Personal Data Policy » IXcellerate, powering your digital infrastructure in Russia

Personal Data Policy

1. GENERAL PROVISIONS

1.1. This document lays down a personal data processing procedure and lays down a system of key principles applicable to personal data processing at IXCELLERATE LLC (hereinafter referred to as the “Company”).
1.2. This Policy applies to all transactions involving at the Company with personal data using automation tools or without use thereof.
1.3. This Policy shall be notified to and be binding on all persons authorized to process personal data at the Company and the persons involved in managing personal data processing and security processes at the Company.
1.4. Full access hereto shall be provided through the publication hereof on the Company’s website or by any other means.
1.5. This Policy has been developed in accordance with Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
1.6. This Policy shall be updated upon:

  • a change in the RF legislation on personal data (PD);
  • identification of non-compliances affecting the PD processing and (or) security by a PD processing and (or) security compliance review;
  • a decision of the Company’s management.

2. INTRODUCTION

2.1. Pursuant to subclause 2, article 3 of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, the Company is a controller, i.e. a legal entity that in-house organizes and (or) performs the processing of personal data, as well as determining the purposes of personal data processing, the scope of the personal data to be processed and the actions (operations) involving personal data.
2.2. An important aspect of the Company’s business operations is ensuring the rights and freedoms of an individual and a national, the data subject, in the context of processing of his personal data.
2.3. The Company has developed and put in place bylaws and documents that set out personal data processing and security arrangements to ensure compliance with the requirements of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation.

3. PRINCIPLES AND ARRANGEMENTS FOR IN-HOUSE PERSONAL DATA PROCESSING

3.1. The Company processes the personal data legally and fairly.
3.2. The time frame of personal data processing is determined with due regard to:

  • the established purposes of personal data processing;
  • the lives of the contracts with the data subjects and the consents of the data subjects to the processing of their personal data;
  • the time limits set by the Federal Archival Agency of Russia Order of 20.12.2019, No. 236, “On approving a List of standard administrative archival documents generated in the course of the activities of central and local governments and organizations, with storage periods specified”, as well as other RF laws and regulations;
  • the documentation storage periods prescribed by the Company’s bylaws;
  • liquidation and reorganization of the Company.

3.3. When personal data are processed, it is made sure that they are accurate, sufficient and, where necessary, also relevant to the purposes of personal data processing.
3.4. The Company discloses employee personal data through the Company’s website to the public at large pursuant to the consents of PD subjects to the dissemination of their personal data. In doing so, the Company complies with the requirements for the processing of disclosable personal data that are imposed in art. 10.1 of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
3.5. The Company does not set up public domain sources of the PD of PD subjects.
3.6. The Company performs the processing of special categories of employee personal data (medical records) pursuant to legislation, by virtue whereof the written consent of the PD subject is not required.
3.7. The Company does not perform the processing of criminal records.
3.8. The Company does not perform the processing of biometric data.
3.9. The Company performs cross-border transfer of personal data. In this context, the Company complies with the requirements for the cross-border transfer of personal data that are imposed by the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
3.10. The Company performs the processing of personal data with a view of promoting the Company’s goods, works and services in the market by engaging in direct contacts with the data subject using communication technology. In so doing, the Company complies with the requirements for personal data processing with a view of promoting goods, works and services that are imposed by the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
3.11. The Company does not engage in the processing of personal data for purposes of propaganda.
3.12. The Company does not make decisions that may have legal implications for the data subject or otherwise affect his rights and legitimate interests based solely on automated processing of personal data.
3.13. The Company outsources the processing of personal data. In this context, the Company complies with the requirements for the outsourcing of personal data processing that are imposed by the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
3.14. The Company performs the processing of personal data with and without automation tools. In this context, the Company complies with the requirements for automated and non-automated personal data processing that are imposed by the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation.

4. THE RIGHTS OF THE SUBJECTS OF PERSONAL DATA PROCESSED BY THE COMPANY

4.1. The data subject is entitled to receive information pertaining to the processing of his personal data. To obtain said information, the data subject can send a written enquiry to the following address: No. 33G Altufyevskoye shosse, 127410 Moscow, attention: HR Director, following the procedure laid down in art. 14 of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.
4.2. The data subject shall be entitled to demand that the Company update, block or destroy his personal data where the personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing. To obtain compliance with said demands, the data subject can send a written enquiry to the following address: No. 33G Altufyevskoye shosse, 127410 Moscow, attention: HR Director, following the procedure laid down in art. 21 of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”.

5. PERFORMANCE OF CONTROLLER’S DUTIES BY THE COMPANY

5.1. The procedure for the destruction of personal data:
The destruction of personal data processed within the framework of the purposes specified in Appendix 1 hereto shall be performed in the following situations:

  • upon achieving the purposes of processing thereof, or where the achievement thereof is no longer required;
  • upon request from the data subject if the personal data being processed by the Company are incomplete, outdated, inaccurate, illegally obtained or are not required for the stated purpose of processing;
  • in the event that irregularities are discovered in personal data processing if it is impossible to make the processing of personal data legal;
  • in the event that the data subject withdraws consent to the processing of his personal data (where personal data are processed by the Company pursuant to the data subject’s consent);
  • the reasons for the personal data processing no longer apply unless otherwise provided for by the federal law;
  • in the event of liquidation of the Company.

The personal data destruction options shall be determined by the Company’s bylaws on personal data processing and security depending on the personal data processing procedures and personal data physical media used for the saving and storage of personal data.
Personal data destruction shall be documented as per the following procedure.
In the event that the Company has no legal grounds for the processing of personal data (terms of personal data processing), the Company shall follow the procedure laid down in Federal Law of 27 July 2006, No. 152-FZ, “On personal data”, to perform the destruction of personal data or cause the destruction thereof (where the personal data processing is carried out by an entity contracted by the Company). The destruction shall be performed through actions rendering it impossible to recover the contents of personal data in an PDIS [Personal Data Information System] and/or resulting in the destruction of the personal data physical media. Once completed, the destruction shall be documented with a certificate of destruction of personal data, and an entry shall be made in the electronic event log in the PDIS in compliance with the requirements of the Order of 28.10.2022, No. 179, “On approving the Personal Data Destruction Confirmation Requirements”, imposed by the Federal Service for Supervision of Communications, Information Technology and Mass Media for the documentation of personal data destruction.

5.2. To enable the performance of the duties imposed by the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation, the Company has put in place the following measures:

  • there has been appointed a personal data processing manager;
  • there have been published bylaws on personal data processing and security, as well as bylaws establishing procedures to prevent and detect breaches of the RF legislation and to initiate remedial action:
    • Personal Data Processing Policy;
    • List of data subjects’ personal data;
    • Personal Data Security Management Policy;
    • other bylaws on personal data processing and security.
  • legal, organizational and technical measures have been implemented to ensure the security of personal data;
  • internal monitoring is conducted for compliance of personal data processing with the requirements of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation, with this Policy and with the Company’s bylaws;
  • an assessment has been made of the harm that can be caused to data subjects in the event of non-compliance with the requirements of the federal legislation on personal data, a comparison has been made between said harm and the measures being adopted by the Company in furtherance of the duties stemming from the requirements of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation;
  • the Company’s personal data operators have been briefed on the provisions of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”, and its subordinate legislation, this Policy and the Company’s bylaws on personal data processing.

5.3. The Company implements the following requirements for personal data security provided for in art. 19 of the Federal Law of 27 July 2006, No. 152-FZ, “On Personal Data”:

  • it has identified threats to the security of the personal data processed in personal data systems;
  • it has put in place such organizational and technical measures as may be necessary to ensure the security of personal data while processed in personal data systems and to meet the personal data protection requirements compliance with which ensures the personal data security levels set by the Government of the Russian Federation;
  • it uses information security tools certified for compliance with the requirements of the RF information security legislation where the use of such tools is needed for the neutralization of current threats
  • it has made an assessment of the effectiveness of the personal data security measures put in place prior to the commissioning of the personal data system;
  • it keeps records of machine-readable personal data storage media;
  • it identifies personal data breaches and takes remedial action;
  • it recovers personal data if modified or destroyed as a result of unauthorized access thereto;
  • it has established rules for access to personal data processed in a personal data system, as well as ensuring the recording and management of all operations involving personal data in the personal data system;
  • it follows up on the measures being taken to ensure the security of personal data and the security level of personal data systems;
  • it has complied with the requirements laid down by the RF Government Decree of 15 September 2008, No. 687, “On enacting the Regulation on specific procedures for non-automated processing of personal data”;
  • the Company is willing and ready to set up an interface with the national system for identifying, preventing and remedying the consequences of computer attacks on the information resources of the Russian Federation, including reporting computer incidents resulting in wrongful access to and submission, dissemination and transfer of personal data.

5.4. The Company implements the following requirements for personal data security provided for in the Russian Federation Government Decree of 01.11.2012, No. 1119, “On enacting the requirements for the security of personal data when processed in personal data management systems”:

  • server room security arrangements have been put in place to prevent uncontrolled unauthorized access;
  • personal data storage media security has been implemented;
  • a list has been approved of persons granted access to the personal data processed in the information system on a need-to-know basis;
  • there are used information security tools certified for compliance with the Russian Federation statutory requirements for information security where the use of such tools is necessary for the neutralization of immediate threats.

6. PURPOSES OF PERSONAL DATA PROCESSING, CATEGORIES AND A LIST OF PROCESSABLE PERSONAL DATA, CATEGORIES OF SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED, AND OPTIONS AND TIME LIMITS FOR PERSONAL DATA PROCESSING AND STORAGE

6.1. Processing of the personal data of data subjects shall be performed by the Company according to predetermined purposes. Depending on the specific purposes of personal data processing, such processing can include, without limitation, the performance of all or some of the following actions (operations) involving personal data: collection (obtainment), recording, organization, accumulation, storage, updating (refreshing, modification), retrieval, use, transfer (dissemination, disclosure, access), blocking, deletion and destruction of personal data.
For every purpose of personal data processing, the Company has established:

  • the relevant categories and list of processable personal data;
  • the categories of data subjects whose personal data are processed by the Company;
  • arrangements and time limits for personal data processing and storage;
  • the procedure for the destruction of personal data.

6.2. The purposes of personal data processing and the relevant categories and list of processable personal data and the categories of data subjects are provided in Appendix 1 hereto, which constitutes an integral part hereof.
6.3. For every purpose of personal data processing specified in Appendix 1 hereto are provided the following personal data processing options: automated processing of personal data (using computer technology) and non-automated personal data processing (without the use of computer technology), with personal data to be saved on storage media. The Company’s automated (in PDIS) and non-automated processing of personal data shall be carried out in compliance with the RF statutory requirements and the provisions of the Company’s bylaws regulating personal data processing and security. In the context of automated personal data processing, the Company shall take the necessary measures to ensure the security of the personal data being processed. Non-automated personal data processing, including the storage of personal data physical media, shall take place in secure rooms, with the option of locating personal data storage spaces (tangible media) as statutorily provided in the RF, including by the Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media of 28.10.2022, No. 179, “On approving Personal Data Destruction Confirmation Requirements”.
6.4. The personal data processing and storage time limits for every purpose of personal data processing specified in Appendix 1 hereto shall be established with due regard to the requirements, including the terms of personal data processing determined by RF legislation, and/or with due regard to the provisions of the contract where the data subject is a party, beneficiary or surety, and/or the data subject’s consent to the processing of their personal data, with the personal data processing and storage not to last longer than required by the purposes of personal data processing, unless otherwise provided for by RF law.

7. STATUTORY AUTHORITY FOR PERSONAL DATA PROCESSING

7.1. Statutory authority for processing of personal data of data subjects shall be established with due regard to the terms of personal data processing specified by the Federal Law of 27 July 2006, No. 152-FZ, “On personal data”. The legal grounds for personal data processing that allow personal data processing at the Company are as follows:

  • the data subject’s consent to personal data processing in compliance with the requirements imposed by the RF legislation for the relevant category of personal data;
  • a contract where the data subject is a party, beneficiary or surety, if personal data processing is required for the conclusion of the specified contract or for contractual performance;
  • the rights and legitimate interests of the Company, third parties, affiliates or others on condition that this does not infringe the rights and freedoms of the data subject;
  • the provisions of statutes and regulations in furtherance whereof and in compliance wherewith the Company performs personal data processing, including, but not limited to:
    • The Civil Code of the Russian Federation (pt. 1-4).
    • The Tax Code of the Russian Federation (pt. 1-2).
    • The Labour Code of the Russian Federation.
    • The Federal Law of 07.08.2001, No. 115-FZ, “On countering the legitimization (laundering) of illegal earnings and the financing of terrorism”.
    • The Federal Law of 08.08.2001, No. 129-FZ, “On public registration of incorporated and unincorporated businesses”.
    • The Federal Law of 29.11.2010, No. 326-FZ, “On compulsory medical insurance in the Russian Federation”.
    • The Federal Law of 06.04.2011, No. 63-FZ, “On the electronic signature”, etc.

Appendix 1

to the IXCELLERATE LLC

Personal Data Processing Policy

The list of personal data processing purposes and relevant categories and the list of processable personal data, the categories of Subjects whose personal data are processed, the options and time limits for personal data processing and storage, and the procedure for the destruction thereof

This Appendix determines the purposes of personal data processing by the Company and the relevant categories and list of processable personal data, the categories of subjects whose personal data are processed, the options and time limits for personal data processing and storage, and the procedure for the destruction thereof upon the accomplishment of the purposes of the processing thereof or upon other statutory grounds (hereinafter referred to as the “Appendix”).
The list of personal data provided herein has been generated with due regard to the requirements of the Federal Law of 27 July 2006, No. 152-FZ, “On personal data”, for reporting on personal data whose processing is allowed in the context of the personal data processing purposes specified in the Appendix. A specific list of personal data shall be determined by the relevant contract, personal data processing consent and RF legislative requirements with due regard to the specifics of the process and/or product or service(s).

1. The personal data processing purpose “Review of job seeker’s application”

As part of the contents of “Review of job seeker’s application”, the Company shall process the personal data of the following categories of data subjects: Job Seekers.
In respect of Job Seekers, in the context of the purpose specified in cl. 1 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); date of birth, residence address, educational background (name of school, number of diploma, degree type and field of study), professional experience (place of employment, job title, employment period), contact information (email address, contact telephone number), employment history details as provided from the information resources of the Pension and Social Insurance Fund of the Russian Federation, other details specified in the CV, as well as the registered residence address (city, street, street number, flat); the results of GIA\DISC testing (if applicable).

The personal data processing options for the purpose specified in cl. 1 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 1 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 1 hereof is set out in cl. 5.1 of the Policy.

2. The personal data processing purpose “Execution and performance of an employment contract”
As part of the contents of “Execution and performance of an employment contract” the Company shall process the personal data of the following categories of data subjects: Employees, Relatives of Employees.
In respect of Employees in the context of the purpose specified in cl. 2 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); sex, date of birth, place of birth, citizenship, details of passport or other ID (serial number and details such as the date of issue and issuer), reference details of certificates of education, qualifications or specialist knowledge (name of school, year of graduation, qualifications and field of study), details of employment record book (profession and speciality, employment details: place of employment, job title, awards if any), number of certificate of compulsory pension insurance (SNILS), INN [Taxpayer Identification Number], marital status, domicile address, residence address, contact information (contact telephone number, email address), employee ID, details of transfers, details of certification, details of refresher and advanced training, details of occupational retraining, details of awards and honorary titles, details of leaves and social benefits, details in the employment contract and in the supplementary agreements thereto (job title, business unit, rate of remuneration (salary and extra pay), work schedule and conditions, other particulars, information about employment contract termination), military service records (military rank, field of military specialization, military service fitness category, entry of registration/deregistration with military authorities), other details in the personnel file (details of applications and written submissions, details of commendation decisions and disciplinary action decisions, reference details of orders and other documents), information about children, including details of birth certificates of children, bank details, details of the international passport, photo image, video image, signature.

In respect of Relatives of Employees in the context of the purpose specified in cl. 2 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); kinship, date of birth, place of employment.

The personal data processing options for the purpose specified in cl. 2 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 2 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 2 hereof is set out in cl. 5.1 of the Policy.

3. The personal data processing purpose “Implementation of external and in-house events/organizational matters, publication under an avatar on in-house IT services/messaging services, on a portal, in email, in handout materials, on the company’s website, on hh.ru (as necessary), in a Telegram channel, when in attendance at corporate functions, and specifically with subsequent publication by a contractor (as necessary)”
As part of the contents of “Implementation of external and in-house events/organizational matters, publication under an avatar on in-house IT services/messaging services, on a portal, in email, in handout materials, on the company’s website, on hh.ru (as necessary), in a Telegram channel, when in attendance at corporate functions, and specifically with subsequent publication by a contractor (as necessary)” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 3 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); place of employment, job title, contact information (contact telephone number, email address), photo image, video image.

The personal data processing options for the purpose specified in cl. 3 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 3 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 3 hereof is set out in cl. 5.1 of the Policy.

4. The personal data processing purpose “Organization of the receipt/dispatch/processing of correspondence”
As part of the contents of “Organization of the receipt/dispatch/processing of correspondence” the Company shall process the personal data of the following categories of data subjects: Employees, Representatives of Counterparties.
In respect of Employees and Representatives of Counterparties in the context of the purpose specified in cl. 4 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); place of employment, job title, residence address, contact information (contact telephone number, email address), signature.

The personal data processing options for the purpose specified in cl. 4 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 4 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 4 hereof is set out in cl. 5.1 of the Policy.

5. The personal data processing purpose “Manufacture of business cards”
As part of the contents of “Manufacture of business cards” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 5 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); place of employment, job title, contact information (contact telephone number, email address).

The personal data processing options for the purpose specified in cl. 5 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 5 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 5 hereof is set out in cl. 5.1 of the Policy.

6. The personal data processing purpose “Transport service and organization of business travel and trips”
As part of the contents of “Transport service and organization of business travel and trips” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 6 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); sex, date of birth, place of birth, citizenship, details of passport or other ID (serial number and details such as the date of issue and issuer), domicile address, residence address, contact information (contact telephone number, email address), details of the international passport, photo image.

The personal data processing options for the purpose specified in cl. 6 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 6 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 6 hereof is set out in cl. 5.1 of the Policy.

7. The personal data processing purpose “Assessment and payment of remuneration and other benefits, and assessment and payment of taxes and insurance charges”
As part of the contents of “Assessment and payment of remuneration and other benefits, and assessment and payment of taxes and insurance charges” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 7 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); sex, date of birth, details of passport or other ID (serial number and details such as the date of issue and issuer), domicile address, residence address, contact information (contact telephone number, email address), details in the employment contract and in the supplementary agreements thereto (job title, business unit, rate of remuneration (salary and extra pay), bank details, signature.

The personal data processing options for the purpose specified in cl. 7 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 7 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 7 hereof is set out in cl. 5.1 of the Policy.

8. The personal data processing purpose “Controller’s compliance with statutory requirements and auditing”
As part of the contents of “Controller’s compliance with statutory requirements and auditing” the Company shall process the personal data of the following categories of data subjects: All categories of PD subjects.
In respect of PD subjects in the context of the purpose specified in cl. 8 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); sex, date of birth, place of birth, citizenship, details of passport or other ID (serial number and details such as the date of issue and issuer), reference details of certificates of education, qualifications or specialist knowledge (name of school, year of graduation, qualifications and field of study), details of employment record book (profession and speciality, employment details: place of employment, job title, awards if any), number of certificate of compulsory pension insurance (SNILS), INN, marital status, domicile address, residence address, contact information (contact telephone number, email address), employee ID, details of transfers, details of certification, details of refresher and advanced training, details of occupational retraining, details of awards and honorary titles, details of leaves and social benefits, details in the employment contract and in the supplementary agreements thereto (job title, business unit, rate of remuneration (salary and extra pay), work schedule and conditions, other particulars, information about employment contract termination), military service records (military rank, field of military specialization, military service fitness category, entry of registration/deregistration with military authorities), other details in the personnel file (details of applications and written submissions, details of commendation decisions and disciplinary action decisions, reference details of orders and other documents), information about children, including details of birth certificates of children, bank details, details of the international passport, photo image, signature.

The personal data processing options for the purpose specified in cl. 8 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 8 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 8 hereof is set out in cl. 5.1 of the Policy.

9. The personal data processing purpose “Provision of company mobile phones to employees”
As part of the contents of “Provision of company mobile phones to employees” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 9 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); details of passport or other ID (serial number and details such as the date of issue and issuer), place of employment, contact information (contact telephone number, email address).

The personal data processing options for the purpose specified in cl. 9 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 9 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 9 hereof is set out in cl. 5.1 of the Policy.

10. The personal data processing purpose “Provision of additional entitlements, benefits and allowances, and specifically supplemental medical insurance services”
As part of the contents of “Provision of additional entitlements, benefits and allowances, and specifically supplemental medical insurance services” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 10 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); date of birth, details of passport or other ID (serial number and details such as the date of issue and issuer), residence address, contact information (contact telephone number, email address), signature.

The personal data processing options for the purpose specified in cl. 10 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 10 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 10 hereof is set out in cl. 5.1 of the Policy.

11. The personal data processing purpose “Staff training and promotion”
As part of the contents of “Staff training and promotion” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 11 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); date of birth, domicile address, SNILS, educational certificate, email address, telephone number.

The personal data processing options for the purpose specified in cl. 11 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 11 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 11 hereof is set out in cl. 5.1 of the Policy.

12. The personal data processing purpose “Employee performance appraisal using the CSOD information system”
As part of the contents of “Employee performance appraisal using the CSOD information system” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 12 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); job position, department, telephone number, email address, photo.

The personal data processing options for the purpose specified in cl. 12 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 12 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 12 hereof is set out in cl. 5.1 of the Policy.

13. The personal data processing purpose “Human security, site access control and physical asset security”
As part of the contents of “Human security, site access control and physical asset security” the Company shall process the personal data of the following categories of data subjects: Employees, Office Visitors, Representatives of Customers/Suppliers.
In respect of Employees in the context of the purpose specified in cl. 13 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); corporate name, business unit, job title, photo image.

In respect of Office Visitors in the context of the purpose specified in cl. 13 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, plate number.

In respect of Representatives of Customers/Suppliers in the context of the purpose specified in cl. 13 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); corporate name, plate number, venue, type of visitor, purpose of visit, effective time and date of access badge, expiration time and date of access badge, telephone number.

The personal data processing options for the purpose specified in cl. 13 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 13 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 13 hereof is set out in cl. 5.1 of the Policy.

14. The personal data processing purpose “Controller’s pursuit of the core line of business and performance of its duties by means of third-party information systems”
As part of the contents of “Controller’s pursuit of the core line of business and performance of its duties by means of third-party information systems” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 14 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); sex, date of birth, place of birth, citizenship, details of passport or other ID (serial number and details such as the date of issue and issuer), reference details of certificates of education, qualifications or specialist knowledge (name of school, year of graduation, qualifications and field of study), details of employment record book (profession and speciality, employment details: place of employment, job title, awards if any), number of certificate of compulsory pension insurance (SNILS), INN, marital status, domicile address, residence address, contact information (contact telephone number, email address), employee ID, details of transfers, details of certification, details of refresher and advanced training, details of occupational retraining, details of awards and honorary titles, details of leaves and social benefits, details in the employment contract and in the supplementary agreements thereto (job title, business unit, rate of remuneration (salary and extra pay), work schedule and conditions, other particulars, information about employment contract termination), military service records (military rank, field of military specialization, military service fitness category, entry of registration/deregistration with military authorities), other details in the personnel file (details of applications and written submissions, details of commendation decisions and disciplinary action decisions, reference details of orders and other documents), details of birth certificates of children, bank details, details of the international passport, photo image, signature.

The personal data processing options for the purpose specified in cl. 14 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 14 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 14 hereof is set out in cl. 5.1 of the Policy.

15. The personal data processing purpose “Controller’s compliance with statutory requirements and military record-keeping”
As part of the contents of “Controller’s compliance with statutory requirements and military record-keeping” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 15 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); place of employment, date of birth, place of birth, education details, profession, marital status, second languages, passport details, driving licence details, residence address, telephone number, military service details, hire and termination details.

The personal data processing options for the purpose specified in cl. 15 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 15 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 15 hereof is set out in cl. 5.1 of the Policy.

16. The personal data processing purpose “Organization of employee engagement survey”
As part of the contents of “Organization of employee engagement survey” the Company shall process the personal data of the following categories of data subjects: Employees.
In respect of Employees in the context of the purpose specified in cl. 16 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); place of employment, survey findings, age, email address, length of service with the company, department.

The personal data processing options for the purpose specified in cl. 16 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 16 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 16 hereof is set out in cl. 5.1 of the Policy.

17. The personal data processing purpose “Generation of powers of attorney”
As part of the contents of “Generation of powers of attorney” the Company shall process the personal data of the following categories of data subjects: Employees, Representatives of Suppliers.
In respect of Employees and Representatives of Suppliers in the context of the purpose specified in cl. 17 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); details of power of attorney, passport details, registered residence address, job title, signature.

The personal data processing options for the purpose specified in cl. 17 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 17 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 17 hereof is set out in cl. 5.1 of the Policy.

18. The personal data processing purpose “Formalization of contractual arrangements”
As part of the contents of “Formalization of contractual arrangements” the Company shall process the personal data of the following categories of data subjects: Representatives of Customers, Representatives of Affiliates.
In respect of Representatives of Customers, Representatives of Affiliates in the context of the purpose specified in cl. 18 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, email address, place of employment, job title.

The personal data processing options for the purpose specified in cl. 18 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 18 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 18 hereof is set out in cl. 5.1 of the Policy.

19. The personal data processing purpose “Customer set-up and processing of requests through IXdesk”
As part of the contents of “Customer set-up and processing of requests through IXdesk” the Company shall process the personal data of the following categories of data subjects: Representatives of Customers, Representatives of Suppliers, Employees.
In respect of Representatives of Customers, Representatives of Suppliers, Employees in the context of the purpose specified in cl. 19 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); the company’s name, job title, contact telephone number, email address.

The personal data processing options for the purpose specified in cl. 19 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 19 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 19 hereof is set out in cl. 5.1 of the Policy.

20. The personal data processing purpose “Send-out of event invitations”
As part of the contents of “Send-out of event invitations” the Company shall process the personal data of the following categories of data subjects: Representatives of Customers, Representatives of Affiliates.
In respect of Representatives of Customers, Representatives of Affiliates in the context of the purpose specified in cl. 20 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); email address, place of employment, job title, motor vehicle plate number/make.

The personal data processing options for the purpose specified in cl. 20 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 20 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 20 hereof is set out in cl. 5.1 of the Policy.

21. The personal data processing purpose “Analytical research”
As part of the contents of “Analytical research” the Company shall process the personal data of the following categories of data subjects: Website Users.
In respect of Website Users in the context of the purpose specified in cl. 21 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • IP address, contents of cookie files, location data, URLs of requested pages, searches, description of device, specifications of hardware and software.

The personal data processing options for the purpose specified in cl. 21 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 21 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 21 hereof is set out in cl. 5.1 of the Policy.

22. The personal data processing purpose “Procurement”
As part of the contents of “Procurement” the Company shall process the personal data of the following categories of data subjects: Representatives of Suppliers, Suppliers.
In respect of Representatives of Suppliers in the context of the purpose specified in cl. 22 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, email address, place of employment, job title.

In respect of Suppliers in the context of the purpose specified in cl. 22 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); passport details, domicile address, date of birth, contact telephone number, email address, INN, SNILS, bank details, signature.

The personal data processing options for the purpose specified in cl. 22 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 22 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 22 hereof is set out in cl. 5.1 of the Policy.

23. The personal data processing purpose “Investment activities”
As part of the contents of “Investment activities” The Company shall process the personal data of the following categories of data subjects: Representatives of Affiliates.
In respect of Representatives of Affiliates in the context of the purpose specified in cl. 23 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); passport details, motor vehicle plate number, contact telephone number, email address, place of employment, job title.

The personal data processing options for the purpose specified in cl. 23 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 23 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 23 hereof is set out in cl. 5.1 of the Policy.

24. The personal data processing purpose “Claim management”
As part of the contents of “Claim management” the Company shall process the personal data of the following categories of data subjects: Representatives of Customers, Representatives of Affiliates, Representatives of Suppliers.
In respect of Representatives of Customers, Representatives of Affiliates, Representatives of Suppliers in the context of the purpose specified in cl. 24 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, email address, place of employment, job title.

The personal data processing options for the purpose specified in cl. 24 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 24 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 24 hereof is set out in cl. 5.1 of the Policy.

25. The personal data processing purpose “Counterparty vetting”
As part of the contents of “Counterparty vetting” the Company shall process the personal data of the following categories of data subjects: Representatives of Customers, Representatives of Affiliates, Representatives of Suppliers, Independent Contractors.
In respect of Representatives of Customers, Representatives of Affiliates, Representatives of Suppliers in the context of the purpose specified in cl. 25 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, email address, place of employment, job title, passport details, details of power of attorney.

In respect of Independent Contractors in the context of the purpose specified in cl. 25 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); date of birth, domicile address, actual residence address, passport details, SNILS, INN, bank details, contact information.

The personal data processing options for the purpose specified in cl. 25 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 25 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 25 hereof is set out in cl. 5.1 of the Policy.

26. The personal data processing purpose “Government relations”
As part of the contents of “Government relations” the Company shall process the personal data of the following categories of data subjects: Employees, Authorised Body Representatives.
In respect of Employees in the context of the purpose specified in cl. 26 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); specifics depending on enquiry.

In respect of Authorised Body Representatives in the context of the purpose specified in cl. 26 hereof, with due regard to the terms of (legal grounds for) (if any) personal data processing, the following personal data can be processed:

  • last name, first name and patronymic (if any); contact telephone number, email address, place of employment, job title.

The personal data processing options for the purpose specified in cl. 26 hereof are identified in cl. 6.3 of the Policy.
The personal data processing and storage time limits for the purpose specified in cl. 26 hereof are identified in cl. 6.4 of the Policy.
The personal data destruction procedure for the purpose specified in cl. 26 hereof is set out in cl. 5.1 of the Policy.

 

История изменений

Номер версии Дата вступления в действие Краткое описание внесенного изменения
HR-PL-P01-2107-03 2021-07-26 Начальная версия
HR-PL-001-221129 2022-11-29 Обновление по сроку ревизии
HR-PL-001-230401 2023-04-01 Обновление в связи с изменением в законодательстве
HR-PL-001-240401 2024-04-01 Обновление по сроку ревизии
HR-PL-001-250401 2025-04-01 Обновление по сроку ревизии
HR-PL-001-260401 2026-04-01 Обновление по сроку ревизии
+7-495-8000-911
Back To Top
Our website uses cookies files, which customize it for each user, but you can manage access to your cookies files by configuring your browser’s settings. By visiting our webpages, you accept our User Agreement (Пользовательское соглашение) and our Personal Data Processing Policy (Политика в отношении обработки персональных данных).