POLICY OF ARRANGING PROCESSING AND ENSURING SECURITY OF PERSONAL DATA IN PALITRUMLAB LLC
-
General provisions
-
All intellectual property rights belong to: PalitrumLab LLC © 2023.
-
Information about the enactment, termination and revision of this document shall be communicated to the employees of PalitrumLab LLC (hereinafter the "Operator") in accordance with its documentation management procedure.
-
In order to comply with the statutes of the current legislation of the Russian Federation (hereinafter - the RF) in full, the Operator considers its most important tasks to observe the principles of legality, fairness and confidentiality in processing Personal Data (hereinafter - PD), as well as to ensure the security of procedures of their processing.
-
This Policy on Personal Data Processing and Security (hereinafter - the "Policy") has the following features:
-
it is developed with the aim of implementing requirements of the current legislation of the RF in the area of PD processing and protection;
-
it discloses the methods and principles of PD processing by the Operator, the Operator's rights and obligations in PD processing, the rights of PD subjects, and includes a list of measures applied by the Operator in order to ensure PD security in the course of their processing;
-
it is a publicly available document, which declares the conceptual basis of the Operator's activity in PD processing and protecting.
-
The Operator shall notify the authorized body for the protection of the rights of PD subjects about its intention to process PD prior to processing PD. The Operator shall, in good faith and in due time, update the information specified in the notification.
-
-
-
Legal basis for processing PD
-
The Operator shall process PD in compliance with the RF current legislation on PD and shall be guided by the following legal grounds:
-
The Labor Code of the RF (Art. 3, 8, 9, 56, 62, 64-66, 69, 91, 120-122, 128, 136, 141, Ch. 23, Ch. 24, 179, 189, 196, 212-214, 221, 223, 225, 227, 228, 228.1, 229.2, 230, 230.1, 255-257, 261, 283, 327.2, 327.3);
-
Tax Code of the RF (Art. 217-220, 226, 227.1, 264, 265, 270, 313);
-
The Civil Code of the RF (Art. 19, 49, 52, 67.1, 152.1, 307, 312, 426, 434.1, 435, 437, 438, 447, 448, 452 (Part 2), 797 (Part 1), Ch. 10, 30 (§ 3), 34, 37, 39, 40, 48, 52);
-
The Code on Administrative Offences of the RF (Art. 2.6.1);
-
The Arbitration Procedure Code of the RF (Ch. 5);
-
The Civil Procedure Code of the RF (Ch. 4);
-
The Administrative Court Procedure Code of the RF (Ch. 4);
-
The Criminal Procedure Code of the RF (Sect. II);
-
Law of the RF dated 19.04.1991 No. 1032-1 "On Employment in the Russian Federation" (Art. 25);
-
Law of the RF dated 11.03.1992 No. 2487-1 "On Private Detective and Security Activity in the Russian Federation" (Art. 12, 12.1);
-
Law of the RF dated 27.11.1992 No. 4015-1 "On Organization of Insurance Business in the Russian Federation" (Art. 4, 5, 32.9);
-
Federal Law dated 21.12.1994 No. 68-FZ "On Protection of Population and Territories from Natural and Man-made Emergencies" (Art. 14);
-
Federal Law dated 21.12.1994 No. 69-FZ "On Fire Safety" (Art. 37);
-
Federal Law dated 19.05.1995 No. 81-FZ "On State Benefits to Citizens with Children" (Articles 3, 6);
-
Federal Law dated 24.11.1995 No. 181-FZ "On Social Protection of Disabled Persons in the Russian Federation" (Art. 20, 24);
-
Federal Law dated 12.01.1996 No. 8-FZ "On Burial and Funeral Business" (Art. 10);
-
Federal Law dated 01.04.1996 No. 27-FZ "On Individual (Personified) Accounting in the Compulsory Pension Insurance System" (Art. 7-9, 11, 15);
-
Federal Law dated 31.05.1996 No. 61-FZ "On Defense" (Art. 8);
-
Federal Law dated 26.02.1997 No. 31-FZ "On Mobilization Training and Mobilization in the Russian Federation" (Art. 9);
-
Federal Law dated 28.03.1998 No. 53-FZ "On Military Duty and Military Service" (Art. 4, 6, 8);
-
Federal Law dated 24.07.1998 No. 125-FZ "On Mandatory Social Insurance against Industrial Accidents and Occupational Diseases" (Art. 5, 17, 20.2);
-
Federal Law dated 16.07.1999 No. 165-FZ "On the Fundamentals of Mandatory Social Insurance" (Art. 6, 9, 12);
-
Federal Law dated 07.08.2001 No. 115-FZ "On Counteracting the Legalization (Laundering) of Proceeds of Crime and the Financing of Terrorism" (Art. 6.1);
-
Federal Law dated 08.08.2001 No. 129-FZ "On State Registration of Legal Entities and Individual Entrepreneurs" (Art. 5, Cl. 1, Art. 6);
-
Federal Law dated 15.12.2001 No. 167-FZ "On Compulsory Pension Insurance in the Russian Federation" (Art. 4, 6, 14);
-
Federal Law dated 07.07.2003 No. 126-FZ "On Communications" (cl. 44, art. 2);
-
Federal Law dated 29.12.2006 No. 255-FZ "On Compulsory Social Insurance for Temporary Disability and Cases related to Maternity" (Art. 2, 2.1, 4.1, 4.8);
-
Federal Law dated 26.12.1995 No. 208-FZ (as amended on 07.10.2022) "On Joint-Stock Companies" (Art. 92);
-
Federal Law dated 02.10.2007 No. 229-FZ "On Enforcement Proceedings" (Ch. 6);
-
Federal Law dated 25.12.2008 No. 273-FZ "On Combating Corruption" (Art. 13.3);
-
Federal Law dated 30.12.2008 No. 307-FZ "On Auditing Activities" (Art. 5);
-
Federal Law dated 29.11.2010 No. 326-FZ "On Compulsory Medical Insurance in the Russian Federation" (Art. 10, 11, 17);
-
Federal Law dated 06.04.2011 No. 63-FZ "On Electronic Signature" (Art. 14, 17);
-
Federal Law dated 06.12.2011 No. 402-FZ "On Accounting" (Art. 6, 9);
-
Federal Law dated 29.12.2012 No. 273-FZ "On Education in the Russian Federation" (Art. 54, 60);
-
Federal Law dated 28.12.2013 No. 426-FZ "On Special Assessment of Working Conditions" (Art. 4, 7, 8, 15);
-
Federal Law dated 15.08.1996 No. 114-FZ "On the Procedure for Exit from the Russian Federation and Entry into the Russian Federation" (Art. 25);
-
Federal Law dated 21.11.2011 No. 323-FZ "On the Fundamentals of Public Health Protection in the Russian Federation" (Art. 24);
-
Federal Law of the Russian Federation dated 13.03.2006 No. 38-FZ "On Advertising" (Art. 9);
-
Law of the RF dated 07.02.1992 No. 2300-1 "On Protection of the Rights of Consumers" (Part 2, Art. 1);
-
Federal Law dated 30.03.1999 No. 52-FZ "On Sanitary and Epidemiological Welfare of the Population" (Art. 8, 10, 24);
-
The Operator's Charter;
-
Consents of the PD subjects (employees, family members and other relatives of employees, designated beneficiaries under the relevant insurance contracts of employees, applicants for vacant positions and other persons) to the processing of their PD;
-
Contracts to which PD subjects are parties or beneficiaries or guarantors;
-
Powers of Attorney issued by the Operator to the PD subjects.
-
Note - When using this Policy, it is advisable to check the validity of the reference documents. If a reference document is replaced (amended), the replaced (amended) document shall govern the use of this Policy. If a reference document is canceled without replacement, the provision referencing it shall apply to the extent not affecting the reference.
-
-
Purposes of PD collecting and further processing
-
Carrying out information communication with visitors to brandanalytics.ru and palitrumlab.ru
-
The categories and list of processed PD:
-
name, patronymic, surname
-
contact (communication) information (contact phone number; contact email address)
-
information on position, structural subdivision, and current place of employment
-
subject of appeal
-
text of the appeal
-
-
Categories of subjects, whose PD is processed:
-
visitors to brandanalytics.ru, leaving appeals in the "Demo request" section
-
visitors to palitrumlab.ru, leaving appeals in the "Contact Us" section
-
-
Methods of PD processing:
-
collection, including obtaining from third parties, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction with or without the use of automation means
-
-
Time periods of PD processing:
-
until revocation of such consent or 3 years from the date of consent + 30 days from the date of consent revocation
-
-
Procedure of PD destruction upon achieving the purposes of their processing or upon occurrence of other legal grounds:
-
PD destruction shall be carried out under control of the commission, formed in accordance with the procedure, established by the Operator. In case of necessity to destroy PD in separate subdivisions of the Operator or remote locations of the Operator's employees, the person responsible for arranging PD processing, by issuing a corresponding order, shall form, on a temporary or permanent basis, a local commission consisting of at least two persons on PD destruction.
-
The fact of PD destruction shall be confirmed by the "Report on PD destruction (termination of processing)" or in any other form, which allows confirming the fact of PD destruction.
-
PD destruction shall be carried out in such a way as to exclude the possibility of recovery of these PD. If PD cannot be destroyed without damaging their material medium in such a way as to prevent its further intended use, both PD and its material medium shall be destroyed.
-
PD destruction in PDISs (personal data information systems), on WSs (Workstations) and alienable machine media shall be performed using standard means, and, if necessary, with the use of specialized software or hardware means.
-
-
-
-
Principles, contents and methods of PD processing
-
The Operator shall ensure observance of PD processing principles envisaged by Art. 5 of Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data".
-
The Operator shall process the PD of the following categories of PD subjects:
-
employees of the Operator;
-
family members and other relatives of the Operator's employees;
-
applicants for vacancies in the Operator;
-
persons who have previously been the Operator's employees;
-
family members and other relatives of former employees of the Operator;
-
counterparties of the Operator (including their employees and representatives);
-
potential counterparties of the Operator (including their employees and representatives);
-
owners, including beneficiaries (including their employees and representatives) of the Operator's counterparties;
-
owners, including beneficiaries, (including their employees and representatives) of potential counterparties of the Operator;
-
owners, including beneficiaries (including their employees and representatives) of the Operator;
-
participants in court proceedings and enforcement proceedings in which the Operator is involved;
-
visitors to brandanalytics.ru, leaving appeals in the "Demo request" section
-
visitors to palitrumlab.ru, leaving appeals in the "Contact Us" section
-
persons visiting the Operator's properties.
-
-
The Operator has established the following conditions for terminating the PD processing:
-
achievement of the PD processing objectives and the maximum retention period of the PD;
-
losing the necessity to achieve the objectives of PD processing;
-
submission by the PD subject or his/her legal representative of information, confirming that the PD is illegally obtained or is not necessary for the stated objective of processing;
-
inability to ensure the lawfulness of PD processing;
-
revocation by a PD subject of his/her consent to PD processing, if PD preservation is no longer required for the PD processing purposes;
-
expiry of the limitation period for legal relations, in the framework of which PD processing is being or was being processed;
-
liquidation or reorganization of the Operator.
-
-
Processing of PD by the Operator includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of PD.
-
The Operator shall not process special categories of PD (health information).
-
The Operator shall not process biometric PD.
-
The Operator shall process PD permitted to be distributed by the PD subject for the purposes of participation in tenders (auctions and biddings as well as in other procedures provided for by applicable law) and preparation of documents required for participation in tenders. In particular, the Operator shall distribute PD, authorized by the PD subject for distribution, on the websites of trading platforms on the Internet, where the Operator is registered. On the websites of trading platforms on the Internet, where the Operator is registered, the Operator shall bring to the attention of third parties - the owner of the trading platform on the Internet and potential counterparties - the Declaration on organizational and technical support for prohibitions on processing of personal data, authorized by the subject of personal data for distribution, and conditions for processing of such data.
-
The Operator shall not make any decisions, giving rise to legal consequences in relation to PD subjects or otherwise affecting their rights and legitimate interests, based solely on the automated processing of their PD.
-
The Operator shall process PD with or without the use of automation means.
-
When collecting PD, the Operator shall ensure recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of PD of Russian citizens using databases located in the RF, except for cases directly stipulated by the current Russian legislation on PD. The Operator's server that collects PD of Russian citizens is located at 22s13 Ostapovsky passage, Moscow, 109316
-
-
Actions for adequately arranging PD processing and ensuring security
-
While processing PD, the Operator shall take all necessary legal, organizational and technical measures for their protection from the unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other unauthorized actions in relation to them. The PD security is achieved, in particular, by the following means:
-
appointing a responsible person for arranging PD processing;
-
issuing of documents, determining the Operator's policy in relation to the PD processing, local PD processing regulations, as well as local regulations, establishing the procedures aimed at the prevention and detection of any violations of the RF legislation on PD, and remedial measures for such violations;
-
exercising internal control and/or audit of PD processing compliance with Federal Law dated 27.07.2006 No. 152-FZ «On Personal Data» and regulatory legal acts adopted in compliance therewith, PD protection requirements, the Operator's local documents;
-
making the Operator's employees, directly involved in PD processing, acquainted with the provisions of the RF legislation on PD, including the requirements to PD protection, local documents on the PD processing and/or training the aforementioned employees;
-
determining places of storage of PD material media, and ensuring accounting and safety of PD material media;
-
detecting the facts of unauthorized access to PD and taking appropriate measures;
-
restoring PD modified or destroyed as a result of unauthorized access to them;
-
organization of security procedures in the premises where PD processing is carried out and/or where PDISs are located;
-
applying legal, organizational, and technical measures to ensure PD security during their processing in PDISs, necessary to meet the requirements for PD protection;
-
evaluating the effectiveness of the measures taken to ensure PD security prior to commissioning of PDISs;
-
establishing the rules for access to the PD processed in the PDIS, as well as ensuring registration and accounting of all actions taken with the PD in the PDIS;
-
control over PD security measures taken and the level of PDIS protection.
-
-
Duties of the Operator`s employees carrying out the PD processing and protection, as well as their responsibility, are defined in the Regulation "On arranging processing and ensuring security of personal data in «PalitrumLab» LLC."
-
-
Person responsible for arranging PD processing
-
Rights, obligations and legal responsibility of the person responsible for arranging the PD processing are established by Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data", Regulation of the Operator "On arranging processing and ensuring security of personal data in "PalitrumLab" LLC" and other local documents of the Operator in the area of PD processing and protection.
-
Appointment of a person responsible for arranging the PD processing, and release from the specified duties shall be carried out by the Head of the Operator. When appointing a person responsible for arranging the PD processing, the powers, competencies, and personal qualities of the official, which are designed to enable him/her to properly and fully exercise his/her rights and perform his/her duties, shall be taken into account.
-
The person responsible for arranging the PD processing shall:
-
organize internal control over compliance by the Operator and its employees with the RF legislation on PD, including requirements to PD protection;
-
draw the attention of the Operator's employees to the provisions of the RF legislation on PD, local documents on the PD processing, and requirements to PD protection, or ensure such attention;
-
exercise control over reception and processing of appeals and inquiries from PD subjects or their representatives.
-
-
-
Rights of PD subjects
-
PD subject shall be entitled to receive information about processing of his/her PD by the Operator in the format specified by such PD subject.
-
The PD subject shall be entitled to require the Operator to clarify those PD, block or destroy them if they are incomplete, out-of-date, inaccurate, illegally obtained or cannot be considered necessary for the stated processing purpose, as well as to take statutory measures to protect his/her rights.
-
The right of PD subject to access his/her PD may be restricted in accordance with federal laws, including if the PD subject's access to his/her PD violates the rights and legitimate interests of third parties.
-
In order to exercise and protect their rights and legitimate interests, a PD subject or his/her representatives may apply to the Operator in any way convenient for them, the quickest way being to directly contact the person responsible for arranging the PD processing and ensuring PD security.
-
In order to increase efficiency and speed up consideration of appeals and complaints, the Operator shall suggest PD subjects and their representatives to fill in and submit to the Operator the appropriate form provided in Appendix 1.
-
The Operator shall consider all appeals and complaints from PD subjects, thoroughly investigate acts of infringing and take all necessary steps for their immediate remediation, punish guilty persons and settle disputable and conflict situations in the pre-trial order.
-
A PD subject may appeal against the action or inaction of the Operator by contacting a competent authority for the protection of rights of PD subjects.
-
A PD subject shall be entitled to protect his/her rights and legitimate interests, including the right to claim damages and/or compensation for moral damage in court.
-
A PD subject shall be entitled to exercise other rights provided by current legislation.
-
-
Access to this Policy
-
The valid hard copy version of the Policy is kept at the Operator`s registered address꞉ 10 Bolshaya Sadovaya st., Moscow, Russia ("PalitrumLab" LLC`s Headquarters).
-
The electronic version of the current edition of the Policy is available on the Operator`s websites: https://brandanalytics.ru and https://www.palitrumlab.ru
-
-
Procedure for the Policy approval and amendment
-
The Policy shall be approved and put into effect by the Director General of the Operator and shall be valid until cancelled.
-
The Operator shall have the right to amend the Policy. Amendments shall be approved by order of the Director General of the Operator.
-
The Policy shall be reviewed as necessary, but at least once in three years from the date of previous review of the Policy. The Policy shall be re-approved if the review results in amendments to the Policy.
-
The Policy may be reviewed earlier than the period specified in cl. 9.2.1 of this Policy, as amendments are made:
-
to the RF regulatory legal acts in the area of PD;
-
to local regulatory and individual documents of the Operator, regulating the arranging of PD processing and ensuring PD security;
-
to contracts and agreements regulating the legal relations between the Operator and its counterparties and other persons;
-
to procedures regulating the way the Operator arranges the PD processing and ensures PD security.
-
-
-
Responsibility
-
Persons, guilty in infringement of standards, regulating processing and protection of PD, shall bear responsibility envisaged by the legislation of the RF, local documents of the Operator and contracts, regulating legal relations between the Operator and third parties.
-