1. GENERAL PROVISIONS

Personal data processing policy (hereinafter referred to as the Policy) has been developed in accordance with Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter referred to as “FZ-152”).

This Policy determines personal data processing procedure and measures to ensure personal data security at “Russkoye Polye Managing Company” LLC (hereinafter referred to as the Company, Operator) with the objectives of procuring the protection of a person's rights and liberties while processing his/her personal data, including the right to privacy, privacy, personal and family secrecy.

The following main terms are used in this Policy:

  • automated personal data processing – personal data processing by means of computer technology;
  • blocking of personal data – the temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification);
  • personal data information system – a database containing personal data as well as information technologies and hardware used for data processing;
  • information: knowledge (messages, data) regardless of the form of its representation;
  • confidentiality of personal data: a mandatory requirement for the Operator or other persons who gained access to personal data to prevent their dissemination without the consent of the personal data subject or without other legal grounds;
  • depersonalization of personal data: actions resulting in the impossibility to determine, without additional information, whether personal data belongs to a specific personal data subject;
  • personal data processing: any action (operation) or a set of actions (operations) carried out with or without automation tools as to personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, distribution, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data;
  • operator: state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the objectives of personal data processing, the scope of the personal data subject to processing, actions (operations) as to the personal data.
  • personal data: any information referring directly or indirectly to a particular or identified individual (hereinafter referred to as "personal data subject");
  • personal data provision: actions aimed at disclosing the personal data to a specific person or a specific number of persons;
  • distribution of personal data: actions related to making the data available to an indefinite range of persons (transfer of personal data) or to making an indefinite range of persons familiar with personal data, including publication of personal data in mass media, information and telecommunications networks, or otherwise granting access to personal data;
  • personal data subject: an individual who is directly or indirectly determined or identifiable by means of personal data;
  • cross-border transfer of personal data – cross-border transfer of personal data to a foreign state agency, foreign individual or foreign legal entity;
  • actions performed on personal data in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of personal data.

The Company is to publish or otherwise grand unrestricted access to this Personal Data Processing Policy in accordance with Part 2 of Article 18.1 of FZ-152.

This Policy shall enter into force upon its approval by the General Director of the Company and shall remain in force indefinitely, until the new version of the Policy enters into force.

2. PERSONAL DATA COLLECTION OBJECTIVES

Collection and processing of personal data by the Company is carried out with the following objectives:

  • pursuit of the activities stipulated by the Company's Articles of Association;
  • arrangement and keeping of personnel records and personnel records management;
  • ensuring compliance with laws and other regulations;
  • assistance to employees in employment, education and promotion;
  • ensuring the personal safety of employees, control over and quality of work performed by them and ensuring the safety of property;
  • fulfillment of the Russian legislation requirements related to the provision of statistical and other personalized reporting, with the calculation and payment of taxes, fees and other mandatory payments in relation to individuals being employees of the Company.

3. LEGAL BASIS OF PERSONAL DATA PROCESSING

The Company processes personal data in accordance with:

  • The Company's Articles of Association;
  • Articles 22, 65, 86, 136, 166, 168, Section X of the Labor Code of the Russian Federation;
  • Articles 160, 182, 185, 786, 845-847, 942 of the Civil Code of the Russian Federation;
  • Articles 226 226, 230, Cap. 14 of the Tax Code of the Russian Federation.
  • Article 105 of the Air Code of the Russian Federation
  • Article 82 of Federal Law of 10.01.2003 No. 18-FZ "Regulations of Railway Transport of the Russian Federation";
  • Articles 6, 8 of Federal Law of 01.04.1996 No. 27-FZ "On Individual Personalized Record-Keeping in the Compulsory Pension Insurance System";
  • Article 31 of Federal Law of 05.04.2013 No. 44-FZ “On the Contract System of the Federal and Municipal Procurement of Goods, Works and Services”;
  • Article 8 of Federal Law of 28.03.1998 No. 53-FZ “Concerning Military Duty and Military Service”;
  • Article 7 of Federal Law of 07.08.2001 No. 115-83 "On Counteracting the Legalization (Laundering) of Proceeds of Crime and Financing of Terrorism";
  • Article 6 of Federal Law No. of 27.07.2006 152-FZ “On personal data”;
  • Chapter III.1 of Federal Law of 08.02.1998 No. 14-FZ “On Limited Liability Companies”;
  • Articles 4.1, 4.3, 13 of Federal Law of 29.12.2006 No. 255-FZ "On Mandatory Social Insurance in Case of Temporary Disability and Maternity";
  • Article 9 of Federal Law of 06.12.2011 No. 402-FZ “On Accounting”;
  • Article 12.1 of the Law of the Russian Federation of 11.03.1992 No. 2487-1 "On Private Detective and Security Activity in the Russian Federation";
  • Decree of the Government of the Russian Federation of 09.10.2015 No. 1085 "On approval of Rules for the Provision of Hotel Services in the Russian Federation";
  • Decree of the Government of the Russian Federation dated 27.11.2006 No. 719 "On Approval of the Regulation on Military Registration";
  • Decree of the Government of the Russian Federation dated 13.10.2008 No. 749 "Provisions on the Peculiarities of Sending Employees on Business Trips";
  • Order of the Federal Tax Service of Russia dated 30.10.2015 No. MMV-7-11/485@ "On approval of the form of information on the income of an individual, the filling in procedure, and the format of its submission in electronic form";
  • Resolution of the Board of the Pension Fund of the Russian Federation of 16.01.2014 No. 2п "On approval of the form of calculation of accrued and paid insurance premiums for compulsory pension insurance to the Pension Fund of the Russian Federation and for compulsory medical insurance to the Federal Fund for Compulsory Medical Insurance by the payers of insurance premiums making payments and other remuneration to individuals, and the Procedure for its filling";
  • Resolution of the Board of the Pension Fund of the Russian Federation of 11.01.2017 No. 2п "On approval of the forms of documents used for registration of citizens in the compulsory pension insurance system, and Instructions for their filling";
  • Order of the Ministry of Transportation of the Russian Federation of 29.01.2008 No. 15 "On the establishment of the form of a passenger ticket and baggage receipt for coupon automated registration in civil aviation";
  • Order of the Ministry of Transportation of the Russian Federation of 18.05.2010 No. 116 "On the establishment of the form of an electronic multi-purpose document";
  • Order of the Ministry of Transportation of Russia of 05.08.2008 No. 120 "On approval of forms of transport documents for the transportation of passengers, baggage, cargo baggage used in the provision of railway services to the population";
  • Order of the Ministry of Transportation of the Russian Federation of 08.11.2006 No. 134 "On the establishment of the form of a passenger ticket and baggage receipt in civil aviation";
  • Order of the Ministry of Transportation of the Russian Federation of 21.08.2012 No. 322 "On the establishment of forms of electronic travel documents (tickets) for railway transport";
  • Resolution of the State Statistics Service of the Russian Federation of 05.01.2004 No. 1 "On approval of unified forms of primary accounting documentation for labor and its remuneration accounting", form No. T-2;
  • Instruction of the Bank of Russia dated 30.05.2014 No. 153-И "On the opening and closing of bank accounts, savings (deposit) accounts, deposit accounts";
  • and by contracts entered into by the Operator with personal data subjects or with third parties for the benefit of personal data subjects.

4. DATA SCOPE AND CATEGORIES

The Company processes the following categories of personal data:

  1. General category personal data: surname, name, patronymic, sex, age, year, month, date of birth, place of residence, telephone, marital status, parental status, kinship, facts of biography, social status, property status, information on wages, education, qualifications, information on professional retraining, and profession.
  2. Biometric personal data: images of the personal data subject (photo image, video record). Biometric personal data may only be processed by the Operator with the consent of the relevant subject in writing.
  3. Public personal data: personal data in publicly available sources and accessible to an unlimited range of persons.

Operator's processing of special categories of personal data concerning racial, national origin, political views, religious or philosophical views, intimate life is permitted if:

  • the personal data subject has consented in writing to the processing of his/her personal data;
  • personal data are made publicly available by the personal data subject;
  • processing of personal data is carried out in accordance with the legislation on government social assistance, labor legislation, the legislation of the Russian Federation concerning pensions under the state pension provision, labor pensions;
  • processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject or life, health, or other vital interests of other persons and it is impossible to obtain personal data subject’s consent;
  • processing of personal data is carried out in accordance with the legislation on mandatory types of insurance, with the insurance legislation.

Processing of special categories of personal data shall be immediately terminated if the reasons for their processing are eliminated, unless otherwise provided by federal law.

The processing of personal criminal record data may be carried out by the Operator only in cases and in the manner determined in accordance with federal laws.

The Operator processes personal data only to the extent necessary to achieve the objectives listed in cl. 2 of this Policy. Collection, use and other actions as to personal data of their subjects to the extent exceeding the extent necessary to achieve the objectives of the Company are not permitted.

The subjects whose personal data may be processed in the Company are:

  • employees of the Company (including former employees) and their relatives;
  • individuals in contractual and other civil relations with the Company;
  • candidates for vacant positions in the Company as well as persons serving internship / working as a trainee in the Company;
  • the Company’s customers and counterparties (individuals), including prospective customers / counterparties as well as employees and representatives of the Company's customers / counterparties (legal entities);
  • visitors (guests) of the Company's office;
  • other persons.

5. PERSONAL DATA SUBJECT'S RIGHTS

A personal data subject shall make a decision to provide his/her personal data and give his/her consent to its processing of his/her own free will and volition and for his/her own benefit. Consent to the processing of personal data can be given by a personal data subject or his/her representative in any form which makes it possible to confirm the fact of such consent receipt, unless otherwise provided by the federal law.

The obligation to provide proof of the personal data subject’s consent to the processing of his/her personal data is imposed on the operator.

The personal data subject shall have the right to:

  • access his/her personal data at any time;
  • receive from the Operator regarding the processing of his/her personal data, unless this right is limited in accordance with the laws.
  • demand from the Operator specification of his/her personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated objective of processing as well as to take measures prescribed by law to protect his/her rights.
  • appeal against the Operator’s actions or omissions to the Authorized Body for Protecting the Rights of Personal Data Subjects or through the courts;
  • protection of its rights and legitimate interests, including compensation for damages and (or) compensation for moral harm in a judicial proceeding.

It is prohibited to decide based on solely automated processing of personal data that give rise to legal consequences in relation to the personal data subject or otherwise affect his/her rights and legitimate interests, except for cases provided for by federal laws, or if the personal data subject gave his/her written consent.

6. OPERATOR’S OBLIGATIONS

In processing personal data, the Operator shall:

  • provide the personal data subject, at his/her request, with information relating to the processing of his/her personal data;
  • if the provision of personal data is mandatory in accordance with federal law, explain to the personal data subject the legal consequences of refusal to provide his/her personal data;
  • if the personal data have been received not from the personal data subject, except as provided by law, provide the personal data subject with the following information prior to the processing of such personal data:
    1. Operator’s name or surname, name, patronymic and address of the Operator's representative;
    2. aim of personal data processing and its legal basis;
    3. the intended users of the personal data;
    4. the rights of the personal data subject established by this Federal Law;
    5. source of personal data.
  • when collecting personal data, including through the information and telecommunications network "Internet", ensure recording, systematization, accumulation, storage, clarification (update, modification), extraction of the Russian Federation citizens' personal data with the use of databases located within the territory of the Russian Federation;
  • take such measures as are necessary and sufficient to ensure the fulfillment of the Operator’s obligations provided for by this Policy and the legislation of the Russian Federation.

7. PERSONAL DATA PROCESSING PROCEDURE AND CONDITIONS

7.1. Principles of personal data processing

Personal data processing at the Company shall be subject to the following principles:

  • legality and equitable basis;
  • restricting the personal data processing scope by achieving specific, predetermined and legitimate objectives;
  • not allowing the personal data processing incompatible with the objectives of personal data collection;
  • not allowing the integration of databases containing personal data to be processed with incompatible objectives;
  • processing only personal data complying with the objectives of their processing;
  • relevance of the content and volume of processed personal data to the intended processing objectives;
  • not allowing the personal data processing over the intended processing objectives;
  • ensuring the accuracy, sufficiency and relevance of personal data in relation to the objectives of processing personal data;
  • destruction or anonymization of personal data upon reaching the processing objectives or, in case of no further need to achieve these objectives, if the Operator fails to mitigate the violations committed in personal data processing, unless otherwise stipulated by the federal law.

7.2. Conditions of personal data processing

The Operator shall process personal data if at least one of the following conditions is met:

  • personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data;
  • personal data processing is necessary for achieving the objectives stated in an international treaty with the Russian Federation or by law, for the implementation and performance of the functions, powers and responsibilities entrusted by the legislation of the Russian Federation to the Operator;
  • personal data processing is necessary for the administration of justice, execution of a judicial act, act of another body or official subject to execution in accordance with the legislation of the Russian Federation regarding enforcement proceedings;
  • personal data processing is necessary for performing an agreement, to which the personal data subject is a party, or a beneficiary, or a guarantor, as well as for concluding an agreement initiated by the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor;
  • personal data processing is necessary to exercise the rights and legitimate interests of the Operator or third parties, or for the achievement of socially significant objectives, provided that this does not violate the rights and freedoms of the personal data subject;
  • processing of personal data made accessible to the public by the personal data subject or at his/her request (hereinafter referred to as “publicly available personal data”);
  • processing of personal data subject to publication or mandatory disclosure in accordance with federal law of the Russian Federation.

7.3. Confidentiality of Personal Data

The Operator and other persons who have gained access to personal data, shall not disclose the personal data to third parties and not distribute the personal data without the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation on personal data.

7.4. Publicly accessible sources of personal data

For the purposes of information support, publicly accessible sources of subjects’ personal data can be created in the Company, including databases, electronic directories, and address books. Subjects’ personal data may be included in such sources only with their written consents.

Personal data in such publicly available sources may include surname, name, patronymic, date of birth, position, contact phone numbers, e-mail address.

Information on the personal data subject shall be at any time excluded from publicly available sources of personal data upon the personal data subject’s request, by a court order, of an order from another authorized state bodies.

7.5. Actions with personal data carried out by the Operator

The operator carries out the following actions with personal data, with and without the use of automated equipment:

  • obtaining personal data from the subject (collection);
  • systematization and accounting of personal data of the subject;
  • personal data storing and accumulation;
  • transfer of personal data to third parties in cases provided for by the legislation of the Russian Federation;
  • alteration, specification, blocking, and destruction of personal data;
  • other actions related to personal data processing and necessary to achieve the objectives specified in cl. 2 of this Policy.

7.6. Delegation of personal data processing to another person

To achieve the objectives specified in cl. 2. of this Policy, the Operator may entrust personal data processing to another person with the personal data subject’s consent, unless otherwise provided by the legislation of the Russian Federation on personal data, based on an agreement concluded with such a person.

The Operator's assignment shall define a list of actions (operations) with personal data to be performed by the person processing personal data, the processing objectives, the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing as well as requirements for protecting processed personal data

The person processing personal data on behalf of the Operator must comply with the principles and rules for personal data processing provided for by this Policy and the legislation of the Russian Federation on personal data.

If the Operator assigns personal data processing to another person, the Operator shall be responsible before the personal data subject for the actions of this person. The person processing personal data on behalf of the Operator is liable to the operator.

7.7. Measures to ensure the security of personal data while they are being processed

The security of the personal data to be processed by the Operator is ensured by implementation of legal, managerial, and technical measures necessary to ensure compliance with requirements of applicable federal legislation in personal data protection.

To prevent unauthorized access to personal data, the Operator applies the following measures:

  • appointment of persons in charge of the organization of personal data processing and protection in the Company;
  • limitation on the composition of persons having access to personal data;
  • familiarization of the subjects whose personal data are processed by the Operator with the requirements of federal legislation and local regulatory documents of the Operator relating to the personal data processing and protection;
  • publication and provision of unrestricted access to the Operator's policy regarding personal data processing, to information about the implemented requirements for personal data protection;
  • organization of registration, storage and circulation of media containing personal data;
  • identification of threats to the security of personal data during their processing, generation of threat-based models, and assessment of the damage that which may be caused to personal data subjects;
  • development of a personal data protection system based on the threat model;
  • checking the readiness and efficiency of information security tools;
  • isolation of users’ access to information resources and software and hardware tools for information processing;
  • registration and accounting of actions of users of the Company's information systems containing personal data;
  • use of anti-virus tools and means of restoring the personal data protection system;
  • use of firewalls, intrusion detection, security analysis and cryptographic information security tools, if necessary;
  • implementation of access control to the Company's territory, security of premises with technical means of personal data processing.

7.8. Updating, correcting, deleting, and destroying personal data

In case of unlawful personal data processing discovery after a personal data subject’s appeal, the Operator shall block illegally processed personal data relating to this subject of personal data immediately upon receipt of such an appeal.

In case of confirmation of the fact of personal data inaccuracy, the Operator shall block the relevant personal data of the subject, and specify (update) the personal data basing on the information provided by the personal data subject or his/her representative, or other necessary documents, within Seven (7) days after receipt of such information. After updating inaccurate information, the blocking of personal data is removed.

In case of detection of unlawful processing of personal data carried out by the Operator, the Operator shall, within a term of maximum three (3) working days from the date of this detection, stop unlawful processing of personal data. If it is impossible to ensure the lawfulness of personal data processing, the Operator shall destroy such personal data within a term of maximum ten (10) working days from the date of detection of unlawful processing of personal data. The Operator shall notify the personal data subject in writing about the elimination of the violations committed or about the destruction of personal data.

In case of achieving the objectives of personal data processing specified in cl. 2. of this Policy, as well as in case of withdrawal by the subject of personal data of consent to their processing, the Operator shall terminate the processing of personal data and destroy personal data within a term of maximum Thirty (30) days from the date of achieving the personal data processing objective, unless:

  • otherwise is provided for by an agreement to which the personal data subject is a party, beneficiary, or guarantor:
  • otherwise is provided for by another agreement between the operator and the personal data subject;
  • or if the operator is not entitled to process personal data without the personal data subject’s consent.

If it is not possible to destroy personal data within the period specified in this clause, the Operator shall block such personal data within a term of maximum six (6) months, unless another period is established by the legislation of the Russian Federation.

7.9. The procedure for responding to requests/appeals of personal data subjects and their representatives, authorized bodies

On receipt of a request from the personal data subject, the Operator is obliged to inform the personal data subject or his/her representative on the availability of personal data relating to the relevant personal data subject as well as to provide him/her an opportunity to study these personal data when the personal data subject appears in person, or within 30 (thirty) days from the date of receipt of the request of the personal data subject in writing or electronically.

The possibility of familiarization with personal data relating to a personal data subject is provided to the subject free of charge.

If there are grounds provided for by the legislation of the Russian Federation for refusing to satisfy the personal data subject’s request, the Operator shall, within Thirty (30) days from the receipt of the request, provide the personal data subject with a substantiated response in writing.

If the personal data subject submits a note of inaccuracy irrelevance, or incompleteness of his/her personal data, the Operator shall make the necessary alternations within a term of maximum seven (7) working days from the date of such submission by the personal data subject or his/her representative of information confirming the personal data incompleteness, inaccuracy, or irrelevance.

If the subject of personal data appeals indicating the illegality of obtaining personal data, the Operator, within a term of maximum seven (7) working days from the date of submission by the personal data subject or his/her representative of information confirming that such personal data are illegally obtained or not necessary for the declared processing objective, the Operator shall destroy such personal data, of which the Operator shall send a notification to the personal data subject.

Requests of the authorized body for protecting the rights of personal data subjects shall be considered by the Operator within thirty (30) days from the date of receipt, on which the Operator shall send a written response within the specified period.

8. FINAL PROVISIONS

All other rights and obligations of the Company as a personal data operator are defined by the legislation of the Russian Federation in the field of personal data.

Operator's officers and employees who are guilty of violating the rules governing the processing and protection of personal data shall be duly liable in accordance with the federal legislation.




© 2022. Managing Company «Russkoye Polye». Confidentiality Policy. Anti-Corruption Policy.

Website developmentАММ-С

Contact Us

Your name*
Telephone*
E-Mail*
Message
    *Required fields

    Message sent

    Our managers will contact you
    shortly

      UP