PERSONAL DATA PROCESSING POLICY

Intersvyaz Firm, LLC,

hereinafter referred to as the “Company”

  1. INFORMATION ON THE POLICY

The goal of the Policy — it is drafted to implement: the Constitution of the Russian Federation, Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technology, and Information Protection”, provisions of Chapter 14 of the Labor Code of the Russian Federation “Protection of Personal Data of Employees”, Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008 “On Approval of the Regulations on Peculiarities of Personal Data Processing Performed without Automation Tools”, Resolution of the Government of the Russian Federation No. 1119 dated November 01, 2012 “On Approval of Requirements to Protection of Personal Data upon Their Processing in Personal Data Information Systems”, and other regulatory legal acts, and normative and methodological documents of the Russian Federation governing relations related to ensuring security of personal data upon their processing in personal data information systems.

It defines the policy of the Company in relation to personal data, and it is a publicly available document.

2. GROUNDS FOR PROCESSING OF PD PROCESSED BY THE COMPANY

Articles 23 and 24 of the Constitution of the Russian Federation;

Articles 86 to 90 of the Labor Code of the Russian Federation;

Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”; Federal Law No. 126-FZ dated July 07, 2003 “On Communication”;

Resolution of the Government of the Russian Federation No. 32 dated January 23, 2006 “On Approval of the Rules for Rendering Communication Services for Data Transmission”;

Resolution of the Government of the Russian Federation No. 575 dated September 10, 2007 “On Approval of the Rules for Rendering Telematic Communication Services”;

Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technology, and Information Protection”; other regulatory legal acts of the Russian Federation.

Documents of the Company specifying activity for PD processing:

a) the Articles of Association of the Company;

b) licenses for the performed activities related to personal data processing;

c) this Policy concerning PD processing;

d) consent to PD processing given by the subject of PD;

e) civil law contracts concluded by the Company with the Subscribers and the counterparties.


3. Terms and Abbreviations



Name of the term

Abbreviation

Definition of the term

Subscriber



Personal data

PD

Any information relating to an individual identified or being identified, directly or indirectly (the subject of personal data).

PD processing


Any action (operation) or a set of actions (operations) with the PD performed with or without automation tools. It includes: collection, recording, systematization, accumulation, storage, revision (update, change), retrieval, use, transmission (distribution, provision, access), depersonalization, blocking, deletion, and destruction.

PD distribution


Actions aimed at disclosure of the PD to an indefinite set of people.

PD provision


Actions aimed at disclosure of the PD to a certain individual or a certain set of people.

PD blocking


Temporary termination of PD processing (unless processing is required to update the PD).

PD destruction


Actions, as a result of which it becomes impossible to restore the content of the personal data in the personal data information system and (or) as a result of which the media of the personal data are destroyed.

PD depersonalization


Actions, as a result of which it becomes impossible to determine attribution of the personal data to a particular subject of personal data without use of additional information.

PD information system

PDIS

The set of PD contained in databases and information technologies and technical means ensuring their processing.

Cross-border transmission of PD


Transmission of the PD to the territory of a foreign state, the authority of a foreign state, a foreign individual, or a foreign legal entity.

Internal order document

IOD

This is a document that fixes decisions concerning administrative and organizational issues of the Company’s activities, regulates and coordinates activities, and allows the management body to ensure implementation of the tasks set for it.


4. GENERAL

  1. The activities of the Company (hereinafter referred to as the “organization” or the “operator of PD”) in accordance with this Policy are aimed at protection of the rights and freedoms of a person and a national upon processing the PD.

  2. This Policy applies to all PD of the below persons processed by the Company:

— employees of the Company, former employees, candidates for open positions as well as relatives of the employees;

— the Subscribers and the counterparties of the Company (individuals);

— representatives/employees of the Subscribers and the counterparties of the Company (legal entities).

The content and the volume of the processed PD shall be consistent with the stated goals of processing. The processed PD shall not be redundant in relation to the stated goals of their processing.

  1. In accordance with the laws of the Russian Federation, the PD shall be deemed restricted information. The PD may be processed independently or as a part of other confidential information, the processing procedure for which is established by federal laws and regulatory legal acts, in particular, on trade secret (the trade secret), communication (information on the subscriber and communication secret), banks (the bank secret), archiving, and other acts. The procedure for PD processing in the organization is governed by this Policy in accordance with the requirements of the current laws of the Russian Federation on PD and branch laws of the Russian Federation if they establish the procedure for restricted information processing.

  2. Storage, recording, and use of the PD shall be arranged for in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” and the IOD.

  3. Handling of documents submitted for storage in accordance with the laws of the Russian Federation on archiving is not governed by this Policy.

  4. The requirements of this Policy apply to all processes related to processing of the PD of subjects, and they are binding on all employees processing the PD.

  5. In all cases not regulated hereby, it is necessary to be governed by the current laws of the Russian Federation.


5. ENSURING CONFIDENTIALITY OF THE PERSONAL DATA

The employees as well as persons engaged in the PD processing pursuant to the assignment of the organization shall not disclose to third parties and not distribute the personal data without the consent of the subject of PD unless otherwise provided for by the federal law.


6. PERSONAL DATA PROCESSING

  1. The Company is an operator of PD, it arranges for and (or) performs PD processing, independently or jointly with other parties, and it determines the goals of PD processing, composition of the PD to be processed, and actions performed with the PD.

  2. The personal data of the subjects of PD shall be performed for the following purposes:

  1. The PD shall be processed on a legal basis. Only PD that are consistent with the goals of processing shall be subject to processing. PD processing shall be limited to achieving specific, predetermined and legitimate goals. PD processing inconsistent with the goals of PD collection shall not be acceptable. The content and the volume of the processed PD shall be consistent with the stated goals of processing. The processed PD shall not be redundant in relation to the stated goals of their processing. It is not acceptable to combine the PDIS containing the PD, which are processed for purposes incompatible with each other.

  2. Upon PD processing, their accuracy, sufficiency and, if needed, their relevance to the goals of PD processing shall be ensured. The required measures shall be taken to delete or update incomplete or inaccurate data. Liability for timely provision of information on changes in the PD processed in the PDIS shall be imposed on the subjects of PD.

  3. The PD shall be stored in a form that allows determining the subject of PD not longer than the purpose of PD processing requires unless a different period of PD storage is established by the federal law or the contract to which the subject of PD is the party, the beneficiary, or the surety. The PD to be processed shall be destroyed or depersonalized upon achievement of the goals of processing or in case of loss of the need to achieve these goals unless otherwise provided for by the federal law.

  4. PD processing shall be allowed in the following cases:


  1. Special categories of the PD relating to race, nationality, political views, religious or philosophical beliefs, health, and intimate life shall not be processed.

  2. The PD may be processed by:

— the employees of the organization who have access to the PD;

— other persons engaged in PD processing pursuant to the assignment of the organization.

  1. The operator shall be entitled to authorize another person to process the PD with the consent of the subject of personal data, unless otherwise provided for by the federal law, on the basis of a contract concluded with this person, including a state or municipal contract, or by adopting a relevant act by the state or municipal body (hereinafter referred to as the “operator’s assignment”). A person who performs PD processing in accordance with the operator’s assignment shall comply with the principles and rules of PD processing provided for by the federal law. The operator’s assignment shall define a list of actions (operations) with personal data that will be performed by the person who processes the personal data, and the goals of processing, it shall establish the obligation of this person to keep the PD confidential and ensure security of the PD upon their processing, and specify the requirements to protection of the PD in accordance with Article 19 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”. The person who processes the PD pursuant to the operator’s assignment is not required to obtain the consent of the subject of PD to processing of its personal data.

  2. The PD may be processed with or without automation tools.

  3. Automated PD processing shall be performed in the PDIS in accordance with this Policy.

  4. It shall be prohibited to make decisions based solely on the automated processing of the PD, which give rise to legal consequences in relation to the subject of PD or otherwise affect its rights and legitimate interests, except for cases provided for by the laws of the Russian Federation.

  5. Non-automated PD processing shall be performed in such a manner that the PD are separated from other information, in particular, by processing them on separate PD media, in special sections, or in the fields of forms and in another way.

  6. Persons processing PD without automation tools shall be informed about actual PD processing by them, the categories of the PD being processed as well as the features and rules of such processing established by the regulatory legal acts of the federal executive bodies, executive bodies of the constituent entities of the Russian Federation, and the IOD.

  7. Upon non-automated processing of the PD involving use of standard forms of documents, the nature of information in which implies or allows inclusion of the PD into them, the following conditions shall be met:

a) A standard form or related documents (instructions for its filling in, cards, registers, and journals) shall contain:

— information about the goal of PD processing without the automation tools;

— details of the organization;

— name, patronymic, surname, and address of the subject of PD;

— source of PD, period of PD processing;

— a list of actions with the PD that will be performed in the course of their processing;

— general description of the methods of PD processing used by the operator;

b) The standard form shall provide for a field in which the subject of PD may make a note on its consent to PD processing without the automation tools, if needed, obtaining written consent to PD processing;

c) The standard form shall be prepared in such a way that every subject of PD contained in the document would have an opportunity to review its personal data contained in the document without infringing the rights and legitimate interests of other subjects of PD;

d) The standard form shall exclude combining fields intended for entering PD, the processing goals of which are obviously not compatible.

6.16. When saving the PD on media, it is not allowed to save personal data, the processing goals of which are obviously not compatible, on one medium. To process various categories of the PD without the automation tools, an individual medium shall be used for each category of the PD.


7. SECURING RIGHTS OF THE SUBJECT OF PERSONAL DATA

  1. In cases provided for by the law, the subject of PD shall make a decision on provision of its PD and give consent to their processing freely, willfully, and in its interest. Consent to PD processing may be given by the subject of personal data or its representative in any form making it possible to confirm the fact of its receipt unless otherwise established by the federal law.

  2. The obligation to provide evidence of the consent of the subject of PD to processing of its personal data or proof of the grounds specified in Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” shall be imposed on the operator of PD.

  3. The subject of PD shall be entitled to receive information regarding processing of its personal data if such a right is not restricted in accordance with the federal laws. The subject of PD shall be entitled to require the organization to update its personal data, block or destroy them if the PD are incomplete, outdated, inaccurate, illegally obtained, or not required for the stated goals of processing as well as to take measures provided for by the law to protect its rights.

  4. PD processing to promote goods, work, and services on the market by making direct contacts with a potential consumer using means of communication shall be acceptable only with the prior consent of the subject of PD. The operator of PD is obliged to immediately cease processing its PD upon request of the subject of personal data for the above goals.


8. ACQUISITION OF PERSONAL DATA

      1. All PD of the employee shall be received from it. If the employee’s PD can only be obtained from a third party, the employee shall be notified of it in advance, and written consent shall be obtained from it.

      2. Personal data of other persons shall be obtained in accordance with the requirements of the current laws of the Russian Federation.

      3. In the event of legal incapacity of the subject of PD, written consent to processing of its PD shall be obtained from its legal representative.

      4. The PD may be obtained by the operator from a person who is not the subject of personal data, provided that the operator is given confirmation that there are grounds specified in paragraphs 2 to 11, part 1, Article 6, part 2, Article 10, and part 2, Article 11 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.


9. TERMS OF PERSONAL DATA PROCESSING

  1. The procedure for processing of the PD processed in the PDIS shall be determined by the IOD in accordance with the provisions of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.

  2. The terms of PD processing shall be governed by the current laws of the Russian Federation, including the Federal Law “On Personal Data”, and they shall be specified in the List of Personal Data, in documents fixing the contractual relations of the operator of PD with the subjects of personal data, and in the subjects’ consent to their PD processing.

  3. The PD, the term of processing of which has expired, shall be destroyed unless otherwise provided for by the federal law. Storage of the PD upon expiry of the period of storage shall be acceptable only after their depersonalization.


10. UPDATE OF PERSONAL DATA

  1. The PD processed in the PDIS shall be updated upon requests of the subjects of PD, their legal representatives, or in case of an application from the authorized body for protection of rights of the subjects of PD.

  2. PD updating upon their processing without the automation tools shall be ensured by updating or changing data on the medium, and if it is not feasible due to technical features of the medium, by recording information about the changes in them on the same medium or by making a new medium with updated personal data after destruction of information on the old one.


11. PROVISION AND TRANSMISSION OF PERSONAL DATA

11.1. Upon provision of the PD to a third party, the following conditions shall be met:

the PD shall be transmitted to a third party on the basis of the current laws of the Russian Federation;

there is a written consent of the subject of PD to transmission of its PD to a third party, except for cases provided for by the law. The PD shall be transmitted to a third party on the basis of a contract, the essential condition of which is ensuring by the third party of safety of the PD upon their processing;

  1. Cross-border transmission of the PD to the territory of foreign states shall not be performed.

  2. Specialized guides containing the PD, access to which may be granted to an indefinite set of people with the written consent of the subject of PD, may be created to ensure information support.

  3. Information on the subject of PD shall be at any time excluded from publicly available sources of personal data upon request of the subject of PD or by decision of the court or other authorized public bodies.


12. BLOCKING OF PERSONAL DATA

12.1. The basis for blocking of the PD related to the relevant subject of PD shall be as follows:

— If unlawful processing of personal data is detected upon application of the subject of personal data or its representative, or upon request of the subject of personal data or its representative, or the authorized body for protection of rights of the subjects of personal data, the operator shall block unlawfully processed personal data related to this subject of personal data, or ensure their blocking (if the personal data are processed by another person acting on behalf of the operator) from the moment of this application or upon receipt of the said request for the period of checking;

— If inaccurate personal data are detected upon application of the subject of personal data or its representative, or upon their request, or upon request of the authorized body for protection of rights of the subjects of personal data, the operator shall block personal data related to this subject of personal data, or ensure their blocking (if the personal data are processed by another person acting on behalf of the operator) from the moment of this application or upon receipt of the said request for the period of checking unless blocking of personal data infringes the rights and legitimate interests of the subject of personal data or the third parties.

In case of confirmation of the fact of inaccuracy of the personal data, on the basis of information provided by the subject of personal data or its representative, or the authorized body for protection of rights of the subjects of personal data, or other necessary documents, the operator shall update the personal data or ensure their updating (if the personal data are processed by another person acting on behalf of the operator) within seven business days from the date of submission of this information and unblock the personal data.


13. DESTRUCTION OF PERSONAL DATA

13.1. The basis for destruction of the PD processed in the PDIS shall be as follows:

- revocation by the subject of PD of the consent to its PD processing, except for the cases when processing of the said PD is mandatory in accordance with the laws of the Russian Federation or the contract. The consent to processing of the personal data (including changes in the goals of processing) shall be revoked by filing by the Subject of PD of a relevant application in a free written form to the Operator of PD at the following address: 38b, Komsomolsky pr., Chelyabinsk;


  1. If the goals of processing of the PD recorded on the same medium are incompatible, if the medium does not allow processing the PD separately from other PD recorded on the same medium, and if it is necessary to destroy or block some PD, the medium shall be destroyed or blocked with prior copying of information not subject to destruction or blocking in a manner preventing simultaneous copying of the PD to be destroyed or blocked.

  2. If the medium allows it, some PD shall be destroyed in a manner preventing further processing of these PD while preserving the possibility of processing other data recorded on the medium.


14. ENSURING SAFETY OF PERSONAL DATA UPON THEIR PROCESSING

  1. Upon processing of the PD in the PDIS, legal, organizational and technical measures shall be taken to protect the PD against unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of the PD as well as against other illegal actions in relation to the PD.

  2. Safety of the PD shall be ensured within the framework of implementation of a security regime for confidential information.

  3. In particular, safety of the PD shall be ensured by:

- establishment of rules for access to the PD processed in the PDIS as well as ensuring registration and recording of all actions performed with the PD in the PDIS;

- control over the measures taken to ensure safety of the PD and the level of PD protection in the PDIS.

  1. Upon processing of information in the communication systems and networks, security of communication secrets and information on the subscribers shall be ensured in accordance with the requirements of the laws of the Russian Federation on communication.

  2. Safety of the PD processed in the information systems while supporting investigative work shall be ensured in accordance with the laws of the Russian Federation on investigative work.

  3. The levels of PD protection upon their processing in the PDIS, the requirements to protection of the PD, ensuring PD protection levels shall be determined based on the security risks related to the personal data taking into account the potential harm to the subject of PD, volume and content of the processed PD, type of activity, upon performance of which the PD are processed, relevance (level) of PD security threats in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, the Resolutions of the Government of the Russian Federation, and other regulatory legal acts.

  4. In case of non-automated processing, the PD shall be protected in accordance with the requirements of the regulatory legal acts of the Russian Federation and the IOD on information media handling.


15. RIGHTS OF THE SUBJECT OF PERSONAL DATA

15.1. The subject of PD whose personal data are processed in the PDIS shall be entitled to obtain information concerning processing of its PD, including information containing:

- information on the implemented or intended cross-border transmission of the PD;

15.2. Information specified in paragraph 15.1 shall be provided to the subject of PD in an accessible form, and it shall not contain the PD related to other subjects of PD unless there are legal grounds for disclosing these PD.


16. LIABILITY FOR VIOLATION OF NORMS REGULATING PERSONAL DATA PROCESSING

  1. The employees of the organization being guilty of violating the requirements of the laws of the Russian Federation on PD as well as the provisions of this Policy shall be liable under the laws of the Russian Federation.

  2. The moral damage caused to the subject of PD as a result of infringement of its rights, violation of the PD processing rules as well as the requirements to PD protection shall be reimbursed for in accordance with the laws of the Russian Federation.


17. FINAL PROVISIONS

  1. This Policy is a publicly available document. Availability of the Policy to the public shall be ensured by its posting on the website: www.is74.ru.

  2. This Policy shall be revised as and when necessary.

  3. Persons whose personal data are processed may receive clarifications on processing of their personal data having sent a written request to the following postal address: 38b, Komsomolsky pr., Chelyabinsk.

9