Back to home

Policy of Joint-Stock Company «SINEUS FRANCHISE» on the Processing of Personal Data

APPROVED: CEO of JSC «SINEUS FRANCHISE» A.S. Krylov

1. Definitions and abbreviations

Key terms used in this document:

Personal data
any information relating to a directly or indirectly identified or identifiable natural person (the personal data subject).
Operator (under 152-FZ)
a state body, municipal body, legal entity or natural person that, alone or jointly with others, organises and/or carries out the processing of personal data and determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data.
Processing of personal data
any action (operation) or set of actions performed with or without automation tools, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion and destruction of personal data.
Automated processing of personal data
processing of personal data by means of computing technology.
Distribution of personal data
actions aimed at disclosing personal data to an indefinite group of persons.
Provision of personal data
actions aimed at disclosing personal data to a specific person or a specific group of persons.
Blocking of personal data
temporary suspension of the processing of personal data (except where processing is necessary to clarify the personal data).
Destruction of personal data
actions that make it impossible to restore the content of personal data in the information system and/or that destroy the material carriers of personal data.
Depersonalisation of personal data
actions that make it impossible, without additional information, to determine that personal data belong to a specific data subject.
Personal data information system
a set of personal data contained in databases together with the information technologies and technical means that ensure their processing.
Material carrier
a machine-readable information carrier (including magnetic and electronic) on which information characterising a person's physiological features is recorded and stored and from which their identity can be established.
Cookie files
small text files stored on the user's device or servers that collect information about visited sites and the user's individual settings.
Cross-border transfer of personal data
transfer of personal data to the territory of a foreign state, to a foreign authority, foreign natural person or foreign legal entity.

Unless the context otherwise requires, capitalised terms used in this document have the following defined meanings:

Data Subject
a natural person whose personal data are processed by the Operator or on its behalf.
Operator
Joint-Stock Company «SINEUS FRANCHISE», PSRN 1257700442670, TIN 9714081964, address: 125167, Moscow, Khoroshevsky municipal district, Leningradsky Ave, 37, premises 35/14.
PD
personal data.
CBT
cross-border transfer of personal data.
PDIS
personal data information system.
Consent
consent to the processing of personal data.
Policy
this Policy on the processing of personal data.
RF
the Russian Federation.
Website
a page on the Internet operating in the Operator's interests at the domain name https://sineus.io/
Personal data legislation
the body of regulations governing the rules of personal data processing in the Russian Federation.

Terms used in the Policy whose meanings are not specified in this section are applied and interpreted in accordance with the applicable legislation of the Russian Federation.

2. General provisions

The Operator pays close attention to the principles of lawfulness, fairness and confidentiality when processing personal data, as well as to the security of processing.

The Policy is developed in accordance with personal data legislation and defines the principles of processing and securing personal data by the Operator.

The purposes of the Policy are:

  • Ensuring the protection of human and civil rights and freedoms;
  • Protecting the right to privacy, personal and family secrecy, and establishing the liability of the Operator's officials who have access to personal data for failing to comply with the rules governing the processing and protection of personal data.

The Policy is developed in accordance with:

  • the Constitution of the Russian Federation (adopted by popular vote on 12.12.1993);
  • Federal Law No. 160-FZ of 19 December 2005 «On the ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data»;
  • Federal Law No. 152-FZ of 27.07.2006 «On Personal Data»;
  • the Labour Code of the Russian Federation No. 197-FZ of 30.12.2001;
  • Federal Law No. 149-FZ of 27.07.2006 «On Information, Information Technologies and Information Protection»;
  • Roskomnadzor Order No. 18 of 24.02.2021 «On approving the requirements for the content of consent to the processing of personal data authorised by the data subject for distribution»;
  • the Recommendations on drafting the document defining the operator's policy on the processing of personal data, in the manner established by Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»;
  • and other regulations in force at the time the Policy was developed.

The Policy discloses the methods and principles of the Operator's processing of personal data, the rights and obligations of the Operator when processing personal data, the rights of Data Subjects, and includes the list of measures applied by the Operator to ensure the security of personal data during processing.

The Policy is a publicly available document declaring the conceptual basis of the Operator's activities in processing and protecting personal data.

The Operator has the right to:

  • independently determine the composition and list of measures necessary and sufficient to fulfil the obligations under the Personal Data Law and the regulations adopted on its basis, unless otherwise provided by personal data legislation or other federal laws;
  • entrust the processing of personal data to another person with the consent of the Data Subject, unless otherwise provided by federal law, on the basis of a contract concluded with that person. A person processing personal data on the Operator's behalf must observe the principles and rules of processing provided by the Personal Data Law, maintain confidentiality and take the necessary measures to fulfil the obligations provided by personal data legislation;
  • if the Data Subject withdraws consent, continue processing personal data without consent where other grounds established by personal data legislation and the Policy exist.

The Operator is obliged to:

  • organise the processing of personal data in accordance with personal data legislation;
  • respond to requests and enquiries from Data Subjects and their legal representatives in accordance with personal data legislation;
  • provide the authorised body for the protection of Data Subjects' rights, at its request, with the necessary information within the time limits established by personal data legislation;
  • in the manner determined by the federal executive body authorised in the field of security, ensure interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing it of computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data.

The Data Subject has the right to:

  • obtain information concerning the processing of their personal data, except in cases provided by federal law. The information is provided to the Data Subject in an accessible form and must not contain personal data of other Data Subjects, except where there are lawful grounds for disclosing such data. The list of information and the procedure for obtaining it is established by personal data legislation;
  • access their personal data, including the right to obtain a copy of any record containing it, except as provided by law;
  • require the Operator to clarify their personal data, block or destroy it if the data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, and to take the legally provided measures to protect their rights;
  • appeal unlawful actions or inaction of the Operator when processing their personal data to the authorised body for the protection of Data Subjects' rights or in court.

3. Principles and rules of personal data processing

The Operator processes personal data on the basis of the following principles:

  • Lawful and fair grounds for processing;
  • Limitation of processing to specific, predetermined and lawful purposes;
  • No merging of databases containing personal data processed for mutually incompatible purposes;
  • Processing only of personal data that correspond to the purposes of processing;
  • Correspondence of the content and volume (no excess) of processed data with the stated purposes;
  • Ensuring the accuracy of personal data, their sufficiency and, where necessary, relevance to the purposes of processing;
  • Personal data are stored in a form allowing identification of the Data Subject no longer than required by the purposes of processing, unless the retention period is established by Russian law or by a contract to which the Data Subject is a party, beneficiary or guarantor. Processed data are subject to destruction or depersonalisation once the purposes are achieved or the need for them is lost, unless otherwise provided by federal law.

4. Legal grounds for personal data processing

The legal grounds for processing are:

The body of regulations pursuant to and in accordance with which the Operator processes personal data, including:

  • the Constitution of the Russian Federation (adopted by popular vote on 12.12.1993);
  • the Labour Code of the Russian Federation No. 197-FZ of 30.12.2001;
  • the Tax Code of the Russian Federation No. 146-FZ of 31.07.1998;
  • Federal Law No. 152-FZ of 27.07.2006 «On Personal Data»;
  • Federal Law No. 402-FZ of 06.12.2011 «On Accounting»;
  • Decree of the President of the RF No. 188 of 06.03.1997 «On approving the list of confidential information»;
  • other federal laws or regulations adopted on their basis governing relations connected with the Operator's activities;
  • the Operator's charter;
  • contracts concluded between the Operator and Data Subjects;
  • the Data Subject's consent.

5. Purposes of processing, scope and categories of processed data, categories of subjects

Processing is limited to specific, predetermined and lawful purposes. The Operator does not process personal data in ways incompatible with the purposes of collection.

The purposes of processing are determined, among other things, from an analysis of the legal acts governing the Operator's activities, the purposes of the Operator's actual activities and those provided for by its constituent documents, and the Operator's specific business processes in specific PDIS (by the Operator's structural units and their procedures in respect of certain categories of Data Subjects).

Appendix No. 1 to this Policy sets out the specific categories of personal data processed, the categories of Data Subjects, and the methods of processing and destruction of personal data upon expiry of the processing periods.

6. Collection of personal data

Personal data are collected directly from the Data Subject. Where the provision of personal data and/or obtaining consent is mandatory under Russian law, the Data Subject is informed of the legal consequences of refusing to provide the data.

When collecting personal data, including via the Internet, the recording, systematisation, accumulation, storage, clarification (updating, modification) and extraction of the personal data of Russian citizens is ensured using databases located in the Russian Federation.

7. Storage of personal data

Personal data are stored in a form allowing identification of the Data Subject no longer than required by the purposes of processing, unless the retention period is established by Russian law or by a contract to which the Data Subject is a party.

Storage of personal data is carried out with regard to ensuring their confidentiality.

The retention period of personal data processed in a PDIS corresponds to the retention period of personal data on paper.

Personal data are transferred to archival storage in accordance with Russian archival legislation and are destroyed or depersonalised once the purposes of processing are achieved or the need for them is lost, unless otherwise provided by Russian law or by a contract to which the Data Subject is a party.

8. Transfer of personal data

Personal data are transferred to a third party only with the consent of the Data Subject or in cases expressly provided by Russian law.

Transfer of personal data to a public authority, local government body, security and law-enforcement body, state institution and fund, or other authorised body is permitted on the grounds provided by Russian law.

Disclosure of personal data to a third party without the consent of the relevant Data Subject is not allowed, except where necessary to protect the life, health or other vital interests of the Data Subject.

Disclosure of personal data to a third party for commercial purposes without the consent of the relevant Data Subject is prohibited. Processing of personal data for the purpose of promoting goods, works and services on the market is carried out only with the prior consent of the Data Subject.

For the purposes established by the Policy, the Operator may entrust the processing of subjects' personal data to third parties.

Third parties take the necessary confidentiality and security measures when performing the assignment in accordance with the requirements set out in Part 5 of Article 18, Article 18.1 and Article 19 of Federal Law No. 152-FZ of 27.07.2006 «On Personal Data».

9. Cross-border transfer of personal data

Before any such transfer, the Operator verifies that the foreign state to whose territory the personal data are to be transferred provides adequate protection of Data Subjects' rights.

Before commencing CBT activities, the Operator notifies the authorised body for the protection of Data Subjects' rights of its intention to carry out CBT.

After sending the notification of its intention to carry out CBT, the Operator carries out CBT to the territory of the foreign states specified in the notification that provide adequate protection of Data Subjects' rights.

The Operator does not carry out CBT to the territory of the foreign states specified in the notification that do not provide adequate protection of Data Subjects' rights until the authorised body takes the relevant decision.

10. Distribution of personal data

Processing of personal data authorised by the Data Subject for distribution is carried out in compliance with the requirements of personal data legislation.

Consent for the distribution of personal data is executed separately from the Data Subject's other consents. The Operator must enable the Data Subject to determine the list of personal data for each category specified in the consent for distribution.

In the consent for distribution, the Data Subject may establish prohibitions on the Operator transferring such data to an indefinite group of persons, as well as prohibitions on or conditions for the processing of such data by an indefinite group of persons.

11. Processing of personal data on the Operator's website

While Data Subjects visit the Website and use its functionality, technical information about Data Subjects' devices may be passively collected using various technologies and methods, including Cookie technology. This is necessary due to how the Internet operates and how access to information resources (websites) on it is provided.

Data Subjects may refuse to accept the Website's Cookie files via their browser settings. However, this may cause certain inconveniences when using the Website (for example, the need to regularly complete the authentication procedure on the Website).

The Policy does not govern the processing and protection of personal data on any other third-party websites or web objects (including, among other things, any mobile applications) accessible via the Website or linked from it.

12. Conditions and procedure for ceasing the processing of personal data

The Operator ceases processing personal data in the following cases:

  • Achievement of the purposes of processing and the maximum retention periods;
  • Loss of the need to achieve the purposes of processing;
  • Provision by the Data Subject or their legal representative of information confirming that the data were unlawfully obtained or are not necessary for the stated purpose of processing;
  • Impossibility of ensuring the lawfulness of processing;
  • Withdrawal of consent by the Data Subject, where retention of the data is no longer required for the purposes of processing;
  • A demand by the Data Subject for the Operator to cease processing, except in cases provided by law;
  • Expiry of the limitation periods for the legal relations within which the processing is or was carried out;
  • Liquidation or reorganisation of the Operator;
  • In accordance with the requirements of the applicable personal data legislation.

Destruction of personal data is carried out in a way that excludes the possibility of restoring it. If personal data cannot be destroyed without such damage to its material carrier as would prevent its further use for its intended purpose, both the personal data and its material carrier are subject to destruction.

Confirmation of the destruction of personal data is carried out in accordance with the requirements established by the authorised body for the protection of Data Subjects' rights.

13. Procedure for interaction with data subjects

The Operator must inform the Data Subject or their representative about the existence of personal data relating to that Data Subject and provide the opportunity to review such data upon the request of the Data Subject or their representative, or within ten business days of receiving the request.

The Operator must provide the Data Subject or their representative, free of charge, with the opportunity to review the personal data relating to that Data Subject, in particular:

  • Confirmation of the fact of processing;
  • The legal grounds and purposes of processing;
  • The purposes and methods of processing applied;
  • The name and location of the Operator, information about persons (other than the Operator's employees) who have access to personal data or to whom personal data may be disclosed under a contract with the Operator or under Russian law;
  • The list of processed personal data relating to the relevant Data Subject and the source from which it was obtained;
  • The processing and retention periods;
  • The procedure for the Data Subject to exercise the rights provided by Russian law;
  • Information about any CBT carried out or intended;
  • The name of the person processing personal data on the Operator's behalf, where processing is entrusted to a third party;
  • Information about how the Operator fulfils the obligations established by Article 18.1 of Federal Law No. 152-FZ «On Personal Data».

The subject has the right to require clarification or modification of their personal data, its blocking or destruction if the data processed by the Operator are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing.

The subject or their representative requests from the Operator the information specified in clause 14.1 and/or sends the demands specified in clause 14.3 by submitting a request in the form established in clause 14.5 and in Appendix No. 2.

The request of the subject or their representative must contain:

  • A description of the requested information or the subject's demands (clarification, modification, blocking, destruction of their data);
  • The number of the main identity document of the Data Subject or their representative;
  • Information about the date of issue of that document and the issuing authority;
  • Information confirming the Data Subject's participation in relations with the Operator (e.g. the number and date of an employment or civil-law contract), or information otherwise allowing the fact of processing by the Operator to be established;
  • The signature of the Data Subject or their representative.

Within seven business days of the day the Data Subject or their representative provides information confirming that the personal data are incomplete, inaccurate or outdated, the Operator must make the necessary changes to it.

The Operator must notify the Data Subject or their representative of the changes made and the measures taken, and take reasonable steps to notify third parties to whom that Data Subject's personal data were transferred.

If unlawful processing is detected upon the request of the Data Subject or their representative, the Operator blocks the unlawfully processed personal data relating to that Data Subject from the moment of such request.

If the inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the Data Subject or their representative or by the authorised body for the protection of subjects' rights, or other necessary documents, must clarify the data or ensure its clarification (if processing is carried out by another person acting on the Operator's behalf) within seven business days of the provision of such information, and lift the blocking.

The Data Subject may withdraw their consent by submitting a written request. A request to withdraw consent must contain:

  • The full name of the Data Subject;
  • information allowing the unambiguous identification of the Data Subject in relations with the Operator (e.g. the number and date of an employment or civil-law contract, or other information);
  • the signature of the Data Subject or their representative.

If the Data Subject withdraws consent, the Operator must cease processing the personal data or ensure that it ceases and, if retention of the data is no longer required for the purposes of processing, destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the withdrawal, unless otherwise provided by a contract or agreement between the Operator and the Data Subject.

A request may be submitted in one of the following ways:

  • in person;
  • as an electronic document to the Operator's email d.gorchenok@sineus.io;
  • by post to the Operator's registered address.

14. Fulfilment of statutory obligations

To fulfil the obligations provided by personal data legislation, the Operator takes the following measures:

  • Appointing a person responsible for organising the processing of personal data;
  • Issuing documents defining the policy on the processing of personal data, local acts on personal data matters, and local acts establishing procedures aimed at preventing and detecting violations of Russian law and eliminating their consequences;
  • Applying legal, organisational and technical measures to ensure the security of personal data;
  • Carrying out internal control of the compliance of processing with the requirements of Russian law;
  • Assessing the harm that may be caused to Data Subjects in the event of a violation of Russian law;
  • Familiarising the Operator's employees with the provisions of Russian law and local acts.

15. Protection of personal data

The Operator takes the necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution and other unauthorised actions, including:

  • Identifying threats to the security of personal data during processing in the PDIS;
  • Applying organisational and technical measures to ensure the security of personal data during processing in the PDIS that meet the requirements for the established protection levels;
  • Assessing the effectiveness of the measures taken to ensure the security of personal data processed in the PDIS;
  • Detecting unauthorised access to personal data and responding to such incidents;
  • Restoring personal data modified or destroyed due to unauthorised access;
  • Establishing rules of access to personal data processed in the PDIS;
  • Registering and recording actions performed with personal data in the PDIS;
  • Monitoring the measures taken to ensure the security of personal data in accordance with the established protection level.

16. Liability

For violating the personal data protection requirements established by Russian law, the regulation on the processing and protection of personal data and other local acts of the Operator, the Operator's employees and other persons who have gained access to personal data and are guilty of such violations bear disciplinary, administrative, civil and criminal liability in accordance with the federal laws of the Russian Federation.

17. Final provisions

Unrestricted access to the Policy is provided to all interested parties, including Data Subjects and the authorities exercising control and supervisory functions in the field of personal data.

The electronic version of the current Policy is published on the Website.

The Operator may amend the Policy as necessary. In such case, the amended version of the Policy is published on the Website from the moment of its publication in the new version.

The Policy is revised as changes are made:

  • to the regulations of the Russian Federation in the field of personal data;
  • to the Operator's local acts governing the organisation of processing and the security of personal data.

Appendix No. 1

List of processing purposes, categories of processed personal data, and categories of data subjects.

Purpose: recruitment for the Operator's vacant positions

Includes the following activities requiring the processing of personal data:

  • searching for applicants for vacant positions
  • carrying out information (communication) interaction with applicants
  • assessing applicants' compliance with applicable requirements, including testing knowledge and abilities and conducting surveys
  • checking applicants' reliability, including managing the legal, reputational and compliance (preventing and/or resolving conflicts of interest, anti-corruption) risks associated with applicants, as well as verifying the completeness and accuracy of the information provided by applicants
  • deciding to hire or to refuse to fill the vacant position

Categories of data subjects: applicants for the Operator's vacant positions.

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • email address
  • date of birth and/or age
  • information about profession, occupational/professional qualification and competence
  • information about current employment (service) activity
  • information about previous employment (service) activity
  • city of residence
  • phone number
  • sex
  • information about education and training

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, copying, blocking, deletion, destruction.

Legal grounds for processing: the data subject's consent to processing.

Methods of processing: mixed method (with and without the use of automation tools).

Processing periods: until conclusion of an employment contract with the applicant or the date of notifying the applicant of a refusal to hire + 3 months (Labour Code: Art. 64 part 6, Art. 391 part 3 para 2).

Purpose: organising, supporting and regulating labour and directly related relations

Includes the following activities requiring the processing of personal data:

  • processing of hiring
  • induction and adaptation to work and the social environment
  • maintaining HR and military records
  • payroll calculation, including calculation of vacation pay, sick-leave pay, business-trip pay, bonuses, surcharges and other payments
  • preparing payrolls for paying employees' salaries and remitting deductions to the tax authorities and the Social Fund of the RF in accordance with the law
  • compiling internal contact directories containing the surname, first name, patronymic, position, structural unit, phone number(s) and email address(es) of the organisation's employees
  • exercising the operator's rights and obligations in the field of occupational safety, including, but not limited to, the special assessment of working conditions (SOUT)
  • ensuring, monitoring, training (including briefing), internship and knowledge testing in occupational safety, safety techniques, fire safety, civil defence and protection against emergencies
  • processing of dismissal and conducting an exit interview (survey)
  • providing references to employees and former employees
  • providing the guarantees, compensations and benefits established by law for the Operator's employees
  • organising remote work arrangements

Categories of data subjects: the Operator's employees; relatives of the Operator's employees.

Categories of personal data: general personal data; special personal data.

List of personal data:

  • surname, first name, patronymic
  • phone number
  • information about profession, occupational/professional qualification and competence
  • information about military duty status and military records
  • information about place of residence and/or stay
  • date of birth and/or age
  • information about citizenship
  • information about marital status
  • information about education and training
  • information about attestation and/or conformity to a professional standard
  • information about length of service
  • passport details
  • date of registration at place of residence
  • contact phone number of close relatives
  • surname, first name, patronymic of close relatives with the degree of kinship
  • information about family composition
  • sex
  • individual personal account insurance number (SNILS)
  • bank account details
  • actual residential address
  • individual taxpayer information (INN)
  • address of registration at place of residence
  • information about leave
  • information about social benefits
  • salary information
  • information about position, structural unit and current place of employment
  • vehicle registration information
  • email address
  • information about previous employment (service) activity
  • health information regarding disability
  • disability data (group, date of issue)
  • contents of sick-leave certificates
  • health information regarding the ability to drive vehicles

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), copying, blocking, deletion, destruction.

Legal grounds for processing:

  • The data subject's consent to processing
  • Processing is necessary to achieve the purposes provided by an international treaty of the RF or by law, for the performance of the functions, powers and obligations imposed on the Operator by Russian law

Methods of processing: mixed method (with and without the use of automation tools).

Processing periods: for the duration of the employment relationship with the Operator + 3 years after its termination on any grounds provided by Russian law. Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.

Purpose: providing guarantees and additional opportunities in healthcare (voluntary medical insurance)

Includes the following activities requiring the processing of personal data:

  • participation in voluntary medical insurance programmes

Categories of data subjects: the Operator's employees.

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • date of birth and/or age
  • information about the identity document
  • email address
  • phone number
  • address of registration at place of residence

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), copying, blocking, deletion, destruction.

Legal grounds for processing:

  • The data subject's consent to processing
  • Processing is necessary to achieve the purposes provided by an international treaty of the RF or by law, for the performance of the functions, powers and obligations imposed on the Operator by Russian law

Methods of processing: mixed method (with and without the use of automation tools).

Processing periods: for the duration of the employment relationship with the Operator + 3 years after its termination on any grounds provided by Russian law. Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.

Purpose: organising business trips, including assignments and other official travel

Includes the following activities requiring the processing of personal data:

  • organising employees' movements / trips (including visa and migration support and the organisation of business trips)

Categories of data subjects: the Operator's employees.

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • date of birth and/or age
  • information about the identity document
  • email address
  • phone number
  • address of registration at place of residence

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), copying, blocking, deletion, destruction.

Legal grounds for processing: the data subject's consent to processing.

Methods of processing: mixed method (with and without the use of automation tools).

Processing periods: for the duration of the employment relationship with the Operator + 3 years after its termination on any grounds provided by Russian law. Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.

Purpose: ensuring the security of the Operator and its employees

Including ensuring the personal safety of employees, access control to the Operator's premises, and the safety of the material and other valuables of the Operator and its employees.

Includes the following activities for the processing of personal data:

  • ensuring on-site and access control regimes at the real-estate facilities used
  • organising video surveillance on the premises at the Operator's disposal
  • providing information to the Ministry of Internal Affairs within the framework of operational investigative activities

Categories of data subjects:

  • the Operator's employees
  • the Operator's counterparties — individuals (clients, suppliers, contractors, agents, partners)
  • staff of the Operator's counterparties — legal entities (clients, suppliers, contractors, agents, partners)
  • applicants for vacant positions

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • passport details
  • driving licence details
  • audio-video recording of the image (including face) and speech

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction.

Legal grounds for processing:

  • Processing is necessary to achieve the purposes provided by an international treaty of the RF or by law, for the performance of the functions, powers and obligations imposed on the Operator by Russian law
  • The legitimate interest of the Operator

Methods of processing: mixed method (with and without the use of automation tools).

Processing (incl. storage) periods: for the retention periods established by the Operator for the technical recording means (video surveillance). Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.

Purpose: interaction with individual counterparties on concluding and performing contracts

Interaction with the Operator's individual counterparties on concluding civil-law contracts and performing obligations under such contracts.

Includes the following activities for the processing of personal data:

  • collecting data to conclude contracts
  • concluding contracts
  • carrying out information (communication) interaction with the Operator's counterparties
  • monitoring the quality of work performed / services rendered by the Operator's counterparties
  • calculating remuneration for work performed / services rendered
  • calculating and paying taxes, levies and other mandatory payments provided by Russian law
  • submitting the statutory reporting in respect of individuals performing work / rendering services under civil-law contracts
  • providing information to the bank for transferring remuneration for work performed / services rendered

Categories of data subjects:

  • the Operator's counterparties — individuals (clients, suppliers, contractors, agents, partners)
  • staff of the Operator's counterparties — legal entities (clients, suppliers, contractors, agents, partners)

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • phone number
  • information about citizenship
  • passport details
  • information about sex
  • address of registration at place of residence
  • actual residential address
  • place of birth
  • date of birth and/or age
  • individual personal account insurance number (SNILS)
  • individual taxpayer information (INN)
  • bank account details
  • information about profession, occupational/professional qualification and competence
  • information about education and training
  • information about independent economic activity

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, blocking, deletion, destruction.

Legal grounds for processing:

  • Processing is necessary to achieve the purposes provided by an international treaty of the RF or by law, for the performance of the functions, powers and obligations imposed on the Operator by Russian law
  • The legitimate interest of the Operator
  • Processing is necessary for the performance of a contract to which the data subject is a party, beneficiary or guarantor, as well as for concluding a contract at the data subject's initiative or a contract under which the data subject will be a beneficiary or guarantor

Methods of processing: mixed method (with and without the use of automation tools).

Processing (incl. storage) periods: for the term of the contract + 3 years from its termination on any grounds. Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.

Purpose: enabling safe and productive interaction with interested parties via websites on the Internet

Includes the following activities for the processing of personal data:

  • providing information and/or organisational interaction with all interested parties (including information support, sending informational messages, processing incoming requests and materials of any nature and preparing responses to them, providing effective support when interested parties encounter various problems or situations), as well as managing the quality and effectiveness of such interaction (service)

Categories of data subjects: users of the Operator's online resources.

Categories of personal data: general personal data.

List of personal data:

  • surname, first name, patronymic
  • email address
  • phone number
  • website visitors' «Cookie» files

Actions (operations) performed with personal data: collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, blocking, deletion, destruction.

Legal grounds for processing: the data subject's consent to processing.

Methods of processing: mixed method (with and without the use of automation tools).

Processing (incl. storage) periods: for the duration of the Data Subject's consent to processing. Individual documents containing personal data may be stored for the period established by the records schedule, depending on the type of document.