Personal data processing policy
1. General Provisions
1.1. Ltd RITG (hereinafter the Company) Personal Data Processing Policy contains information on the applicable requirements to personal data processing and protection.
1.2. The Policy is developed in line with the requirements of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe, the Constitution of the Russian Federation, international agreements of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation related to personal data.
1.3. The purpose of this document is to inform the personal data owners and other persons engaged in personal data processing of Ltd RITG’s adherence to the fundamental principles of legitimacy, justice, non-redundancy, correlation of the content and scope of the personal data processed to the declared processing purposes.
1.4. Protection of rights and freedoms of an individual as part of personal data processing, including protection of rights to privacy, personal and family secrets is one of the Company’s priorities.
1.5. The Policy covers all personal data processed in the Company and constitutes a public document.
2. Legal grounds for personal data processing
2.1. Personal data are processed by the Company in view of the processing purposes:
2.1.1. With consent of personal data owners to their personal data processing;
2.1.2. For the purpose of compliance with the laws of the Russian Federation, international agreements of the Russian Federation, decrees by the RF Government and other regulatory legal acts of the Russian Federation;
2.1.3. For the purpose of agreement execution whose Party, beneficiary or guarantor is represented by the personal data owner, including the cases when the Company realizes its right to cession of rights (claims) under such agreement.
3. Purposes and applied methods of personal data processing
3.1. Personal data are processed in the Company either with application of automation technologies, including information personal data systems, or without them (mixed personal data processing).
3.2. Should the automated data processing method be used, personal data are transmitted via the Company’s internal network and via Internet, i. e., information and telecommunication network.
3.3. Personal data are processed for the following purposes:
3.3.1. Rendering assistance to the employees and candidates in employment, training and career development, quantity and quality control of the work performed, compliance with the labor legislation and other regulations containing the norms of labor legislation;
3.3.2. Provision of social benefits and guarantees, personal safety or protection of other vital interests of the Company’s employees and their family members;
3.3.3. Conclusion and execution of civil law contracts, including service contracts;
3.3.4. Compliance with the RF laws on joint-stock companies, information disclosure;
3.3.5. Compliance with antitrust legislation;
3.3.6. Compliance with the securities legislation;
3.3.7. Protection of rights and legal interests of the Company, and those of their officers in court, dispute settlement and administrative authorities;
3.3.8. Preparation of statements or requests, notifications, etc. provided for by the legislation to be submitted to the Pension Fund of the Russian Federation, Social Insurance Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund, Federal Tax Service and other state bodies and services;
3.3.9. Consolidation of statistic data and figures;
3.3.10. Conduct of inspections and audits in the Company;
3.3.11. Organizing access and on-site control in the administrative buildings of the Company, property protection;
3.3.12. Keeping corporate phone and other information books, publications at in-house portals, recognition boards and in public personal data systems;
3.3.13. Fulfillment of other obligations as part of the legal grounds specified in cl. 2.1 hereof.
4. Personal data processing and storage period
4.1. Personal data shall not be processed until the legal grounds for personal data processing outlined in cl. 3 hereof arise.
4.2. Personal data processing shall be suspended as soon as processing purposes are achieved, legal grounds for data processing cease to exist, and the document storage period, provided for by the legislation on archive-keeping in the Russian Federation and the local regulations of Ltd RITG, expires.
4.3. Upon processing period expiration the personal data are either destroyed or depersonalized to be used for statistical or other research purposes.
5. Rights of personal data owners
5.1. The personal data owner shall be entitled to be informed of his/her personal data processing within the time period and according to the procedure provided for by the Federal law.
5.2. The personal data owner shall be entitled to require adjustment of his/her personal data from the Company, their blocking or destruction, provided that the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the declared processing purpose; the data owner shall have the right to take the measures provided for by the Federal law to protect his/her rights.
5.3. The access rights of the personal data owner to his/her personal data can be limited in accordance with the Federal law.
5.4. The personal data owner shall be entitled to challenge the actions or failure to act on the part of the Company by filing a petition to the authorized body for protection of personal data owner rights or by legal means.
5.5. The personal data owner shall be entitled to protect his/her rights and legal interests, including reimbursement of expenses and (or) compensation for moral injury by legal means.
6. Information on applicable requirements to personal data protection
6.1. In the course of personal data processing the Company shall take required legal, organizational and technical measures to protect the personal data from unlawful or accidental access, destruction, adjustment, blocking, copying, submission, sharing or other unlawful actions with regard to the personal data.
6.2. The personal data shall be protected by means of the following:
6.2.1. Appointment of persons responsible for organizing personal data processing and personal data safety;
6.2.2. Issuance of local regulations on personal data processing and protection focused on prevention and tracing violations of the RF laws, elimination of respective consequences;
6.2.3. Making a list of positions that require personal data processing of the persons filling such positions;
6.2.4. Conduct of trainings, rendering methodological support, informing, against signature, the employees engaged in personal data processing of the fact of their participation in personal data processing, as well as of the rules for personal data processing and protection set by the regulatory legal acts of the executive bodies and the local regulations of Ltd RITG;
6.2.5. Registration and recording of operations with personal data;
6.2.6. Keeping records of personal data owners’ appeals and their execution;
6.2.7. Transmission of personal data within the Company solely among the persons holding the positions included into the list of positions that require personal data processing of the persons filling such positions;
6.2.8. Identifying threats to personal data safety while they are processed within the information personal data systems, development, if appropriate, a personal data protection system while they are processed within the information personal data systems and setting access rules to personal data;
6.2.9. Tracing cases of unauthorized access to personal data and taking relevant measures;
6.2.10. Regular control over compliance of the personal data protection measures taken with the RF legislation on personal data and applicable local regulatory acts adopted in pursuance of the said legislation.
7. Responsibility for violation of personal data processing rules and requirements to personal data protection
According to the applicable RF legislation the Company’s employees engaged in personal data processing shall bear disciplinary, civil, administrative or criminal responsibility for violation of personal data processing rules and requirements to personal data protection.