests of the Operator;

6. compliance and enforcement of mandatory requirements of the legislation of the Russian Federation;

7. communication and (or) receipt/provision of necessary information, including reception and processing of requests and appeals of PD subjects;

8. prevention and prevention of the spread of infectious diseases;

9. placement of PD of subjects on publicly available resources, including official pages on social networks and Internet sites of the Operator and companies belonging to the same group of persons with the Operator, including through publication in print and (or) online publications, for information support or as illustrations to promote the brand of the Operator and companies, members of the same group of persons with the Operator, and increasing loyalty to the Operator's brand, as well as in cases provided for by law and local regulations of the Operator;

10. implementation of other functions, powers and duties assigned to the Operator by the legislation of the Russian Federation and local regulations of the Operator;

11. organization and (or) conduct of scientific research, including clinical studies with the participation of PD subjects;

12. receipt (registration) and storage of PD and their carriers in accordance with the legislation of the Russian Federation and local regulations of the Operator for carrying out activities provided for by the Company's Charter.


 

9. Categories of personal data subjects and categories of processed personal data

9.1. The Operator collects and further processes personal data of the following categories of personal data subjects:

Job applicants are applicants for a vacancy in the Company.

Employees are persons working in the Company.

Dismissed employees are persons who worked in the Company.

Relatives of employees are persons who are related or related to employees of the Company.

Individuals — representatives of legal entities, individual entrepreneurs — individuals who are employees of legal entities and individual entrepreneurs, as well as individual entrepreneurs who are in contractual relations with the Company.

Healthcare professionals are individuals who interact with the Company in the course of their professional activities or are in contractual relations with the Company.

Consumers of products and their legal representatives are individuals and their representatives who are buyers, end users of the Company's products.

Applicants for adverse events are individuals and their representatives who report an adverse symptom, complaint or illness that occurred after using the Company's products.

Patients and their legal representatives are individuals who participate in studies to evaluate the effectiveness and safety of a drug, organized/sponsored by the Company. 

Referrers are individuals whose PD was reported by the applicant to the Company in order to receive recommendations.

Users /visitors of the Internet site - individuals who visit and (or) use the Company's Internet sites.

Interested persons are individuals who do not belong to another category of PD subjects, but with whom the PD operator can interact if such persons are:

senders of appeals to the PD operator;

are participants in lawsuits and enforcement proceedings in which the PD operator is involved;

are participants or eyewitnesses of a traffic accident in which a vehicle belonging to the PD operator was involved.

9.2. The Operator processes personal data of personal data subjects in accordance with the purposes specified in Appendix No. 1 to this Policy "Categories of personal data subjects, purposes of processing and volume of processed personal data".

9.3. A detailed list of processed personal data of personal data subjects in the Company is specified in Appendix No. 2 to this Policy.

10. Procedure and conditions of personal data processing

10.1. Personal data processing is carried out by the Operator subject to obtaining the consent of the subject of personal data, except for cases established by the legislation of the Russian Federation when personal data processing can be carried out without such consent.

10.2. The subject of personal data decides on the provision of his personal data and gives consent freely, of his own free will and in his own interest.

10.3. Consent is given in any form that allows you to confirm the fact of its receipt. In cases provided for by the legislation of the Russian Federation, the consent is issued in writing.

10.4. Consent may be withdrawn by written notification sent to the Operator by mail.

10.5. The subject of personal data, giving consent to the processing of his personal data, must be informed about the purposes of their processing.

10.6. The purposes of processing must be included in the consent form of the personal data subject.

10.7. The processing of personal data by the Operator is carried out in the following ways:

  • non-automated processing of personal data;

  • automated processing of personal data with or without transmission of the received information via information and telecommunication networks;

  • mixed processing of personal data.

10.8. The Operator does not make decisions that constitute legal consequences for personal data subjects or otherwise affect their rights and legitimate interests based solely on automated processing of their personal data.

10.9. Processing of personal data by the Operator includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), cross-border transfer, blocking, deletion, destruction of personal data.

10.10. The Operator has the right to transfer personal data to the bodies of inquiry and investigation, other authorized bodies on the grounds provided for by the current legislation of the Russian Federation.

10.11. In cases where it is necessary to interact with third parties in order to achieve the goals of personal data processing, the Operator has the right to transfer personal data to authorized third parties in order to achieve the goals of processing.

10.12.The Operator makes a cross-border transfer of personal data (to the territory of a foreign state to a foreign individual or a foreign legal entity) to affiliated third parties belonging to the Dr. Reddy’s Laboratories Group of Companies, including those located on the territory of foreign states that do not provide an adequate level of protection of the rights of personal data subjects, in accordance with Article 12 of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data", namely: Republic of India, Republic of Kazakhstan, Republic of Kazakhstan, Republic of Belarus, Republic of Uzbekistan, Kingdom of Spain, United Kingdom of Great Britain and Northern Ireland, Federal Republic of Germany, Republic of Turkey. 

10.13. The Operator creates publicly available sources of personal data of the Operator (directories, address books). Personal data reported by the subject is included in such sources only with the written consent of the subject of personal data or on the basis of the requirements of the current legislation of the Russian Federation.

10.14. The Operator processes the personal data of the personal data subjects authorized for distribution on the basis of the separately obtained consent of the personal data subject to the processing of such personal data. The operator provides the subject of personal data with the opportunity to determine the list of personal data for each category of personal data specified in the consent to the processing of personal data authorized by the subject of personal data for distribution.

10.15.The Operator has established the following conditions for termination of personal data processing:

  • achievement of personal data processing goals and maximum retention periods;

  • loss of the need to achieve the goals of personal data processing;

  • provision by the subject of personal data or his legal representative of information confirming that personal data is illegally obtained or is not necessary for the stated purpose of processing;

  • inability to ensure the legality of the processing of personal data;

  • revocation by the subject of personal data of consent to the processing of personal data, if the storage of personal data is no longer required for the purposes of personal data processing;

  • the expiration of the limitation period for legal relations within which personal data is being processed or has been processed.

10.16. When storing personal data, the Operator uses personal data databases located on the territory of the Russian Federation.

11. Measures for the proper organization of processing and ensuring the security of personal data

11.1. When processing personal data, the Operator takes all necessary legal, organizational and technical measures to protect them from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to them. Ensuring the security of personal data is achieved, in particular, in the following ways:

appointment of a responsible person for the organization of personal data processing;

  • implementation of internal control and/or audit of compliance of personal data processing with Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" and regulatory legal acts adopted in accordance with it, requirements for personal data protection, local acts of the Operator;

  • familiarization of the Operator's employees directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, local acts regarding the processing of personal data and (or) training of these employees;

  • identification of threats to the security of personal data during their processing in personal data information systems;

  • application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for the protection of personal data;

  • assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;

  • assessment of the harm that may be caused to personal data subjects in case of violation of the legislation of the Russian Federation in the field of personal data, the ratio of this harm and the measures taken by the Operator aimed at ensuring the fulfillment of obligations provided for by the legislation of the Russian Federation in the field of personal data;

  • taking into account machine-based personal data carriers;

  • restriction of the composition of persons who have access to personal data;

  • identifying the facts of unauthorized access to personal data and taking appropriate measures;

  • recovery of personal data modified or destroyed due to unauthorized access to them;

  • establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;

  • organization of access control to the Operator's territory, protection of premises with technical means of personal data processing;

  • control over the measures taken to ensure the security of personal data and the level of security of personal data information systems;

  • provision of unrestricted access to the document defining the policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data, including the publication of this Policy on the website.

11.2. The duties of the Operator's employees who process and protect personal data, as well as their responsibilities, are defined in the "Regulations on the organization of processing and on ensuring the security of personal data" of the Operator.


 

12. The person responsible for organizing the processing of personal data (DPO)

12.1. The rights, obligations and legal responsibility of the person responsible for the organization of personal data processing are established by Federal Law No. 152-FZ of 27.07.2006 "On personal Data" and "Regulations on the organization of processing and on ensuring the security of personal data".

12.2. The appointment of the person responsible for organizing the processing of personal data and the release from these duties is carried out by order of the General Director of the Operator. When appointing a person responsible for organizing the processing of personal data, the powers, competencies and personal qualities of an official are taken into account, designed to allow him to properly and fully exercise his rights and fulfill the duties provided for in the "Regulations on the organization of processing and on ensuring the security of personal data".

12.3. The person responsible for the organization of personal data processing:

organizes the implementation of internal control over the compliance of the Operator and its employees with the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data;

brings to the attention of the Operator's employees the provisions of the legislation of the Russian Federation on personal data, local acts on the processing of personal data, requirements for the protection of personal data, or ensures that;

exercises control over the reception and processing of requests and requests from personal data subjects or their representatives.

12.4. Contact details of the person responsible for the organization of personal data processing:

 + 7985 710 58 69, e-mail: [email protected] 

Russian Federation; 115035; Moscow, Ovchinnikovskaya nab., 20 bld.1


 

13. Updating, correction, deletion and destruction of personal data, responses to requests of subjects for access to personal data

13.1. In case of confirmation of the fact of inaccuracy of personal data or illegality of their processing, personal data are subject to their updating by the Operator, or their processing must be terminated accordingly.

13.2. The fact of inaccuracy of personal data or the illegality of their processing may be established either by the subject of personal data or by the competent state bodies of the Russian Federation.

13.3. At the written request of the personal data subject or his representative, the Operator is obliged to provide information about the processing of the personal data of the specified subject carried out by him.

13.4. The request must contain:

  • the number of the main identity document of the personal data subject and his representative;

  • information about the date of issue of the specified document and the issuing authority;

  • information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;

  • signature of the personal data subject or his representative.

13.5. The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

13.6. If the request of the subject of personal data does not reflect all the necessary information or the subject does not have access rights to the requested information, then a reasoned refusal is sent to him.

13.7. In accordance with the procedure provided for in clause 12.3, the personal data subject has the right to require the Operator to clarify his personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.

13.8. Upon achieving the purposes of personal data processing, as well as in the case of withdrawal of consent by the subject of personal data, personal data is subject to destruction if:

  • nothing else is provided for in the contract to which the personal data subject is a party, beneficiary or guarantor;

  • the operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws;

  • nothing else is provided for by another agreement between the Operator and the subject of personal data.


 

14. Responsibility

14.1. Persons guilty of violating the norms governing the processing and protection of personal data are liable under the legislation of the Russian Federation, local acts of the Operator and contracts regulating the legal relations of the Operator with third parties.

14.2. A person who has provided the Operator with false information about himself or herself, or information about another personal data subject without the latter's consent, is liable in accordance with the legislation of the Russian Federation.


 

15. Access to the Policy

15.1. The current version of the Policy on paper is stored at the address: Russian Federation, 115035, Moscow, Ovchinnikovskaya nab., 20, p. 1.

15.2. The electronic version of the current version of the Policy (in Russian) is publicly available on the Operator's website on the Internet at: https://www.drreddys.com/russia /.

16. Amendments

16.1. The Policy is approved and put into effect by the Operator's CEO.

16.2. The Operator has the right to make changes to the Policy and its appendices specified in section 16 of this Policy. When making changes, the date of approval of the current version of the Policy is indicated in the Policy header.

16.3. The Policy is reviewed on a regular basis — once a year since the previous revision of the Policy. The Policy is re-approved if changes are made to the Policy based on the results of the review.

16.4. The Policy may be revised and re-approved earlier than the deadline specified above, as changes are made:

  • to regulatory legal acts in the field of personal data;

  • in the local regulatory and individual acts of the Operator regulating the organization of processing and ensuring the security of personal data.

16.5. All relations concerning the processing of personal data that are not reflected in this Policy are regulated in accordance with the provisions of the legislation of the Russian Federation.


 

17. Appendices (In Russian) 

17.1. Appendix No. 1. Categories of personal data subjects, purposes of processing and volume of processed personal data.

17.2. Appendix No. 2. List of processed personal data.

17.3. Appendix No. 3. Request form of the subject (representative of the subject) of personal data for access, clarification, blocking or destruction of personal data.

Try: