1. GENERAL PROVISIONS

1.1. This Privacy Policy (“Policy”) is developed in accordance with Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, in order to ensure the protection of human and civil rights and freedoms during the processing of their personal data, including the right to privacy, personal and family confidentiality.

1.2. This Privacy Policy applies to the following categories of personal data subjects whose data are processed by the Operator: employees; job applicants; counterparties; clients; representatives of counterparties; website visitors.

1.3. Key terms used in this Privacy Policy:

Personal data: any information relating to a directly or indirectly identified or identifiable individual (personal data subject);

Personal data operator (Operator): JSC “GK Rusredmet”, OGRN 1187847362350, INN/KPP 7807217460/780701001, 198320, Saint Petersburg, Kingisepp Highway, 47, litera R, premises 3-N, room 1, which alone or jointly with others organizes and (or) performs the processing of personal data, as well as determines the purposes and scope of processing, and the actions (operations) performed with personal data;

Processing of personal data: any action (operation) or a set of actions (operations) performed with personal data, with or without automated means. Processing of personal data includes, among other things: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction;

Automated processing of personal data: processing of personal data using computer technology;

Dissemination of personal data: actions aimed at disclosing personal data to an indefinite group of persons;

Provision of personal data: actions aimed at disclosing personal data to a specific person or a specific group of persons;

Blocking of personal data: temporary termination of processing of personal data (unless processing is necessary for clarification);

Destruction of personal data: actions, as a result of which it is impossible to restore the content of personal data in the information system or as a result of which the tangible carriers of personal data are destroyed;

Anonymization of personal data: actions as a result of which it is impossible to identify the ownership of personal data with a specific personal data subject without the use of additional information;

Personal data information system: a set of personal data contained in databases and information technologies and technical means ensuring its processing;

Cross-border transfer of personal data: transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity;

Website: a set of computer software and other information contained in an information system, access to which is provided via the Internet at: https://rusredmet.com/.

1.4. Key rights and duties of the Operator:

1.4.1. The Operator is entitled to:

●      independently determine the scope and list of measures necessary and sufficient for ensuring fulfillment of its obligations as stipulated by Federal Law No. 152-FZ “On Personal Data” and applicable regulations, unless otherwise required by Russian law;

●      entrust the processing of personal data to another person with the consent of the data subject, unless otherwise provided by federal law, based on a contract with such person. The person entrusted with personal data processing on behalf of the Operator shall comply with the principles and rules of processing established by law;

●      in case the data subject withdraws consent for personal data processing, continue processing these data without consent if grounds for processing exist as specified in Federal Law No. 152-FZ “On Personal Data”.

1.4.2. The Operator must:

●      organize the processing of personal data in accordance with Federal Law No. 152-FZ “On Personal Data”;

●      respond to requests from personal data subjects and their legal representatives in accordance with requirements of Federal Law No. 152-FZ “On Personal Data”;

●      provide the authorized data protection authority (Roskomnadzor) with required information upon request within 10 working days of receipt of such request.

1.5. Basic rights of personal data subjects:

Personal data subjects have the right to:

●      receive information regarding the processing of their personal data, except in cases stipulated by federal laws. The information is provided by the Operator in an accessible form and shall not contain personal data of other subjects, except for cases where there are legal grounds for such disclosure. The list of information and the procedure for its receipt are established by Federal Law No. 152-FZ “On Personal Data”;

●      require the Operator to clarify, block, or delete their personal data if it is incomplete, outdated, inaccurate, illegally received or unnecessary for the stated purpose of processing, as well as undertake legal actions to protect their rights;

●      appeal against unlawful actions or inaction of the Operator in the processing of their personal data to Roskomnadzor or in court.

The personal data subject may exercise their rights to obtain information regarding the processing, as well as to clarify, block, or delete their personal data by contacting the Operator with a relevant request at: 198320, Saint Petersburg, Kingisepp Highway, 47, litera R, premises 3-N, room 1, or by email secretar@rusredmet.ru . In both cases, the request must comply with the requirements of Section 8 of this Privacy Policy.

1.6. Compliance with this Privacy Policy is supervised by the person authorized to organize personal data processing at the Operator.

1.7. Responsibility for violations of Russian Federation legislation and internal acts of the Operator concerning personal data processing and protection is established by Russian Federation law.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. The Operator processes personal data in accordance with Russian Federation law and based on the following principles:

2.1.1. Lawfulness and fairness of personal data processing.

2.1.2. Limitation of processing to the achievement of specific, predetermined and lawful purposes.

2.1.3. No combining of databases containing personal data processed for incompatible purposes.

2.1.4. Processing only of personal data relevant to processing purposes.

2.1.5. The content and volume of processed data must correspond to the stated purposes (processed data shall not be excessive relative to stated purposes).

2.1.6. Ensuring accuracy, sufficiency, and, where necessary, relevance of personal data to the declared processing purposes.

2.1.7. Taking measures, including removal or clarification, with respect to incomplete or inaccurate personal data.

2.1.8. Storage of personal data in a manner permitting identification of the subject, no longer than required for the purposes of processing unless a different period is stipulated by law or an agreement.

2.1.9. Destruction of processed personal data upon achieving processing purposes or if the necessity to achieve such purposes is lost, unless otherwise required by law.

2.1.10. The Operator assumes the subject provides accurate and reliable data when interacting with the Operator and notifies the Operator about changes.

2.1.11. Agreements between the Operator and the subject do not include provisions restricting the rights and freedoms of the subject or providing for the processing of minors’ personal data, nor do they condition contracts on the subject’s inaction.

2.1.12. Operator’s internal documents do not contain provisions restricting subjects’ rights and do not impose undue powers or obligations on the Operator.

3. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING

3.1. Legal grounds for personal data processing are the aggregate of regulatory acts pursuant to and following which the Operator processes data, including:

●      Constitution of the Russian Federation;

●      Labour Code of the Russian Federation;

●      Civil Code of the Russian Federation;

●      Tax Code of the Russian Federation;

●      Federal Law No. 402-FZ "On Accounting";

●      other applicable acts relevant to the Operator's activities.

3.2. Additional grounds include:

●      the Operator’s Charter;

●      agreements with personal data subjects;

●      consent of the personal data subject for processing.

4. SCOPE, CATEGORIES, PROCESSING CONDITIONS, DATA SUBJECT CATEGORIES FOR STATED PURPOSES

4.1. Processing is limited to achieving specific, predetermined lawful purposes.

4.2. The volume and categories of processed personal data must correspond to the purposes outlined here. Processing includes (but is not limited to):

●      ensuring compliance with labour law;

●      arranging voluntary medical insurance;

●      reviewing job applicants and hiring decisions;

●      preparing, signing, and executing contracts;

●      offering and marketing products and brand through marketing (advertising, PR) and sales promotion;

●      processing website inquiries;

●      compiling website visit statistics.

4.3. Personal data processing for the purpose of ensuring compliance with the labour legislation of the Russian Federation.

4.3.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, сроки (periods) of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “ensuring compliance with the labour legislation of the Russian Federation (including assisting employees with employment, education and career progression, ensuring personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property, ensuring compliance with laws and other regulatory legal acts)”.

4.3.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      employees of the Operator.

4.3.3. The Operator processes the following categories and list of employees’ personal data to achieve the purpose specified in this Section:

a) processing of general (other) categories of employees’ personal data is carried out in accordance with the following list:

●      last name, first name, patronymic

●      year of birth

●      month of birth

●      date of birth

●      place of birth

●      marital status

●      income

●      gender

●      registration address

●      email address

●      phone number

●      SNILS (individual insurance account number)

●      TIN (taxpayer identification number)

●      citizenship

●      identity document details

●      driver’s licence details

●      details of an identity document used outside the Russian Federation

●      details contained in a birth certificate

●      bank card details

●      current account number

●      personal account number

●      profession

●      job title/position

●      length of service (work experience)

●      отношение к воинской обязанности, military registration status and military records details

●      education details

●      photograph

b) special categories of employees’ personal data are not processed;

c) the Operator does not process employees’ biometric personal data (information characterizing physiological and biological features of a person that make it possible to establish their identity).

4.3.4. The Operator performs mixed processing of employees’ personal data for the purpose specified in this Section, with transfer via the internal network and via the Internet.

4.3.5. The list of actions performed by the Operator on employees’ personal data for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.3.6. Processing of employees’ personal data does not require obtaining separate consent provided that the scope of personal data processed by the Operator corresponds to the purpose of ensuring compliance with the labour legislation of the Russian Federation specified in this Section, on the basis of Clause 2, Part 1, Article 6 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.

4.3.7. When entering into an employment agreement, employees provide the Operator with the following documents containing their personal data:

●      passport or other identity document;

●      employment record book and/or information on employment activity, except where an employment agreement is concluded for the first time;

●      a document confirming registration in the system of individual (personalized) records, including in electronic form;

●      military registration documents — for persons liable for military service and persons subject to conscription;

●      an education and/or qualification document or evidence of specialized knowledge — when taking up a position requiring such knowledge or special training;

●      other documents as required by law.

4.3.8. Where other documents are required by law for employment, the Operator requests that candidates provide such documents containing their personal data.

4.3.9. The Operator stores employees’ personal data in a form enabling identification of personal data subjects no longer than required by the purpose specified in this Section, unless a storage period is established by federal law.

4.3.10. The Operator processes personal data of former employees in cases and within time limits established by the laws of the Russian Federation. Such cases include, inter alia, processing within accounting and tax records, including to ensure preservation of documents necessary for calculation, withholding and remittance of tax.

4.3.11. The Operator must store accounting documentation for the periods established in accordance with the rules for organization of state archival affairs; however, the minimum storage period may not be less than 5 (five) years.

4.3.12. Upon expiration of the periods established by the laws of the Russian Federation, employees’ personal files and other documents are transferred for archival storage for a period of 50 years.

4.3.13. Employees’ consent to the processing of their personal data in cases provided for in Clauses 4.3.11–4.3.13 of the Policy is not required.

4.3.14. Without employees’ consent, the Operator does not disclose to third parties and does not disseminate employees’ personal data for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.3.15. When transferring employees’ personal data, the Operator must comply with the following requirements:

●      it is prohibited to provide employees’ personal data to a third party without employees’ written consent, except where this is necessary to prevent threats to employees’ life and health, and in cases established by applicable laws of the Russian Federation;

●      an employee transferring employees’ personal data of the Operator must warn recipients that such data may only be used for the purposes for which they were provided and must require recipients to confirm compliance with this rule. Persons receiving employees’ personal data of the Operator must maintain confidentiality. This does not apply to exchange of employees’ personal data in the manner established by applicable laws of the Russian Federation;

●      an employee transferring employees’ personal data of the Operator has the right to transfer such personal data to employees’ representatives in the manner established by the Labour Code of the Russian Federation and to limit such information to the personal data necessary for such representatives to perform their functions;

●      transfer of employees’ personal data to the Pension and Social Insurance Fund of the Russian Federation (Social Fund of Russia) in the manner established by federal laws, including Federal Law “On Mandatory Pension Insurance in the Russian Federation”, Federal Law “On the Basics of Mandatory Social Insurance”, and Federal Law “On Mandatory Medical Insurance in the Russian Federation”, is carried out without employees’ consent;

●      employees’ consent is not required where the Operator transfers employees’ personal data to tax authorities, military commissariats, trade union bodies as provided by applicable laws of the Russian Federation, as well as upon receipt, within established powers, of reasoned requests from прокуратура (prosecutor’s authorities), law enforcement authorities, security authorities, state labour inspectors in carrying out state supervision and control over compliance with labour legislation, and other authorities authorized to request information about employees within the компетенция (scope of competence) established by applicable laws of the Russian Federation.

4.3.16. The Operator does not perform cross-border transfer of employees’ personal data for the purpose specified in this Section.

4.4.  Personal data processing for the purpose of arranging voluntary health insurance.

4.4.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “arranging voluntary health insurance”.

4.4.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      employees of the Operator.

4.4.3. The Operator processes the following categories and list of employees’ personal data to achieve the purpose specified in this Section:

a) processing of general (other) categories of employees’ personal data is carried out in accordance with the following list:

●      last name, first name, patronymic

●      year of birth

●      month of birth

●      date of birth

●      place of birth

●      marital status

●      income

●      gender

●      registration address

●      email address

●      phone number

●      SNILS (individual insurance account number)

●      TIN (taxpayer identification number)

●      citizenship

●      identity document details

●      driver’s licence details

●      details of an identity document used outside the Russian Federation

●      details contained in a birth certificate

●      bank card details

●      current account number

●      personal account number

●      profession

●      job title/position

●      length of service (work experience)

●      military registration status and military records details

●      education details

●      photograph

b) special categories of employees’ personal data are not processed;

c) biometric personal data of employees are not processed.

4.4.4. The Operator performs mixed processing of employees’ personal data for the purpose specified in this Section, with transfer via the internal network and via the Internet.

4.4.5. The list of actions performed by the Operator on employees’ personal data for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.4.6. Personal data processing for the purpose specified in this Section is carried out subject to obtaining prior consent for such processing.

4.4.7. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate employees’ personal data for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.4.8. The Operator does not perform cross-border transfer of employees’ personal data for the purpose specified in this Section.

4.5. Personal data processing for the purpose of reviewing an applicant for a vacant position and making a decision on hiring or refusal to hire.

4.5.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “reviewing an applicant for a vacant position and making a decision on hiring or refusal to hire”.

4.5.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      applicants for vacant positions at the Operator.

4.5.3. The Operator processes the following categories and list of applicants’ personal data to achieve the purpose specified in this Section:

a) processing of general (other) categories of applicants’ personal data is carried out in accordance with the following list:

●      last name, first name, patronymic

●      year of birth

●      month of birth

●      date of birth

●      place of birth

●      marital status

●      social status

●      property status

●      income

●      gender

●      residential address

●      email address

●      phone number

●      SNILS (individual insurance account number)

●      TIN (taxpayer identification number)

●      citizenship

●      profession

●      job title/position

●      length of service (work experience)

●      education details

●      photograph

b) special categories of applicants’ personal data are not processed;

c) biometric personal data of applicants are not processed.

4.5.4. The Operator performs mixed processing of applicants’ personal data for the purpose specified in this Section, with transfer via the internal network and via the Internet.

4.5.5. The list of actions performed by the Operator on applicants’ personal data for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.5.6. Personal data processing for the purpose specified in this Section is carried out subject to obtaining prior consent for such processing. Consents are obtained from applicants when they are invited for an interview.

4.5.7. Posting of applicants’ data on online resources (job aggregators) is performed in accordance with the rules of such resources. By sending a resume to the Operator’s email address, applicants thereby provide implied consent to the processing of their personal data.

4.5.8. During interviews, personal data contained in questionnaires and resumes may be verified by documents. Copies of supporting documents may be stored by the Operator, but no longer than until the purposes of their processing are achieved or the need to achieve such purposes is lost. After the purpose of processing is achieved, applicants’ personal data shall be deleted within 30 days.

4.5.9. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate applicants’ personal data for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.5.10. The Operator does not perform cross-border transfer of applicants’ personal data for the purpose specified in this Section.

4.6. Personal data processing for the purpose of preparing, executing and performing agreements.

4.6.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “preparing, executing and performing agreements”.

4.6.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      counterparties of the Operator;

●      clients of the Operator;

●      representatives of the Operator’s counterparties.

4.6.3. The Operator processes the following categories and list of personal data of counterparties, clients, and representatives of counterparties to achieve the purpose specified in this Section:

a.1) processing of general (other) categories of personal data of counterparties and clients is carried out in accordance with the following list:

●      last name, first name, patronymic

●      gender

●      registration address

●      email address

●      phone number

●      TIN (taxpayer identification number)

●      citizenship

●      bank card details

●      current account number

●      personal account number

a.2) processing of general (other) categories of personal data of representatives of counterparties is carried out in accordance with the following list:

●      last name, first name, patronymic

●      registration address

●      email address

●      phone number

●      TIN (taxpayer identification number)

●      citizenship

●      identity document details

●      driver’s licence details

●      details of an identity document used outside the Russian Federation

●      bank card details

●      current account number

●      personal account number

●      profession

●      job title/position

●      length of service (work experience)

●      education details

●      photograph

b) special categories of personal data of counterparties, clients, and representatives of counterparties are not processed;

c) biometric personal data of counterparties, clients, and representatives of counterparties are not processed.

4.6.4. The Operator performs mixed processing of personal data of counterparties, clients, and representatives of counterparties for the purpose specified in this Section, with transfer via the internal network and via the Internet.

4.6.5. The list of actions performed by the Operator on personal data of counterparties, clients, and representatives of counterparties for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.6.6. Processing of personal data of counterparties, clients, and representatives of counterparties does not require obtaining separate consent provided that the scope of personal data processed by the Operator corresponds to the purpose of preparing, executing and performing a civil-law agreement specified in this Section, on the basis of Clause 5, Part 1, Article 6 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, and provided that such processing is also necessary for exercising the rights and legitimate interests of the Operator or third parties on the basis of Clause 7, Part 1, Article 6 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.

4.6.7. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate personal data of counterparties, clients, and representatives of counterparties for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.6.8. The Operator does not perform cross-border transfer of personal data of counterparties, clients, and representatives of counterparties for the purpose specified in this Section.

4.7. Personal data processing for the purpose of offering and promoting the Operator’s products and brand on the market through marketing (advertising, PR) activities and sales promotion.

4.7.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “offering and promoting the Operator’s products and brand on the market through marketing (advertising, PR) activities and sales promotion”.

4.7.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      counterparties of the Operator;

●      clients of the Operator;

●      visitors of the Operator’s Website.

4.7.3. The Operator processes the following categories and list of personal data of counterparties, clients, and visitors to achieve the purpose specified in this Section:

a.1) processing of general (other) categories of personal data of counterparties and clients is carried out in accordance with the following list:

●      last name, first name, patronymic

●      gender

●      registration address

●      email address

●      phone number

●      TIN (taxpayer identification number)

●      citizenship

●      bank card details

●      current account number

●      personal account number

a.2) processing of general (other) categories of personal data of visitors is carried out in accordance with the following list:

●      last name, first name, patronymic

●      gender

●      email address

●      phone number

●      bank card details

●      current account number

●      personal account number

●      profession

●      job title/position

●      length of service (work experience)

●      photograph

●      data collected via web analytics/metrics tools

b) special categories of personal data of counterparties, clients, and visitors are not processed;

c) biometric personal data of counterparties, clients, and visitors are not processed.

4.7.4. The Operator performs mixed processing of personal data of counterparties, clients, and visitors for the purpose specified in this Section, with transfer via the internal network and via the Internet.

4.7.5. The list of actions performed by the Operator on personal data of counterparties, clients, and visitors for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.7.6. Personal data processing for the purpose specified in this Section is carried out subject to obtaining prior consent for such processing.

4.7.7. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate personal data of counterparties, clients, and visitors for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.7.8. The Operator does not perform cross-border transfer of personal data of counterparties, clients, and visitors for the purpose specified in this Section.

4.8. Personal data processing for the purpose of processing incoming requests submitted via the Website.

4.8.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “processing incoming requests submitted via the Website”.

4.8.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      visitors of the Operator’s Website.

4.8.3. The Operator processes the following categories and list of visitors’ personal data to achieve the purpose specified in this Section:

a) processing of general (other) categories of visitors’ personal data is carried out in accordance with the following list:

●      last name, first name, patronymic

●      gender

●      email address

●      phone number

●      bank card details

●      current account number

●      personal account number

●      profession

●      job title/position

●      photograph

●      data collected via web analytics/metrics tools

b) special categories of visitors’ personal data are not processed;

c) biometric personal data of visitors are not processed.

4.8.4. The Operator performs mixed processing of visitors’ personal data for the purpose specified in this Section without transfer via the internal network, with transfer via the Internet.

4.8.5. The list of actions performed by the Operator on visitors’ personal data for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.8.6. Personal data processing for the purpose specified in this Section is carried out subject to obtaining prior consent for such processing.

4.8.7. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate visitors’ personal data for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.8.8. The Operator does not perform cross-border transfer of visitors’ personal data for the purpose specified in this Section.

4.9. Personal data processing for the purpose of maintaining statistics on Website visits.

4.9.1. Under this Section of the Policy, the Operator determines the categories and list of processed personal data, the categories of subjects whose personal data are processed, the methods, periods of processing and storage, and the procedure for destroying personal data upon achievement of the purpose of processing or upon occurrence of other lawful grounds in relation to the purpose of “maintaining statistics on Website visits”.

4.9.2. To achieve the purpose specified in this Section, the Operator processes personal data belonging to the following category(ies) of personal data subjects:

●      visitors of the Operator’s Website.

4.9.3. The Operator processes the following categories and list of visitors’ personal data to achieve the purpose specified in this Section:

a) processing of general (other) categories of visitors’ personal data is carried out in accordance with the following list:

●      data collected via web analytics/metrics tools

b) special categories of visitors’ personal data are not processed;

c) biometric personal data of visitors are not processed.

4.9.4. The Operator performs mixed processing of visitors’ personal data for the purpose specified in this Section without transfer via the internal network, with transfer via the Internet.

4.9.5. The list of actions performed by the Operator on visitors’ personal data for the purpose specified in this Section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, destruction.

4.9.6. Personal data processing for the purpose specified in this Section is carried out subject to obtaining prior consent for such processing.

4.9.7. Without the personal data subject’s consent, the Operator does not disclose to third parties and does not disseminate visitors’ personal data for the purpose specified in this Section unless otherwise provided by the laws of the Russian Federation.

4.9.8. With visitors’ consent and within the Russian Federation, the Operator may transfer their personal data for the purpose specified in this Section to LLC Yandex (TIN 7736207543), address: 16, Lev Tolstoy St., Moscow, 119021.

4.9.9. The content of visitors’ consent must be specific, explicit, informed, conscious and unambiguous, i.e., contain information that makes it possible to unambiguously determine the purposes and methods of processing, indicating the actions performed on personal data, and the scope of personal data being processed.

4.9.10. The Operator does not perform cross-border transfer of visitors’ personal data for the purpose specified in this Section.

5. DATA PROCESSING USING COOKIES

5.1. Cookies transferred to user devices may be used for personalizing website functions, personalized advertising, statistical and research purposes, and to improve the website.

5.2. Users are aware that their devices/software may provide for disabling cookies for some/all websites, and may remove cookies received earlier.

5.3. The Operator may determine that certain website features require cookies to be enabled.

5.4. Technical cookie file parameters are defined by the Operator and may change without prior notice.

5.5. Website counters may be used for cookie analysis, collection and processing of access statistics, and ensuring website operability. Technical settings may be changed by the Operator without prior notice.

5.6. The Operator uses “Yandex.Metrica” to identify unique visitors and monitor their preferences and behavior.

6. COLLECTION AND STORAGE OF PERSONAL DATA

6.1.When collecting personal data, including via the Internet, the Operator ensures data is recorded, systematized, accumulated, stored, clarified, and retrieved using databases located within the Russian Federation.

6.2. Individuals providing information about another subject without consent are liable under Russian law.

6.3. Personal data is stored in an identifiable form no longer than required for stated purposes unless otherwise set by law or agreement.

6.4. Strict principles of data minimization and retention limitation apply. Data is destroyed upon:

●      achievement of processing purposes;

●      withdrawal or expiry of consent;

●      loss of necessity for data processing;

●      Operator’s deletion from the Unified State Register of Legal Entities.

6.5. The Operator may continue data processing after these periods if required by law.

7. PERSONAL DATA SECURITY

7.1. The Operator implements legal, organizational, and technical measures for data security and confidentiality per Russian law, including:

●      develops and implements organizational and administrative documents and other documents in the field of personal data processing and protection;

●      conducts briefings and training for employees on personal data processing and protection measures;

●      ensures physical security of premises and locations where personal data are stored;

●      appoints persons responsible for organizing personal data processing and ensuring personal data security;

●      identifies threats to personal data security when processing personal data in personal data information systems;

●      assesses the harm that may be caused to personal data subjects in the event of violation of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;

●      uses information security tools that have passed conformity assessment in the установленном порядке (prescribed manner);

●      restricts access to premises where technical equipment used to process personal data is located and where information media are stored;

●      detects and investigates unauthorized access to personal data, including implements measures to detect, prevent and mitigate the consequences of computer attacks on information systems and to respond to computer incidents therein;

●      notifies Roskomnadzor of a personal data breach in accordance with the procedure established by Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;

●      restores personal data modified or destroyed as a result of unauthorized access;

●      establishes rules for access to personal data;

●      maintains records of persons admitted to personal data processing;

●      maintains records of physical media containing personal data;

●      monitors implemented personal data security measures and the level of protection of personal data information systems;

●      applies other legal, organizational and technical measures to ensure personal data security.

8. RESPONSES TO PERSONAL DATA SUBJECT REQUESTS

8.1. Confirmation of processing, legal grounds and purposes, and other data required by law shall be provided by the Operator to the data subject or their authorized representative upon request within 10 business days, extendable by 5 business days with appropriate notification.

8.2. The request must contain:

●      number of the main identity document and issuing details;

●      information proving relations with the Operator (contract number/date, passphrase, etc.) or other confirmation of data processing;

●      subject signature (including electronic, as allowed by Russian law).

8.3. The request may be submitted as an electronic document and signed with an electronic signature in accordance with the laws of the Russian Federation.

8.4. If an inquiry (request) from a personal data subject does not contain all information required under Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, or the subject does not have access rights to the requested information, the Operator sends a reasoned refusal.

8.5. The personal data subject’s right of access to their personal data may be restricted in accordance with Part 8, Article 14 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, including where such access would violate the rights and legitimate interests of third parties.

9. UPDATING, CORRECTING, DELETING AND DESTROYING PERSONAL DATA

9.1. If inaccurate personal data are identified upon обращение (inquiry) of the personal data subject or their representative, or upon their request, or upon a request from Roskomnadzor, the Operator blocks the personal data relating to such subject from the moment of such inquiry or receipt of such request for the period of verification, provided that blocking does not violate the rights and legitimate interests of the personal data subject or third parties.

9.2. If the inaccuracy of personal data is confirmed, the Operator, based on information provided by the personal data subject or their representative, or Roskomnadzor, or other necessary documents, rectifies the personal data within seven business days from the date such information is provided and unblocks the personal data.

9.3. Personal data shall be destroyed by the Operator in the following cases:

●      achievement of the purposes of personal data processing;

●      withdrawal by the personal data subject of their consent to the processing of their personal data;

●      receipt of information that personal data were unlawfully obtained or are not necessary for the stated processing purpose;

●      identification of unlawful processing of personal data.

9.4. Upon achievement of the purpose of personal data processing, the Operator undertakes to cease personal data processing or ensure its cessation (if processing is carried out by another person acting on behalf of the Operator) and to destroy personal data or ensure their destruction (if processing is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 (thirty) days from the date the purpose of processing is achieved, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary, or guarantor, or by another agreement between the Operator and the personal data subject, or unless the Operator is entitled to process personal data without the personal data subject’s consent.

9.5. If the personal data subject withdraws their consent to personal data processing, the Operator undertakes to cease processing or ensure cessation of such processing (if processing is carried out by another person acting on behalf of the Operator) and, if retention of personal data is no longer required for the purposes of processing, to destroy personal data or ensure their destruction (if processing is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 (thirty) days from the date of receipt of such withdrawal, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary, or guarantor, or by another agreement between the Operator and the personal data subject, or unless the Operator is entitled to process personal data without the personal data subject’s consent.

9.6. If the personal data subject states and/or provides information confirming that their personal data were unlawfully obtained or are not necessary for the stated processing purpose, the Operator must destroy such personal data within a period not exceeding 7 (seven) business days from the date of receipt of the relevant information.

9.7. If unlawful processing of personal data carried out by the Operator or a person acting on behalf of the Operator is identified and it is impossible to ensure lawfulness of such processing, the Operator, within a period not exceeding 10 (ten) business days from the date of identifying such unlawful processing, undertakes to destroy such personal data or ensure their destruction. The Operator undertakes to notify the personal data subject or their representative of the destruction, and where the inquiry/request of the personal data subject or their representative or the request of the authorized authority for the protection of the rights of personal data subjects was submitted by such authority, to also notify that authority.

10. FINAL PROVISIONS

10.1. In accordance with Article 18.1(2) of Federal Law No. 152-FZ “On Personal Data”, this Privacy Policy is available at the Operator’s registered address and online on the Website.