1. GENERAL PROVISIONS
1.1. This Personal Data Processing and Protection Policy (hereinafter referred to as the Policy) was developed in pursuance of Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by the PROJECT GROUP holding company Limited Liability Company (hereinafter referred to as the Operator, the Company).
1.3. In pursuance of Part 2, Article 18.1 of the Law on Personal Data, this Policy is made publicly accessible via the Internet on the Operator’s website.
1.4. The Policy compliance monitoring shall be the responsibility of the Company CEO.
2. REGULATORY REFERENCES
2.1. The Company’s personal data processing and protection policy is determined so as to comply with the following regulatory legal acts:
Labor Code of the Russian Federation;
Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter referred to as Law 152-FZ);
Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” dated July 27, 2006;
Resolution of the Government of the Russian Federation No. 687 “On Approval of the Statute on Special Aspects of Personal Data Processing Without the Use of Automation Technology” dated September 15, 2008;
Decree of the Government of the Russian Federation No. 1119 “On Approval of the Requirements to Personal Data Protection in the Course of Its Processing in Personal Data Information Systems” dated November 1, 2012;
other regulatory legal acts of the Russian Federation and regulatory documents of authorized state bodies.
3. TERMS AND DEFINITIONS
Automated personal data processing means processing of personal data using computer equipment and technologies.
Biometric personal data means information on physiological and biological characteristics of a person which allow establishing identity of the person.
Personal data blocking is a temporary suspension of the personal data processing (unless the processing is required to verify the personal data).
Personal data information system (PDIS) means an array of personal data contained in databases complete with information technologies and technical equipment used for processing.
Personal data privacy means the obligation of the Operator and other parties authorized to access the personal data not to distribute personal data or disclose them to third parties without the consent of the personal data subject, unless otherwise provided for by federal law.
Operator of personal data (operator) means a state body, municipal body, legal entity or an individual that, whether independently or jointly with third parties, arranges and (or) is engaged in personal data processing, as well as determines the purposes of personal data processing, the specifics of personal data to be processed, and actions (operations) involving personal data.
Personal data processing means any action (operation) or a set of actions (operations), whether using computer equipment and technologies or not, involving personal data, including collection, recording, systematization, accumulation, storage, verification (updating, corrections), extraction, use, transfer (provision, access), distribution, anonymization, blocking, deletion, destruction of personal data.
Anonymization of personal data means actions resulting in making it impossible to refer personal data to a specific personal data subject without having additional information.
Personal data (PD) means any information related, directly or indirectly, to a specific or identifiable individual (personal data subject).
Provision of personal data means any actions aimed at disclosing personal data to a specific person or limited audience.
Personal data permitted for distribution by the personal data subject means the personal data made accessible to an unlimited audience by permission from the personal data subject by giving his/her consent to personal data processing and further distribution.
Special categories of personal data mean information related to race, ethnicity, political views, religious or ethical beliefs, health conditions, private life.
Cross-border transfer of personal data means transfer of personal data abroad to a foreign state authority, a foreign individual or a foreign legal entity.
Destruction of personal data means actions making it impossible to restore the personal data content in the information system and (or) resulting in physical destruction of storage media carrying the personal data.
Protection of the rights of personal data subjects is the jurisdiction of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
4. PURPOSES OF PERSONAL DATA PROCESSING
4.1. Personal data are subject to processing for intended purposes only.
4.2. Personal data submitted to the Company are processed by the Operator for the following purposes:
4.2.1. ensuring compliance with legislation and other regulations of the Russian Federation, on-site regulations of the Company;
4.2.2. exercising functions, powers and duties legally binding for the Company pursuant to the legislation of the Russian Federation, including the provision of personal data to state bodies, to the Pension Fund of the Russian Federation, Social Insurance Fund of the Russian Federation, Federal Compulsory Health Insurance Fund, and other public authorities;
4.2.3. handling industrial relations with the Company’s employees (assistance in employment; professional training; incentives and motivation; KPI monitoring; safekeeping of property);
4.2.4. arranging outsource services;
4.2.5. preparing, making, fulfilling and terminating contracts with counterparties;
4.2.6. enabling access control for the Company’s premises;
4.2.7. enforcement of court decisions and other instructions issued by competent bodies or authorized officials legally binding pursuant to the Russian legislation on enforcement proceedings;
4.2.8. other lawful purposes.
5. PRINCIPLES OF PERSONAL DATA PROCESSING
5.1.1. is carried out on a fair and legal basis;
5.1.2. is carried out for specific, predetermined and lawful purposes only;
5.1.3. does not allow processing for the purposes incompatible with those of collecting the personal data;
5.1.4. does not allow merging databases containing arrays of personal data being processed for conflicting purposes;
5.1.5. is carried out as long as the content and volume of the processed personal data correlate with the declared purposes of processing;
5.1.6. does not allow processing of personal data excessive to the declared purposes of processing;
5.1.7. ensures that the personal data are accurate and up-to-date for the purposes of personal data processing;
5.1.8. provides for the destruction or anonymization of personal data upon achieving the purposes of processing or when such purposes are no longer relevant, unless otherwise provided for by federal law.
6. TERMS AND CONDITIONS OF PERSONAL DATA PROCESSING
6.1. The personal data submitted to the Company are processed when any of the following conditions is met:
6.1.1. The personal data are processed by the Operator in compliance with the legislation of the Russian Federation.
6.1.2. The personal data are processed with the consent of personal data subjects to their personal data processing, unless otherwise provided for by the legislation of the Russian Federation.
6.1.3. Consent to processing of the personal data permitted for distribution by the personal data subject is registered separately from other consents granted by the personal data subject to personal data processing. The operator shall enable the personal data subject to determine the checklist of personal data for each category of personal data specified in the consent to processing of the personal data permitted for distribution by the personal data subject.
6.1.4. Personal data processing is necessary to achieve the purposes provided for by law, to exercise and perform the functions, powers and obligations legally binding for the Company pursuant to the legislation of the Russian Federation.
6.1.5. The transfer of personal data to prosecuting and investigating agencies, to the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in compliance with the legislation of the Russian Federation.
6.1.6. Personal data processing is necessary to exercise the rights and legitimate interests of the Company or third parties, or to achieve socially significant goals as long as this does not violate the rights and freedoms of the personal data subjects.
6.1.7. Subject to the mandatory anonymization of personal data when personal data are processed for statistical or other research purposes.
6.1.8. When processing the personal data made accessible to an unlimited audience at the request of or by the personal data subject (hereinafter referred to as publicly accessible personal data). Distribution of personal data and disclosure thereof to third parties without the consent of the personal data subject is not allowed, unless otherwise provided for by federal law.
6.2. Considerations for the processing of biometric personal data by the Company when including them in publicly accessible sources:
6.2.1. Information on physiological and biological characteristics of a person which allow establishing identity of the person, i.e. biometric personal data, may be processed by the Company with the written consent of the personal data subject only.
6.2.2. The processing of biometric personal data may be carried out without the consent of the personal data subject when provided for by the laws of the Russian Federation “On Security”, “On Counteraction Against Terrorism”, “On Combating Corruption”.
6.3. Considerations for the processing of personal data when including them in publicly accessible sources:
6.3.1. The Company may compile publicly accessible sources of personal data, including business and address directories, for the purposes of providing information.
6.3.2. The Company may include, with the consent of the personal data subject, his/her last name, first name, patronymic, date and place of birth, occupation, contact phone numbers, e-mail address to its publicly accessible sources of personal data.
6.3.3. The Company shall withdraw the information about the personal data subject from publicly accessible sources of personal data upon request from the personal data subject or by decision of a court or other authorized state bodies.
7. PERSONAL DATA SUBJECT RIGHTS
7.1. A personal data subject is entitled to be informed about the legal consequences of refusing to provide one’s personal data when the provision of personal data is binding by a federal law.
7.2. The procedure for providing consent to personal data processing:
7.2.1. When provided for by a federal law, personal data are only processed with the written consent of the personal data subject.
7.2.2. The personal data subject opts to provide one’s personal data and agrees to their processing voluntarily, of one’s own free will and in one’s interest.
7.2.3. Consent to personal data processing can be given by the personal data subject or his/her representative in any form duly and explicitly confirming its receipt, unless otherwise provided for by a federal law.
7.3. The personal data subject is entitled to demand that the Company update his/her personal data upon providing information evidencing that the personal data are incomplete, inaccurate or out-of-date.
7.4. The personal data subject is entitled to demand that the Company destroy his/her personal data upon providing information evidencing that such personal data have been obtained illegally or used for purposes other than the declared purpose of processing.
8. PERSONAL DATA SECURITY
8.1. The Company is committed to ensuring the compliance with Federal Law No. 152-FZ “On Personal Data”. The relevant measures are taken in view of the harm that may be caused to personal data subjects should Federal Law No. 152-FZ be violated.
8.2. The security of personal data processed by the Company is ensured by implementing legal, administrative, technical and software measures to comply with the personal data legislation of the Russian Federation, including:
8.2.1. appointing a dedicated executive responsible for organizing the personal data processing in the Company;
8.2.2. developing and introducing on-site regulations governing the personal data processing in the Company;
8.2.3. on-site monitoring of the personal data processing for compliance with Federal Law No. 152-FZ “On Personal Data” and the relevant on-site regulations of the Company;
8.2.4. the Company’s employees who are directly engaged in the personal data processing are familiarized with the Company’s personal data processing and protection policy, as well as relevant on-site regulations. Special training has been developed and provided for such employees;
8.2.5. a security system has been introduced to prevent unauthorized user access to information resources, software and hardware for information processing and protection;
8.2.6. user access to personal data information systems is password-protected;
8.2.7. measures have been consistently taken to keep the corporate network protected against and safe from virus attacks, malware threats and backdoor attacks;
8.2.8. the equipment for personal data processing is located within the office premises;
8.2.9. access control for the Company’s premises has been introduced.
9. FINAL PROVISIONS
9.1. The Company is registered as a personal data operator with a competent authority responsible for the protection of the rights of personal data subjects.
9.2. Other rights and obligations of the Company as a personal data operator are governed by the personal data legislation of the Russian Federation.
9.3. The Company officials shall be held liable for violation of the rules governing the processing and protection of personal data as established by federal laws.