• Policy with regard to the processing of personal data

    Policy on processing of personal data

    1. General Provisions

    1. The present policy regarding the processing of personal data (hereinafter - the “Policy”) was developed in accordance with the requirements of the Federal Law dated 27.07.2006 № 152-FZ "On Personal Data" in the Management Company "Sodrugestvo" (hereinafter - the “Company”).

    1. The Policy defines the objectives, principles of process and accomplishable requirements for the protection of personal data in the Company.

    1. Information containing personal data is confidential and constitutes a secret protected by law.

    1. Basic terms

    The Policy is based the following terms:

    1. Subject of personal data of the Company are individuals owning personal data, who submitted their personal media data to the Company (both voluntarily and in compliance with legal requirements) for acceptance, receipt, search, collection, systemizing, accumulation, storage, clarification, renewal, amendment, usage, distribution (including communication), depersonalization, including:

    • Company’s employees, including those employed in internal and external secondary jobs;

    • students having academic or industrial internship in the Company;

    • any other persons providing their personal data to the Company.

    1. Personal data means any information related directly or indirectly to an individual (subject of personal data).

    1. Processing of Personal data is any action (operation) or combination of actions (operations) performed with or without application of automation means with personal data, including collection, recording, systemizing, accumulation, storage, clarification (renewal, amendment), retrieval, usage, communication (distribution, submitting, access), depersonalization of persons related data, blockage, deleting or elimination of personal data.

    1. Any operation or other persons who have gained access to personal data has to treat such personal data confidentially and may not disclose personal data to third parties and is not authorized to distribute personal data without consent of the personal data owner, unless otherwise specified by the federal law.

    1. Principles and purpose of the processing of personal data

    1. In its activities on the processing of personal data adheres to the following rules:

    1. Personal data is processed on a legal and equitable basis.

    2. Purposes of processing of personal data are adequate in relation to the powers of the Company.

    3. Contents and scope of processed personal data are adequate in relation to the purpose of processing of personal data.

    4. Validity of personal data, their relevance and sufficiency for the purpose of processing, inadmissibility of processing of personal data in an excessive way in relation to the purposes of the collection of personal data.

    5. Limitation of processing of personal data upon achieving specific and lawful objectives, prohibition of processing of personal data, that are inconsistent with the purposes of collection of personal data.

    6. Prohibition of integration of databases containing personal data being processed for purposes incompatible with each other.

    7. Storage of personal data in a form that allows identification of the personal data owner, not longer than it is required for purposes of personal data processing, unless a storage period of personal data is specified by effective laws.

    8. Processed personal data have to be destroyed or depersonalized upon achievement of processing objectives or provided there is no more need to reach such objectives, unless otherwise provided by effective laws

    1. Processing of personal data of the Company’s personal data owners is carried out in order to ensure the adherence to the Constitution of the Russian Federation, federal laws and other regulations of the Russian Federation, to facilitate them (personal data owners) in work, training and career development.

    1. List of measures to ensure the security of personal data during their processing.

    1. The Company has to take all necessary legal, organizational and technical measures during processing of personal data in order to protect them from unauthorized or accidental access, elimination, amendment, blocking, copying, submitting, distribution or any other unlawful actions with regard to such data. Personal data security shall be achieved in particular through the following ways:

    1. Appointment of a person in charge of organization of personal data processing.

    2. Approval of the Company’s management in relation to regulations on issues of personal data processing and local acts that establish procedures to prevent and detect violations of Russian laws, and remedial actions in case of such violations.

    3. Effectuation of internal inspections of compliance of personal data processing with the Federal law № 152-FZ “On personal data” as of 27.07.2006 and regulations adopted in this respect, requirements to personal data protection.

    4. Familiarization of the Company’s employees directly involved in personal data processing with requirements of Russian laws on personal data, including requirements to personal data protection, as well as with local acts relating to personal data processing.

    5. Fulfillment of requirements established in the Russian Government regulation № 687 of 15.09.2008 “On ratification of the Provision on peculiarities of personal data protection carried out without using automation means” during processing personal data without using automation means.

    6. Implementation of information protection means having passed, when necessary, the procedure of compliance assessment according to the established order.

    7. Recording of data media.

    8. Exposure of events of unauthorized access to personal data and adoption of necessary measures accordingly.

    9. Recovery of personal data modified or deleted as a result of an unauthorized access to them.

    10. Establishment of rules to have access to personal data processed in the respective information system, as well as ensuring registration and recording of any actions performed within the information system of personal data.

    1. The Company’s employees responsible for violation of the procedure in connection with personal data processing bear disciplinary, administrative, civil and legal or criminal liability according to laws of the Russian Federation.

    1. Final Provisions

    1. The present Policy is approved by the management of the Company.

    2. The Policy is binding and has to be disclosed to all employees of the Company. The management of the Company is responsible to monitor that the Policy is being complied with.