PERSONAL DATA PROCESSING POLICY of FabricOn LLC
1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter referred to as the “Personal Data Processing Policy”) of FabricOn LLC (hereinafter referred to as the “Operator”), Taxpayer Identification Number (INN) 1187746685048, located at: 108811 Moscow, Russia, Kievskoe Shosse, 22km (Moskovsky settlement), house 6, bldg. 1, room 95, has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 149-FZ of 27 July 2006 “On Information, Information Technologies and Information Protection”, Federal Law No. 152-FZ of 27 July 2006 “On Personal Data”, the Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 “On Approval of the Requirements for Protection of Personal Data at their Processing in Personal Data Information Systems”, other federal laws and regulations.
1.2. The Policy was developed in compliance with the Constitution of the Russian Federation, legislative and other regulatory legal documents of the Russian Federation in the field of personal data.
1.3. The Personal Data Processing Policy was developed to ensure protection of personal data subject’s rights and freedoms during processing of his/her personal data (hereinafter referred to as “Personal Data”).
1.4. Provisions of this Policy serve as a basis for the development of internal regulatory documents guiding FabricOn LLC in the matters of processing of personal data of employees of FabricOn LLC and other subjects of personal data; they do not cancel internal regulatory documents of FabricOn LLC in force at the moment when the present Policy comes into effect.
2. PURPOSE OF PERSONAL DATA PROCESSING
Personal data is processed by the Operator for the following purposes:
1) Execution and fulfillment of functions, powers and duties imposed on the Operator by the legislation of the Russian Federation, in particular:
- compliance with labor and tax legislation requirements;
- maintaining current bookkeeping and tax accounting, formation, preparation and timely submission of accounting, tax and statistical reports;
- compliance with legal requirements on determining the procedure for processing and protection of personal data of citizens, who are clients or contractors of FabricOn LLC (hereinafter referred to as “Personal Data Subjects”).
2) Exercise of rights and legitimate interests of FabricOn LLC within the activities provided for by the Articles of Association and other internal regulatory documents of FabricOn LLC or third parties or achievement of socially significant goals.
3) Entering into labor relations with individuals.
4) Compliance with applicable labor, accounting, pension and other laws of the Russian Federation.
5) For other lawful purposes.
The Operator processes personal data of different categories of personal data subjects, including processing with the use of personal data information systems, including the following Internet sites of the Operator: https://ocs.ru, https://hr.ocs.ru, as well as other sites of the Operator, which refer to this Policy (hereinafter referred to as the Sites).
3. LEGAL BASIS FOR PERSONAL DATA PROCESSING
Processing of Personal Data shall be based on the following federal laws and regulations:
1) Constitution of the Russian Federation;
2) Labor Code of the Russian Federation;
3) Federal Law No. 152-FZ of 27 July 2006 “On Personal Data”;
4) Federal Law No. 149-FZ of 27 July 2006 “On Information, Information Technologies and Information Protection”;
5) Specific regulations governing the organization of personal data processing without the use of automation tools, approved by Decree of the Government of the Russian Federation No. 687 of 15 September 2008;
6) Decree No. 1119 of November 1, 2012 on the approval of the requirements for the protection of personal data during processing in personal data information systems;
7) Order of the Federal Service for Technical and Export Control of Russia No. 55, Order of the Federal Security Service of Russia No. 86, Order of the Ministry of Information and Communication of Russia No. 20 of 13 February 2008 “On Approval of the Classification Procedure of Personal Data Information Systems”;
8) Order of the Federal Service for Technical and Export Control of Russia No. 21 of February 18, 2013 “On Approval of Content and Scope of Organizational and Technical Measures to Ensure Security of Personal Data in Processing of Personal Data in Personal Data Information Systems”;
9) Order of Roskomnadzor No. 996 of September 5, 2013 “On Approval of Requirements and Methods for Depersonalization of Personal Data”;
10) Order of the Federal Tax Service of November 17, 2010 No. ММВ-7-3/611 “On approval of the form of information on income of individuals and recommendations for its completion, the format of information on income of individuals in electronic form, directories”;
11) Other regulatory legal documents of the Russian Federation and regulatory documents of authorized government bodies.
4. OPERATIONS WITH PERSONAL DATA
When processing Personal Data, the Operator will perform the following actions with Personal Data: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access; including transfer to third parties in Russia), anonymization, blocking, deletion, destruction of personal data.
5. CONTENTS OF PERSONAL DATA TO BE PROCESSED
5.1. The Operator shall process the Personal Data of the following Data subjects:
- Operator’s employees;
- Operator’s customers;
- Operator’s counterparties;
- Individuals who have applied to the Operator in the manner prescribed by the Federal Law “On the Procedure for Consideration of Applications of Citizens of the Russian Federation”;
- Candidates to fill vacant positions.
5.2. The contents of Personal Data of each category of the personal data subjects listed in Clause 5.1 of these Regulations shall be determined in accordance with the regulatory documents listed in Section 3 of these Regulations, as well as the Operator’s regulatory documents issued to ensure compliance with them.
5.3. In cases stipulated by applicable law, the subject of personal data makes a decision to provide his/her Personal Data to the Operator and gives consent to their processing voluntarily, of his/her own free will and in his/her own interest.
5.4. The Operator shall ensure that the content and scope of processed Personal Data correspond to the declared processing purposes and, if necessary, take measures to eliminate their redundancy in relation to the declared processing purposes.
5.5. FabricOn LLC does not process special personal data categories concerning ethnicity, nationality, political, religious or philosophical beliefs, and/or privacy.
5.6. For the categories of subjects specified in Clause 5.1, the following data may be processed: surname, name, patronymic; year, month, date of birth; place of birth, address; marital status; social status; property status; education; occupation; income; Taxpayer Identification Number (INN), Personal Insurance Policy Number (SNILS), contact information (phone, e-mail address), other information provided for by standard forms and established processing procedure. Personal data may also include other information and data as prescribed by the forms and processing procedures, including information on IP addresses and cookies.
The Operator may passively collect personal data in the form of statistical information on the current connection: user ID assigned by the site; pages visited; number of visits to pages; information on user’s path through the site pages; duration of the user session; entry points (third-party sites from which the user links to the site); exit points (links on the site from which the user goes to third-party sites); user country; user region; timezone set on the user’s device; user’s service provider; user’s browser; canvas fingerprint; available browser fonts; installed browser plugins; WebGL settings of the browser; type of available media devices in the browser; ActiveX availability; list of languages supported on the user’s device; user’s device processor architecture; user’s operating system; screen properties (resolution, color depth, properties of page display on screen); information on usage of automation in accessing the website.
The Operator may use third-party Internet services (third-party technologies) to organize the collection of statistical personal data; third-party Internet services store the data received on their own servers. The Operator is not responsible for localization of servers of the third-party Internet services. At the same time, such third-party Internet services (third-party technologies) installed on the site and used by the Operator can install and read cookies from the browsers of end users accessing the site, or use web beacons to collect information in the process of advertising activities on the site. The manner of collection and use of data collected by such third-party Internet services (third-party technologies) shall be determined independently by these third-party Internet services, and they shall be directly responsible for compliance with this procedure and the use of the data collected by them. In particular, these third-party Internet services are responsible for and ensure compliance with applicable laws, including the legislation on personal data of the Russian Federation.
The Operator shall not compare information that is provided by users themselves and that allows the subject of personal data to be identified with statistical personal data obtained through the application of similar passive methods of information collection.
5.7. The personal data shall not be stored and processed longer than required for the purposes of personal data processing, if there is no legal basis for further processing, for example, if the federal law or the agreement with the personal data subject does not specify an appropriate retention period.
6. PERSONAL DATA PROCESSING
6.1. FabricOn LLC processes personal data as follows:
- non-automated personal data processing;
- automated personal data processing with or without the transfer of information received over the information and telecommunication networks;
- mixed personal data processing.
7. ENSURING PROTECTION OF PERSONAL DATA WHEN PROCESSED BY THE OPERATOR
7.1. The Operator shall take all the necessary and sufficient measures to ensure fulfilment of obligations under Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” and regulatory documents adopted in accordance therewith. The Operator shall independently determine the content and scope of measures necessary and sufficient to ensure the implementation of the obligations established by Federal Law No. 152-FZ of 27 July 2006 “On Personal Data”, Decree of the Government of the Russian Federation No. 687 of 15 September 2008 “On Approval of the Regulation on the Particularities of the Processing of Personal Data Carried Out Without the Use of Automation Equipment”, Government Decree No. 1119 of 1 November 2012 “On the Approval of the Requirements for the Protection of Personal Data at Their Processing in Personal Data Information Systems”, Order of the Federal Service for Technical and Export Control of Russia No. 21 of 18 February 2013 “On Approval of Content and Scope of Organizational and Technical Measures to Ensure Security of Personal Data in Processing of Personal Data in Personal Data Information Systems” and other regulatory legal documents, unless otherwise provided by federal laws. Such measures include:
- appointing a person responsible for organizing personal data processing by the Operator;
- adopting any documents regulating the Operator’s personal data processing policy, in-house personal data processing policies and procedures and regulations setting forth procedures aimed at preventing and detecting violations of the Russian law and eliminating the consequences of such violations;
- taking legal, organizational and technical measures to ensure personal data security;
- maintaining internal control and (or) conducting audits of the compliance of personal data processing with the Federal Law “On Personal Data” and regulatory legal documents adopted in pursuance thereof, requirements to personal data protection, the Operator’s personal data policy and internal regulations and procedures;
- evaluating damage as may be caused to data subjects in case of breach of the Federal Law “On Personal Data”, and the correlation between such damage and the measures taken by the Company in order to fulfill the duties stipulated by the Federal Law “On Personal Data”;
- familiarizing the Operator’s employees directly involved in personal data processing with the provisions of the Russian legislation with regards to personal data, including requirements to personal data protection, documents defining the Operator’s policy with regards to personal data processing, and internal regulations on various issues of personal data processing, and/or training said employees.
7.2. When processing personal data, the Operator must take appropriate organizational and technical measures (or ensure such measures are taken) to protect personal data against unauthorized or accidental access, destruction, modification, blocking, copying, submission, distribution of the personal data, as well as other unlawful acts in relation to the personal data.
8. RIGHT OF THE SUBJECT OF PERSONAL DATA TO ACCESS HIS/HER PERSONAL DATA
8.1. A personal data subject is entitled to demand that the Operator clarify, block or destroy his/her personal data if said data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the declared purpose of processing, and to take measures to defend his/her rights as stipulated in the law.
8.2. The details shall be provided to the personal data subject or his/her representative by the Operator upon request, or upon receiving a written inquiry of the personal data subject or his/her representative. Such inquiry shall contain the number of the primary identity document of the personal data subject or his/her representative, information on the date of issue and issuing authority of that document, documents confirming the personal data subject’s relationship with the Operator (contract number and date, conventional verbal designation and/or other data), or information otherwise confirming the fact of personal data processing by the Operator, the personal data subject’s and his/her representative’s signature. The inquiry may be sent in the form of an electronic document and certified with electronic signature in accordance with the laws of the Russian Federation.
8.3. The Operator may refuse to fulfill the repeated request of the personal data subject. Such refusal must be reasoned. It is the responsibility of the Operator to provide evidence of the reasonable nature of the refusal to fulfil a repeated request.
8.4. A personal data subject shall be eligible to be provided with information concerning the processing of the subject’s personal data, in particular, with information concerning:
- confirmation of the fact of personal data processing by the Operator;
- legal grounds and purposes of personal data processing;
- the Operator’s purposes and methods of personal data processing;
- the Operator’s name and location, information on persons (except for the Operator’s employees) who have access to the personal data or to whom personal data may be disclosed based on an agreement with the Operator or under federal law;
- data related to the respective personal data subject and the source from which said personal data has been obtained, unless a different procedure for provision of such data is stipulated by the federal law;
- personal data processing and storage term;
- the mode for the exercise of the personal data subject’s rights as stipulated by the Federal Law “On Personal Data”;
- details of a cross-border data transfer accomplished or intended;
- business name or full name and address of the person processing personal data on behalf of the Operator, if such person is or will be appointed to perform personal data processing.
8.5. If the subject of personal data believes that the Operator processes his/her personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal against the actions or omission of the Operator to the authority empowered to protect the rights of subjects of personal data or in court.
8.6. A data subject shall be entitled to protection of his/her rights and legitimate interests, in particular, to compensation of losses and (or) moral damage through courts.
8.7. A personal data subject shall be eligible to be provided with information concerning the processing of the subject’s personal data by the Operator. As such, he/she may send a written request to: 108811 Moscow, Russia, Kievskoe Shosse, 22km (Moskovsky settlement), house 6, bldg. 1, room 7, marked “Request for information on the processing of personal data”.
9. ROLES AND RESPONSIBILITIES
9.1. The Operator’s rights and obligations are determined by applicable laws and the Operator’s agreements.
9.2. Control over compliance with the requirements of this Policy shall be exercised by the person responsible for organization of personal data processing and the Operator’s information security department within the scope of their authority.
9.3. Liability of persons involved in processing personal data under the Operator’s instructions for unauthorized use of personal data shall be established in accordance with the terms of a civil law contract or a Confidentiality Agreement concluded between the Operator and the counterparty.
9.4. Persons found guilty of violating the rules governing the receipt, processing and protection of personal data shall be subject to financial, disciplinary, administrative, civil or criminal responsibility as stipulated by the federal laws, in-house documents and agreements of the Operator.
9.5. This Policy shall be developed by the person responsible for organization of personal data processing and shall be put into effect upon approval by the Operator's Head. Suggestions and comments for changes to the Policy should be sent to email@example.com. The Policy is reviewed and updated as necessary.