Personal data processing policy of the Sole Proprietor Rak I.G.

1. General provisions

1.1. Personal Data Processing Policy of the Sole Proprietorship Rak I.G. (hereinafter referred to as “Policy”) stipulates the basic principles, objectives, conditions and methods for personal data processing, lists of data subjects and personal data processed in Sole Proprietorship Rak I.G. (hereinafter referred to as “SP Rak I.G.”), it’s functions while processing personal data, rights of data subjects, as well as requirements to the personal data protection established in the Sole Proprietorship Rak I.G.

1.2. The Policy is developed based on the requirements of the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation related to personal data.

1.3. The Policy provisions serve as the basis for developing corporate statutory acts, which stipulate processing personal data of SP Rak I.G.’s employees and other data subjects.

2. Legislative and other statutory acts of Russian Federation stipulating Personal Data Processing Policy of the SP Rak I.G.

2.1. SP Rak I.G.’s Personal Data Processing Policy is based on the following statutory acts:

• The Labor Code of the Russian Federation;
• The Federal Law No. 152-FZ "On Personal Data", dated July 27, 2006;
• The Decree of the Russian President No. 188 ‘On Approving the List of Confidential Data’, dated March 6, 1997;
• The Russian Federation Government Resolution No. 687 ‘On Approving the Provision Regarding Properties of Personal Data Processing without Software’, dated September 15, 2008;
• The Russian Federation Government Resolution No. 512 ‘On Approving the Requirements to Biometric Personal Data Tangible Carrier and Such Data Storage Beyond Personal Data Information Systems’, dated July 6, 2008;
• The Russian Federation Government Regulation No. 1119 ‘On Approving the Requirements to the Personal Data Protection While Processing in Personal Data Information Systems’, dated November 1, 2012;
• other statutory acts of the Russian Federation and legal documents of authorized government bodies.

2.2. In order to implement the Policy provisions, SP Rak I.G. develops relevant corporate statutory acts and other documents, including:

• provision on personal data processing in SP Rak I.G.;
• other corporate statutory acts and documents related to personal data processing in SP Rak I.G.
• иные локальные нормативные акты и документы, регламентирующие в ИП Рак И.Г. вопросы обработки персональных данных.

In addition to the above-mentioned acts the following documents can be the legal basis for personal data processing:

• contracts signed between the SP Rak I.G. and the subjects which have their personal data processed by SP Rak I.G.
• statements of consent from the persons concerned.

3. Basic terms and definitions used in corporate statutory acts of SP Rak I.G related to personal data processing.

Personal data – any information related to directly or indirectly specified natural person (data subject).

Information – details (reports, data) regardless their presentation form.

Operator – state authority, municipal authority, legal or private person, who autonomously or jointly arranges and/or performs personal data processing, as well as defines the aims of personal data processing, the volume of personal data subject to processing and the actions on personal data.

Personal data processing – any action or a series of actions performed towards personal data with or without the software, including the personal data acquisition, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access), depersonalization, blocking, deleting and annihilation.

Automated personal data processing – personal data processing via PC software.

Personal data presentation – personal data disclosure to particular person or certain group of persons.

Personal data distribution – actions aimed to personal data disclosure to uncertain group of persons.

Trans-border personal data transfer – personal data transfer to the territory of any foreign country to the foreign state authority and foreign natural or legal person.

Personal data blocking – temporary interruption of personal data processing (unless the processing is required for personal data update or alteration).

Personal data annihilation – actions that make it impossible to restore personal data substance in the data information system and/or resulting in the elimination of tangible personal data carriers.

Personal data depersonalization – actions that make it impossible to identify personal data as related to a certain data subject without using an additional information.

Personal data information system – a set of personal data contained in the personal data databases, as well as the software and tools used for their processing.

4. Principles and purposes for personal data processing.

4.1. SP Rak I.G. as a personal data operator performs personal data processing for the employees of SP Rak I.G. and other personal data subjects not employed by SP Rak I.G.

4.2. SP Rak I.G. performs data processing with due regard for the protection of rights and freedoms of SP Rak I.G. employees as well as other data subjects, including the protection of privacy right, personal and family secrets, based on the following principles:

• personal data processing in SP Rak I.G. is performed on a legitimate equitable basis;
• personal data processing is limited to reaching specific predetermined legitimate aims;
• personal data processing incompatible with the purposes of personal data acquisition is not allowed;
• combining databases that contain personal data processed for the purposes incompatible with each other is not allowed;
• personal data consistent with the purposes of their processing may only be processed;
• content and volume of personal data comply with the stated purposes of processing. The personal data redundancy towards the stated purposes is not allowed;
• while processing personal data, accuracy, adequacy and actuality (if necessary) of personal data are provided in relation to the purposes of personal data processing. SP Rak I.G. makes all reasonable efforts to delete or adjust incomplete or inaccurate personal data;
• personal data are to be stored in the form that enables to define the data subject no longer than it’s required for the purposes of personal data processing if the personal data retention period is not established by a federal law or an agreement under which the data subject acts as a party, beneficiary or guarantor;
• personal data under processing are to be deleted or depersonalized once the aims of processing are achieved or in case achieving these aims is not required anymore, unless otherwise provided by a federal law.

4.3. SP Rak I.G. processes personal data for the purpose of:

• complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation and corporate statutory acts of SP Rak I.G.;
• execution of functions, powers and requirements imposed upon SP Rak I.G. by the Government of the Russian Federation, including the personal data provision to the government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, Federal Mandatory Medical Insurance Fund of the Russian Federation, and other state bodies;
• regulating the employment relationships with SP Rak I.G.’s employees (assistance in employment, training and career development, personal security, control over the scope and quality of the work done, safekeeping of property);
• protecting lives, health or other vital interests of personal data subjects;
• arranging access procedures and in-house schedule at SP Rak I.G.’s facilities;
• обеспечения пропускного и внутриобъектового режимов на объектах ИП Рак И.Г.;
• developing reference materials for in-house information support of the activities of SP Rak I.G., its branches and representative offices, as well as its subsidiaries and entities;
• exercising rights and legal interests of SP Rak I.G. while carrying out activities stipulated by local statutory acts of SP Rak I.G. or third parties or with a view to achieve socially desirable purposes;
• other legitimate purposes.

5. List of subjects, which have their personal data processed at SP Rak I.G.

5.1. SP Rak I.G. provides personal data processing of the following data subjects:

• current and former employees of SP Rak I.G. Candidates for employment in SP Rak I.G.
• clients and counterparties of SP Rak I.G. (natural or legal persons).
• authorized representatives of the clients and counterparties of SP Rak I.G.
• other personal data subjects (with a view to achieve the processing purposes stated in Section 4 of the Policy).

6. List of personal data processed at SP Rak I.G.

6.1. The list of personal data processed by SP Rak I.G. is stipulated by the Law of the Russian Federation and corporate statutory acts considering the personal data processing purposes stated in Section 4 of the Policy.

6.2. Special personal data categories concerning race and national identity, political commitment, religious or philosophic views and private life are not subject to processing at SP Rak I.G.

7. Functions of SP Rak I.G. in personal data processing

7.1. While processing personal data, SP Rak I.G.:

• takes relevant measures to ensure compliance with the Law of the Russian Federation and corporate statutory acts related to personal data;
• establishes legal, planning and technical procedures to protect personal data against illegal or accidental access, annihilation, alteration, blocking, copying, presentation, distribution, as well as against other misconduct in relation to personal data;
• appoints a person responsible for the arrangement of personal data processing at SP Rak I.G.;
• issues corporate statutory acts stipulating the policy and personal data processing and protection procedures at SP Rak I.G.;
• familiarizes the employees of SP Rak I.G. directly involved in personal data processing with the provisions of the Law of the Russian Federation and corporate statutory acts of SP Rak I.G. related to personal data, including the requirements to the personal data protection, as well as provides for certain employees training;
• publishes or otherwise provides unlimited access to this Policy;
• informs personal data subjects or their representatives in due course of the available data related to the relevant subjects, provides the access to these personal data upon notification and/or request of the mentioned data subjects or their representatives, unless otherwise provided by the Law of the Russian Federation;
• terminates the processing and annihilates personal data as stipulated by the Law of the Russian Federation related to personal data;
• performs other activities stipulated by the Law of the Russian Federation related to personal data.

8. Conditions of personal data processing at SP Rak I.G.

8.1. Personal data is processed at SP Rak I.G. with consent of a data subject to have his/her personal data processed, unless otherwise is provided by the Law of the Russian Federation related to personal data.

8.2. SP Rak I.G. shall not disclose or distribute personal data to third parties without consent of the data subject, unless otherwise is provided by the Law of the Russian Federation.

8.3. SP Rak I.G. is entitled to entrust personal data processing to a third party with the data subject consent and upon an agreement with such a third party. An agreement shall include the list of personal data operations to be accomplished by a person in charge for the data processing, processing purposes, liabilities of such a person to keep personal data confidential and protected in course of processing, as well as requirements to the processed personal data protection as per Article 19 of the Federal Act On Personal Data.

8.4. For the purpose of in-house data support SP Rak I.G. is entitled to develop corporate reference documents, which include the subject name, family name, occupation, position, date of birth, address, subscriber number, e-mail address, other personal data associated with (SP Rak I.G. employee)personal data subject.

8.5. Access to personal data processed in is only allowed to SP Rak I.G.’s employees covered by the list of positions for structural units of SP Rak I.G., substitution of which is subject to personal data processing.

9. Actions with personal data and ways of its processing

9.1. SP Rak I.G. provides for acquisition, logging, ranging, accumulation, storage, update and alteration, extraction, usage, depersonalization, blocking, deletion and annihilation of personal data.

9.2. Personal data processing in SP Rak I.G. is provided in the following ways:

• combined personal data processing

10.   Rights of personal data subjects

10.1. Data subjects are entitled for:

• obtaining complete information on their personal data under processing in SP Rak I.G.;
• accessing their personal data, including copies of any records which contain their personal data, unless otherwise is provided by the Federal Law;
• adjusting their personal data, as well as data blocking or annihilation in case of personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for processing purpose declared;
• revoking the consent given for personal data processing;
• taking statutory actions to protect their rights;
• appealing against SP Rak I.G.’s action or inaction infringing the requirements of the Law of the Russian Federation related to personal data to the body authorized for the protection of data subject rights or to the court;
• exercising other rights provided for by the Law of Russian Federation.

11. Actions taken by SP Rak I.G. to ensure proper personal data processing.

Actions, essential and sufficient to ensure proper personal data processing by SP Rak I.G. in accordance with the Law of the Russian Federation related to personal data, are as following:

• appointing a person in charge for the arrangement of personal data processing in SP Rak I.G.;
• adopting corporate statutory acts and other regulations related to personal data processing and protection;
• arranging the training for the employees of structural units of SP Rak I.G.’s administration, which occupy the positions covered by the list of positions for structural units of SP Rak I.G.’s administration, its branches and representative offices, substitution of which is subject to personal data processing;
• obtaining consents of data subjects to their personal data processing, unless otherwise is provided by the Law of the Russian Federation;
• isolating personal data processed manually from other data, including their storage at the separate personal data carriers and/or within separate sections;
• ensuring the separate storage of personal data and its carriers processed for different purposes and comprising different personal data categories;
• storing tangible personal data carriers that ensures the personal data safety and prevents unauthorized access to them;
• exercising in-house control over the compliance of personal data processing with the Federal Law ‘On Personal Data’ and relevant statutory acts, personal data protection requirements, the Policy and SP Rak I.G.’s corporate statutory acts;
• other actions provided by the Law of the Russian Federation related to personal data.

12. Control over compliance with Law of Russian Federation and SP Rak I.G.’s corporate statutory acts related to personal data, including personal data protection requirements

12.1. Control over the adherence of structural units of SP Rak I.G. to the Law of the Russian Federation and corporate statutory acts of SP Rak I.G. related to personal data, including the personal data protection requirements, is aimed at ensuring the compliance of personal data processing by structural units of SP Rak I.G.’s administration, its branches and representative offices to the Law of the Russian Federation and corporate statutory acts of SP Rak I.G. related to personal data, including the personal data protection requirements, as well as to measures aimed at prevention and identification of infringements of the Law of the Russian Federation related to personal data, identification of potential channels for the leakage of and the unauthorized access to personal data and the removal of consequences of such infringements.

12.2. In-house control over the adherence of structural units of SP Rak I.G.’s administration, its branches and representative offices to the Law of the Russian Federation and corporate statutory acts of SP Rak I.G. related to personal data, including the personal data protection requirements, is exeсuted by a person in charge for the arrangement of personal data processing in SP Rak I.G.

12.3. In-house control over the compliance of personal data processing to the Federal Law ‘On Personal Data’ and relevant statutory acts, the personal data protection requirements, the Policy and SP Rak I.G.’s corporate statutory acts is exercised by the legal consultant of SP Rak I.G.

12.4. Personal liability for the adherence of a structural unit of SP Rak I.G.’s administration to the Law of the Russian Federation and corporate statutory acts of SP Rak I.G. related to personal data, as well as for ensuring the personal data confidentiality and safety within the mentioned divisions of SP Rak I.G. is imposed upon their executives.