General provisions

Nova Legal Personal Data Processing (hereinafter “Nova Legal”) stipulates the basic principles, objectives, conditions and methods for personal data processing, lists of data subjects and personal data processed in Company, Company’s functions while processing personal data, rights of data subjects, as well as Company’s requirements to the personal data protection (hereinafter “Policy”).

The Policy is developed based on the requirements of the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation related to personal data.

Legislation and other statutory acts of the Russian Federation stipulating Personal Data Processing Policy

Company’s Personal Data Processing Policy is based on the following statutory acts:
  • The Federal Law No. 152-FZ “On Personal Data” of July 27, 2006;
  • The Decree of the Russian President No. 188 “On Approving the List of Confidential Data” of March 6, 1997;
  • The Russian Federation Government Resolution No. 687 “On Approving the Provision Regarding Properties of Personal Data Processing without Software” of September 15, 2008;
  • other statutory acts of the Russian Federation and legal documents of authorized government bodies.

Principles and purposes for personal data processing

Company, in its capacity as a personal data operator, processes the personal data of Company’s employees and of other data subjects not employed by Company.

Company processes data with due regard for the protection of the rights and freedoms of Company’s employees and other data subjects, including the protection of the right to privacy and of personal and family secrets, based on the following principles:
  • personal data processing in Company is performed on a legitimate equitable basis;
  • personal data processing is limited to reaching specific predetermined legitimate aims;
  • personal data processing incompatible with the purposes of personal data acquisition is not allowed;
  • combining databases that contain personal data processed for the purposes incompatible with each other is not allowed;
  • only personal data that meet the purposes of their processing may be processed;
  • scope and amount of personal data comply with the stated purposes of processing. The personal data redundancy in relation to the stated purposes is not allowed;
  • while processing personal data, the accuracy, adequacy and actuality (if necessary) of personal data are ensured in relation to the purposes of personal data processing. Company makes all reasonable efforts to delete or adjust incomplete or inaccurate personal data;
  • personal data are stored in a form that allows the data subject to be identified for no longer than is required for the purposes of personal data processing, unless the personal data retention period is set by a federal law or by an agreement under which the data subject acts as a party, beneficiary or guarantor;
  • personal data under processing are deleted or depersonalized once the purposes of processing are achieved or in case achieving these purposes is not required anymore, unless otherwise provided by a federal law.
Company processes personal data for the purpose of:
  • complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation and corporate statutory acts of Company;
  • exercising functions, powers and requirements imposed upon Company by the Government of the Russian Federation;
  • regulating the employment relationships with Company’s employees;
  • protecting lives, health or other vital interests of personal data subjects;
  • developing, signing, executing and terminating agreements with counterparties;
  • executing court decisions, other bodies and authorities acts subject to execution in compliance with the Enforcement Law of the Russian Federation;
  • exercising rights and legal interests of Company while carrying out activities stipulated by Company’s Articles of Association and other corporate statutory acts of Company or third parties or with a view to achieve socially desirable purposes;
  • other legitimate purposes.

List of data subjects whose personal data are processed at Company

Company processes the personal data of the following data subjects:
  • employees of Company;
  • other personal data subjects.

List of personal data processed at Company

The list of personal data processed at Company is stipulated by the Law of the Russian Federation and corporate statutory acts considering the personal data processing purposes.

Functions of Company in personal data processing

While processing personal data, Company:
  • takes relevant measures to ensure compliance with the Law of the Russian Federation and corporate statutory acts related to personal data;
  • establishes legal, planning and technical procedures to protect personal data against illegal or accidental access, annihilation, alteration, blocking, copying, presentation, distribution, as well as against other misconduct in relation to personal data;
  • appoints a party responsible for the arrangement of personal data processing at Company;
  • issues corporate statutory acts stipulating the policy and personal data processing and protection procedures at Company;
  • familiarizes the employees of Company, its branches and representative offices directly involved in personal data processing with the provisions of the Law of the Russian Federation and corporate statutory acts of Company related to personal data, including the requirements to the personal data protection, as well as provides for certain employees training;
  • publishes or otherwise provides unlimited access to this Policy;
  • informs personal data subjects or their representatives in due course of the available data related to the relevant subjects, provides the representation of these personal data upon notification and/or request of the mentioned data subjects or their representatives, unless otherwise provided by the Law of the Russian Federation;
  • terminates the processing and annihilates personal data as stipulated by the Law of the Russian Federation related to personal data;
  • performs other activities stipulated by the Law of the Russian Federation related to personal data.

Conditions of personal data processing at Company

Personal data is processed at Company with the consent of the data subject to have his/her personal data processed, unless otherwise provided by the Law of the Russian Federation related to personal data.

Company shall not disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by the Law of the Russian Federation.

Company is entitled to entrust personal data processing to a third party with the data subject’s consent and under an agreement with that third party. The agreement shall set out the list of personal data operations to be performed by the person in charge of the data processing, the processing purposes, that person’s obligations to keep personal data confidential and protected in the course of processing, as well as the requirements for protecting the processed personal data as per Article 19 of the Federal Act On Personal Data.

For the purpose of in-house data support, Company is entitled to develop reference documents, which provide (upon written consent of the relevant data subject) the subject’s name, family name, occupation, position, date of birth, address, subscriber number, e-mail address and other personal data presented by the relevant data subject, unless otherwise provided by the Law of the Russian Federation.

Access to personal data processed by the Company is allowed only to employees of Company included in the list of persons having access to personal data.

Actions with personal data and ways of its processing

Company provides for acquisition, logging, ranging, accumulation, storage, update and alteration, extraction, application, transfer (distribution, representation, and access), depersonalization, blocking, deletion and annihilation of personal data.

Personal data processing in Company is provided in the following ways:

  • manual personal data processing;
  • automated personal data processing with further transfer of received information via communication networks or otherwise;
  • combined personal data processing.

Rights of personal data subjects

Data subjects are entitled to:

  • completing information on their personal data under processing in Company;
  • accessing their personal data, including copies of any records which contain their personal data, unless otherwise provided by the Federal Law, as well as access to related health care information at their option under the medical expert supervision;
  • adjusting their personal data, as well as data blocking or annihilation in case the personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for the declared processing purpose;
  • revoking the consent given for personal data processing;
  • taking statutory actions to protect their rights;
  • appealing against Company’s action or inaction infringing the requirements of the Law of the Russian Federation related to personal data to the body authorized for the protection of data subject rights or to the court;
  • exercising other rights provided for by the Law of Russian Federation.

Actions taken by Company to ensure proper personal data processing

Actions essential and sufficient to ensure proper personal data processing by Company in accordance with the Law of the Russian Federation related to personal data are as follows:

  • appointing a person in charge for the arrangement of personal data processing in Company;
  • adopting corporate statutory acts and other regulations related to personal data processing and protection;
  • arranging the training for the employees of structural units of Company’s administration, its branches and representative offices, which occupy the positions covered by the list of positions for structural units of Company’s administration, its branches and representative offices, substitution of which is subject to personal data processing;
  • carrying consents of data subjects to their personal data processing, unless otherwise provided by the Law of the Russian Federation;
  • isolating personal data processed manually from other data, including their storage at the separate personal data carriers and/or within separate sections;
  • ensuring the separate storage of personal data processed for different purposes and comprising different personal data categories;
  • prohibiting the transfer of personal data via open communication channels or the Internet without taking the personal data protection measures set by Company (excluding public and/or depersonalized personal data);
  • storing tangible personal data carriers in a way that ensures the safety of the personal data and prevents unauthorized access to them;
  • exercising in-house control over the compliance of personal data processing with the Federal Law ‘On Personal Data’ and relevant statutory acts, personal data protection requirements, the Policy and Company’s corporate statutory acts;
  • other actions provided by the Law of the Russian Federation related to personal data.

Actions that protect personal data while they are processed by means of personal data information systems shall correspond to Company’s corporate statutory acts, which stipulate the protection measures for personal data processed by means of such systems.

Control over compliance with Law of Russian Federation and Company’s corporate statutory acts related to personal data, including personal data protection requirements

Control over the adherence of Company to the Law of the Russian Federation and corporate statutory acts of Company related to personal data, including the personal data protection requirements, is aimed at ensuring the compliance of personal data processing by Company with the Law of the Russian Federation and corporate statutory acts of Company related to personal data, including the personal data protection requirements, as well as with measures aimed at prevention and identification of infringements of the Law of the Russian Federation related to personal data, identification of potential channels for the leakage of and the unauthorized access to personal data and the removal of consequences of such infringements.

In-house control over the adherence of Company to the Law of the Russian Federation and corporate statutory acts of Company related to personal data, including the personal data protection requirements, is exercised by the person in charge of the arrangement of personal data processing in Company.