TERMS AND DIFINITIONS
Automated personal data processing shall mean the personal data processing by means of computer technologies.
Personal data information system shall mean a set of available personal data contained in the system and means and technologies to ensure its processing.
Personal data processing shall mean any action (operation) or a set of actions (operations) on personal data performed by both, using the automated tools and facilities and such means as collecting, recording, organizing, storing, restoring, adapting or changing, extracting, consulting, using, disclosure by transfer, distribution or provision of other access, grouping or combination, blocking, deletion or destruction.
- Personal data shall mean any information related to an identified or identifiable individual person or physical entity (subject of personal data) that can be identified directly or indirectly, in particular by reference to an identification number or to one or several factors specific to his physical, physiological, mental, economic, cultural or social identity.
Subject of personal data shall mean an individual person, physical entity, individual entrepreneur or representative of a legal entity that has signed and entered into agreement with the Holding.
1. GENERAL PROVISIONS
1.1. Regulatory references
- Data Protection Act (2018) UK
1.2. Territory of validity
This Policy is applicable to all processes of the Operator within the framework of which the personal data is processed both, by using automated tools and facilities, including in information networks, and without using such.
The Operator's services usage shall mean the consent of the subject of personal data with this Policy and with terms and conditions for personal data processing specified herein.
1.3. Approval and revision
This Policy comes into force from the moment it was approved by the General Manager, and remains in force without limit of time until it will be replaced by a new Policy. The providing of unlimited access to the Policy is implemented by publishing it on the Operator’s website on the Internet, or by any other way.
2. PERSONAL DATA PROCESSED BY THE OPERATOR
2.1. General processing order
When organizing the personal data processing, the Operator shall comply with the following principles and conditions:
2.1. the personal data is processed legally;
2.2. the personal data processing is limited by achievement of specific, predetermined and legitimate purposes;
2.3. it is not permitted to combine the databases with personal data, the processing of which is carried out for purposes incompatible with each other;
2.4. when personal data processing, the accuracy of personal data, its sufficiency and relevance in relation to the purposes of such personal data processing, must be ensured;
2.5. the content and the volumes of the processed personal data shall respond the stated processing purposes;
2.6. personal data is the subject to destruction or depersonalization upon achievement of processing purposes, or in case of loss of need to achieve these purposes.
The Operator in his activity proceeds from the fact that the subject of personal data provides accurate and reliable information, and during interaction with the Operator notifies the Operator’s representatives about any changes in his personal data.
3. PURPOSES FOR COLLECTING AND PROCESSING OF PERSONAL DATA
The Operator processes personal data necessary to fulfill contractual obligations (execution of agreements and contracts with the Operator's entity, fulfillment of obligations before the counterparty and employees) and to conduct the Operator's activities for meeting the requirements of the current law.
The Operator processes personal data of the following categories of entities:
- Physical entities, employees of the Operator;
- Physical entities, employees of the Operator’s counterparties;
- Physical entities, counterparties of the Operator;
- other individual persons and physical entities.
The purposes of personal data processing by the Operator are as follows:
- implementation of the document turnover of the Operator;
- conclusion of contracts;
- match candidates for the position;
- interaction between the employees of the Operator;
- fulfillment of obligations under a labor agreement;
- interaction with agents/counterparties of the Operator;
- compliance with terms and conditions of the User Agreement and bilateral treaties with the Operator;
- HR record management;
- payroll and other payments management;
- accounting and tax records management;
- preparation of reports;
- publication of information about the Operator;
- the Operator's software use.
TERMS AND CONDITIONS OF PERSONAL DATA PROCESSING AND ITS TRANSFER TO THIRD PARTIES
The Operator processes and stores the personal data of the entities in accordance with the internal regulatory documents and current law.
Relating to personal data, its confidentiality, integrity and availability must be ensured. The transfer of personal data to third parties for purposes of contractual obligations fulfillment is carried out only with the consent of the subject of personal data. In the event of reorganization, sale or other transfer of the Operator’s business (in whole or in part), all obligations on complying with terms and conditions of this Policy are also transferred to the buyer.
The Operator may entrust the personal data processing to another person if the following conditions are met:
- the consent of the subject onto the assignment of personal data processing to another person is obtained;
- an instruction to process personal data is carried out on the basis of an agreement concluded with this perso
A person who processes personal data on the instructions of the Operator is obliged to comply with the principles and rules for personal data processing, and bears responsibility before the Operator. The Operator bears responsibility before the subject of personal data for the actions of an authorized person whom the Operator has entrusted the personal data processing to.
When processing personal data of entities, the applicable law must be the one to rely upon.
5. RIGHTS OF THE SUBJECT TO ACCESS AND CHANGE OF HIS PERSONAL DATA
The Operator ensures the observance of the following rights of subjects of personal data:
- the right to receive information regarding the processing of his personal data, including the one that contains the following:
- confirmation of the fact of personal data processing;o
- legal grounds and purposes for personal data processing;
- methods of personal data processing;
- name and location of the Operator, information about the individual persons (except for the employees of the Operator) who have an access to personal data, or to which personal data may be disclosed on the basis of an agreement with the Operator or on the basis of current law;
- processed personal data related to the relevant subject of personal data and the source of its receipt;
- terms of personal data processing, including terms of it storage;
- the procedure for the subject of personal data to exercise his rights stipulated by the current law;
- information on completed or suspected cross-border data transfer;
- name or full name (surname, name, patronymic) and address of the person or entity who processes personal data on the instructions of the Operator, if the processing is or will be entrusted to such person or entity;
- other information required by the current law.
- The right to clarify, to block or to destroy personal data that is incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated purposes of personal data processing.
6. OPERATOR’S RESPONSIBILITIES
The Operators’ responsibilities include the following:
- To carry out the personal data processing in compliance with the principles and rules provided by the current law;
- Not to disclose to third parties or to distribute personal data without the consent of the subject;
- To provide the evidences of receipt the consent on personal data processing from the subject of personal data, or proof of existence of grounds for which such consent is not required;
- To provide the subject of personal data at his request the information regarding the processing of his personal data, or legally refuse to provide this information, and to give a reasoned response in writing containing a reference to the law which is the basis for such a refusal, in a period not exceeding 30 (thirty) days from the date the subject of personal data or his authorized representative has appealed, or from the date the request from the subject of personal data or his authorized representative was received;
- If the provision of personal data is mandatory in accordance with the current law, to explain to the subject of personal data the legal consequences of the refusal to provide his personal data;
- To take the necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access to it, its destruction, modification, blocking, copying, provision and distribution, as well as from other illegal actions in relation to such personal data. A description of the taken measures is given below in clause 7 of this Policy;
- at the request of the subject of personal data, to enter changes to the processed personal data, or to destroy it if the personal data is incomplete, inaccurate, irrelevant, illegally obtained or is unnecessary for the stated purposes of personal data processing, within a period not exceeding 7 (seven) business days from the date the subject of personal data or his authorized representative has submitted the information confirming these facts;
- To notify the subject of personal data about his personal data processing if such personal data was not obtained from him. The following cases are an exception:
- the subject of personal data is notified of his personal data processing by the Operator;
- personal data is received by the Operator on the basis of the current law, or in connection with the execution of an agreement, where one Party is either the beneficiary or the guarantor, and the other Party is the subject of personal data himself;
- personal data was made publicly available data by the subject of personal data, or was obtained from a public source;
- the Operator processes personal data for statistical or other research purposes, if thereat no rights and legitimate interests of the subject of personal data are violated.
- if an illegal personal data processing or an inaccurate personal data was discovered, to eliminate the revealed violations;
- in case of achieving the purposes of personal data processing, to immediately stop processing personal data and to destroy it;
- in case of withdrawal by the subject of personal data his consent onto processing, to stop the personal data processing and to destroy it. The Operator is obliged to notify the subject of personal data about the destruction of his personal data;
- in the event of a request from the subject of personal data to stop processing his personal data for purposes to promote goods, works and/or services on the market, to immediately stop personal data processing.
7. MEASURES FOR PERSONAL DATA PROTECTION
The Operator uses the following methods and ways to ensure the security of personal data:
- constant identification of threats to the security of personal data during its processing in information systems;
- application of organizational and technical measures to ensure the security of personal data during its processing in information systems;
- personal data is stored in a database that does not have direct access to the Internet;
- the keeping of records on machine-readable personal data storage devices;
- personal data is stored on paper and is located in a secure facility in cabinets protected from an unauthorized access;
- the restoration of personal data modified or destroyed due to unauthorized access to it, is made;
- the establishing of rules for access to personal data processed in personal data information systems, and registration and accounting of all actions performed with personal data in the information system for actions record;
- the monitoring of measures taken to ensure the security of personal data itself and the level of security of its processing in information systems.