GENERAL PROVISIONS AND TERMS USED IN THE POLICY
This document sets out the Policy of the Limited Liability Company “Sustainability Monitoring Russia” (“Sustainability Monitoring Russia LLC”) regarding the processing of personal data (Sustainability Monitoring Russia LLC) (hereinafter, the “Company”) in relation to processing personal data and implementing the requirements for protection of personal data (hereinafter, the “Policy”) in accordance with the requirements of Article 18.1 of the Federal Law dated 27.07.2006 No. 152-FZ “On Personal Data”.
This Policy uses the following key terms:
- personal data – any information relating to a directly or indirectly defined or identifiable individual (personal data subject);
- Processing of personal data – any action (operation) or set of actions (operations), performed with or without the use of automation with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data;
- Automated processing of personal data – processing of personal data by means of computer equipment;
- Dissemination of personal data – actions aimed at disclosure of personal data to an indefinite number of persons;
- Provision of personal data – actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
- blocking of personal data – temporary termination of personal data processing (except for cases when processing is necessary to clarify personal data);
- Destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material media of personal data are destroyed;
- depersonalization of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine the attribution of personal data to a particular personal data subject;
- personal data information system – a set of personal data contained in databases of personal data and information technologies and technical means ensuring its processing;
personal data subject is an individual to whom personal data directly or indirectly relates.
THE PRINCIPLES OF PERSONAL DATA PROCESSING IN THE COMPANY:
The processing of personal data shall take place on a lawful and fair basis.
Processing of personal data shall be limited to achieving specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes of personal data collection shall not be permitted.
Databases containing personal data which are processed for purposes incompatible with each other shall not be merged.
Only personal data that meets the purposes for which it is processed may be processed.
The content and scope of personal data processed shall comply with the stated processing purposes and shall not be excessive in relation to the stated processing purposes.
The processing of personal data shall ensure the accuracy of personal data, its sufficiency and, where necessary, its relevance in relation to the purpose of personal data processing. Necessary measures shall be taken to delete or clarify incomplete or inaccurate data.
Personal data shall be stored in a form that allows identification of the subject of personal data, no longer than required by the purposes of personal data processing, unless the period of storage of personal data is established by federal law, the contract, a party to which, a beneficiary or a guarantor under which the subject of personal data is a party. Unless otherwise provided by federal law, personal data shall be destroyed or depersonalized upon attainment of the processing objectives or if it is no longer necessary to attain such objectives.
When personal data is collected, including by means of the information and telecommunications network “Internet”, recording, systematization, accumulation, storage, clarification (updating, change), extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation shall be provided.
LEGAL BASIS FOR PERSONAL DATA PROCESSING:
Processing of personal data in the Company shall be carried out in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, Article 53 of the Federal Law of the Russian Federation of 07.07.2003 No. 126-FZ “On Communications”, the Labour Code of the Russian Federation, the Decree of the Government of the Russian Federation of 01.11.2012 No. No. 1119 “On Approval of the requirements for the protection of personal data at their processing in the information systems of personal data”, Decree of the Government of the Russian Federation dated September 15, 2008 № 687 “On Approval of the Regulations on the specific processing of personal data carried out without the use of automation” and other regulations in the field of personal data protection.
PURPOSES OF PERSONAL DATA PROCESSING:
The Company collects, stores and processes only those personal data that are necessary for the provision of services and to carry out its activities, as well as to ensure the rights and legitimate interests of third parties, provided that the rights of the subject of personal data are not violated in doing so.
The personal data of the subject of personal data may be processed by the Company for the following purposes:
- To identify the subject of personal data;
- To communicate with the subject of personal data, if necessary, including to send notifications, requests and information relating to the provision of services, as well as to process requests and applications from subjects of personal data;
- To conduct statistical and other research based on anonymized data;
- The Company does not process special categories of personal data relating to race, ethnicity, political opinions, religious beliefs, health status and biometric personal data.
COMPOSITION OF PERSONAL DATA:
Personal data about personal data – the Company’s employee – information required by the Company in connection with the execution, amendment, termination of employment relations.
Personal data about personal data – counterparty under a civil law contract – information needed by the Company in connection with the execution, amendment, termination of the contract of civil law relations with the subject of personal data.
Personal information of the subject of personal data – the Company’s client – information needed for the Company to fulfil its obligations under the contractual relationship with the subject of personal data (the Company’s client) and to comply with the requirements of the legislation of the Russian Federation on the protection of personal data.
PROCESSING OF PERSONAL DATA:
Processing of personal data on subjects of personal data of the Company is carried out to ensure compliance with laws and other regulations of the Russian Federation, training of subjects of personal data-employees of the Company, providing personal security of subjects of personal data, control the quantity and quality of work performed and to ensure the safety of the Company’s property.
The Company shall process personal data with consent of subjects of personal data, both with and without the use of automation means.
The Company shall not provide and disclose information, containing personal data on subjects of personal data, to any third party without written consent of the subject of personal data, except in cases, when it is necessary for prevention of threat to life and health, as well as in cases, established by the current legislation of the Russian Federation in the field of personal data protection.
Personal data may be disclosed without the consent of the data subject at the reasonable request of the authorized agency and solely in accordance with applicable law:
- to judicial authorities in connection with the administration of justice;
- Federal security service authorities;
- The prosecution service;
- Police authorities;
- Other authorities and organizations in cases prescribed by mandatory regulatory acts.
- If consent to personal data processing is received from a representative of the subject of personal data, the authority of such representative to give consent on behalf of the subject of personal data shall be verified by the Company.
If the personal data subject withdraws consent to personal data processing, the Company may continue to process personal data without the subject’s consent, on the grounds set forth by applicable law.
Legal regulation of the procedure and time limits for storage of documents containing personal data on subjects of personal data is based on the “List of standard management archival documents generated during the activities of state agencies, local authorities and organizations, indicating the period of storage”, approved by Order of the Ministry of Culture of Russia from 25.08.2010 № 558.
Documents containing personal data shall be destroyed in any way that excludes the possibility of familiarization of unauthorized persons with the materials to be destroyed and the possibility of their retrieval.
CONFIDENTIALITY OF PERSONAL DATA
The information relating to personal data which has become known in connection with realization of labor relations, performance of provisions of the contract of civil law to which the subject of personal data is a party, and in connection with rendering services by the Company, is confidential information and is protected by the current legislation of the Russian Federation.
Persons who gained access to the processed personal data, signed an undertaking not to disclose confidential information, as well as warned of the possible disciplinary, administrative, civil, and criminal liability in case of violation of the norms and requirements of the current legislation of the Russian Federation in the field of protection of personal data.
Persons granted access to processed personal data shall not disclose personal data to a third party without written consent of such subject, except in cases where it is necessary to prevent a threat to the life or health of the subject of personal data, as well as in cases prescribed by the laws of the Russian Federation.
Persons granted access to personal data shall not disclose personal data for commercial purposes without the written consent of the subject of personal data. Processing of personal data on personal data subjects for the purpose of promoting goods, works, services on the market by direct contact with a potential consumer by means of communication is permitted only with the prior consent of the consumer.
RIGHTS OF SUBJECTS OF PERSONAL DATA
The subject of personal data has the right to receive information concerning the processing of his personal data, including containing:
- confirmation of the fact of processing of personal data by the Company;
- the legal basis and the purpose of the processing of personal data;
- objectives and methods of personal data processing used by the Company;
name and location of the Company, information on persons (except for the Company’s employees) who have access to personal data or to whom personal data may be disclosed based on the agreement with the Company or based on the federal law of the Russian Federation;
- Processed personal data pertaining to the respective personal data subject, the source of its obtaining, unless other procedure for providing such data is provided by the federal law of the Russian Federation;
- The terms of processing of personal data, including the period of their storage;
- Procedure for personal data subject’s exercising his/her rights under the Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”;
- information on the cross-border transfer of data that has taken place or is expected to take place;
Name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company if processing is or will be assigned to such person.
- Other information as provided by Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” or other federal laws of the Russian Federation.
The subject of personal data shall have the right to request the Company to clarify his personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take statutory measures to protect their rights.
If the subject of personal data considers that the Company carries out processing of his personal data in violation of the requirements of the Federal Law of July 27, 2006 № 152-FZ “On Personal Data” or otherwise violates his rights and freedoms, the subject of personal data may appeal against the action or inaction of the Company in the body to protect the rights of subjects of personal data (the Federal Service for Supervision of Communications, Information Technology and Mass Communications – Roskomnadzor) or in court.
Personal data subjects have the right to the protection of their rights and legitimate interests, including the right to damages and/or compensation for moral harm in court.
Other rights specified in Chapter 3 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
MEASURES AIMED AT ENSURING THE COMPANY’S FULFILMENT OF ITS OBLIGATIONS UNDER ART. 18.1., 19 OF THE FEDERAL LAW DATED JULY 27, 2006, NO. 152-FZ “ON PERSONAL DATA”:
Legal, organizational, and technical measures, envisaged by corresponding normative legal acts, shall be applied to ensure security of personal data during their processing in personal data information systems of the Company.
When personal data is processed without the use of automation equipment, the requirements set forth by Decree of the Government of the Russian Federation dated September 15, 2008, No. 687 “On Approval of the Regulations on the Specifics of Processing of Personal Data Performed without the Use of Automation Equipment” are observed.
The Company’s employees directly engaged in personal data processing shall be familiarized with the provisions of the personal data legislation of the Russian Federation (including requirements to protection of personal data), local regulations on personal data processing.
The Company shall be liable for violation of obligations to ensure security and confidentiality of personal data during their processing in accordance with the laws of the Russian Federation.
To ensure unrestricted access to the Company’s Personal Data Processing Policy and information about measures implemented to protect personal data, the text of this Policy is published on the Company’s official website (https://monitoring-esg.ru/).