Protection of information and personal data

1. Definitions

1.1. Provision – the present “Provision on personal data protection in AO BAYER”.
1.2. Directive/Corporate Directive – Directive of the Bayer Group “Protection of information and personal data in the Bayer Group”.
1.3. Law/Federal Law – Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.
1.4. Personal data – any information relating to a directly or indirectly identified or identifiable individual (the subject of personal data).
1.5. Operator – a state body, municipal body, legal entity or private individual, independently or jointly with other persons organizing and/or processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations), performed with personal data. Under the Directive, the operator is AO BAYER.
1.6. Personal data processing – any action (operation) or a set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
1.7. Automated processing of personal data – processing of personal data using computer equipment.
1.8. Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.
1.9. Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons.
1.10. Blocking of personal data – temporary suspension of the processing of personal data (except where processing is necessary to clarify the personal data).
1.11. Destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and/or as a result of which the material carriers of personal data are destroyed.
1.12. Depersonalization of personal data – actions that make it impossible, without the use of additional information, to attribute personal data to a specific subject of the personal data.
1.13. Personal Data Information System – the set of personal data contained in databases, together with the information technologies and technical means that process them.
1.14. Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state, a foreign state authority, a foreign individual or a foreign legal entity.
1.15. Special categories of personal data – personal data relating to race, nationality, political views, religious or philosophical beliefs, state of health and private life; under this Provision, membership in trade unions is also treated as a special category (see clause 2.5).
1.16. Biometric personal data – information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established.
1.17. Publicly accessible sources of personal data – sources of personal data accessible to the public, in which personal data communicated by the subject of the personal data may be included with that subject’s written consent.
1.18. Person responsible for organizing the processing of personal data – a private individual or legal entity appointed by AO BAYER as responsible for organizing the processing of personal data.
1.19. Initiator department – a department of the Operator that makes decisions about the processing of personal data and organizes the processing of personal data within the department.

2. General principles for the processing of personal data

2.1. Data Processing Restrictions
The processing of personal data is permitted only with the consent of the Subject of the Personal Data, or if such processing is permitted by applicable law at the place of processing the information without the subject’s consent.
Consent must be obtained in any form that makes it possible to confirm the fact that it was obtained, unless otherwise provided by Federal Law.

In accordance with Federal Law, the written form of consent of the subject of personal data should include, in particular:

  1. surname, given name, patronymic, address of the subject of personal data, number of the main document proving his identity, information on the date of issue of the specified document and issuing authority;
  2. upon receipt of consent from the representative of the subject of the personal data: last name, first name, patronymic, address of the representative of the subject of personal data, the number of the main document proving his identity, information on the date of issue of the said document and issuing authority, details of the power of attorney or other document confirming the authority of this representative;
  3. name or surname, given name, patronymic and address of the operator who obtained the consent of the subject of the personal data;
  4. purpose of processing the personal data;
  5. a list of personal data for the processing of which the consent of the subject of the personal data is given;
  6. name or surname, given name, patronymic and address of the person processing the personal data on behalf of the operator, if processing will be entrusted to such a person;
  7. the list of actions with the personal data for which consent is given, a general description of the methods used by the operator for the processing of the personal data;
  8. the period for which the consent of the subject of the personal data is valid, as well as the method of its withdrawal, unless otherwise provided by Federal Law;
  9. signature of the subject of personal data.

Consent in the form of an electronic document signed with an electronic signature in accordance with Federal Law is recognized as equivalent to written consent on paper.

Consent to the processing of personal data may be withdrawn by the subject of the personal data. If the subject of the personal data withdraws consent, the operator is entitled to continue processing the personal data without the subject’s consent only if there are grounds provided for by law for doing so. The decision as to whether such grounds exist for continuing the processing after the withdrawal of consent is taken by the legal department of AO BAYER responsible for organizing the processing of personal data.

If AO BAYER obtains personal data from a source other than the subject of the personal data, the initiator department must provide the following information to the subject of the personal data before processing such personal data:

  1. the name and address of AO BAYER or the surname, first name and patronymic of its representative;
  2. the purpose of processing the personal data and its legal basis;
  3. intended users of the personal data;
  4. the rights of the subject of the personal data established by Federal Law;
  5. the source of the personal data.

In accordance with Federal Law, AO BAYER is released from the obligation to provide the subject of personal data with the above information, in particular, in the following cases:

  • the subject of the personal data is notified of the processing of his personal data by AO BAYER;
  • the personal data were obtained by AO BAYER on the basis of Federal Law or in connection with the execution of a contract to which the subject of the personal data is a party, beneficiary or guarantor;
  • personal data made publicly accessible by the subject of the personal data or obtained from a publicly available source;
  • the provision to the subject of the personal data of the above information violates the rights and legitimate interests of third parties.

Receipt of personal data from a source other than the subject of the personal data must be agreed in advance by the head of the initiator department with the person responsible for organizing the processing of personal data and with the legal department of AO BAYER.

2.2. The purpose of personal data collection

The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. When giving consent to the processing of their personal data, the subject of the personal data must be informed of the purposes of that processing, and those purposes must be stated in the consent form. Processing of personal data that is unrelated to the purposes for which they were collected is not allowed.

Merging databases containing personal data that are processed for purposes incompatible with each other is not allowed.

Only personal data that meet the purposes of their processing are subject to processing.

When data are received from a third party or from another division of the Bayer Group or of AO BAYER, the recipient must take the intended purpose of the data into account during further processing and storage. The purpose of processing personal data may be changed only if the subject of the personal data consents to the change or the change is permitted by the local legislation of the country from which the personal data were obtained.

2.3. The principle of minimum sufficiency of processed data
According to the requirements of the Federal Legislation of the Russian Federation and the Corporate Directive, personal data can be processed only if necessary. Their content and volume should correspond to the declared purposes of processing, and the volume should not be excessive in relation to the declared purposes. If the de-identification of data is possible, appropriate measures should be taken at the earliest stages (for example: carrying out a risk analysis of the project or at the stage of negotiation and verification of the contract). This rule applies in particular to the personal data of the subjects and patients when conducting clinical trials.

2.4. Principle of relevance and accuracy of data
When processing personal data, the accuracy of the personal data must be ensured, its adequacy and, if necessary, its relevance to the purposes of personal data processing. If necessary, the removal or clarification of incomplete or inaccurate data is ensured.

2.5. Collection and processing of biometric and personal data of special categories
Applying the rule that the more stringent restriction prevails, AO BAYER adds information on membership in trade unions to the list of special categories of personal data defined by the legislation of the Russian Federation.

The processing of special categories of personal data is prohibited, except in the following cases, among others:

  • the subject of the personal data has agreed in writing to the processing of his personal data in compliance with the requirements of the applicable law;
  • the personal data is made publicly accessible by the subject of the personal data;
  • the processing of personal data is necessary to protect the life, health or other vital interests of the subject of the personal data or the life, health or other vital interests of other persons and obtaining the consent of the subject of the personal data is impossible;
  • the personal data is processed for medical and preventive purposes, in order to establish a medical diagnosis, to provide medical and medical social services, provided that the personal data is processed by a person professionally engaged in medical activities and obliged to keep medical secrecy in accordance with the legislation of the Russian Federation.

The processing of personal data of special categories should be immediately terminated if the reasons for processing have been eliminated, unless otherwise provided by Federal Law.

Processing of biometric personal data can be carried out only with the written consent of the subject of the personal data.

The processing of biometric and personal data of special categories can be carried out only after agreement with the person responsible for organizing the processing of personal data of AO BAYER, the legal department and the information security manager of the company and/or the head of the Information Technology Department. This processing entails the adoption of special protection measures in accordance with the requirements of Federal Legislation and corporate policy (for example, the use of dedicated communication channels or the installation of encryption tools, restrictions on physical access, etc.).

2.6. Terms for processing personal data
Personal data shall be stored in a form that allows the subject of the personal data to be identified for no longer than the purposes of processing require, unless a different period is established by the legislation of the Russian Federation or by a contract to which the subject of the personal data is a party, beneficiary or guarantor.

The processed personal data shall be destroyed or depersonalized upon the achievement of the processing objectives or in case there is no longer a need for such processing, unless otherwise provided by the legislation of the Russian Federation.

2.7. Transfer, cross-border transfer of personal data
Transfer (distribution, provision, access) of personal data is possible only in cases stipulated by the current legislation of the Russian Federation.

Cross-border transfer of personal data to the territory of foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as to other foreign states that provide adequate protection of the rights of personal data subjects, is carried out in accordance with the current legislation of the Russian Federation.

Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:

  • with written consent of the subject of the personal data on the cross-border transfer of his personal data;
  • for fulfillment of a contract to which the subject of the personal data is a party.

Any transfer of personal data is possible only if clause 2.1 of this Provision is also complied with and the transfer does not contravene the requirements of the Corporate Directive.

2.8. Making decisions that generate legal consequences for the subjects of the personal data, based on automated processing of the personal data
Making decisions based solely on automated processing of personal data, which generate legal consequences in relation to the subject of the personal data or otherwise affect his rights and legitimate interests, is prohibited, except in cases where:

  • consent in writing of the subject of personal data is available to make a decision based on automated data processing;
  • it is covered by Federal Laws, which also establish measures to ensure the observance of the rights and legitimate interests of the subject of the personal data.

The operator is obliged to explain to the subject of the personal data the procedure for making a decision on the basis of exclusively automated processing of his personal data and possible legal consequences of such a decision, and to provide an opportunity to state an objection to such a decision, and to clarify the procedure for the protection by the subject of his rights and legitimate interests.

The operator is obliged to consider the objection within thirty days from the date of its receipt and notify the subject of the results of consideration of such objection.

2.9. Protection of personal data
The initiator of personal data processing must implement appropriate technical and organizational measures to ensure an adequate level of data protection. This requirement is most relevant to computer equipment (servers and workstations), networks and communication channels, as well as applications; measures should be implemented as part of the Bayer information security management system. Mandatory measures to prevent unauthorized processing of personal data, among other things, include controls of:

  • physical access to data processing systems;
  • logical access to data processing systems;
  • logical access to data processing applications;
  • data entry in data processing systems;
  • transmission of data over communication channels.

In addition, appropriate measures should be taken to protect data from accidental or unauthorized deletion or loss. These measures are fully described in the Information Security Directive implemented in AO BAYER.

Development and implementation of new local information systems, solutions and databases containing personal data must be coordinated with the information security manager responsible for the processing of personal data and with the legal department of AO BAYER as early as possible (for example, when carrying out the project risk analysis or at the stage of negotiating and reviewing a contract).

2.10. Compliance with data privacy
Only authorized employees who have committed themselves to comply with the data privacy requirements may take part in the processing of personal data. It is forbidden to use such data for personal purposes or to disclose them to unauthorized persons. For the purposes of this Provision, “unauthorized persons” also include employees who do not need access to such data to perform their duties. The confidentiality obligations continue after termination of the employment contract.

2.11. Processing of personal data under contract
AO BAYER has the right to entrust the processing of personal data to another person, with the consent of the subject of the personal data unless otherwise provided by Federal Law, on the basis of an agreement concluded with that person. A person processing personal data on behalf of AO BAYER shall comply with the principles and rules for the processing of personal data provided for by the Law.

The operator’s instructions (the contract) must define:

  • the list of actions (operations) with the personal data that will be performed by the person performing the processing of personal data;
  • the purposes of processing;
  • the obligation of this person to respect the confidentiality of the personal data and to ensure their security during processing, the requirements for the protection of personal data in accordance with the Federal Law, and the liability for non-compliance with those requirements.

All orders (contracts) for the processing of personal data should be examined by the legal department of AO BAYER so as to comply with the requirements of the legislation on the processing of personal data.

AO BAYER retains control over the personal data processed on its behalf and is the contact entity for the subjects of the personal data.

3. Rights of the subject of personal data

3.1. The right to receive information
The subject of personal data has the right to receive information concerning the processing of his personal data, including that containing:

  • confirmation of the processing of personal data by AO BAYER;
  • the legal grounds and purposes for the processing of personal data;
  • the objectives and methods of personal data processing applied by the operator;
  • the name and location of the operator, information about persons (except for employees of AO BAYER) who have access to the personal data or to whom the personal data may be disclosed on the basis of an agreement with AO BAYER or on the basis of Federal Law;
  • processed personal data relating to the relevant subject of the personal data, the source of their receipt, unless a different procedure for submitting such data is provided for by Federal Law;
  • the terms of processing the personal data, including the periods of their storage;
  • the procedure for the implementation by a subject of personal data of rights stipulated in Federal Law;
  • information on completed or intended cross-border data transfer;
  • name or surname, name, patronymic and address of the person processing personal data on behalf of the operator, if processing is or will be entrusted to such a person;
  • other information provided for by Federal Law No. 152-FZ or other Federal laws.

The information is provided to the subject of the personal data or to his representative upon his request or application to the Operator, or in other cases stipulated by Law.
The request must contain:

  • the number of the main document certifying the identity of the subject of the personal data or his representative, information about the date of issue of the specified document and the issuing authority;
  • information confirming the subject’s relationship with the operator (contract number, date of conclusion of the contract, a short description of its subject matter and/or other information), or information otherwise confirming the processing of personal data by AO BAYER;
  • the signature of the subject of the personal data or his representative.

The subject of the personal data has the right to re-apply to AO BAYER or to send a repeated request no earlier than thirty days after the initial application or initial request, unless a shorter period is established by the Law or by a contract to which the subject of the personal data is a party, beneficiary or guarantor. AO BAYER has the right to give a reasoned refusal of a repeated request that does not meet the conditions of the Law.

The right of the subject of the personal data to receive information relating to the processing of his personal data is limited to the cases stipulated in part 8 of Article 14 of the Law.

3.2. The right to require clarification or correction of data
The subject of the personal data has the right to require the operator to clarify his personal data, to block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing.

3.3. Denial of the right of notice or data correction
The right of the subject of personal data to receive information relating to the processing of his personal data is limited to the cases stipulated by part 8 of Article 14 of Federal Law No. 152-FZ, in particular where the subject’s access to his personal data would violate the rights and legitimate interests of third parties.

If the submission of information or making changes to it at the request of the data subject is denied, the subject is notified of the reasons for the refusal.

3.4. Procedure for obtaining information by the subjects of personal data
In order to comply with the rights of personal data subjects as stipulated by Law, AO BAYER has organized the receipt of:

  • written requests and requirements, electronic requests and requirements;
  • personal requests of subjects of the personal data to the person responsible for organizing its processing.

3.5. Data destruction
If the subject of the personal data provides evidence that the purpose of processing has been achieved, is unlawful or no longer applies, the relevant personal data are destroyed (unless the law provides otherwise).
The destruction of personal data or media containing personal data is carried out in accordance with the procedure adopted by AO BAYER, by persons authorized to do so.

3.6. Right to appeal
The subject of the personal data has the right to appeal against the actions or inaction of the operator in accordance with Federal Law.

4. The person responsible for organizing the processing of personal data by AO BAYER

The operator designates the person responsible for organizing the processing of personal data. The surname, given name and patronymic of the individual or the name of the legal entity responsible for organizing the processing of personal data, their contact telephone numbers, postal addresses and e-mail addresses are sent by AO BAYER to the authorized body for the protection of subjects of personal data.

Subdivisions and employees of AO BAYER, in accordance with the Federal Law, are obliged to provide the person responsible for organizing the processing of personal data with the following information:

  • name (surname, given name, patronymic), address of the operator;
  • purpose of processing the personal data;
  • personal data categories;
  • categories of subjects whose personal data are processed;
  • legal grounds for the processing of personal data;
  • the list of actions with personal data, and a general description of the methods used by the operator for the processing of personal data;
  • a description of the measures stipulated by Articles 18.1 and 19 of the Federal Law, including information on the availability of encryption (cryptographic) means;
  • start date for the processing of personal data;
  • the term and conditions for stopping the processing of personal data;
  • information on the presence or absence of a cross-border transfer of personal data in the course of their processing;
  • information about the security of personal data in accordance with the requirements for the protection of personal data established by the Directive and by the Government of the Russian Federation;
  • other information necessary for organizing the processing of personal data, if its transfer does not contravene the requirements of the Federal Law and the Directive.

The person responsible for organizing the processing of personal data must, in particular:

  • exercise internal control over the compliance of the operator and his employees with the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data;
  • bring to the notice of the operator’s employees the provisions of the Russian Federation legislation on personal data, local acts on the processing of personal data, and requirements for the security of personal data;
  • organize the receipt and processing of requests and enquiries from personal data subjects or their representatives. Receipt and processing of such requests and enquiries by other employees is not allowed; if approached, company employees must inform the subjects and their representatives of the channels the company provides for handling personal data requests (clause 7.4 of the Regulations).

In accordance with Group policy, the corporation has appointed a Corporate Data Protection Officer and established local data protection representatives, to whom the rights and obligations under the Group Directive apply.

Where regional data protection officers also perform the duties of the person responsible for data protection in a legal entity, they work closely with the Corporate Data Protection Officer but are not bound by the Officer’s instructions.

5. Requests, claims and corrective actions

In the event of:

  • identification of unlawful processing of personal data by the operator or by a person acting on the operator’s instructions;
  • identification of inaccurate personal data;
  • achievement of the purposes of processing;
  • withdrawal of consent to processing by the subject of the personal data,

AO BAYER is obliged to take the measures required by the Law, including blocking, updating or deleting the data, within the time limits stipulated by Federal Law, unless otherwise stipulated by the legislation of the Russian Federation.

In accordance with the legislation of the Russian Federation on the protection of personal data, you have the right to receive information about the processing of your personal data, and to send a request or demands to the following addresses:

  • For electronic requests: pdff51f8e2f0d242dfaedb4ede3828dda0.bayru@cecd668cc2114087b12bafd0f0eddc63bayer.com
  • To contact the personal data protection officer write to: 107113, Moscow, Sokolnicheskiy Val, d. 24, korp. 3, a/ya 19