I. General provisions
1. This Policy is based on the Constitution of Russia, the Labor Code of Russia, the Civil Code of Russia, the federal acts of Russia “On the Ratification of the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data”, “On Personal Data”, “On Information, Information Technologies and Information Protection” and other regulations of Russia.
2. This Policy stipulates a set of principles and rules that regulates the activities related to the processing and protection of personal data by ROSEXPERT-PERSONAL JSC (the Company).
3. The Company shall to publish this Policy or otherwise provide unlimited access to the hereto.
4. Terms and definitions:
Personal data – any information related to directly or indirectly specified individual (Data Subject).
Special Categories of Personal Data– personal information of Data Subjects related to race, nationality, political views, religious or philosophical beliefs, state of health, private life and record of conviction;
Biometric Personal Data – information that contains physiological and biological identifiers of an individual, which is used by the Operator to establish the identity of the Data Subject;
Operator – a state authority, a municipal authority, a legal entity or an idividual, who severally or jointly arranges and/or performs Personal Data Processing, as well as defines the purposes of Personal Data Processing, the scope of Personal Data subject to processing and actions (operations) performed with Personal Data;
Personal Data Processing – any action (operation) or a set of actions (operations) performed with Personal Data, weather autumated or non-automated, including collection, recording, filing, accumulation, storage, modification (updating and revision), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and distructiono of Personal Data.
Automated Personal Data Processing – Personal Data Processing using computer software.
Personal Data Provision - disclosure of Personal Data to a particular person or a group of persons.
Personal Data Blocking - temporary suspension of Personal Data Processing (except where processing is required for Personal Data modification).
Personal Data Destruction – actions making it impossible to retrieve the Personal Data contained in the Personal Data System and/or destructing the tangible carriers of Personal Data.
Personal Data System – a set of Personal Data contained in the personal data bases, as well as the software and technical facilities used their processing.
Transborder Transfer of Personal Data– a transfer of Personal Data to a foreign country, foreign state of authority, a foreign individual or a foreign legal entity.
Company Service User– an individual or a legal entity that uses the services rendered by the Company;
Personal Data Confidentiality- an obligation undertaken by the Operator to disclose no Personal Data to third parties and prevent any dissemination thereof, unless there is a consent available from the Data Subject or another legal ground thereof;
Data Subject Representative – a representative or an empoyee asa defined by Art. 89 of the Labor Code of Russia, and of other Datat Subjects as defined by the applicable law.
5. Personal Data of Personal Data Subjects is treated as confidential information, save for the information that shall be published in the mass media pursuant to the applicable federal acts.
II. Purposes of Personal Data Processing
6. The purposes of Personal Data Processing is as follows:
- ensure the compliance with the Labor Code of Russia, the Civil Code of Russia, the Tax Code of Russia and other regulations of Russia;
- make a decision concerning the hiring of a candidate by the Company or a Company Service User;
- undertake and perform obligations under job contracts, non-state pension scheme contracts, and compulsory pension insurance contracts;
- undertake and perform obligations under civil law contracts for the provision of services by the Company.
III. Principles and Terms of Personal Data Processing
7. When processing the Personal Data, the Company undertakes to protect the rights and freedoms of the Data Subjects, including the right to privacy, personal and family secrets, in line with the following principles:
- Personal Data Processing shall be carried out in a legal and fair manner.
- Personal Data Processing shall be limited to achieving specific, predefined and legitimate purposes. Personal Data may not be processed for purposes other than those declared for collection thereof.
- databases containing Personal Data processed for different purposes may not be merged.
- Personal Data corresponding to the purposes of processing can be processed.
- the content and scope of the processed Personal Data shall correspond to the declared processing purposes. The scope of processed Personal Data shall not exceed the declared purposes of their processing.
- Personal Data subject to processing shall be accurate and sufficient and where appropriate relevant for the processing purposes. The Company shall take actions required to remove or clarify incomplete or inaccurate Personal Data or ensure such actions are taken.
- Personal Data shall be stored in such a way as to ensure identification of the Data Subject, however for a period no longer than needed for the purposes of Personal Data Processing, unless the Personal Data storage period is stipulated by a federal act or a contract whereby the Data Subject acts as a party, a beneficiary or a guarantor.
- the processed Personal Data shall be destructed or depersonalized upon achievement of the processing purposes or in the event it is no longer necessary to achieve these purposes, unless otherwise is provided for by the applicable federal act.
8. The Company processes Personal Data in the cases as follows:
- when Personal Data Processing is needed to perform a contract whereby the Data Subject acts as a party, or a beneficiary, or a guarantor, as well as to conclude a contract initiated by the Data Subject or a contract whereby the Data Subject acts as a beneficiary or a guarantor.
- subject to the consent of the Data Subject to the processing of its Personal Data.
- when Personal Data Processing is needed for the administration of justice, execution of a judicial act or that of another body or official subject to enforcement in accordance with the Russian law on enforcement proceedings, and for the exercising and performance of the functions, powers and duties imposed on the Company by the Russian law.
- when Personal Data Processing is needed to protect the life, health or other vital interests of the Data Subject and no consent from the Data Subject can be obtained.
- when the Data Subject provides or requests to provide access to the processed Personal Data to an unlimited number of persons.
- when the processed Personal Data is subject to publication or mandatory disclosure in accordance with the applicable federal act.
- in other cases provided for by the Russian law.
9. Processing of Special Categories of Personal Data related to the race, ethnicity, political views, religious or philosophical beliefs, state of health, and private life is not permitted, except in the following cases:
- the Data Subject has consented in writing to the processing of their Personal Data.
- The Personal Data is made publicly accessible by the Data Subject.
- The Personal Data is processed pursuant to the legislation on state social assistance, labor legislation, pension legislation of Russia.
- Personal Data Processing is needed to protect the life, health or other vital interests of third parties and no consent of the Data Subject can be obtained.
- Personal Data Processing is needed to exercise the rights of the Data Subject or third parties, as well as in connection with the administration of justice.
- Personal Data is processed pursuant to the legislation on certain types of insurance and insurance legislation.
- in other cases provided for by the Russian law.
10. The Company may process Biometric Personal Data provided always there is a consent in writing from the Data Subject, except when Biometric Personal Data is processed in connection with the performance of international treaties of Russia on readmission, in connection with administration of justice and judicial acts, and in cases provided for by the legislation of Russia on defense, security, countering terrorism, transport security, countering corruption, criminal intelligence, state service, criminal enforcement, on entering and leaving Russia, and on the nationality of Russia.
The Company does not process Biometric Personal Data, except for the photographic image of the Data Subject, pursuant to the terms stipulated by the applicable law.
11. When collecting Personal Data, including by means of the information and telecommunication network Internet, the Company ensures that Personal Data of Russian nationals is recorded, filed, accumulated, stored, modified (updated and revised), and extracted using the databases located within Russia.
The Company may perform cross-border transfer of Personal Data subject to the restrictions set forth by the applicable law.
12. The Company may use publicly accessible sources of Personal Data (including directories, reference books) for information purposes. Such publicly accessible sources of Personal Data may include, by written consent of the Data Subject, their surname, first name, patronymic, year and place of birth, address, subscriber number, occupation and other Personal Data made available by the Data Subject.
Information about the Data Subject shall be at any time removed from the publicly accessible sources of Personal Data upon request of the Data Subject or following the ruling of the court or other authorities.
13. The Company may process Personal Data upon instruction from another person (operator), unless otherwise is stipulated by the applicable federal act, on the basis of an agreement entered into with this person (operator), including a state or municipal contract, or on the basis of the respective act adopted by a state or municipal authority (the Operator’s Instruction).
A company processing Personal Data upon the Operator’s Instruction shall comply with principles and rules for Personal Data Processing set forth by Federal Act No.152-FZ dated July 27, 2006 on Personal Data (the Personal Data Act).
The Operator’s Instruction shall:
- define a list of actions (operations) to be performed with the Personal Data by the Company, as well as the purposes of Personal Data Processing.
- establish the Company’s obligation to keep the Personal Data confidential and ensure the security of Personal Data when processing.
- state the requirements for the protection of Personal Data processed in accordance with Art. 19 of the Personal Data Act.
14. A company that processes Personal Data upon instructions of another person being an operator of Personal Data is not obliged to obtain a consent from the Data Subject to the processing of their Personal Data.
15. In the event that another party being an operator of Personal Data entrusts the Company with Personal Data Processing, the liability to the Data Subject for the Company’s actions shall be borne by this party. The Company shall be liable to the party who has entrusted the Company with Personal Data Processing.
16. When processing Personal Data, the Company shall ensure its confidentiality, i.e. non-disclose to third parties and non-dissemination of Personal Data without a consent from the Data Subject, unless otherwise is provided for by the applicable federal act.
IV. Data Subjects
17. The Data Subjects, whose Personal Data is processed by the Company, include:
- The Company's current and former employees and job applicants.
- Company Service Users (individuals).
- employees or job applicants at a legal entity (private entrepreneur) being Company Service Users (employees or job applicants of the Company's counterparty).
- employees of a legal entity (private entrepreneur) being Company Service Users (employees of the Company`s counterparty) provided there is an instruction.
- any other individual whose personal data becomes known to the Company by virtue of receiving social benefits, guarantees and compensations from the Company.
V. Personal Data Processed by the Company
18. The Company processes the following categories of Personal Data: surname, first name, patronymic; date, month, year of birth; residence address; family status; property status; education; occupation; tax identification number; insurance certificate details and other Personal Data processed by the Company pursuant to the Russian law.
The Company may also process other Personal Data of Company Service Users, considering the Personal Data Processing purposes specified in Section 6 hereof.
19. The employees’ Personal Data processed by the Company is defined by the Labor Code of Russia and Company's regulations.
VI. Processing and Protection of Personal Data in the Company
20. Personal Data is processed upon consent of the Data Subjects, unless otherwise is provided for by the Russian law.
21. The Personal Data contained in the Personal Data System or extracted from such a system is processed by means of computer technology; however, such operations with Personal Data as usage, modification, distribution, and destruction with respect to each of the Data Subjects, shall be performed with a person directly involved.
22. Only those employees of the Company whose duties include Personal Data Processing are allowed to process Personal Data. These employees may access Personal Data to the extent they need it to fulfill their duties.
23. Personal Data is processed by way of:
- receiving information containing Personal Data directly from the Data Subjects in oral and written form.
- obtaining the required original documents from the Data Subjects.
- receiving duly certified copies of documents containing Personal Data or copying thereof.
- receiving Personal Data when making requests to public authorities, state extrabudgetary funds, other state authorities, local government agencies, commercial and non-profit organizations, private individuals in cases and in the manner provided for by the Russian law.
- obtaining Personal Data from the publicly accessible sources.
- recording (registering) Personal Data in logs, books, registers, etc.
- inputting Personal Data in the Company’s information systems.
- using other means and methods of recording Personal Data obtained in the course of the Company’s operations.
24. Personal Data may be transferred to third parties upon written consent from the Data Subject, unless it is needed to prevent threats to life and health of the Data Subject, as well as in other cases stipulated by the Russian law. When transferring Personal Data to third parties under executed agreements, the Company shall ensure compliance with the Russian law and the Company's regulations on Personal Data.
25. The Company may transfer Personal Data to competent executive authorities (Federal Tax Agency of Russia, Pension Fund of Russia, Federal Fund for Mandatory Medical Insurance of Russia, etc.) in accordance with the Russian law.
26. The Company shall store Personal Data in such a way as to ensure the Data Subject can be identified for no longer period than needed for the purpose of processing. Upon achievement of the processing purposes or in the event such achievement is no longer necessary, Personal Data shall be destructed. The Company shall keep Personal Data for the time stipulated by the Russian law and the Company's regulations.
27. The Company shall make no decisions based exclusively on the Automated Personal Data Processing if such decisions may cause legal implications to the Data Subject or may otherwise affect their rights and legitimate interests, unless otherwise is provided for by the applicable federal acts.
28. The Company takes necessary and sufficient organizational and technical measures to protect Personal Data, including the use of information security facilities, detection of unauthorized access, retrieval of Personal Data, establishment of Personal Data access rules, as well as monitoring of measures undertaken to ensure security and evaluation of the effectiveness of such measures.
29. The Company comprehends the need for and aspires to provide the appropriate security level of Personal Data processed in the course of the Company’s operations as required by the regulations of Russia and as results from business risks assessment.
VII. Rights of Data Subjects
30. The Data Subject may:
- in accordance with the Russian law, information concerning the processing of their Personal Data within the Company, unless otherwise is provided for by the Russian law.
- require rectification of incorrect or incomplete Personal Data, as well as data processed in violation of the Russian law.
- require blocking or destruction of their Personal Data in the event that the Personal Data is incomplete, obsolete, inaccurate, illegally obtained or is not needed for the stated purpose of processing.
- require notifying all persons who have previously received their Personal Data, which is incorrect or incomplete, of all the changes made thereto.
- withdraw their consent to the processing of their Personal Data.
- appeal against action or inaction of the Company when processing their Personal Data in accordance with the Russian law.
- exercise other rights provided for by the Russian law.
VIII. Obligations of the Company as a Personal Data Operator
31. When processing Personal Data, the Company shall:
- take necessary actions to fulfill its Operator duties as stipulated by the Russian law in the field of Personal Data Processing and protection.
- clarify to the Data Subject the legal implications of refusing to provide Personal Data when this is a mandatory requirement of the Russian law.
- block Personal Data processed in an illegitimate way.
- discontinue the Personal Data Processing in accordance with the Russian law.
- notify the Data Subject of the eliminated breaches or destruction of their Personal Data.
- provide, upon request of the Data Subject or Data Subject Representative, information regarding the processing of their Personal Data, in accordance with the procedure established by the Russian law and the Company's regulations.
32. In order to fulfill the obligations established by the Russian law and the Company's regulations, a person responsible for organizing the Personal Data Processing shall be appointed within the Company by CEO order.
33. A person responsible for organizing the Personal Data Processing in the Company shall receive instructions directly from the CEO and report to CEO.
34. A person responsible for organizing the Personal Data Processing in the Company shall:
- ensure that legal, organizational and technical measures are taken to protect the Personal Data processed by the Company from unauthorized or accidental access, destruction, modification, blocking, copying, dissemination, as well as other illegal actions in respect to Personal Data.
- establish internal control over the Company’s compliance with the Russian law and the Company's regulations in the field of Personal Data, including the requirements for Personal Data protection.
- ensure the Company’s employees are aware about the provisions of the Personal Data Act, the Company's regulations related to Personal Data Processing, as well as the requirements for Personal Data protection.
- organize the handling of queries and requests from Data Subjects or Data Subject Representatives, as well as exercise control over the handling of such requests in the Company.
35. The liability for breach of the Personal Data processing and protection requirements established by the Russian law and the Company's regulations shall be determined in accordance with the Russian law.