POLICY FOR THE PROCESSING
OF PERSONAL DATA
Contents
- Information about the personal data operator — p.1
- General provisions — p.1
- Purposes of collecting personal data — p.3
- Legal grounds for processing personal data — p.4
- Categories of personal data subjects — p.4
- Conditions for processing personal data — p.6
- Biometric personal data — p.8
- Updating, correction, deletion of personal data — p.8
- Procedure for processing personal data — p.9
- Transfer of personal data — p.10
- Security measures for processing personal data — p.10
Name | TO BE SPECIFIED |
INN | 7842145923 |
OGRN | 1177847416757 |
Location | 191014, St. Petersburg, Municipal District Liteyny District, Artilleriyskaya St., 1 lit. A, room 26-N, office 444 |
Postal address | 127051, Moscow, 1st Kolobovsky Lane, 13 bldg. 1 |
Operator’s website | |
Page with the personal data processing policy | |
Page with the consent text for personal data processing | |
Email address for inquiries from data subjects |
2. General provisions
2.1. This Policy of the Operator regarding the processing of personal data (hereinafter — the Policy) is developed to ensure the protection of the rights and freedoms of the personal data subject during the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.
2.2. Basic concepts used in the Policy:
2.2.1. Law — Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.
2.2.2. Personal data — any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
2.2.3. Processing of personal data — any action (operation) or set of actions (operations) performed with personal data with or without the use of automation tools. Processing of personal data includes, among other things: collection; recording; systematization; accumulation; storage; clarification (updating, modification); extraction; use; transfer (distribution, provision, access); anonymization; blocking; deletion; destruction.
2.2.4. Automated processing of personal data — processing of personal data using computing equipment;
2.2.5. Distribution of personal data — actions aimed at disclosing personal data to an indefinite circle of persons;
2.2.6. Provision of personal data — actions aimed at disclosing personal data to a specific person or a specific circle of persons;
2.2.7. Blocking of personal data — temporary suspension of personal data processing (except where processing is necessary to clarify personal data);
2.2.8. Destruction of personal data — actions resulting in the impossibility to restore the content of personal data in the personal data information system and/or actions resulting in the destruction of physical carriers of personal data;
2.2.9. Anonymization of personal data — actions resulting in the impossibility to determine, without the use of additional information, whether personal data belong to a specific personal data subject.
2.3. The Operator must maintain the confidentiality of personal data — not disclose to third parties or distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.
2.4. The personal data subject has the right to obtain information regarding the processing of their personal data, including:
2.4.1. confirmation of the fact of processing of personal data by the Operator;
2.4.2. legal grounds and purposes of personal data processing;
2.4.3. purposes and methods of personal data processing used by the Operator;
2.4.4. name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed under an agreement with the Operator or under federal law;
2.4.5. processed personal data relating to the respective personal data subject, source of their receipt, unless another procedure for providing such data is provided by federal law;
2.4.6. terms of processing of personal data, including storage periods;
2.4.7. the procedure for exercising by the personal data subject the rights provided by the Federal Law;
2.4.8. information about the performed or intended cross-border data transfer;
2.4.9. name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator if the processing is entrusted or will be entrusted to such a person;
2.4.10. other information provided by the Federal Law “On Personal Data” or other federal laws.
2.5. The personal data subject has the right to demand from the Operator the clarification of their personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained or are unnecessary for the declared purpose of processing, as well as to take legal measures to protect their rights.
2.6. The personal data subject has the right to protect their rights and legitimate interests, including compensation for damages and/or moral harm in court.
2.7. The personal data Operator has the right to:
2.7.1. defend its interests in court;
2.7.2. provide personal data of subjects to third parties if provided by current legislation (tax, law enforcement agencies, etc.);
2.7.3. refuse to provide personal data in cases provided for by law;
2.7.4. use the personal data of the subject without their consent in cases provided by law.
2.8. When collecting personal data, the Operator must provide the personal data subject upon their request with the information stipulated by part 7 of Article 14 of the Federal Law “On Personal Data”.
2.9. When collecting personal data, including via the Internet, the Operator must ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
2.10. The procedure and conditions for processing certain categories of personal data from personal data information systems may also be established in the relevant regulations governing such information systems.
2.10.1. The Policy is mandatory for all employees of the Operator who have access to information containing personal data, as well as for persons working with the Operator’s information under concluded contracts and agreements.
2.10.2. Access to processed personal data is allowed only for authorized employees of the Operator, as well as third parties engaged by the Operator under the relevant agreement.
2.11. The Operator may amend this Policy at any time at its discretion.
2.12. The procedure and conditions for processing personal data are established by this Policy and the Consent to the processing of personal data.
3. Purposes of collecting personal data
3.1. The processing of personal data is limited to achieving specific, pre-defined, and lawful purposes. Processing of personal data incompatible with the purposes of collecting personal data is not permitted.
3.2. The purposes of processing personal data arise, among other things, from an analysis of legal acts regulating the Operator’s activities, the purposes of activities actually carried out by the Operator, as well as activities provided for in the Operator’s founding documents, and specific business processes of the Operator in specific personal data information systems (by the Operator’s structural divisions and their procedures in relation to certain categories of personal data subjects).
3.3. The purposes of processing personal data by the Operator include:
№ | ISPDn | Purpose of processing |
1 | Employees of the Operator, former employees, job candidates, as well as relatives of employees. For this category of subjects, the Operator processes personal data in connection with the implementation of labor relations. | Preparation, conclusion and execution of an employment contract, including: - preparation for conclusion of employment contracts, recruitment (candidates) for vacant positions, conducting interviews; - conclusion and execution of the contract, correspondence exchange; - payment of remuneration and other payments under the contract and law; - organization of HR records management, HR paperwork, assistance with employment; - accounting and tax accounting, compliance with tax legislation requirements for calculating and paying personal income tax, contributions to extra-budgetary funds, filling out statistical documentation in accordance with the law; - protection of the rights of the parties to the contract and compliance with regulatory legal acts. |
2 | Contractors of the Operator (individuals and representatives of legal entities). For this category of subjects, the Operator processes personal data obtained in connection with the conclusion of an agreement to which the personal data subject is a party and used by the Operator to fulfill that agreement. | Preparation, conclusion, and execution of a civil contract, including: conclusion of the contract, correspondence exchange, execution of the contract, payment of remuneration and other payments, transfer of data and/or assignment of processing to third parties to fulfill obligations under the contract, accounting and tax accounting, protection of the rights of the parties to the contract, compliance with regulatory legal acts. |
3 | Clients of the Operator (individuals and representatives of legal entities). For this category of subjects, the Operator processes personal data obtained in connection with the conclusion of an agreement with the Operator. | Preparation, conclusion and execution of an agreement with the Operator, including: booking of goods / works / services, sending feedback, participation in a loyalty program, sending notifications and exchanging correspondence (advertising and marketing mailings), protection of the rights of the parties to the agreement, compliance with regulatory legal acts. |
4 | Website visitors. For this category of subjects, the Operator processes personal data obtained by the Operator in connection with the subject visiting the Operator’s website. | Analysis of user activity on the Operator’s website. |
4. Legal grounds for processing personal data
4.1. The set of legal acts under which and in accordance with which the Operator processes personal data includes: the Constitution of the Russian Federation; the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, federal laws and regulatory legal acts adopted on their basis governing relations related to the activities of the Operator; the Operator’s founding (corporate) documents.
4.2. The legal grounds for processing personal data are:
4.2.1. Conclusion and execution of a contract (paragraph 5 part 1 Article 6 of Federal Law 152-FZ);
4.2.2. Consent to the processing of personal data (paragraph 1 part 1 Article 6 of Federal Law 152-FZ);
4.2.3. Fulfillment of the Operator’s legal obligations (paragraph 2 part 1 Article 6 of Federal Law 152-FZ);
4.2.4. Exercise of the Operator’s rights and legitimate interests (paragraph 7 part 1 Article 6 of Federal Law 152-FZ).
5. Categories of personal data subjects
5.1. The content and scope of processed personal data must correspond to the declared purposes of processing. Processed personal data must not be excessive in relation to the declared purposes of their processing.
5.2. Processing of personal data is permitted in the following cases:
5.2.1. Processing of personal data is carried out with the consent of the personal data subject;
5.2.2. Processing of personal data is necessary to fulfill an agreement to which the personal data subject is a party, beneficiary, or guarantor, as well as to conclude an agreement at the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor;
5.2.3. Processing of personal data is necessary for the exercise of the rights and legitimate interests of the Operator or third parties;
5.2.4. Processing of personal data is carried out when the data are subject to publication or mandatory disclosure in accordance with federal law.
5.3. The categories of personal data subjects include:
No. | ISPDn | Personal Data | Processing Procedure |
1 | Employees of the Operator, former employees, candidates for vacant positions, as well as relatives of employees. For this category, the Operator processes personal data in connection with the implementation of labor relations. | General personal data: last name, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; social status; property status; income; gender; email address; residential address; registration address; phone number; SNILS (individual insurance account number); TIN (taxpayer identification number); citizenship; identity document details; bank card details; bank account number; profession; position; information about employment (including work experience, current employment data indicating the name and account number of the organization); military status, information on military registration; education details. | Mixed; with transmission over the Internet. Processing is performed in mixed form: non-automated on physical media (personal employee files) and automated on electronic media (computers with Internet access). |
2 | Counterparties of the Operator (individuals and representatives of legal entities). For this category, the Operator processes personal data received in connection with the conclusion of a contract to which the personal data subject is a party, and used by the Operator to fulfill the said contract. | General personal data: last name, first name, patronymic; email address; residential address; registration address; phone number; SNILS; TIN; identity document details; bank account number. | Automated in electronic form; with transmission over the Internet. |
3 | Clients of the Operator (individuals and representatives of legal entities). For this category, the Operator processes personal data received in connection with the conclusion of a contract with the Operator. | General personal data: last name, first name, patronymic; year of birth; month of birth; date of birth; email address; phone number; cookies. | Automated in electronic form; with transmission over the Internet. |
4 | Website visitors. For this category, the Operator processes personal data obtained in connection with the subject visiting the Operator’s website. | General personal data: Cookies (a data fragment sent by the Operator’s server and stored on the personal data subject’s device, the content of which may or may not relate to personal data, depending on whether the file contains personal data or anonymized technical data). | Automated in electronic form; with transmission over the Internet. |
5.4. The processing of special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or sex life is not carried out. The processing of such data is permitted only if: (1) the personal data subject has given written consent to the processing of their personal data; or (2) in accordance with legislation on state social assistance, labor law, or pension law.
6. Conditions for Processing Personal Data
6.1. The Operator processes personal data — operations performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer, distribution (if permitted by the consent form), anonymization, blocking, deletion, destruction of personal data.
6.2. The processing of personal data is carried out in compliance with the principles and rules established by the Law.
6.3. The Operator’s processing of personal data is limited to achieving specific, pre-defined, and lawful purposes. Only personal data that meet the purposes of processing are subject to processing. The content and scope of the processed personal data must correspond to the declared processing purposes.
6.4. Personal data shall be stored in a form allowing identification of the personal data subject no longer than required to achieve the processing purposes, unless the storage period is set by federal law, a contract involving the personal data subject as a party, beneficiary, or guarantor. Processed personal data shall be destroyed or anonymized upon achievement of the processing purposes or if the need for achieving these purposes ceases, unless otherwise provided by federal law.
6.5. When storing personal data, the Operator must use databases located within the territory of the Russian Federation.
6.6. Personal data processed without automation must be isolated from other information, in particular by recording them on separate physical carriers (hereinafter — material carriers), in special sections or margins of forms (blanks). When recording personal data on material carriers, it is not allowed to record on one carrier personal data whose processing purposes are clearly incompatible. Separate material carriers must be used for different categories of personal data processed without automation.
6.7. Processing of personal data shall cease upon achievement of processing purposes, expiration of consent validity, withdrawal of consent by the personal data subject, or detection of unlawful processing.
6.8. The Operator may entrust the processing of personal data to another party based on a contract concluded with that party, including government or municipal contracts.
6.9. The party processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing established by the Law.
6.10. Additionally, the Operator may transfer personal data to investigative bodies and other authorized authorities on grounds provided by the current legislation of the Russian Federation.
6.11. The Operator and other persons who have access to personal data must not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
6.12. Consent to the processing of personal data permitted for distribution by the personal data subject is executed separately from other consents of the personal data subject to processing of their personal data. The Operator must provide the personal data subject with the ability to determine the list of personal data for each category specified in the consent for processing personal data permitted for distribution.
6.13. The Operator must take necessary and sufficient measures to fulfill obligations established by the Law and relevant regulatory legal acts adopted pursuant thereto. The Operator independently determines the composition and list of such measures.
6.14. In processing personal data, the Operator takes or ensures the adoption of necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as other unlawful actions in relation to personal data.
6.15. The Operator’s personal data protection measures include:
6.15.1. Taking necessary and sufficient measures to ensure compliance with the legislation of the Russian Federation in the field of personal data;
6.15.2. Taking legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, and other unlawful actions;
6.15.3. Appointing a person responsible for organizing personal data processing;
6.15.4. Issuing local regulatory acts defining the policy and issues of personal data processing and protection;
6.15.5. Familiarizing employees of the Operator, its branches, and representative offices who directly process personal data with the provisions of Russian legislation on personal data, including data protection requirements, and training such employees;
6.15.6. Publishing or otherwise ensuring unlimited access to this Policy;
6.15.7. Informing personal data subjects or their representatives about the presence of personal data concerning them, and providing access to such data upon request, unless otherwise established by Russian legislation;
6.15.8. Ceasing processing and destroying personal data as provided by Russian personal data legislation;
6.15.9. Establishing confidentiality regimes for information containing personal data, concluding non-disclosure agreements with contractors;
6.15.10. Performing other actions prescribed by Russian personal data legislation.
6.16. Personal data processing is carried out with the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation. The source of personal data is the personal data subject and/or another person transmitting data on behalf of the subject.
6.17. If the personal data subject refuses to consent to processing, conclusion of contracts with them is impossible. If consent is withdrawn, contract execution is suspended.
6.18. Processing without consent is possible if necessary for the purposes of contract execution, where the personal data subject is a party or beneficiary, or for concluding a contract on the initiative of the personal data subject or where they will be a beneficiary.
6.19. The Operator may entrust personal data processing to another party based on a contract and/or transfer personal data according to the consent text.
7. Biometric Personal Data
7.1. Biometric personal data refers to information characterizing physiological and biological features of a person by which their identity can be established and which are used by the Operator to identify the personal data subject.
7.2. The Operator does not process biometric personal data.
8. Updating, Correcting, Deleting Personal Data
8.1. The Operator must inform the personal data subject or their representative about the presence of personal data concerning them and provide access upon request within thirty days.
8.2. The Operator must provide free access to personal data concerning the subject. Within seven working days of receiving evidence that data are incomplete, inaccurate, or outdated, the Operator must correct them. Within seven working days of receiving evidence that data are illegally obtained or unnecessary for the stated purpose, the Operator must destroy them. The Operator must notify the subject about changes and measures taken and take reasonable steps to notify third parties to whom the data were disclosed.
8.3. Upon confirming data inaccuracy, the Operator must clarify or ensure clarification of data within seven working days and remove any blocking.
8.4. The Operator must cease processing or ensure cessation by a third party within:
8.4.1. Three working days after detecting unlawful processing;
8.4.2. Upon withdrawal of consent;
8.4.3. Upon achieving processing purpose and destroy personal data within thirty days;
8.4.4. If destruction is impossible within the term, the Operator blocks the data and destroys them within six months, unless otherwise prescribed by law.
8.5. Deletion and destruction are carried out by an authorized Operator employee per legal procedure, with documentary confirmation.
9. Personal Data Processing Procedure
9.1. The source of personal data is the subject or another person transmitting data on their behalf.
9.2. Personal data security is ensured through legal, organizational, and technical measures meeting legislation requirements.
9.3. The Operator ensures the safety of personal data and takes all possible measures to prevent unauthorized access.
9.4. Users can update personal data by notifying the Operator by email.
9.5. Personal data is processed for 10 years from processing start, but at least for:
9.5.1. Duration of contract execution;
9.5.2. Until withdrawal of consent;
9.5.3. Until termination of legal obligations;
9.5.4. Until termination of rights and legitimate interests of the Operator.
9.6. The subject may withdraw consent anytime by notifying the Operator by email. The Operator stops processing within 3 working days and notifies the subject within 10 working days.
9.7. When collecting personal data (including via the Internet), the Operator ensures recording, systematization, accumulation, storage, updating, and extraction of data of Russian citizens using databases located in Russia.
9.8. The Operator may continue processing to comply with laws, law enforcement, or protect rights and interests as long as grounds exist.
10. Transfer of Personal Data
10.1. The Operator may entrust data processing to another party under contract for contract conclusion/execution.
10.2. Transfer (distribution, provision, access) of personal data permitted for distribution must cease on the subject’s demand, which must include personal details and data to be ceased. Only the operator receiving the demand may process these data.
10.3. Personal data will not be transferred to third parties except for contract execution or legal requirements. Cases include:
10.3.1. Transfer to government bodies for labor, tax, and other legal requirements;
10.3.2. Transfer to credit organizations and payment services for labor or civil contract execution (payment);
10.3.3. Transfer to specialized mailing services for technical measures;
10.3.4. Transfer for contract execution.
10.4. Transfer methods include transmission over the Internet.
10.5. Cross-border transfer of personal data is not performed.
11. Security Measures in Personal Data Processing
11.1. Necessary and sufficient measures include:
11.1.1. Appointment of a person responsible for personal data processing;
11.1.2. Legal, organizational, and technical measures to protect data from unlawful or accidental access, destruction, alteration, blocking, copying, distribution;
11.1.3. Local regulatory acts defining policy and issues;
11.1.4. Employee briefing and training on legislation and data protection;
11.1.5. Ensuring unlimited access to this Policy;
11.1.6. Informing data subjects about data presence and access;
11.1.7. Ceasing processing and destroying data as required;
11.1.8. Establishing confidentiality regimes and non-disclosure agreements;
11.1.9. Other actions prescribed by Russian personal data legislation.