Personal data processing and protection policy

Inmar Legal Ltd.
(revised on June 1, 2017)

1. General Provisions

1.1. This Policy regarding personal data processing (hereinafter referred to as the “Policy”) is worked out in accordance with Paragraph 2 of Article 18.1 of the Federal law No. 152-ФЗ of July 27, 2006 “On personal data” and other laws and regulations of the Russian Federation in the sphere of protection and processing of personal data, and shall be applied to all personal data (hereinafter referred to as the “Data”) which may be obtained by Inmar Legal Ltd. (hereinafter referred to as the “Operator”, or “Company”) from a personal data subject being a party under a civil law contract including through the official website of the Operator, as well as from a personal data subject being in relationships with the Operator governed by the labor legislation (hereinafter referred to as the “Employee”).

1.2. The Operator shall provide for protection of personal data processed from unauthorized access and disclosure, unlawful use or loss under the Federal law No. 152-ФЗ of July 27, 2006 “On personal data”.

1.3. The Operator shall be entitled to amend this Policy. In amendments being made to a title of the Policy, the date of the latest revision shall be specified. The revised version of the Policy shall become effective on the date of approval thereof.

2. Terms and Abbreviations Used

Personal data — any information referring directly or indirectly to a particular or identified individual (personal data subject).

Personal data processing — any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, submission, access), anonymizing, blocking, and destruction of personal data.

Personal data made public by a personal data subject — data made available to unlimited range of persons by a personal data subject or by request thereof.

Personal data blocking — the temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification).

Personal data destruction — actions resulting in impossibility to restore personal data content in the respective database and (or) actions resulting in the physical destruction of the tangible medium of personal data.

Operator — an organization arranging for personal data processing independently or in cooperation with other entities, and determining the purposes of processing of personal data subject to processing, and actions (operations) performed with regard to personal data. The Operator shall be Inmar Legal Ltd. located at the address: Uborevich St, 5a, 8 floor, Vladivostok, Russia, 690091.

Website — software and hardware complex for a computer providing for publication of information and data united by common intended purpose for public view by means of technical tools used for connection between computers on the Internet. In the framework of this Policy, the Website shall mean the websites with the following addresses on the Internet:

Personal data subject (subject) — a person to whom the respective personal data refers including the Website users.

3. Obtainment and Processing of Personal Data

3.1. Personal data obtainment.

3.1.1. A source of information on all personal data of a subject shall be the subject himself. If the data of the subject may be obtained from the third party only, the subject shall be notified of that or submit the consent.

3.1.2. A source of information on personal data of the Website users shall be the data obtained due to submission of the Website user’s rights to the user by the Operator.

3.1.3. The Operator shall inform the subject on purposes, intended sources and ways of obtainment of data, nature of data subject to obtainment, list of actions with data, consent validity period and procedure of revoke thereof.

3.1.4. Documents containing data shall be made by the following ways:
— original documents copying;
— obtainment of scanned copies of documents from the subject or information contained in the document;
— obtainment of original documents needed.

3.1.5. The Operator shall not collect and process the specific and biometric categories of personal data.

3.2. Personal data processing.

3.2.1. Processing of personal data shall be performed:
— upon the consent of the personal data subject to the processing of his personal data;
— in the cases when personal data processing is required for implementation and fulfillment of functions, powers and obligations imposed by the legislation of the Russian Federation;
— in the cases when personal data processing is performed, the access of unlimited range of persons to which is presented by the personal data subject or by request thereof (hereinafter referred to as the “personal data made public by the personal data subject”).

3.2.2. Personal data processing purposes:
— carrying out of labor relationships;
— entering into and fulfillment of civil law contracts and agreements;
— submission to the user of opportunity to interact with the Website.

3.2.3. Categories of personal data subjects.
Data of the following subjects shall be processed:
— individuals entered into the civil law relations with the Company;
— representatives/employees of customers and contract partners of the Operator (legal entities);
— individuals entered into the labor relationships with the Company;
— individuals resigned from the Company;
— individuals being applicants;
— the Website users.

3.2.4. Personal data processed by the Operator:
— data obtained in the course of the civil law relationships implementation;
— data obtained in the course of the labor relationships implementation;
— data obtained for selection of applicants;
— data obtained in the course of interaction of a user with the Website (surname, name, patronymic, mobile phone, and e-mail).

3.2.5. The Operator shall carry out manual personal data processing, i. e. with direct participation of a person.

3.2.6. Personal data of subjects shall be classified as confidential restricted access information.

3.2.7. According to official duties, persons so authorized shall have the right of access to personal data of subjects. The manager of the Operator shall approve the list of persons having access to personal data.

3.3. Personal data storage.

3.3.1. Data of subjects may be processed further both in hard copies and electronically.

3.3.2. Data recorded in hard copies shall be kept in locked cabinets and in locked room of the Operator with the restricted access right.

3.3.3. Storage and allocation of documents containing data in open electronic catalogues (file sharing services) shall not be allowed.

3.3.4. Data storage in the form allowing determining the personal data subject shall be carried out not longer than it is required by the purposes of processing thereof; they shall be destructed upon achievement of purposes of the processing, or in the case of loss of necessity in achievement thereof.

3.4. Personal data destruction.

3.4.1. Destruction of documents (media) containing the data shall be performed by means of burning, breakage (shredding), chemical disintegration, turning into shapeless mass or powder. Use of shredder is allowed for destruction of paper copies of documents.

3.4.2. Data on electronic media shall be destructed by means of deleting or formatting the media.

3.4.3. The fact of data destruction shall be confirmed in written form by the certificate of media destruction.

3.5. Personal data transfer.

3.5.1. The Operator shall transfer data to the third parties in the following cases:
— the subject expressed his consent on such actions;
— the transfer is stipulated by Russian or other applicable law within the frame of the procedure stipulated by the law.

4. Personal Data Protection

4.1. In accordance with the requirements of laws and regulations, the Operator has established the personal data protection system (PDPS) consisting of subsystems of legal, organizational and technical protection.

4.2. Subsystem of legal protection shall constitute the complex of legal, organizational, management, and regulatory documents providing for establishment, functioning, and improvement of PDPS.

4.3. Subsystem of organizational protection shall include the management structure arrangement for PDPS, authorization system, protection of information in the course of work with employees, partners, and the third parties.

4.4. Subsystem of technical protection shall include the complex of technical, software, and hardware tools providing for data protection.

4.5. The Operator shall use the following basic data protection measures:

4.5.1. Appointment of a person responsible for data processing who shall perform the arrangement of the data processing, training and instructing, internal control over compliance with the requirements to data protection by the company and employees thereof.

4.5.2. Elaboration of policy with regard to personal data processing.

4.5.3. Establishment of individual passwords for access to computers for persons admitted to work with personal data in accordance with official duties thereof.

4.5.4. Certified antivirus software with bases updated regularly.

4.5.5. Observance of terms providing for data safety and excluding the unauthorized access thereto.

4.5.6. Detection of facts of unauthorized access to personal data, and taking measures.

4.5.7. Restoration of data modified or destructed due to unauthorized access thereto.

4.5.8. Training of the Operator’s employees directly performing personal data processing in the sphere of the Russian Federation legislation provisions on personal data including the requirements to personal data protection, documents determining the Operator’s policy with regard to personal data processing, and local regulations on personal data processing.

4.5.9. Carrying out internal control and audit.

4.6. Protected data on the personal data subject shall include data allowing identifying the personal data subject and/or obtaining additional information thereon provided for by the legislation and this Policy.

5. Basic Rights of the Personal Data subject and Obligations of the Operator

5.1. Basic rights of the personal data subject.

The Subject shall have the access right to his/her personal data and the following information:
— data processing confirmation by the Operator;
— legal basis and purposes of data processing;
— purposes and ways of personal data processing used by the Operator;
— name and location of the Operator, data on persons (except for the Operator’s employees) who has an access to the data, or to whom the data may be disclosed based on a contract with the Operator or under the federal law;
— personal data processing terms including the terms of storage thereof;
— procedure of these rights implementation by the subject provided for by this Federal law;
— title or surname, name, patronymic, and address of a person performing personal data processing by the Operator’s order if the processing is ordered or will be ordered to such a person;
— addressing to the Operator, and sending the requests thereto;
— appeal of the Operator’s actions or failure to act.

5.2. Obligations of the Operator.

The Operator shall:
— present the information on data processing in the course of data collection;
— notify the subject if the data was obtained not from the personal data subject;
— explain to the subject the consequences in the case of refusal to present the data;
— publish or in any other way provide for unlimited access to the document determining its policy regarding to the data processing, and to the information on requirements applied to the data protection;
— take appropriate legal, organizational, and technical measures, or provide for taking thereof for protection of data from unauthorized or accidental access thereto, destruction, modification, blocking, copying, submission, and distribution of data, as well as from other unlawful actions with regard to the data;
— in the presence of foundations, submit the data in the scope stipulated by the Federal law upon the fact of personal addressing or upon receipt of written request of the personal data subject within 30 days upon the date of addressing or receipt of request of the personal data subject or representative thereof. Such data shall be submitted to the personal data subject in understandable terms; and the data shall not contain personal data referred to the other personal data subjects except for the cases of existence of legal reasons for such personal data disclosure.
— all appeals of personal data subjects or representatives thereof shall be registered in the Logbook for applications of citizens (personal data subjects) on issues of personal data processing.
— in the case of refusal to provide the personal data subject or representative thereof in addressing or receipt of a request from the personal data subject or representative thereof with information on availability of the personal data on the relevant personal data subject, the Operator shall submit the written reasoned response containing the reference to provisions of Part 8 of Article 14 of the Federal law “On personal data” or the other Federal law being the basis for such refusal within the period not exceeding 30 days upon the date of addressing of the personal data subject or representative thereof, or upon the date of receipt of the request of the personal data subject or representative thereof.
— in the case of receipt of a request from the authorized body for protection of the rights of the personal data subjects on provision of information required for implementation of activities of this body, the Operator shall report such information to the authorized body within 30 days from the date of receipt of such request.
— in the case of detection of unlawful personal data processing in the addressing or at the request of the personal data subject or representative thereof or the authorized body for protection of the rights of the personal data subjects, the Operator shall block the unlawfully processed personal data relating to this personal data subject upon the date of such addressing or receipt of the specified request for the period of check.
— in the case of detection of unlawful personal data processing carried out by the Operator, the latter shall cease the unlawful personal data processing within the period not exceeding three working days upon the date of this detection. The Operator shall notify the personal data subject or representative thereof of the elimination of violations, as well as the authorized body for protection of rights of the personal data subjects if the appeal of the personal data subject or representative thereof or the request of the authorized body for protection of rights of the personal data subjects were sent by the authorized body for protection of rights of the personal data subjects.