Personal Data Processing policy

2.1. This Policy uses the following definitions and concepts:

• personal data - any information related directly or indirectly to an identified or identifiable natural person (personal data subject);
• personal data subject - an individual that was directly or indirectly identified or potentially identifiable by means of personal data;
• operator - a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) with the personal data;
• personal data processing - any action (operation) or a set of actions (operations) performed with personal data using automation equipment or without such equipment, including collection, recording, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
• automated personal data processing - personal data processing by means of computer equipment;
• distribution of personal data - actions aimed at disclosure of personal data to an indefinite number of persons;
• provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain group of people;
• blocking of personal data - temporary suspension of processing of personal data (except in cases where the processing is necessary to clarify the personal data);
• destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the physical storage media of personal data are destroyed;
• impersonalization of personal data - actions, as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific personal data subject;
• personal data information system - a set of personal data contained in databases, information technologies and technical means for their processing;
• transboundary transfer of personal data - a transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.

3.1. Processing of personal data by the Company is performed for the following purposes:

• In order to provide compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
• In order to provide execution of judicial acts, acts of other bodies or officials which should be executed in accordance with the legislation of the Russian Federation on enforcement proceedings;
• In order to carry out educational and pre-diploma practice;
• In order to assist candidates in employment, workers in education and career development , provide internships and mentoring, provide personal safety of employees, control the quantity and quality of work performed and ensure safety of a property;
• In order to provide keeping of HR records and employee's personal files;
• In order to form personnel reserve of the Operator.
• In order to provide employees with vacations and send them on business trips;
• Organization and registration of awards and incentives for employees;
• Registration of foreign passports and visas, as well as medical insurance for traveling abroad;
• Organization of individual (personified) accounting of employees in the system of mandatory pension insurance;— Providing employees and their families with additional guarantees and compensations, including non-state pension benefits, voluntary medical insurance, medical care and other types of social security;
• Filling in and transferring to the executive authorities and other authorized organizations the required reporting forms;
• Analysis of local legal acts regulating the activities of the Operator;
• Implementation by the Operator of the activities stipulated by the Company’s constituent documents;
• Improvement of the business processes of the Company as a whole, including structural divisions of the Operator and their procedures in relation to certain categories of personal data subjects;
• Registration of participants of promotional activities of the Company;
• In order to conduct opinion polls, marketing and other researches;
• In order to obtain statistical data;
• Mailing of information, advertising and other materials about different directions of activity of the Company, its partners and counterparties, as well as activity of the Company;
• Consideration of appeals, applications, letters from visitors of the Company on issues related to activities of the Company;
• Settlement of insurance claims;
• Preparation, conclusion, execution and termination of civil contracts;
• Formation of reference materials for internal information support activities of thE Company;
• In order to provide access control for the Company;— Other purposes not prohibited by the legislation of the Russian Federation, subject to prior written consent of the personal data subjects.

3.2. The Company will limit the personal data processing to achievement of specific, predetermined and legitimate goals that are communicated in each case to the personal data subject.

3.3. The Company does not allow processing of the personal data that is incompatible with the purposes of personal data processing.

4.1. Legal grounds for processing of personal data is a set of regulations, pursuant to which, and in accordance with which the Company performs processing of personal data, including:

• Constitution of the Russian Federation;
• Civil Code of the Russian Federation;
• Labor Code of the Russian Federation;
• Tax Code of the Russian Federation;
• Federal Law of July 27, 2006 No. 149-ФЗ “About Information, Information Technologies and Information Protection”;
• Decree of the Government of the Russian Federation of 01.11.2012 No. 1119 “On approval of requirements for protection of personal data when they are processed in personal data information systems”;
• Articles of association of the Company and other local regulatory acts of the Operator;
• Other regulatory legal acts of the Russian Federation and regulatory documents of the authorized state bodies;— Contracts concluded between the Operator and the personal data subject;
• Contracts concluded between the Operator and persons engaged in processing of personal data on behalf of the Operator;
• Subjects' consent to processing of their personal data.

5.1. Depending on the purposes stipulated in section 3 of this Policy, the Company can process personal data of the following categories of subjects:

5.1.1. Applicants for positions in the Company:

• Full Name;
• Year and place of birth;
• Contact details;
• Information about profession and other personal data reported by the applicant in the CV and cover leters.

5.1.2. University students:

• Full Name;
• Sex;
• Age;
• Education, qualification, vocational training and information on advanced training;
• Other personal data reported by students in the CV and cover letters.

5.1.3. Employee of the Company:

• Full Name;
• Sex;
• Age;
• Image (photo);
• Passport data;
• Address of registration and actual residence;
• Individual taxpayer number;
• Insurance number of individual personal account (SNILS);
• Education, qualification, vocational training and information on advanced training;
• Marital status, children, family ties;
• Information about employment, including incentives, awards and/or disciplinary actions;
• Information on registration of marriage;
• Information on military registration;
• Information on disability;
• Information on maintenance deduction;
• Information about income from a previous job;
• Other personal data provided by the employees in accordance with the requirements of labor legislation.

5.1.4. Persons included in the governing bodies of the Company:

• Full Name;
• Information on labor activity;
• Education;
• Individual taxpayer number;
• Address of residence;
• Photo;
• Phone number;
• E-mail address.

5.1.5. Candidates for the position of the sole executive body of the Company:

• Full Name;
• Image (photo);
• Day, month, year and place of birth;
• Information on citizenship;
• Information on education;
• Information on labor activity;
• Presence of an academic degree, academic title (when assigned, the number of diplomas, certificates);
• Marital status;
• Information on convictions;
• Information on state awards, other awards and distinctions (including dates of awards);
• Home address (address of registration, actual residence);
• Phone number.

5.1.6. Foreign citizens who are employees of the Company, as well as their family members:

• Surname, first name, middle name in Russian and Latin transcriptions;
• Sex;
• Photo;
• Information on citizenship;
• Date of birth;
• Passport number, date of issue and validity of the passport;
• Number and validity of the visa for stay in the Russian Federation;
• Address in the country of residence;
• Actual address of residence in the Russian Federation;
• Information on higher education (name of higher education institution, city and country of its location, year of graduation, specialty);
• Information about relatives on the territory of the Russian Federation (if any - last name, first name, patronymic, degree of kinship, date of birth and residential address of the relative in the Russian Federation);
• Place of birth (country, town);
• Information about employment (names of previous employers, their location, periods of work, positions held);
• Information on marital status;
• Number and validity of the certificate of personal accreditation of the employee;
• Number and duration of the work permit;
• Details of valid work visa (multiplicity, number, date of issue, expiration date, visa ID, invitation number);
• Surname, first name, middle name, dates of birth of the spouse and children;
• Contact numbers abroad and in the Russian Federation;
• Address of migration registration in the Russian Federation.

For family members of foreign employees:

• Surname, first name, middle name in Russian and Latin transcriptions;
• Sex;
• Photo;
• Information on citizenship;
• Date of Birth;
• Passport number, passport validity period;
• Number and validity of the visa for stay in the Russian Federation (if any);
• Degree of kinship with the foreign employee;
• Surname, first name, second name in Russian and Latin transcriptions of the foreign employee.

5.1.7. Persons involved in execution of works/services under civil law contracts:

• Full Name;
• Passport data;
• Insurance number of an individual personal account (SNILS);
• Individual taxpayer number (if any).

5.1.8. Persons who are tenants under lease agreements:

• Surname, name, patronymic of the tenant; 
• Passport details of the tenant; 
• Sex; 
• Age; 
• Image (photo); 
• Address of registration and actual residence of the tenant; 
• Insurance number of an individual personal account (SNILS); 
• Individual taxpayer number (if any);

For conclusion of a long-term lease agreement:

• Surname, name, patronymic of the spouse of the tenant; 
• Sex; 
• Age; 
• Passport details of the tenant’s spouse; 
• Address of registration and actual residence of the spouse of the tenant;

5.1.9. The persons included in the mailing list of informational, advertising and other materials about directions of activity of the Company, its partners and counterparties, as well as about activities of the Company:

• Full Name; 
• Date of birth and/or age; 
• Address of registration at the place of residence/stay; 
• Education level; 
• Income level; 
• E-mail address; 
• Contact phone number.

5.1.10. Persons who are participants of promotional activities of the Company, opinion polls, marketing and other researches conducted by the Company:

• Full Name; 
• Sex; 
• Date of birth and/or age; 
• Citizenship; 
• Passport data; 
• Address of registration at the place of residence/stay; 
• Marital status (having a spouse, children); 
• Education level; 
• Income level; 
• E-mail address; 
• Contact phone number; 
• Interests; 
• Interesting channels of communication; 
• Information on participation in promotional activities of the Company; 
• Information about active participation in promotional activities of the Company;

5.2. The Company may create internal reference materials (directories) which, on condition of prior written consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation, may include:

• Full Name; 
• Position; 
• Image (photo);
• Name of the department; 
• E-mail address; 
• Contact phone number; 
• Other personal data reported by the personal data subject for the specified purposes.

5.3. Processing of biometric personal data by the Company (information that characterize physiological and biological characteristics of a person, on the basis of which you can establish his/her identity) will be carried out in accordance with the legislation of the Russian Federation.

5.4. The Company does not carry out processing of personal data of special categories related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual life, criminal records, except for paragraph 5.1.5. of this policy.

5.5. When processing personal data the Company ensures that the content and volume of personal data processed corresponds the stated processing goals.

5.6. The Company does not allow the processed personal data to be redundant in relation to the stated purposes of their processing.

6.1. The processing of personal data is carried out with the consent of the personal data subjects, unless otherwise provided by the legislation of the Russian Federation.

6.2. The processing of personal data can be carried out using computer technology (automated processing) or with the direct participation of the person without a computer technology (non-automated processing).

6.3. Only those employees of the Company are allowed to process personal data, whose job duties include the personal data processing. These employees have the right to receive only the personal data they need to perform their duties.

6.4. The personal data processing is carried out by the way of:

• obtaining information containing personal data, verbally and in writing, directly from the personal data subjects;
• submission by the personal data subjects of the original copies of the necessary documents;
• receipt of copies of documents containing personal data or copies of original documents certified in the prescribed manner;
• obtaining personal data when sending requests to state authorities, state extra-budgetary funds, other state bodies, local governments, commercial and non-profit organizations, individuals in cases and procedures stipulated by the legislation of the Russian Federation;
• obtaining personal data from publicly available sources;
• fixation (registration) of personal data in logs, books, registers and other accounting forms;
• entering the personal data to information systems of the Company;
• use of other means and methods of recording personal data obtained in the framework of the activities carried out by the Company.

6.5. Transfer of personal data to third parties (including cross-border transfer) is allowed on condition of prior written consent of the personal data subjects, except for the cases when it is necessary to prevent threats to life and health of personal data subjects, as well as in other cases established by the legislation of the Russian Federation.

6.6. When transferring personal data to third parties in accordance with signed agreements the Company provides mandatory fulfillment of the Russian Federation laws and the local regulations of the Company in the field of personal data.

6.7. Transfer of personal data to authorized executive bodies and organizations (the Ministry of the Interior of the Russian Federation, the Ministry of Foreign Affairs of the Russian Federation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund of the Russian Federation and others) will be carried out in accordance with the requirements of the legislation of the Russian Federation.

6.8. Transboundary transfer of personal data to the territory of foreign states that are parties to the Convention for the protection of individuals with regard to automatic processing of personal data, as well as other foreign states that provide adequate protection of the rights of personal data subjects, will be carried out in accordance with the Federal Law About Personal Data and may be banned or restricted in order to protect the bases of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, ensuring the defense of the country and the security of the state. The cross-border transfer of personal data to the territory of a foreign state that is not a party to the said Convention will be carried out in accordance with the legislative acts of the Russian Federation, provided that the law in force in that state and the personal data security measures used comply with the Convention.

6.9. The Company has the right to assign the personal data processing to another legal entity or individual entrepreneur with the consent of the personal data subjects on the basis of an agreement concluded. A legal entity or an individual entrepreneur who processes personal data on behalf of the Company must comply with the principles and rules for personal data processing provided for by the legislation of the Russian Federation in the field of personal data.

6.10. In the case if the Company, on the basis of a contract, transfers or assigns the personal data processing to another legal entity or individual entrepreneur, the essential condition of the contract should be the obligation of the said person to provide confidentiality conditions and security of personal data during their transfer or processing.

6.11. Storage of personal data in the Company will be carried out in the form that allows determination of the personal data subject for the period no longer than is required by the purpose of their processing. When achieving the purposes of processing personal data, as well as in case of a withdrawal by the personal data subject of his/her consent to their processing, personal data are subject to destruction if:

• otherwise provided by contract, a party, beneficiary or guarantor is the personal data subject, other agreements with the Company and the personal data subject;
• the Company is not entitled to process personal data without the consent of the subject on the grounds provided for by the Federal Law About Personal Data or other federal laws.

6.12. When collecting personal data, including through the Internet information and telecommunications network, Общество provides recording, organizing, accumulating, storing, clarification (updating, changing), extracting personal data of citizens of the Russian Federation using on the territory of the Russian Federation.

6.13. Archival life of personal data in the Company will be defined in accordance with the legislation of the Russian Federation and local regulations and the Company in the field of document management.

7.1. The information specified in Part 7 of Article 14 of the Federal Law “About Personal Data” will be provided to the personal data subject or his/her representative by the Operator when contacting or upon receipt of a request from the personal data subject or his/her representative. The information is provided in an accessible form, it does not include personal data relating to other personal data subjects, except for the cases when there are legal grounds for disclosing such personal data.

If the application (request) of the personal data subject does not contain in accordance with the requirements of the Federal Law “About Personal Data”, all necessary information or the subject does not have rights of access to the requested information, then a reasoned refusal is sent to him/her.

The request must contain data of the main document certifying the identity of the personal data subject or his/her representative, information confirming participation of the personal data subject in relations with the Company (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information) or information that otherwise confirms the processing of personal data by the Company, the signature (including electronic) of the personal data subject or his/her representative.

The information specified in Part 7 of Article 14 of the Federal Law “About Personal Data” will be provided to the personal data subject or his/her representative by the Operator when contacting or upon receipt of a request from the personal data subject or his/her representative. The request should contain the number of the main document certifying the identity of the personal data subject or his/her representative, information on the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact that the Operator has processed personal data, the signature of the personal data subject or his/her representative. The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

The right of the personal data subject to access his/her personal data may be limited in accordance with Part 8 of Article 14 of the Federal Law “About Personal Data”, including the cases when the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

7.2. Within the period not exceeding seven working days from the date of submission by the personal data subject or his/her representative an information confirming that the personal data are incomplete, inaccurate or irrelevant, the Company will make the necessary changes to them.

Within a period not exceeding seven working days from the date of submission by the personal data subject or his/her representative information confirming that such personal data were illegally obtained or not necessary for the stated purpose of processing, the Company will destroy such personal data.

The Company will notify the personal data subject or his/her representative about the changes made and measures taken and will take reasonable measures to notify third parties to whom the personal data of this subject were transferred.

The Company is obliged to inform the authorized body for protection of the rights of personal data subjects at the request of this body and provide it with the necessary information within thirty days from the date of receipt of such a request.

The forms of requests (appeals) of the personal data subjects and their representatives are given in Appendices No. 1, No. 2, No. 3, No. 4 to this Policy.

7.3. Consent to processing of personal data may be withdrawn by the personal data subject.

In case of a withdrawal by the personal data subject of consent to processing of his/her personal data , the Company terminates their processing or ensures that such processing is terminated (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if storing of the personal data is no longer required for the purposes of personal data processing, destroys personal data or ensures their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the specified recall, unless otherwise provided by the contract, which party, beneficiary or surety is the personal data subject, other agreement between the Operator and the personal data subject or if the Company has no right to carry out processing of the personal data without the consent of the personal data subject on the grounds , stipulated by the Federal law "About Personal Data" or other federal laws.

If it is not possible to destroy the personal data during the aforementioned period, the Company performs blocking of such personal data or ensures their blocking (if the processing of the personal data is carried out by another person acting on behalf of the Operator) and provides the destruction of the personal data within a period not exceeding six months, unless otherwise established by federal laws.

In case of a withdrawal by the personal data subject of consent to processing of the personal data, the Company has the right to continue processing of personal data without the consent of the personal data subject if there are grounds specified in paragraph 2 of Article 9 of the Federal Law " About Personal Data".

Provision of security of personal data during their processing at the Company is carried out in accordance with the legislation of the Russian Federation and the requirements of the authorized state body for protection of the rights of personal data subjects, the federal executive body authorized in the field of security, and the federal executive body authorized in the field of counteraction to technical intelligence and in the field of technical information protection.

The Company will take all necessary organizational and technical measures to protect personal data against accidental or unauthorized access, destruction, alteration, blocking of access and other unauthorized actions.

Protection measures implemented by the Company in the processing of personal data include:

• adoption of local regulations and other documents in the field of processing and protection of personal data; 
• appointment of officials responsible for ensuring the security of personal data in the divisions and information systems of the Company; 
• organization of training and conduction of methodological work with employees engaged in processing of personal data in the Company; 
• creation of necessary conditions for working with physical storage media and information systems in which personal data are processed; 
• organization of registration of physical storage media for personal data and information systems in which personal data are processed; 
• storage of physical storage media for personal data in compliance with the conditions providing protection of personal data and eliminating an opportunity of unauthorized access to them; 
• separation of personal data processed without the use of automation, from other information; 
• providing separate storage of physical storage media of personal data, which contain personal data of different categories or contain personal data, which is processed for different purposes; 
• imposing a ban on a transfer of personal data through open communication channels, computer networks and the Internet without applying measures to provide security of personal data established in the Company; 
• to provide protection of documents containing personal data on paper and other tangible media when they are transferred to third parties using postal services or courier services; 
• implementation of internal control over the compliance of the Company with the legislation of the Russian Federation and local regulations of the Company when processing personal data.

Liability for violation of the requirements of the legislation of the Russian Federation and normative acts of the Company in the field of processing and protection of personal data will be determined in accordance with the legislation of the Russian Federation.