Personal Data Processing Policy

  1. General Provisions
    1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) is prepared in accordance with Item 2 Article 18.1 of the Federal Law on Personal Data (No. 152-FZ) implemented on July 27, 2006, as well as other applicable laws and regulations of the Russian Federation concerning protection and processing of personal data. This Policy applies to the processing and protection of personal data (hereinafter referred to as the Data) that Company (hereinafter referred to as the Operator) can obtain from the Personal Data Subject acting as a Party of an independent contractor agreement; an Internet user (hereinafter referred to as the User) visiting this website and using any service or product placed here, or a Data Subject being in an employment relationship with the Operator (hereinafter referred to as the Employee).
    1.2. The Operator ensures personal data protection from unauthorized access, loss, misuse, or unlawful dissemination in compliance with the Federal Law on Personal Data (No. 152-FZ) implemented on July 27, 2006.
    1.3. The Operator has a right to change this Policy in part or in full. The actual revision date is specified in the headline of the Policy. The Revised Policy comes into force on the date of publishing on the Website unless otherwise stipulated herein.
  2. Basic terms and definitions
    Personal data means any information related to a directly or indirectly identified or identifiable natural person (data subject).
    Personal data processing means any action (operation) or a series of actions (operations) with personal data performed with or without automated means, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.
    Automated personal data processing means processing personal data with the use of computers.
    Personal data information system (PDIS) means a set of personal data contained in personal data databases and information technologies and tools used for their processing.
    Personal data permitted by the data subject for dissemination means personal data access to which is granted to the general public by the personal Data Subjects or at their request.
    Blocking of personal data means a temporary interruption of personal data processing (except where processing is required for personal data refinement).
    Destruction of personal data means actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media on which personal data are stored.
    Operator means a government authority, a municipal authority, a legal or private person, which severally or jointly arrange and/or perform the processing of personal data, as well as define the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.
  3. Personal data processing
    3.1. Collection of personal data
    3.1.1. Personal data shall be obtained directly from the Data Subjects. If personal data can be collected only from a third party, Data Subjects shall be notified and give their written consent.
    3.1.2. The Operator shall inform the Data Subject about the purposes of the processing for which the personal data are intended as well as the legal basis for the collection and processing of the data, the period for which the written consent for collection of personal data will be valid, the existence of the right to withdraw such consent at any time and the consequences of refusal to provide written permission for collection of personal data.
    3.1.3. Records and documentation containing personal data are created using:
    – copying of original documents (passport, academic credentials, Taxpayer Identification Number certificate, pension certificate, etc.);
    – making entries in books;
    – obtaining the original copies of the documents (employment record book, medical report, performance review, etc.).
    3.2. Personal data processing
    3.2.1. Personal data processing shall be carried out:
    – upon the consent of the Data Subjects for processing of their personal data;
    – in cases where the processing of personal data is necessary to comply with a legal obligation which the Operator is subject to;
    – in cases where personal data permitted by the data subject for dissemination is being processed.
    3.2.2. Purposes of personal data processing:
    – employment relationships of the Company with individuals;
    – civil law relations of the Company with individuals;
    – communication with the user requested for a quotation on the website, including notifications, requests, and other information related to the eCommerce website usage, order processing, approval and shipment as well as execution of contracts and agreements;
    — anonymization of personal data utilized for collection of anonymized statistical data, which are transferred to the third parties for statistical analysis, execution of business activities, or provision of services on behalf of the Company.
    3.2.3. Data Subjects
    Personal data of the following Data Subjects is being processed:
    – individuals who the Company currently employs;
    – individuals resigned from the Company;
    – job applicants;
    – individuals who are currently in civil law relations with the Company;
    – eCommerce website users.
    3.2.4. Personal data processed by the Operator:
    – data obtained in the course of employment relationships with individuals;
    – data obtained for the selection of job applicants;
    – data obtained in the course of civil law relations with individuals;
    – data obtained from the eCommerce website users.
    3.2.5. Personal data processing is carried out:
    – by automated means;
    – by non-automated means of processing.
    3.3. Storage of personal data
    3.3.1. Personal data of Data Subjects can be obtained, processed, and stored in digital files or non-digital format.
    3.3.2. Personal data stored in paper form must be kept in a locked cabinet or in a secure location where unauthorized parties cannot access it.
    3.3.3. Personal data processed by automated means must be stored in different folders.
    3.3.4. Storage of personal data in public access databanks (file hosting services) is strictly prohibited.
    3.3.5. Storage of personal data in the format that allows identifying the Data Subject shall be maintained for no longer than is necessary to fulfill the intended processing purpose and destructed after the processing purposes are achieved or no longer required to be achieved.
    3.4. Destruction of personal data.
    3.4.1. Destruction of records (data carriers) containing personal data shall be carried out by incineration, crushing (grinding), chemical decomposition, shattered into a shapeless mass or a powder. Paper documentation may be destroyed by shredding.
    3.4.2. Personal data stored in electronic form shall be destroyed by erasing or formatting the medium.
    3.4.3. Destruction of the personal data shall be confirmed by a certificate of destruction.
    3.5. Transfer of personal data
    3.5.1. The Operator transfers personal data to the third parties in the following cases:
    – Data Subjects have granted their consent to such transfer;
    – the transfer of personal data is required or required or authorized by the Russian or any other applicable laws under the established procedure.
    3.5.2. The personal data is transferred to the following third parties for the following purposes:
    – to the Pension Fund of the Russian Federation for record purposes (on legal grounds);
    – to the Tax Authorities of the Russian Federation (on legal grounds);
    – to the Social Insurance Fund of the Russian Federation (on legal grounds);
    – to the Federal Compulsory Medical Insurance Fund (on legal grounds);
    – to the Health Maintenance Organizations for the Voluntary and Mandatory Medical Insurance (on legal grounds);
    – to the Banks for payroll accounting purposes (under the terms of the Agreement);
    – to the local authorities of the Ministry of Internal Affairs of the Russian Federation, to the extent permitted under applicable law;
    – anonymized personal data of the eCommerce website Users are transferred to the e-shop contractual partners.
  4. Protection of Personal Data
    4.1. In accordance with the requirements of regulatory documents, the Operator has developed a personal data protection system (PDPS), consisting of subsystems for legal, organizational, and technical protection of personal data.
    4.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents that ensure the creation, functioning, and improvement of the PDPS.
    4.3. The organizational protection subsystem includes the organization of PDPS management structure, authorization system, information protection when dealing with employees, partners, and third parties.
    4.4. The technical protection subsystem includes technical means of software and hardware that ensure personal data protection.
    4.5. The main measures of personal data protection applied by the Operator are as follows:
    4.5.1. Assigning a person responsible for personal data processing who arranges personal data processing, training, and briefing, internal control of the organization, and its employees’ compliance with personal data protection requirements.
    4.5.2. Identification of immediate threats to personal data security during its processing in PDIS and development of procedures and measures on personal data protection.
    4.5.3. Development of policy regarding the processing of personal data.
    4.5.4. Establishing rules for accessing personal data processed in PDIS and ensuring registration and accounting of all actions performed with personal data in PDIS.
    4.5.5. Generation of individual passwords for employees’ access to the information system in accordance with their job duties.
    4.5.6. Application of information protection means that passed a conformity assessment procedure in due order.
    4.5.7. Certified anti-virus software with regularly updated databases.
    4.5.8. Compliance with the conditions ensuring the safety of personal data and preventing unauthorized access to it.
    4.5.9. Early detection of unauthorized access to personal data and immediate protective measures.
    4.5.10. Recovery of personal data modified or destroyed due to unauthorized access.
    4.5.11. Training of the Operator’s employees directly involved in the processing of personal data on the provisions of the Russian Federation legislation on personal data, including the requirements to personal data protection, documents defining the Operator’s policy regarding the processing of personal data, and local acts on personal data processing.
    4.5.12. Internal control and audit
  5. 5. Fundamental rights of Data Subjects and responsibility of the Operator
    5.1. Fundamental rights of Data Subjects.
    The Data Subjects have the right to get access to their personal data and ask for the following information:
    – proof of the personal data processing by the Operator;
    – legal grounds and purposes of personal data processing;
    – purposes and methods of personal data processing;
    – legal name and registered address of the Operator as well as records of individuals who (aside from the Operator) have access to personal data or to whom personal data can be disclosed based on the Federal Law or agreement with the Operator;
    – period of personal data processing, including storage period;
    – Data Subject Rights Management Procedure prescribed by the Federal Laws;
    – legal or full name of the legal entity of individual processing the personal data on behalf of the Operator, if processing will be entrusted to such legal entity or individual;
    – communication with and forwarding the requests to the Operator;
    – appeal against actions of the Operator or the lack of thereof.
    5.2. Responsibility of the Operator.
    Personal Data Operator is obliged:
    – to provide information on personal data processing when collecting personal data;
    –  to notify the Data Subject if personal data was received from the third parties;
    – to notify the Data Subject about the consequences to refuse to provide personal data;
    – to publish or in any other way provide unrestricted access to the document defining Operator’s personal data processing policy and to the information on the implemented requirements for personal data protection;
    – to take the necessary legal, organizational, and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, and dissemination as well as from other illegal actions concerning personal data;
    – to respond to inquiries and requests from Data Subjects, their representatives, and authorized data protection authorities.