POLICY OF ASTRUM LLC IN THE FIELD OF PERSONAL DATA PROCESSING AND SECURITY
1. GENERAL PROVISIONS
1.1. This Policy in the field of personal data processing and security (hereinafter referred to as the Policy) is the basis for the procedure of personal data processing and security in ASTRUM LLC (hereinafter referred to as the Company). The provisions of this Policy apply to all employees of the Company who have access to personal data.
1.2. This Policy is publicly available and shall be posted on the Company's website. The Company reserves the right to update and modify the Policy at any time.
1.3. The Company shall process personal data in accordance with the requirements of applicable legislation and the following basic principles:
- legitimacy of the objectives and methods of personal data processing and good faith;
- conformity of the purposes of personal data processing to the purposes pre-determined and declared upon personal data collection, as well as to the powers and authority of the Company;
- compliance of the amount and nature of processed personal data, methods of personal data processing with the purposes of personal data processing;
- reliability of personal data, their relevance and sufficiency for the purposes of processing, prevention of excessive processing in relation to the purposes of personal data collection;
- legitimacy of organizational and technical measures to ensure personal data security;
- continuous improvement of the level of knowledge of the Company's employees in the field of personal data security during their processing;
- commitment to continuous improvement of the personal data protection system.
1.4. In order to maintain its goodwill, the Company considers the most important objective to be to ensure the legitimacy of processing and security of subjects' personal data in the Company's business processes.
1.5. To accomplish this objective, the Company has implemented, operates and regularly reviews (controls) the personal data protection system.
1.6. The Company shall ensure that it takes measures necessary and sufficient to ensure the fulfillment of its obligations under Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” and the applicable regulations adopted in accordance therewith.
2. BASIC TERMS USED IN THE POLICY
2.1. Personal data processing - any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.
2.2. Operator - a state or municipal authority, legal entity or individual, independently or jointly with others, organizing and (or) carrying out the personal data processing, as well as determining the personal data processing, the composition of personal data to be processed, the actions taken with personal data.
2.3. Personal data subject - a certain or identifiable individual to whom the personal data directly or indirectly relates.
2.4. Cross-border transfer of personal data - transfer of personal data to a foreign country to a foreign authority, a foreign individual or a foreign legal entity.
2.5. Personal data confidentiality - a mandatory requirement for the person who has access to personal data not to disclose personal data to third parties and not to distribute personal data without the consent of the personal data subject, unless otherwise provided for by federal law.
3. PURPOSES OF PERSONAL DATA PROCESSING
3.1. In accordance with the principles of personal data processing, the Company defines the following purposes of personal data processing:
3.1.1. Conducting labor relations with employees in accordance with applicable labor laws and concluded employment agreements and providing employees with comfortable working conditions;
3.1.2. Fulfillment of obligations stipulated by the applicable legislation of the Russian Federation, including bylaws;
3.1.3. Conclusion, execution, maintenance, amendment, termination of contracts with counterparties, subject to the requirements of the applicable legislation;
3.1.4. Information support for persons using the Company's internal information services;
3.1.5. Issuance of guest passes for single entry to the operator's territory;
3.1.6. Processing of appeals (complaints, claims, applications, etc.) under concluded contracts (including from users) or in accordance with the applicable legislation of the Russian Federation;
3.1.7. Promotion of goods, works, services in the market by means of direct contacts with potential consumers;
3.1.8. Provision of information about the person on the Company's online resources.
3.2. The document “List of Personal Data Processed in ASTRUM LLC” defines the list of processed personal data, categories of subjects whose personal data are processed, methods, terms of their processing and storage, procedure of personal data destruction for each purpose of personal data processing in the Company.
4. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
4.1. The Company processes personal data on the following legal grounds:
- Articles of Association of ASTRUM LLC;
- Labor laws, including Labor Code of the Russian Federation No. 197-FZ dated 30 December 2001, Law of the Russian Federation No. 1032-1 dated 19 April 1991 “On the Employment of the Population in the Russian Federation”;
- Civil Code of the Russian Federation No. 51-FZ dated 30 November 1994 (Part One), No. 14-FZ dated 26 January 1996 (Part Two), No. 146-FZ dated 26 November 2001 (Part Three), No. 230-FZ dated 18 December 2006 (Part Four);
- Tax Code of the Russian Federation No. 146-FZ dated 31 July 1998 (Part One), No. 117-FZ dated 05 August 2000 (Part Two);
- Federal Law No. 149-FZ dated 27 July 2006 “On Information, Information Technologies, and Information Protection”;
- Federal Law No. 135-FZ dated 26 July 2006 “On Protection of Competition”;
- Federal Law No. 167-FZ dated 15 December 2001 “On Compulsory Pension Insurance”;
- Federal Law No. 27-FZ dated 01 April 1996 “On Individual (Personified) Accounting in the System of Compulsory Pension Insurance”;
- Federal Law No. 402-FZ dated 06 December 2011 “On Accounting”;
- Resolution of the State Committee of the Russian Federation on Statistics No. 1 dated 05 January 2004 “On Approval of the Unified Forms of Primary Accounting Documentation on Accounting for Labor and its Payment”;
- Resolutions of competent authorities;
- Contracts with counterparties;
- User (license) agreement of an online service/game;
- Rules of events (competitions) (agreement);
- Consent to personal data processing;
- Consent to processing of personal data approved by the personal data subject for distribution;
- Local acts adopted by the Company in accordance with the legislation on personal data, including this Policy and the current version of the Regulation on Personal Data Processing in ASTRUM LLC.
4.2. Each of the Company's online services has an appropriate privacy policy that does not contradict this Policy.
5. CATEGORIES OF PERSONAL DATA SUBJECTS AND AMOUNT OF PROCESSED PERSONAL DATA
5.1. The Company processes or enables processing of personal data of the following categories of personal data subjects:
- the Company's employees;
- relatives of the Company's employees;
- the Company's former employees;
- employees of Russian legal entities in which MULTIPLICATOR GROUP JSC directly or indirectly, including through participation in their authorized capitals, has the status of a parent company;
- individuals affiliated with the Company;
- contractors under contracts with individuals;
- users of the Company's online services (including former users);
- applicants;
- the Company's guests on business trips;
- participants of events (competitions) organized by the Company;
- representatives of persons who have contractual relations with the Company;
- users of the Company's internal information services;
- the Company's visitors;
- personal data subjects who send applications, claims and other appeals to the Company;
- representatives of personal data subjects who send applications, claims and other appeals to the Company on behalf of personal data subjects;
- potential consumers of goods, works, services;
- analysts monitoring the Company's activity.
5.4. The Company may process special categories of personal data only as provided for by the federal legislation of the Russian Federation.
5.5. The Company does not process biometric personal data, unless otherwise explicitly stated in the privacy policy of the Company's online services or in a separate local regulation.
6. BASIC RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
6.1. Personal data subjects may:
6.1.1. receive information regarding their personal data and their processing in the manner and to the extent provided for by the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;
6.1.2. appoint representatives;
6.1.3. require the Company to update, block or destroy personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
6.1.4. take measures provided for by the legislation of the Russian Federation to protect their rights;
6.1.5. withdraw consent to personal data processing in accordance with the procedure stipulated by this Policy;
6.1.6. terminate personal data processing in accordance with the procedure stipulated by this Policy.
6.2. Personal data subjects shall exercise their rights in accordance with the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, including Part 3 of Article 14, which establishes the requirements for the content of requests from subjects, as well as with other regulations.
7. BASIC RULES OF PERSONAL DATA PROCESSING
7.1. The Company shall process personal data, namely: collect, record, systematize, accumulate, store, clarify (update, modify), extract, use, transfer (distribute, provide, access), block, remove and destroy personal data only if there are legitimate grounds and within the terms provided for by the applicable legislation.
7.2. The Company shall process personal data both with and without the use of automation tools (including mixed processing).
7.3. When processing personal data, the Company shall observe the rights of personal data subjects and fulfill the obligations of the operator stipulated by the legislation of the Russian Federation on personal data.
7.4. The Company may process personal data on behalf of third parties. In such cases, the Company is not considered an operator and is not obliged to obtain consent to process personal data from personal data subjects.
7.5. When processing the personal data of a personal data subject, the Company may entrust the personal data processing to another person upon the consent of the personal data subject and on the basis of an agreement concluded with this person.
7.6. When collecting personal data, the Company ensures that it records, systematizes, accumulates, stores, clarifies (updates, modifies), extracts personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
7.7. The Company is prohibited from making decisions regarding personal data subjects based solely on the automated processing of their personal data.
7.8. In the course of its activities, the Company may transfer personal data to third parties in cases stipulated by the legislation of the Russian Federation or upon consent of personal data subjects.
7.9. In the course of its activities, the Company may carry out cross-border transfer of personal data in compliance with the conditions stipulated by Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
8. UPDATING, CORRECTION, REMOVAL AND DESTRUCTION OF PERSONAL DATA, RESPONDING TO THE SUBJECTS' REQUESTS FOR ACCESS TO PERSONAL DATA
8.1. If it is confirmed that personal data is inaccurate or unlawful, personal data shall be updated by the Company.
8.2. When the purposes of personal data processing are achieved, as well as in case the personal data subject withdraws the consent to personal data processing or requests to terminate personal data processing, the Company shall terminate personal data processing in the manner provided for by Part 7 of Article 5 of the Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
8.3. The Company may continue to process personal data if the purpose of processing has been achieved, provided there are other legitimate grounds. The Company may also continue to process personal data after the subject withdraws consent to personal data processing or requests termination of personal data processing, if there are grounds provided for in Clauses 2 - 11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of the Federal Law of the Russian Federation No. 152-FZ dated 27 July 2006 “On Personal Data”.
8.4. If unauthorized processing of personal data is detected, the personal data shall be destroyed by the Company in accordance with the procedure stipulated by the legislation of the Russian Federation on personal data.
8.5. The Company shall respond to requests/appeals of personal data subjects and their representatives, as well as competent authorities in accordance with the applicable legislation of the Russian Federation.
8.6. Requests/appeals of the said subjects regarding inaccuracy of personal data, unlawfulness of their processing, access of the subject of personal data to their personal data shall be sent to the Company's location address in writing or in any other manner provided for by the applicable legislation of the Russian Federation. Withdrawal of consent to personal data processing, personal data subject's request to terminate personal data processing shall be sent by the personal data subject in writing to the Company's location address.
8.7. The Company may restrict access of the subject of personal data to their personal data in cases stipulated by the federal laws of the Russian Federation, including if such access violates the rights and legitimate interests of third parties.
8.8. A request/appeal to the Company aimed at exercising the rights of personal data subjects shall contain:
- last name, first name, patronymic of the personal data subject or their representative;
- number of the main identity document of the personal data subject or their representative;
- information on the issue date of the said document and an issuing authority;
- information confirming that the personal data subject has any relations with the Company (for example, number and date of the contract, name and date of the competition, user identifier in the Company's services: login, id, link to profile, telephone, e-mail or other), or information that may indicate that the Company is processing the personal data of the relevant subject;
- signature of the personal data subject (or their representative).
8.9. A withdrawal of consent to personal data processing, or a request to terminate personal data processing to the Company in order to exercise the rights of personal data subjects shall contain, including but not limited to:
- last name, first name, patronymic of the personal data subject or their representative, address of the personal data subject;
- information confirming that the personal data subject has any relations with the Company (for example, number and date of the contract, name and date of the competition, user identifier in the Company's services: login, id, link to profile, telephone, e-mail or other), or information that may indicate that the Company is processing the personal data of the relevant subject;
- signature of the personal data subject (or their representative).
8.10. The Company has developed samples for each type of request or appeal, as provided in the appendix to the Company's document “Regulations on Interaction with Personal Data Subjects”. Personal data subjects may refuse to use the sample and submit a request or appeal in another form, subject to the requirements of Federal Law No. 152-FZ.
9. REQUIREMENTS TO ENSURE PERSONAL DATA SECURITY
9.1. In order to ensure the security of personal data during their processing, the Company complies with the requirements of applicable regulatory documents in the field of personal data processing and security, including:
- Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;
- Resolution of the Government of the Russian Federation No. 1119 dated 01 November 2012 “On Approval of Requirements for the Protection of Personal Data when Processing in Personal Data Information Systems”;
- Resolution of the Government of the Russian Federation No. 687 dated 15 September 2008 “On Approval of the Regulation on the Characteristics of Personal Data Processing Performed Without the Use of Automation Tools”;
- Order of the Federal Service for Technical and Export Control of Russia No. 21 dated 18 February 2013 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data when Processing in Personal Data Information Systems”.
9.2. The Company shall assess the harm that may be caused to personal data subjects and identify threats to the security of personal data. In accordance with the identified actual threats, the Company shall apply necessary and sufficient organizational and technical measures, including the use of information protection means, detection of unauthorized access, recovery of personal data, establishment of rules for access to personal data, as well as control and assess the performance of the applied measures.
9.3. The Company has appointed persons responsible for managing personal data processing and ensuring its security.
9.4. The Company's management is aware of the need for and is interested in ensuring a proper level of security of personal data processed in the course of the Company's core activities, both in terms of the requirements of regulations of the Russian Federation and in terms of business risk assessment.
Revision as of 07 July 2023