Personal Data Protection and Processing Policy

1. General Provisions

    1.1. This Policy regarding the processing of personal data (hereinafter referred to as the “Policy”) is drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law “On Personal Data” No. 152-ФЗ dated July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data and applies to all personal data (hereinafter referred to as the Data) that the Organization (hereinafter referred to as the Operator, Company) can receive from the subject of personal data being a party to a civil law contract, as well as from a subject of personal data who is in relations with the Operator governed by labor legislation (hereinafter referred to as the Employee).

    1.2. The operator protects the processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law of July 27, 2006 No. 152-ФЗ “On Personal Data”.

    1.3. Policy Change

    1.3.1. The Operator has the right to make changes to this Policy. When changes are made, the date of the latest revision is indicated in the heading of the Policy. The new version of the Policy comes into force from the moment it is posted on the site, unless otherwise provided by the new version of the Policy.

2. Terms and Acronyms

    Personal data (PD) - any information relating directly or indirectly to a specific or determinable individual (subject of personal data).

    Personal data processing - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

    Automated processing of personal data - processing of personal data using computer technology.

    Personal data information system (ISPD) - a set of personal data contained in databases, together with the information technologies and technical means used to process them.

    Personal data made publicly available by the subject of personal data - PD to which access by an unlimited number of persons is provided by the subject of personal data or at his request.

    Blocking of personal data - temporary termination of the processing of personal data (unless the processing is necessary to clarify personal data).

    Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.

    Operator - an organization that independently or jointly with other persons organizes the processing of personal data, and also defines the purposes of processing personal data, the personal data to be processed, and the actions (operations) performed with personal data. The operator is LLC Vostok Asset Management, located at the address: Tyumen, st. Republic, d.159.

3. Processing personal data

    3.1. Obtaining PD.

    3.1.1. All PD should be obtained from the subject itself. If the PD of the subject can only be obtained from a third party, then the subject must be notified of this or consent must be obtained from him.

    3.1.2. The Operator must inform the subject about the goals, the intended sources and methods of obtaining the PD, the nature of the PD to be received, the list of actions with the PD, the period during which the consent is valid, and the procedure for its withdrawal, as well as the consequences of the refusal of the subject to give written consent to receive them.

    3.1.3. Documents containing PD are created by:

    - copying the original documents (passport or other identification document, certificate of education, TIN certificate, pension certificate, birth certificate of a child, etc.);

    - entering information into accounting forms;

    - receipt of the originals of the necessary documents (work book, medical report, description, etc.).

    3.2. PD processing.

    3.2.1. The processing of personal data is carried out:

    - with the consent of the personal data subject to the processing of his personal data;

    - in cases where the processing of personal data is necessary for the exercise and performance of the functions, powers and duties assigned by the legislation of the Russian Federation;

    - in cases where the personal data being processed is data to which access by an unlimited number of persons is provided by the subject of personal data or at his request (hereinafter - personal data made publicly available by the subject of personal data).

    3.2.2. Purpose of processing personal data:

    - implementation of labor relations;

    - implementation of civil law relations.

    3.2.3. Categories of personal data subjects.

    The PD of the following PD subjects are processed:

    - individuals who are in labor relations with the Company;

    - individuals who have resigned from the Company;

    - individuals who are candidates for work;

    - individuals who are in civil law relations with the Company.

    3.2.4. PD processed by the Operator:

    - data obtained during the implementation of labor relations;

    - data obtained for the selection of candidates for work;

    - data obtained in the implementation of civil law relations.

    3.2.5. The processing of personal data is carried out:

    - using automation tools;

    - without using automation tools.

    3.3. PD storage.

    3.3.1. The PD of subjects can be obtained, undergo further processing and be transferred to storage both on paper and in electronic form.

    3.3.2. PDs fixed on paper are stored in lockable cabinets or in locked rooms with limited access.

    3.3.3. Subject PDs processed using automation tools for different purposes are stored in different folders.

    3.3.4. Storage and placement of documents containing PD in open electronic directories (file shares) in ISPD is not allowed.

    3.3.5. Storage of PD in a form that allows the PD subject to be identified is carried out no longer than the goals of their processing require, and they must be destroyed upon achievement of the processing goals or when achieving those goals is no longer necessary.

    3.4. Destruction of PD.

    3.4.1. Destruction of documents (carriers) containing PD is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.

    3.4.2. PDs on electronic media are destroyed by erasing or formatting the media.

    3.4.3. The fact of the destruction of PD is documented by the act on the destruction of carriers.

    3.5. PD transmission.

    3.5.1. The operator transfers the PD to third parties in the following cases:

    - the subject has expressed his consent to such actions;

    - the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.

    3.5.2. The list of persons to whom PD is transmitted.

    Third parties to whom PD is transferred:

    - The Pension Fund of the Russian Federation for accounting (on legal grounds);

    - tax authorities of the Russian Federation (on legal grounds);

    - The Social Insurance Fund of the Russian Federation (on legal grounds);

    - Territorial fund of compulsory medical insurance (on legal grounds);

    - insurance medical organizations for compulsory and voluntary medical insurance (on legal grounds);

    - banks for payroll (based on the contract);

    - bodies of the Ministry of Internal Affairs of Russia in cases established by law.

4. Personal Data Protection

    4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (SZPD), consisting of subsystems of legal, organizational and technical protection.

    4.2. The legal protection subsystem is a complex of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the SZPD.

    4.3. The organizational protection subsystem includes the organization of the management structure of the SZPD, the licensing system, and the protection of information when working with employees, partners, and third parties.

    4.4. The subsystem of technical protection includes a complex of technical, software, and combined software and hardware tools that provide protection for PD.

    4.5. The main PD protection measures used by the Operator are:

    4.5.1. Appointment of a person responsible for processing PD, who organizes processing of PD, training and briefing, and internal control over compliance by the institution and its employees with requirements for the protection of PD.

    4.5.2. Identification of current threats to the security of PD during their processing in ISPD and development of measures to protect PD.

    4.5.3. Development of a policy regarding the processing of personal data.

    4.5.4. Establishing rules for access to PD processed in ISPD, as well as ensuring the registration and recording of all actions performed with PD in ISPD.

    4.5.5. The establishment of individual passwords for employees to access the information system in accordance with their production responsibilities.

    4.5.6. The use of information protection tools that have passed the conformity assessment procedure in the prescribed manner.

    4.5.7. Certified antivirus software with regularly updated databases.

    4.5.8. Compliance with the conditions ensuring the safety of PD and excluding unauthorized access to them.

    4.5.9. Detection of facts of unauthorized access to personal data and taking measures.

    4.5.10. Recovery of PD modified or destroyed due to unauthorized access to them.

    4.5.11. Training of the Operator’s employees who directly process personal data in the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, in the documents that determine the Operator’s policy regarding the processing of personal data, and in local acts on the processing of personal data.

    4.5.12. Implementation of internal control and audit.

5. Fundamental rights of the subject of PD and obligations of the Operator

    5.1. Fundamental rights of the subject of PD.

    The subject has the right to access his personal data and the following information:

    - confirmation of the fact of processing PD by the Operator;

    - legal grounds and goals of processing PD;

    - goals and methods used by the Operator for processing PD;

    - the name and location of the Operator, information about persons (except for the employees of the Operator) who have access to the PD or to whom the PD can be disclosed on the basis of an agreement with the Operator or on the basis of federal law;

    - the processing time for personal data, including the storage period;

    - the procedure for the implementation by the PD subject of the rights provided for by this Federal Law;

    - name or surname, name, patronymic and address of the person carrying out the processing of PD on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;

    - appeal to the Operator and sending him inquiries;

    - appeal of actions or inaction of the Operator.

    5.2. Responsibilities of the Operator.

    The Operator must:

    - when collecting PD, provide information on processing PD;

    - in cases where PD were received not from the PD subject, notify the subject;

    - in case of refusal to provide PD, explain to the subject the consequences of such refusal;

    - publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of PD and to information about the implemented requirements for the protection of PD;

    - take the necessary legal, organizational and technical measures or ensure their adoption to protect the PD from unlawful or accidental access, destruction, modification, blocking, copying, provision or distribution, as well as from other illegal actions in relation to the PD;

    - provide answers to requests and appeals of PD subjects, their representatives and the authorized body for the protection of the rights of PD subjects.