PRIVACY POLICY

Moscow, 2017

1. GENERAL PROVISIONS

The privacy policy (hereinafter referred to as the Policy) was developed in accordance with the Federal Law No. 152-FZ dated July 27, 2006, on Personal Data (hereinafter referred to as FZ-152).

This Policy determines the procedure for the processing of personal data and arrangements to ensure the security of personal data in the Representative Office of Lex Optimum Limited Liability Company (hereinafter referred to as the Controller) in order to protect the rights and freedoms of a person and citizen in the processing of his personal data, including the personal privacy, personal and family secrets.

The Policy uses the following basic concepts:

automated processing of personal data means the processing of personal data using computer equipment;

blocking of personal data means the suspension of personal data processing (unless it is necessary to rectify personal data);

personal data information system means a total collection of personal data contained in databases, and information technologies and technical means ensuring their processing;

anonymization of personal data means actions that render personal data anonymous so it is impossible to determine without the use of additional information to which specific data owner the personal data belong;

processing of personal data means any action (procedure) or set of actions (procedures) performed with the use of automation equipment or without using such tools with personal data, including the collection, recording, systematization, accumulation, storing, rectification (update, modifying), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;

controller means state body, a municipal body, legal entity or natural person, independently or together with other persons organizing and (or) processing personal data, as well as defining the purposes of personal data processing, the scope of personal data to be processed, actions (procedures) performed on personal data;

personal data mean any information relating to directly or indirectly determined or being determined natural person (personal data owner);

provision of personal data means actions aimed at disclosing personal data to a specific person or a particular set of persons;

distribution of personal data means actions aimed at disclosing personal data to an indefinite set of persons (transfer of personal data) or at familiarizing an unlimited number of persons with personal data, including the disclosure of personal data in the media, placement in information and telecommunication networks or providing access to personal data through other means;

cross-border transfer of personal data means the transfer of personal data to the territory of a foreign state to the authority of a foreign state, foreign natural person or foreign legal entity;

destruction of personal data means actions, as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as the result of which the material media bearing the personal data are destroyed.
The company is obliged to publish or otherwise provide unrestricted access to this Privacy Policy in accordance with Part 2 of Art. 18.1. FZ-152.

2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING

2.1. Principles of personal data processing

The Controller processes the personal data based on the following principles:

— legality and fairness of the basis;

— restricting the processing of personal data to the achievement of specific, predetermined and legitimate purposes;

— preventing the processing of personal data incompatible with the purposes of collecting personal data;

— preventing the merging of databases containing personal data that are processed for purposes that are incompatible with each other;

— processing only personal data that meet the purposes of their processing;

— compliance of the content and volume of personal data processed with the stated purposes of processing;

— preventing the processing of personal data redundant in relation to the stated purposes of their processing;

— ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes of processing personal data;

— destruction or anonymization of personal data upon achieving the purposes of their processing or in case of no further need to achieve these purposes, if it is impossible for the Controller to eliminate the violations of personal data, unless otherwise provided by the federal law.

2.2. Personal data processing conditions

The Controller processes personal data in the presence of at least one of the following conditions:

— the processing of personal data is carried out with the consent of the personal data owner to the processing of his personal data;

— processing of personal data is necessary to achieve the purposes stipulated by the international treaty of the Russian Federation or the law, for the implementation and fulfillment of the functions, powers, and duties imposed by the legislation of the Russian Federation on the Controller;

— the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, to be executed in accordance with the legislation of the Russian Federation concerning enforcement proceedings;

— processing of personal data is necessary for the execution of the contract, either a party of which or the beneficiary or the guarantor of which is the personal data owner, as well as for entering into a contract on the initiative of the personal data owner or a contract in which the personal data owner will be the beneficiary or guarantor;

— processing of personal data is necessary for the exercise of the rights and legitimate interests of the Controller or third parties or to achieve socially significant purposes, provided that this does not violate the rights and freedoms of the personal data owner;

— processing of personal data is carried out, access to which is provided for an unlimited number of persons by the personal data owner or at his request (hereinafter – publicly available personal data);

— the processing of personal data to be published or having “compelling disclosure” status in accordance with federal law.

2.3. Confidentiality of personal data

The Controller and other persons who have obtained access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the personal data owner unless otherwise provided by the federal law.

2.4. Publicly available sources of personal data

In order to provide informational support, Controller can create publicly accessible sources of personal data of owners, including directories and address books. Publicly available sources of personal data with the written consent of the owner can include his last name, first name, middle name/patronymic, date and place of birth, position, contact telephone numbers, e-mail address and other personal data provided by the personal data owner.
Information about the data owner should be at any time excluded from publicly available sources of personal data at the request of the owner or by decision of a court or other competent government agencies.

2.5. Sensitive personal data

The Controller is allowed to process sensitive personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, if:

— the personal data owner has agreed in writing to the processing of his personal data;

— the personal data is made publicly available by the personal data owner;

— processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, legislation of the Russian Federation on State-provided pension, on labor pensions;

— processing of personal data is necessary to protect the life, health or other vital interests of the personal data owner or the life, health or other vital interests of other persons and it is impossible to obtain the consent of the personal data owner;

— personal data is processed for medical and preventive purposes, in order to establish a medical diagnosis, to provide medical and medical and social services, provided that the processing of personal data is carried out by a person who is professionally engaged in medical activities and is obliged to keep medical confidentiality in accordance with the legislation of the Russian Federation;

— the processing of personal data is necessary to establish or exercise the rights of the personal data owner or third parties, as well as in relation to the administration of justice;

— the processing of personal data is carried out in accordance with the legislation on mandatory types of insurance, with insurance legislation.

The processing of sensitive personal data must be immediately terminated if the reasons for processing them are eliminated unless otherwise provided by federal law.

The processing of personal data on criminal record may be carried out by the Controller only in cases and in the manner determined in accordance with the federal laws.

2.6. Biometric personal data

Information that provides the physiological and biological characteristics of a person, based on which his identity can be established – biometric personal data – can be processed by the Controller only with the written consent of the data owner.

2.7. Assignment of personal data processing to another person

The operator has the right to assign the processing of personal data to another person based on the agreement with this person only with the consent of the personal data owner unless otherwise provided by the federal law. The person who processes personal data on behalf of the Controller is obliged to comply with the principles and rules for the processing of personal data provided for by the Federal Law FZ-152.

2.8. Cross-border transfer of personal data

The Controller is obliged to ensure that the foreign state to whose territory it is supposed to transfer personal data provides adequate protection of the rights of the personal data owner prior to such transfer.
Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data owners may be carried out in the following cases:
— with the written consent of the personal data owner to the cross-border transfer of his personal data;

— performance of the contract if the personal data owner is the party of such contract.

3. RIGHTS OF THE PERSONAL DATA OWNER

3.1. Consent of the personal data owner to the processing of his personal data

The personal data owner decides whether to provide his personal data and gives consent to their processing freely, by his own will and in his own interest. Consent to the processing of personal data may be given by the data owner or his representative in any form allowing to confirm that it is received unless otherwise established by the federal law.

The Controller is obliged to provide evidence of the consent of the personal data owner to the processing of his personal data or proof of the grounds specified in the Federal Law FZ-152.

3.2. Rights of the personal data owner

The personal data owner has the right to receive information from the Controller regarding the processing of his personal data if such right is not limited in accordance with the federal laws. The personal data owner has the right to require the Controller to rectify his personal data, to block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his rights.

The processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using means of communication, as well as for political campaigns is allowed only with the prior consent of the personal data owner. This processing of personal data shall be deemed to be carried out without the prior consent of the personal data owner unless the Company proves that such consent was obtained.

At the request of the personal data owner, the Controller is obliged to immediately stop the processing of his personal data for the above purposes.
It is forbidden to make decisions based solely on automated processing of personal data that give rise to legal consequences in relation to the personal data owner or otherwise affect his rights and legitimate interests, except in cases provided for by the federal laws, or if there is a written consent of the personal data owner.

If the personal data owner considers that the Controller is processing his personal data in violation of the requirements of Federal Law FZ-152 or otherwise violates his rights and freedoms, the personal data owner has the right to appeal against the Controller’s actions or omission to act to the Authorized Body for protection of the rights of personal data owners or in court.

The personal data owner has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral harm in a judicial proceeding.

4. SECURITY OF PERSONAL DATA

The security of personal data processed by the Controller is ensured by the implementation of legal, organizational and technical arrangements necessary to meet the requirements of federal legislation in the sphere of personal data protection.

To prevent unauthorized access to personal data, the Controller applies the following organizational and technical arrangements:
— the appointment of officials responsible for organizing the processing and protection of personal data;

— limiting the number of persons who have access to personal data;

— familiarizing the data owners with the requirements of federal legislation and regulatory documents of the Controller on the processing and protection of personal data;

— organization of registration, storage, and circulation of data storage devices;

— identification of threats to the security of personal data during their processing, the formation of threat models on their basis;

— development of a personal data protection system based on the threat model;

— checking the readiness and effectiveness of the information security tools;

— delimitation of users’ access to information resources and software and hardware for information processing;

— registration and recording of users’ actions in the personal data information systems;

— use of antivirus and personal data protection system recovery tools;

— the use of a firewall, intrusion detection, security analysis, and data cryptographic protection facilities if necessary;

— organization of staffed checkpoint on the premises of the Controller, the protection of premises with technical means for processing personal data.

5. FINAL PROVISIONS

Other rights and obligations of the Controller of personal data are determined by the legislation of the Russian Federation in the sphere of personal data.
Controller’s officials who are guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by the federal laws.
