Personal Data Processing Policy of Accent Capital, LLC
1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter – the Policy) has been prepared in accordance with Article 18.1, Part 1, Clause 2 of Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter – the Law) and determines the position of Accent Capital Limited Liability Company (hereinafter – the Company) with respect to processing and protecting personal data (hereinafter – the Data), observation of the rights and freedoms of every person, and, particularly, the right to privacy, personal and family secrecy.
2. SCOPE OF APPLICATION
2.1. This Policy applies to Data obtained both before and after this Policy became effective.
2.2. Understanding the importance and value of the Data, as well as committing to observe the constitutional rights of the Russian Federation citizens and citizens of other states, the Company ensures reliable Data protection.
3.1. The Data shall mean any information referring directly or indirectly to a particular or identified individual (citizen). Such information shall, among others, include: name, year, month, day and place of birth, address, information about family, social and property status, information about education, profession, income, telephone number, contact e-mail address, information about candidates for vacant positions left by such candidates in the questionnaire, including information contained in a candidate’s CV, as well as other information.
3.2. Data processing shall mean any action (operation) or a combination of actions (operations) performed automatically and/or manually with the Data. Such actions (operations) include collection, recording, arrangement, accumulation, storage, rectification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymizing, blocking and destruction of the Data.
3.3. Data security shall mean the protection of the Data from illegal and/or unauthorized access, destruction, alteration, blocking, copying, provision, distribution of Data, as well as from other unlawful acts in relation to the Data.
4. LEGAL FRAMEWORK AND PURPOSES OF PROCESSING
4.1. Data processing and ensuring the protection of the Data at the Company are performed in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, bylaws, other federal laws of the Russian Federation determining the cases and peculiarities of Data processing, as well as guiding documents issued by the Federal Service for Technology and Export Control of Russia and the Federal Security Service of Russia.
4.2. The subjects of Data processed by the Company are as follows:
- candidates for vacant positions;
- the Company’s employees, relatives of the Company’s employees, to the extent determined by the legislation of the Russian Federation, if information about them is provided by the employee;
- persons who are members of the Company’s management bodies and are not employees of the Company;
- individuals with whom the Company enters into civil law contracts;
- representatives of legal entities being the Company’s contractors;
- other (interested) persons, including the visitors of the website with the domain name owned by the Company: www.accent.ru (hereinafter – “Website”).
4.3. The Company processes the Data for the following purposes:
- performance of the functions, authorities and obligations assigned to the Company by the laws of the Russian Federation in accordance with the federal laws, including but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law No. 27-FZ “On Individual (Personified) Accounting in the System of Mandatory Pension Insurance” dated April 01, 1996, Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006, Federal Law No. 53-FZ “On Military Duty and Military Service” dated March 28, 1998, Federal Law No. 31-FZ “On Mobilization Training and Mobilization in the Russian Federation” dated February 26, 1997, Federal Law No. 14-FZ “On Limited Liability Companies” dated February 08, 1998, Law of the Russian Federation No. 2300-1 “On the Protection of the Customers’ Rights” dated February 07, 1992, Federal Law No. 402-FZ “On Accounting” dated December 06, 2011, Federal Law No. 326-FZ “On Mandatory Medical Insurance in the Russian Federation” dated November 29, 2010, the Charter and internal regulations of the Company;
- compliance with the labor, tax and pension laws of the Russian Federation in respect of the Company’s employees, namely:
- assisting the employees in finding jobs, training and promotion; calculating and accrual of wages;
- arrangement of business trips of the employees;
- issue of powers of attorney (including for representing the Company’s interests before third parties);
- ensuring personal safety of employees; controlling the quantity and quality of work performed;
- ensuring the integrity of property;
- ensuring access control at the Company’s premises;
- recording of hours worked; using various types of benefits in accordance with the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws, as well as the Company’s Charter and internal regulations;
- taking decisions concerning the possibility of concluding an employment contract with persons applying for vacancies (in respect of candidates for vacant positions at the Company);
- fulfillment of other requirements stipulated by the law, including mandatory information disclosure, audit, verification of the possibility of performing transactions, including interested party transactions and/or major transactions (with regard to persons who are members of the Company’s management bodies and are not employees of the Company);
- conclusion and execution of a contract, one of the parties to which is an individual;
- considering the opportunities for further cooperation;
- conducting negotiations, concluding and executing the contracts under which the Data of the legal entity’s employees are provided;
- promoting the goods, works, services in the market;
5. PRINCIPLES AND CONDITIONS OF DATA PROCESSING
5.1. When processing Data, the Company shall comply with the following principles:
- the Data shall be processed on a legal and equitable basis;
- the Data shall not be disclosed to third parties or distributed without the consent of the Data subject, except for the cases of mandatory data disclosure of the Data under a federal law;
- determination of specific legal purposes prior to the start of Data processing (including collection);
- only the Data, which is necessary and sufficient for the stated processing purpose, is collected;
- consolidation of databases containing the Data processed for incompatible purposes shall not be allowed;
- Data processing shall be restricted by achieving specific predetermined and legal purposes;
- processed Data shall be subject to destruction or anonymizing after the processing purposes have been achieved or if the necessity to achieve such purposes no longer exists, unless otherwise provided for by a federal law.
5.2. The Company may include the subjects’ Data in publicly available Data sources with the subject’s written consent to process their Data.
5.3. The Company shall not process Data relating to race, nationality, political opinions, religious, philosophical and other beliefs, intimate life, or membership in public associations.
5.4. The Company may process data concerning the health status of the Data subject in the following cases:
- in accordance with the legislation on state social assistance, labor legislation, and Russian Federation legislation on state pensions and labor pensions;
- to protect the life, health or other vital interests of the employees, or to protect the life, health or other vital interests of other persons when obtaining the consent of the Data subject is impossible;
- to establish or exercise the rights of an employee or third parties, or in connection with the administration of justice;
- in accordance with the legislation on mandatory types of insurance, and with the insurance legislation. 5.5. The Company shall only transfer Data across borders based on the respective consent of the Data subject.
5.6. In cases stipulated by the legislation of the Russian Federation, the Company may transfer Data to third parties, including state bodies, institutions, and the Bank of Russia.
5.7. The Company is entitled to assign Data processing to third parties with the consent of the Data subject on the basis of a contract concluded with these parties.
5.8. The parties processing the Data based on a contract concluded with the Company (operator’s assignment) shall comply with the principles and rules of Data processing and protection stipulated by the Law. For each third party, the contract shall stipulate a list of actions (operations) with the Data to be performed by the third party processing the Data, the processing purposes, the obligation of such party to keep confidential and ensure security of the Data in the course of processing it, and the requirements to the protection of the Data being processed in accordance with the Law.
5.9. In order to comply with the requirements of the legislation of the Russian Federation and its contractual obligations, the Company shall process the Data automatically and/or manually.
5.10. The combination of processing actions includes collection, recording, arrangement, accumulation, storage, rectification (updating, changing), extraction, use, transfer (provision, access), anonymizing, blocking and destruction of the Data.
6. RIGHTS AND OBLIGATIONS OF DATA SUBJECTS AND THE COMPANY WITH RESPECT TO DATA PROCESSING
6.1. The subject whose Data is processed by the Company shall be entitled to:
- receive from the Company: o confirmation of the processing of the Data and information about the availability of the Data relating to the respective Data subject; o information about the legal grounds for and purposes of the Data processing; o information about the purposes and methods used by the Company to process the Data; o information about the name and location of the Company; information about persons (other than the Company’s employees) who have access to the Data or to whom the Data may be disclosed on the basis of a contract with the Company or on the basis of a federal law; o the processed Data relating to the Data subject and the source from which they were obtained, unless a different procedure for the presentation of such Data is prescribed by a federal law; o information about the period of the Data processing, including the period for which it is kept; o information about the procedure for the exercise by the Data subject of the rights provided for in the Law; o name or last name, first name and patronymic and the address of the party carrying out the processing of the Data on the instruction of the operator, o other information provided for in the Law or other legislative acts of the Russian Federation;
- request from the Company rectification of their Data, its blocking or destruction in the event that the Data is incomplete, outdated, inaccurate, obtained illegally or not necessary for the stated purpose of processing;
- revoke their consent to the processing of Data at any time;
- require that the unlawful actions of the Company in relation to their Data be remedied;
- file a complaint concerning the actions or omissions of the Company to the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) or to the court if the Data subject believes that the Company processes their Data in violation of the requirements of the Law or infringes upon their rights and freedoms;
- to have their rights and legal interests protected, including compensation of losses and/or compensation for moral harm through the courts.
6.2. In the process of Data processing, the Company shall be obliged to:
- provide to the Data subject at their request information concerning the processing of their Data, or to provide a refusal on a legal basis within thirty days from the date of receiving the Data subject’s or their representative’s request;
- explain to the subject of Data the legal consequences of refusal to provide Data if its provision is mandatory under federal law;
- prior to the start of Data processing (if the Data was received from a party other than the Data subject) provide to the Data subject the following information, except for the cases stipulated by Article 18, Part 4 of the Law: o Company’s name and address, or last name, name and patronymic of its representative; o purpose of Data processing and its legal basis; o intended users of the Data; o the rights of Data subjects established by the Law; o source of Data;
- Take necessary legal, organizational, and technical measures or have them taken to protect the Data from illegal and/or unauthorized access, destruction, alteration, blocking, copying, provision, distribution of Data, as well as from other unlawful acts in relation to the Data.
- publish on the Internet and provide unrestricted access via the Internet to the document setting out its Data processing policy, as well as to information concerning the implemented Data protection requirements;
- provide Data subjects and/or their representatives with an opportunity to inspect the Data free of charge upon request within thirty days of receiving such request;
- block illegally processed Data relating to a Data subject or arrange for it to be blocked (if the Data is processed by another party acting on the Company’s behalf) after the respective inquiry or request for the period of inspection, in the event of detecting illegal processing of Data upon an inquiry of a Data subject or their representative, or at the request of a Data subject, their representative, or a competent authority dealing with the issues of protecting the rights of personal data subjects;
- rectify the Data or arrange for it to be rectified (if the Data is processed by another party acting on the Company’s behalf) within seven business days after the information was provided, and unblock the Data in the event that the Data is confirmed as inaccurate based on the information provided by the Data subject or their representative;
- in the event that it is discovered that the Data is being unlawfully processed by the Company or the party acting on the basis of a contract with the Company, the Company shall be obliged, within a period not exceeding three working days from the date of that discovery, to cease the unlawful processing of the Data or to arrange for the unlawful processing of the Data to be terminated by the party acting on the Company’s behalf.
- stop Data processing or arrange for it to be stopped (if the Data is processed by another party acting on the basis of a contract with the Company) and destroy the Data or arrange for it to be destroyed (if the Data is processed by another party acting on the basis of a contract with the Company) after the purpose of the Data processing has been achieved, unless otherwise stipulated by a contract to which the Data subject is a party (a beneficiary or surety);
- stop Data processing or arrange for it to be stopped, destroy the Data or arrange for it to be destroyed in the event that the Data subject revokes their consent to Data processing, if the Company is not entitled to process the Data without the Data subject’s consent;
- maintain a register of Data subjects’ inquiries, in which the requests of Data subjects for receipt of the Data, as well as the facts of Data provision upon these requests shall be registered.
7. REQUIREMENTS TO DATA PROTECTION
7.1. When processing the Data, the Company shall take all necessary legal, organizational, and technical measures to ensure protection of Data from illegal and/or unauthorized access, destruction, alteration, blocking, copying, provision, distribution of Data, as well as from other unlawful acts in relation to the Data.
7.2. In accordance with the Law, such measures shall include:
- the appointment of a person responsible for organizing the processing of the Data;
- development and approval of internal regulations concerning Data processing and protection;
- the application of legal, organizational and technical measures to ensure the security of personal data; o identifying threats to the security of the Data while it is being processed in personal data filing systems; o applying such organizational and technical measures for ensuring the security of the Data while they are being processed in personal data filing systems as are necessary to meet the requirements relating to the protection of the Data which shall be fulfilled in order to ensure the levels of protection of the Data which are established by the Government of the Russian Federation; o applying means of data protection which have duly undergone conformity assessment procedures; o assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of a personal data filing system; o keeping records of media containing the Data, if the Data is stored on such media; o detecting instances of unauthorized access to the Data and taking measures; o restoring the Data which has been modified or destroyed as a result of unauthorized access; o establishing rules for access to personal data being processed in a personal data filing system and providing for the registration and recording of all actions performed on the Data in a personal data filing system;
- monitoring measures taken to ensure the security of the Data and the level of protection of personal data filing systems;
- assessment of harm, which may be inflicted on Data subjects in the event of violating the requirements of the Law, and the correlation between such harm and the measures taken by the Company to ensure that it meets its obligations stipulated by the Law;
- compliance with the conditions that prevent unauthorized access to physical Data storage media and ensure Data security;
- familiarizing the Company’s employees directly processing the Data with the provisions of the legislation of the Russian Federation concerning the Data, including data protection requirements, internal regulations on Data processing and protection, and training of the Company’s employees.
8. DATA PROCESSING (STORAGE) TERMS
8.1. Time periods for Data processing (storage) shall be determined based on the purposes of Data processing in accordance with the validity period of the contract with the Data subject, the requirements set by federal laws, the main rules of archive operation, and limitation periods.
8.2. The Data, whose processing (storage) has expired, shall be subject to destruction, unless otherwise stipulated by a federal law.
8.3. Storage of Data after termination of its processing shall be allowed only after its anonymization.
9. PROCEDURE FOR GETTING EXPLANATIONS CONCERNING DATA PROCESSING ISSUES
9.1. Persons whose Data are processed by the Company can get explanations concerning the processing of their Data by contacting the Company or by sending a written request to the Company’s location: Offices 1 and 2, 2 Barykovsky Lane, Moscow, 119034, Russia.
9.2. An official request sent to the Company shall contain the following information:
- last name, first name, patronymic of the Data subject or their representative;
- the number of the principal identity document of the Data subject or their representative, information about the date of issue of the said document and the issuing authority;
- information confirming the existence of a relationship between the Data subject and the Company;
- contact information to be used by the Company to send a reply;
- signature of the Data subject (or their representative). If the request is sent electronically, it should be executed as an electronic document and signed using an electronic signature in accordance with the legislation of the Russian Federation.
10. FINAL PROVISIONS
10.1. This Policy is the Company’s internal regulation.
10.2. This Policy shall be generally accessible. General accessibility of this Policy shall be ensured by publishing it at the Company’s Website.
10.3. This Policy may be revised in any of the following cases:
- amendment of the legislation of the Russian Federation in the field of personal data processing and protection;
- if instructions from competent state authorities or the Bank of Russia to eliminate discrepancies within the scope of the Policy are received;
- upon the decision of the Company’s management;
- if the purposes or time periods of Data processing change;
- in case of changes in organizational structure, information and/or telecommunication systems (or introduction of new ones);
- if new data processing and protection (including transfer and storage) technologies are applied;
- if it becomes necessary to change the methods of Data processing related to the Company’s activities.
10.4. In the event of failure to comply with the provisions of this Policy, the Company and its employees shall be liable in accordance with the laws of the Russian Federation.
10.5. Compliance with the requirements of this Policy shall be controlled by the persons responsible for the organization of processing of the Company’s Data, as well as for the security of personal data.