1. GENERAL PROVISIONS
1.1. This Policy in the field of personal data processing and security (hereinafter referred to as the Policy) is the basis for the procedure of personal data processing and security in ASTRUM LLC (hereinafter referred to as the Company). The provisions of this Policy apply to all employees of the Company who have access to personal data.
1.2. This Policy is publicly available and shall be posted on the Company's website. The Company reserves the right to update and modify the Policy at any time.
1.3. The Company shall process personal data in accordance with the requirements of applicable legislation and the following basic principles:
1.4. In order to maintain its goodwill, the Company considers the most important objective to be to ensure the legitimacy of processing and security of subjects' personal data in the Company's business processes.
1.5. To accomplish this objective, the Company has implemented, operates and regularly reviews (controls) the personal data protection system.
1.6. The Company shall ensure that it takes measures necessary and sufficient to ensure the fulfillment of its obligations under Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” and the applicable regulations adopted in accordance therewith.
2. BASIC TERMS USED IN THE POLICY
2.1. Personal data processing - any action (operation) or set of actions (operations) performed on personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.
2.2. Operator - a state or municipal authority, legal entity or individual, independently or jointly with others, organizing and (or) carrying out the personal data processing, as well as determining the personal data processing, the composition of personal data to be processed, the actions taken with personal data.
2.3. Personal data subject - a certain or identifiable individual to whom the personal data directly or indirectly relates.
2.4. Cross-border transfer of personal data - transfer of personal data to a foreign country to a foreign authority, a foreign individual or a foreign legal entity.
2.5. Personal data confidentiality - a mandatory requirement for the person who has access to personal data not to disclose personal data to third parties and not to distribute personal data without the consent of the personal data subject, unless otherwise provided for by federal law.
3. PURPOSES OF PERSONAL DATA PROCESSING
3.1. In accordance with the principles of personal data processing, the Company defines the following purposes of personal data processing:
3.1.1. Conducting labor relations with employees in accordance with applicable labor laws and concluded employment agreements and providing employees with comfortable working conditions;
3.1.2. Fulfillment of obligations stipulated by the applicable legislation of the Russian Federation, including bylaws;
3.1.3. Conclusion, execution, maintenance, amendment, termination of contracts with counterparties, subject to the requirements of the applicable legislation;
3.1.4. Information support for persons using the Company's internal information services;
3.1.5. Issuance of guest passes for single entry to the operator's territory;
3.1.6. Processing of appeals (complaints, claims, applications, etc.) under concluded contracts (including from users) or in accordance with the applicable legislation of the Russian Federation;
3.1.7. Promotion of goods, works, services in the market by means of direct contacts with potential consumers;
3.1.8. Provision of information about the person on the Company's online resources.
3.2. The document “List of Personal Data Processed in ASTRUM LLC” defines the list of processed personal data, categories of subjects whose personal data are processed, methods, terms of their processing and storage, procedure of personal data destruction for each purpose of personal data processing in the Company.
4. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
4.1. The Company processes personal data on the following legal grounds:
5. CATEGORIES OF PERSONAL DATA SUBJECTS AND AMOUNT OF PROCESSED PERSONAL DATA
5.1. The Company processes or enables processing of personal data of the following categories of personal data subjects:
5.4. The Company may process special categories of personal data only as provided for by the federal legislation of the Russian Federation.
6. BASIC RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
6.1. Personal data subjects may:
6.1.1. receive information regarding their personal data and their processing in the manner and to the extent provided for by the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;
6.1.2. appoint representatives;
6.1.3. require the Company to update, block or destroy personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
6.1.4. take measures provided for by the legislation of the Russian Federation to protect their rights;
6.1.5. withdraw consent to personal data processing in accordance with the procedure stipulated by this Policy;
6.1.6. terminate personal data processing in accordance with the procedure stipulated by this Policy.
6.2. Personal data subjects shall exercise their rights in accordance with the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, including Part 3 of Article 14, which establishes the requirements for the content of requests from subjects, as well as with other regulations.
7. BASIC RULES OF PERSONAL DATA PROCESSING
7.1. The Company shall process personal data, namely: collect, record, systematize, accumulate, store, clarify (update, modify), extract, use, transfer (distribute, provide, access), block, remove and destroy personal data only if there are legitimate grounds and within the terms provided for by the applicable legislation.
7.2. The Company shall process personal data both with and without the use of automation tools (including mixed processing).
7.3. When processing personal data, the Company shall observe the rights of personal data subjects and fulfill the obligations of the operator stipulated by the legislation of the Russian Federation on personal data.
7.4. The Company may process personal data on behalf of third parties. In such cases, the Company is not considered an operator and is not obliged to obtain consent to process personal data from personal data subjects.
7.5. When processing the personal data of a personal data subject, the Company may entrust the personal data processing to another person upon the consent of the personal data subject and on the basis of an agreement concluded with this person.
7.6. When collecting personal data, the Company ensures that it records, systematizes, accumulates, stores, clarifies (updates, modifies), extracts personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
7.7. The Company is prohibited from making decisions regarding personal data subjects based solely on the automated processing of their personal data.
7.8. In the course of its activities, the Company may transfer personal data to third parties in cases stipulated by the legislation of the Russian Federation or upon consent of personal data subjects.
7.9. In the course of its activities, the Company may carry out cross-border transfer of personal data in compliance with the conditions stipulated by Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
8. UPDATING, CORRECTION, REMOVAL AND DESTRUCTION OF PERSONAL DATA, RESPONDING TO THE SUBJECTS' REQUESTS FOR ACCESS TO PERSONAL DATA
8.1. If it is confirmed that personal data is inaccurate or unlawful, personal data shall be updated by the Company.
8.2. When the purposes of personal data processing are achieved, as well as in case the personal data subject withdraws the consent to personal data processing or requests to terminate personal data processing, the Company shall terminate personal data processing in the manner provided for by Part 7 of Article 5 of the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
8.3. The Company may continue to process personal data if the purpose of processing has been achieved, provided there are other legitimate grounds. The Company may also continue to process personal data after the subject withdraws consent to personal data processing or requests termination of personal data processing, if there are grounds provided for in Clauses 2 - 11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of the Federal Law of the Russian Federation No. 152-FZ dated 27 July 2006 “On Personal Data”.
8.4. If unauthorized processing of personal data is detected, the personal data shall be destroyed by the Company in accordance with the procedure stipulated by the legislation of the Russian Federation on personal data.
8.5. The Company shall respond to requests/appeals of personal data subjects and their representatives, as well as competent authorities in accordance with the applicable legislation of the Russian Federation.
8.6. Requests/appeals of the said subjects regarding inaccuracy of personal data, unlawfulness of their processing, access of the subject of personal data to their personal data shall be sent to the Company's location address in writing or in any other manner provided for by the applicable legislation of the Russian Federation. Withdrawal of consent to personal data processing, personal data subject's request to terminate personal data processing shall be sent by the personal data subject in writing to the Company's location address.
8.7. The Company may restrict access of the subject of personal data to their personal data in cases stipulated by the federal laws of the Russian Federation, including if such access violates the rights and legitimate interests of third parties.
8.8. A request/appeal to the Company aimed at exercising the rights of personal data subjects shall contain:
8.9. A withdrawal of consent to personal data processing, or a request to terminate personal data processing, submitted to the Company in order to exercise the rights of personal data subjects shall contain, including but not limited to:
8.10. The Company has developed samples for each type of request or appeal, as provided in the appendix to the Company's document “Regulations on Interaction with Personal Data Subjects”. Personal data subjects may refuse to use the sample and submit a request or appeal in another form, subject to the requirements of Federal Law No. 152-FZ.
9. REQUIREMENTS TO ENSURE PERSONAL DATA SECURITY
9.1. In order to ensure the security of personal data during their processing, the Company complies with the requirements of applicable regulatory documents in the field of personal data processing and security, including:
9.2. The Company shall assess the harm that may be caused to personal data subjects and identify threats to the security of personal data. In accordance with the identified actual threats, the Company shall apply necessary and sufficient organizational and technical measures, including the use of information protection means, detection of unauthorized access, recovery of personal data, establishment of rules for access to personal data, as well as control and assess the performance of the applied measures.
9.3. The Company has appointed persons responsible for managing personal data processing and ensuring its security.
9.4. The Company's management is aware of the need for and is interested in ensuring a proper level of security of personal data processed in the course of the Company's core activities, both in terms of the requirements of regulations of the Russian Federation and in terms of business risk assessment.
Revision as of 07 July 2023