Personal Data Processing Policy of
iFCM GROUP LLC
1. General Provisions
1.1. This Personal Data Processing Policy ("Policy"), drafted pursuant to Par. 2, Art. 18.1 of the Russian Federal Personal Data Act No. 152-FZ of July 27, 2006, the Constitution of the Russian Federation, and the Labor Code of the Russian Federation, applies to any and all personal data processed by iFCM GROUP LLC ("Operator").
1.2. The purpose of this Policy is to codify the personal data processed by the Operator and define the basic principles by which the Operator shall be guided in the processing of personal data.
1.3. The provisions of this Policy are binding on all employees of the Operator, any organizations receiving or providing personal data from/to the Operator, and any individuals abiding in a contractual relationship with the Operator.
1.4. The following terms used in this Policy shall have the definitions given below:
- Personal Data is any information pertaining to an individual person who can be directly or indirectly identified or is rendered identifiable by such information ("Personal Data Subject");
- Personal Data Operator/Operator is a state or municipal government agency, legal entity or individual that, independently or jointly with other actors, processes personal data and/or causes the same to be processed, and defines the purposes of its personal data processing, the composition of personal data to be processed, and the actions/operations to be performed with personal data;
- Personal Data Processingis any action/operation or a set of actions/operations with personal data, whether performed with or without the use of automation. The processing of personal data may include, without being limited to, any or all of the following:
o collecting;
o recording;
o systematization;
o accumulation;
o storage;
o updating and/or modification;
o extraction;
o use;
o transfer (dissemination, transmission, or access);
o blocking;
o deletion;
o annihilation.
- Automated Processing of Personal Data is personal data processing administered through the use of computer technology;
- Dissemination of Personal Data refers to any action aimed at disclosing personal data to an indefinite or unlimited number of persons;
- Transmission of Personal Data refers to any act aimed at disclosing personal data to a specific person or a specific circle of persons;
- Blocking of Personal Data is temporary cessation of personal data processing (except where processing is required to update the personal data);
- Annihilation of Personal Data refers to any action that makes it impossible to restore the content of personal data in the Personal Data IT system and/or results in the annihilation of the physical media on which the personal data was stored;
- Personal Data IT System is the combination of personal data contained in the databases, and the information technology and hardware that make the processing of personal data possible;
- Cross-Border Transfer of Personal Data is transfer of personal data to a foreign government agency, a foreign national, a foreign legal entity, or any other recipient in the territory of a foreign state.
- Privacy of Personal Data: it is a duty of the Operator and of any other actor having gained access to personal data not to divulge the same to any third party and not to disseminate personal data without the consent of the personal data subject, save as otherwise prescribed by federal law.
- Personal Data Subject (PD Subject) is any identified or identifiable individual. Such persons may include employees of the Operator, legal representatives of employees, family members of employees, counterparty proxies, or others;
1.5. Personal data subjects or their legal representatives have the following rights:
- to receive full information about their personal data and the processing of same (automated or not);
- to exercise free, unrestricted access to their personal data, including the right to obtain copies of any record containing the subject's personal data, save as otherwise specifically provided by the federal laws of the Russian Federation;
- to demand that any personal data that is found incorrect or incomplete, or not legally processed under Russian law be deleted or corrected;
- should the Operator or its authorized officer refuse to delete or correct the subject's personal data, to state their objections in writing, appending the appropriate evidence;
- to demand that the Operator or its authorized officer inform all persons to whom the incorrect or incomplete personal data of the subject had been previously communicated of all changes made to such data or deletions therefrom;
- to appeal in court against any unlawful act or omission of the Operator or its authorized officer in the processing or protection of the subject's personal data;
- any other rights provided by applicable law.
1.6. It is a duty of personal data subjects or their legal representatives:
- to provide accurate personal data to the Operator;
- to notify the Operator in a timely manner of any change in the subject's personal data.
1.7. The Operator is at liberty to process personal data on condition that there is a legitimate basis and the processing procedures are in compliance with the stated purposes of processing, the provisions of Russian law, this Policy, and other internal statutes of the Operator.
1.8. It is the Operator's duty:
- at its own cost to procure protection of the personal data from unauthorized use or loss in the manner prescribed by Russian law;
- to provide to the personal data subject at their request any information about the processing of their personal data, or withhold such information on legitimate grounds;
- to grant the subject unrestricted access free of charge to their personal data, including the right to obtain copies of any record containing their personal data, save as otherwise provided by Russian law;
- at the request of the personal data subject, to update, block of delete any processed personal data found incomplete, out-of-date, inaccurate, illegally obtained or redundant for the stated purpose of processing;
- to keep a log of personal data subject requests wherein to record personal data subjects' requests for personal data and every instance of personal data issued in response to such requests;
- to notify the personal data subject of the processing of their personal data in the event that the personal data in question was not received from the personal data subject;
- once the purpose of personal data processing has been fulfilled, to immediately cease the processing of the personal data in question and annihilate the personal data concerned within a maximum of thirty days from the date when the personal data processing purpose was deemed fulfilled, save as otherwise provided by Russian federal law, and to notify the personal data subject or their legal representative accordingly, and in case the request or query had been sent by a competent authority for the protection of the rights of personal data subjects, also notify the said authority;
- in the event of a personal data subject withdrawing their consent for the processing of their personal data, to cease the processing of the personal data in question and annihilate such personal data within a maximum of thirty days from the date when the notice of withdrawal was received, unless otherwise provided by the contract between the Operator and the personal data subject;
- to disclose the subject's personal data to authorized persons only, and only to the extent necessary for them to perform their job duties in accordance with this Policy and the laws of the Russian Federation.
2. Purposes of Personal Data Processing
2.1. The Operator has defined and codified sets of specific processing purposes for each category of personal data. No processing of personal data is permitted outside the authorized purposes of processing.
iFCM GROUP LLC
1. General Provisions
1.1. This Personal Data Processing Policy ("Policy"), drafted pursuant to Par. 2, Art. 18.1 of the Russian Federal Personal Data Act No. 152-FZ of July 27, 2006, the Constitution of the Russian Federation, and the Labor Code of the Russian Federation, applies to any and all personal data processed by iFCM GROUP LLC ("Operator").
1.2. The purpose of this Policy is to codify the personal data processed by the Operator and define the basic principles by which the Operator shall be guided in the processing of personal data.
1.3. The provisions of this Policy are binding on all employees of the Operator, any organizations receiving or providing personal data from/to the Operator, and any individuals abiding in a contractual relationship with the Operator.
1.4. The following terms used in this Policy shall have the definitions given below:
- Personal Data is any information pertaining to an individual person who can be directly or indirectly identified or is rendered identifiable by such information ("Personal Data Subject");
- Personal Data Operator/Operator is a state or municipal government agency, legal entity or individual that, independently or jointly with other actors, processes personal data and/or causes the same to be processed, and defines the purposes of its personal data processing, the composition of personal data to be processed, and the actions/operations to be performed with personal data;
- Personal Data Processingis any action/operation or a set of actions/operations with personal data, whether performed with or without the use of automation. The processing of personal data may include, without being limited to, any or all of the following:
o collecting;
o recording;
o systematization;
o accumulation;
o storage;
o updating and/or modification;
o extraction;
o use;
o transfer (dissemination, transmission, or access);
o blocking;
o deletion;
o annihilation.
- Automated Processing of Personal Data is personal data processing administered through the use of computer technology;
- Dissemination of Personal Data refers to any action aimed at disclosing personal data to an indefinite or unlimited number of persons;
- Transmission of Personal Data refers to any act aimed at disclosing personal data to a specific person or a specific circle of persons;
- Blocking of Personal Data is temporary cessation of personal data processing (except where processing is required to update the personal data);
- Annihilation of Personal Data refers to any action that makes it impossible to restore the content of personal data in the Personal Data IT system and/or results in the annihilation of the physical media on which the personal data was stored;
- Personal Data IT System is the combination of personal data contained in the databases, and the information technology and hardware that make the processing of personal data possible;
- Cross-Border Transfer of Personal Data is transfer of personal data to a foreign government agency, a foreign national, a foreign legal entity, or any other recipient in the territory of a foreign state.
- Privacy of Personal Data: it is a duty of the Operator and of any other actor having gained access to personal data not to divulge the same to any third party and not to disseminate personal data without the consent of the personal data subject, save as otherwise prescribed by federal law.
- Personal Data Subject (PD Subject) is any identified or identifiable individual. Such persons may include employees of the Operator, legal representatives of employees, family members of employees, counterparty proxies, or others;
1.5. Personal data subjects or their legal representatives have the following rights:
- to receive full information about their personal data and the processing of same (automated or not);
- to exercise free, unrestricted access to their personal data, including the right to obtain copies of any record containing the subject's personal data, save as otherwise specifically provided by the federal laws of the Russian Federation;
- to demand that any personal data that is found incorrect or incomplete, or not legally processed under Russian law be deleted or corrected;
- should the Operator or its authorized officer refuse to delete or correct the subject's personal data, to state their objections in writing, appending the appropriate evidence;
- to demand that the Operator or its authorized officer inform all persons to whom the incorrect or incomplete personal data of the subject had been previously communicated of all changes made to such data or deletions therefrom;
- to appeal in court against any unlawful act or omission of the Operator or its authorized officer in the processing or protection of the subject's personal data;
- any other rights provided by applicable law.
1.6. It is a duty of personal data subjects or their legal representatives:
- to provide accurate personal data to the Operator;
- to notify the Operator in a timely manner of any change in the subject's personal data.
1.7. The Operator is at liberty to process personal data on condition that there is a legitimate basis and the processing procedures are in compliance with the stated purposes of processing, the provisions of Russian law, this Policy, and other internal statutes of the Operator.
1.8. It is the Operator's duty:
- at its own cost to procure protection of the personal data from unauthorized use or loss in the manner prescribed by Russian law;
- to provide to the personal data subject at their request any information about the processing of their personal data, or withhold such information on legitimate grounds;
- to grant the subject unrestricted access free of charge to their personal data, including the right to obtain copies of any record containing their personal data, save as otherwise provided by Russian law;
- at the request of the personal data subject, to update, block of delete any processed personal data found incomplete, out-of-date, inaccurate, illegally obtained or redundant for the stated purpose of processing;
- to keep a log of personal data subject requests wherein to record personal data subjects' requests for personal data and every instance of personal data issued in response to such requests;
- to notify the personal data subject of the processing of their personal data in the event that the personal data in question was not received from the personal data subject;
- once the purpose of personal data processing has been fulfilled, to immediately cease the processing of the personal data in question and annihilate the personal data concerned within a maximum of thirty days from the date when the personal data processing purpose was deemed fulfilled, save as otherwise provided by Russian federal law, and to notify the personal data subject or their legal representative accordingly, and in case the request or query had been sent by a competent authority for the protection of the rights of personal data subjects, also notify the said authority;
- in the event of a personal data subject withdrawing their consent for the processing of their personal data, to cease the processing of the personal data in question and annihilate such personal data within a maximum of thirty days from the date when the notice of withdrawal was received, unless otherwise provided by the contract between the Operator and the personal data subject;
- to disclose the subject's personal data to authorized persons only, and only to the extent necessary for them to perform their job duties in accordance with this Policy and the laws of the Russian Federation.
2. Purposes of Personal Data Processing
2.1. The Operator has defined and codified sets of specific processing purposes for each category of personal data. No processing of personal data is permitted outside the authorized purposes of processing.
Personal data may be processed by the Operator for any of the following purposes:
- Hiring staff to fill vacant positions;
- Assessing whether the applicant is suitable for the job;
- Building a succession pool;
- Delivery of medical examinations;
- HR record keeping;
- Fulfillment of employer's duties as required by employment contracts and the laws of the Russian Federation;
- Military record keeping;
- Any data records necessary in evidence of the employer/employee relations as required under the laws of the Russian Federation, and records of responses to the queries of government agencies and the Operator's officers, active or former.
- Conclusion, continuation and termination of civil law contracts, payment of extra bonuses;
- Payroll calculations;
- Storage and annihilation of documents;
- Any disclosures necessary to comply with the laws for the time being in force in the Russian Federation;
- Adding an employee to a payroll scheme;
- Issuance of permanent access passes for employees;
- Issuance of one-time passes for visitors;
- Grant of access to corporate premises;
- Issuance of business travel documents;
- Ticket purchases, hotel reservations;
- Reimbursement for travel expenses;
- Visa support;
- Assistance in taking out an insurance policy;
- Invitations for foreign employees;
- Issuance of powers of attorney to act on behalf of the Operator;
- Issuance of powers of attorney to handle valuable inventories;
- Issuance of documents for the sale of inventories to employees;
- Identification of counterparty representatives acting by proxy;
- Foreign employee record keeping for migration control purposes;
- Preparation and filing of statutory reporting;
- Reporting to Rospotrebnadzor on the measles immunization status of foreign nationals;
- Financial and tax accounting;
- Preparation and submission of statements to government agencies (Pension Fund, Social Security Fund, Taxation Service)
- Payout of benefits as required by Russian law;
- Grant of access to IT systems and user profile management;
- Registration in GIS Mercury;
- Primary health examinations and repeat examinations before and after the trip;
- COVID tests, compliance with CEA's anti-COVID policy and the Operator's customers' requirements for access to restricted facilities;
- Ordering taxicabs;
- Contracting, contract supervision, and delivery of contracted services (accommodation / observation at customer sites, ordering of access passes for customer sites, food catering and full board, access to a personal account, allowances for customer employees, transportation services);
- Delivery and accounting for compulsory professional training;
- Connection to talent management platform;
- Collection and analysis of statistics;
- Adding employees to the corporate optional health insurance plan;
- Adding employees' family members to the corporate optional insurance plan;
- Ordering business cards;
- Maintenance and administration of IT systems;
- Statutory financial audits of the company as prescribed by law.
2.2. The personal data in processing shall be annihilated or depersonalized upon the lapse of its retention period, upon the fulfilment of its processing purposes or when the said purposes stop being relevant, save as otherwise prescribed by law.
2.3. The annihilation/depersonalization procedure shall be regulated by internal statutes of the Operator.
3. Legal Basis for Personal Data Processing
The personal data categories named below are processed, inter alia, in compliance with the provisions of the Tax Code of the Russian Federation, Federal Law № 402-FZ On Accounting, Federal Law N 125-FZ On the Business of Archiving in the Russian Federation, Rosarkhiv Order No. 236 of December 20, 2019 On Ratification of the List of Standard Management Archive Documents Generated by the Work Processes of State Government Agencies, Local Self-Governments and Organizations, with Indication of the Retention Periods Thereof, and other laws and statutes of the Russian Federation, in pursuance of the implementation and fulfilment of the functions, powers and duties vested in the Operator under the laws of the Russian Federation.
- Hiring staff to fill vacant positions;
- Assessing whether the applicant is suitable for the job;
- Building a succession pool;
- Delivery of medical examinations;
- HR record keeping;
- Fulfillment of employer's duties as required by employment contracts and the laws of the Russian Federation;
- Military record keeping;
- Any data records necessary in evidence of the employer/employee relations as required under the laws of the Russian Federation, and records of responses to the queries of government agencies and the Operator's officers, active or former.
- Conclusion, continuation and termination of civil law contracts, payment of extra bonuses;
- Payroll calculations;
- Storage and annihilation of documents;
- Any disclosures necessary to comply with the laws for the time being in force in the Russian Federation;
- Adding an employee to a payroll scheme;
- Issuance of permanent access passes for employees;
- Issuance of one-time passes for visitors;
- Grant of access to corporate premises;
- Issuance of business travel documents;
- Ticket purchases, hotel reservations;
- Reimbursement for travel expenses;
- Visa support;
- Assistance in taking out an insurance policy;
- Invitations for foreign employees;
- Issuance of powers of attorney to act on behalf of the Operator;
- Issuance of powers of attorney to handle valuable inventories;
- Issuance of documents for the sale of inventories to employees;
- Identification of counterparty representatives acting by proxy;
- Foreign employee record keeping for migration control purposes;
- Preparation and filing of statutory reporting;
- Reporting to Rospotrebnadzor on the measles immunization status of foreign nationals;
- Financial and tax accounting;
- Preparation and submission of statements to government agencies (Pension Fund, Social Security Fund, Taxation Service)
- Payout of benefits as required by Russian law;
- Grant of access to IT systems and user profile management;
- Registration in GIS Mercury;
- Primary health examinations and repeat examinations before and after the trip;
- COVID tests, compliance with CEA's anti-COVID policy and the Operator's customers' requirements for access to restricted facilities;
- Ordering taxicabs;
- Contracting, contract supervision, and delivery of contracted services (accommodation / observation at customer sites, ordering of access passes for customer sites, food catering and full board, access to a personal account, allowances for customer employees, transportation services);
- Delivery and accounting for compulsory professional training;
- Connection to talent management platform;
- Collection and analysis of statistics;
- Adding employees to the corporate optional health insurance plan;
- Adding employees' family members to the corporate optional insurance plan;
- Ordering business cards;
- Maintenance and administration of IT systems;
- Statutory financial audits of the company as prescribed by law.
2.2. The personal data in processing shall be annihilated or depersonalized upon the lapse of its retention period, upon the fulfilment of its processing purposes or when the said purposes stop being relevant, save as otherwise prescribed by law.
2.3. The annihilation/depersonalization procedure shall be regulated by internal statutes of the Operator.
3. Legal Basis for Personal Data Processing
The personal data categories named below are processed, inter alia, in compliance with the provisions of the Tax Code of the Russian Federation, Federal Law № 402-FZ On Accounting, Federal Law N 125-FZ On the Business of Archiving in the Russian Federation, Rosarkhiv Order No. 236 of December 20, 2019 On Ratification of the List of Standard Management Archive Documents Generated by the Work Processes of State Government Agencies, Local Self-Governments and Organizations, with Indication of the Retention Periods Thereof, and other laws and statutes of the Russian Federation, in pursuance of the implementation and fulfilment of the functions, powers and duties vested in the Operator under the laws of the Russian Federation.
3.9. The personal data of website visitors shall be processed subject to their consent to having their personal data processed and in keeping with the Operator's Cookie Policy.
4. Scope and Categories of Personal Data Processed, Categories of Personal Data Subjects
4.1. The operator processes personal data of the following categories of subjects:
- Job applicants
- Employees
- Family members of employees
- Visitors to the Operator's premises
- Dismissed employees
- Counterparty proxies
- Individual counterparties
- Website visitors
- Individual customers of counterparties
4.9. The personal data of a counterparty's individual customer includes:
Last name, given name, patronymic;
Phone number;
Class affiliation/Corporate unit;
Date of birth; (if a student)
Employee ID number;
Email;
4.10. The personal data of a website visitor includes:
OS type and version,
Browser type and version,
Device type and screen resolution,
How the visitor landed on the website: the other website they came from or the ad they clicked on,
OS and browser language,
User's actions on the website,
IP address;
statistical data;
4. Scope and Categories of Personal Data Processed, Categories of Personal Data Subjects
4.1. The operator processes personal data of the following categories of subjects:
- Job applicants
- Employees
- Family members of employees
- Visitors to the Operator's premises
- Dismissed employees
- Counterparty proxies
- Individual counterparties
- Website visitors
- Individual customers of counterparties
4.9. The personal data of a counterparty's individual customer includes:
Last name, given name, patronymic;
Phone number;
Class affiliation/Corporate unit;
Date of birth; (if a student)
Employee ID number;
Email;
4.10. The personal data of a website visitor includes:
OS type and version,
Browser type and version,
Device type and screen resolution,
How the visitor landed on the website: the other website they came from or the ad they clicked on,
OS and browser language,
User's actions on the website,
IP address;
statistical data;
5. Terms and Conditions of Personal Data Processing
5.1. The Operator receives all personal data directly from the personal data subject, their legal representative or the person who instructed the Operator to process the personal data, save as otherwise provided by Russian law.
5.2. Personal data is to be processed with the consent of the personal data subject, save as otherwise provided by Russian law. Consent can be expressed in a variety of forms that make it possible to ascertain that consent has in fact been given, such as through implicative action, as a separate document in writing, or as part of some other document signed by the subject. Consent may be given by the subject's legal representative, as long as the latter furnishes sufficient evidence of their powers.
5.3. Unless otherwise provided by federal law, the Operator may delegate the processing of personal data to another person, subject to the personal data subject's consent, on the strength of a contract with such person. The person processing personal data on behalf of the Operator must commit to observing the principles and rules prescribed by FZ-152 and this Policy, including certain other requirements for personal data processing.
5.4. The personal data subject may withdraw their consent for the processing of their personal data. In certain cases expressly provided by Russian law, the processing of personal data may continue after the subject withdraws their processing consent.
5.5. In making decisions that affect the interests of the subject, the Operator shall never act on the subject's personal data obtained solely through automated processing or electronic procurement.
5.6. Personal data shall not be used for the purpose of causing property damage and/or moral anguish to citizens, or to hinder the exercise by citizens of the Russian Federation of their rights and freedoms.
5.7. Access to personal data shall be granted to those employees of the Operator who need to know such personal data to be able to perform their job duties.
5.8. The Operator's employees may not transfer personal data to a third party without the subject's permission in writing, save as otherwise provided by Russian law.
5.9. The Operator may reveal personal data to detective and investigative authorities or other jurisdictional authorities on legitimate grounds as provided by the laws of the Russian Federation for the time being in force.
5.10. The Operator shall be at liberty to create public sources of personal data, which, however, may not include the personal data of a personal data subject without their express written consent.
5.11. The personal data of a subject may not be transmitted for commercial purposes without their consent in writing.
5.12. Should it become imperative for the Operator to transmit personal data to a third party, such transmission may not be effectuated unless and until the Operator and the third party have signed a nondisclosure agreement, save where otherwise specifically provided by Russian law.
5.13. Personal data may be processed with or without the use of computer equipment.
In the ordinary course of business, the time limits for the processing of personal data by the Operator shall correspond to the time limits established by Federal Personal Data Act No. 152-FZ of July 27, 2006; the effective term of the pertinent contract; the time limits agreed on in the instruction to process personal data; the effective terms of documents as prescribed by Federal Law No. 125-FZ On the Business of Archiving in the Russian Federation; Rosarkhiv Order No. 236 of December 20, 2019 On Ratification of the List of Standard Management Archive Documents Generated by the Work Processes of State Government Agencies, Local Self-Governments and Organizations, with Indication of the Retention Periods Thereof; the applicable action prescription, the effective term of the processing consent given by the personal data subject, and other applicable provisions of Russian law.
5.1. The Operator receives all personal data directly from the personal data subject, their legal representative or the person who instructed the Operator to process the personal data, save as otherwise provided by Russian law.
5.2. Personal data is to be processed with the consent of the personal data subject, save as otherwise provided by Russian law. Consent can be expressed in a variety of forms that make it possible to ascertain that consent has in fact been given, such as through implicative action, as a separate document in writing, or as part of some other document signed by the subject. Consent may be given by the subject's legal representative, as long as the latter furnishes sufficient evidence of their powers.
5.3. Unless otherwise provided by federal law, the Operator may delegate the processing of personal data to another person, subject to the personal data subject's consent, on the strength of a contract with such person. The person processing personal data on behalf of the Operator must commit to observing the principles and rules prescribed by FZ-152 and this Policy, including certain other requirements for personal data processing.
5.4. The personal data subject may withdraw their consent for the processing of their personal data. In certain cases expressly provided by Russian law, the processing of personal data may continue after the subject withdraws their processing consent.
5.5. In making decisions that affect the interests of the subject, the Operator shall never act on the subject's personal data obtained solely through automated processing or electronic procurement.
5.6. Personal data shall not be used for the purpose of causing property damage and/or moral anguish to citizens, or to hinder the exercise by citizens of the Russian Federation of their rights and freedoms.
5.7. Access to personal data shall be granted to those employees of the Operator who need to know such personal data to be able to perform their job duties.
5.8. The Operator's employees may not transfer personal data to a third party without the subject's permission in writing, save as otherwise provided by Russian law.
5.9. The Operator may reveal personal data to detective and investigative authorities or other jurisdictional authorities on legitimate grounds as provided by the laws of the Russian Federation for the time being in force.
5.10. The Operator shall be at liberty to create public sources of personal data, which, however, may not include the personal data of a personal data subject without their express written consent.
5.11. The personal data of a subject may not be transmitted for commercial purposes without their consent in writing.
5.12. Should it become imperative for the Operator to transmit personal data to a third party, such transmission may not be effectuated unless and until the Operator and the third party have signed a nondisclosure agreement, save where otherwise specifically provided by Russian law.
5.13. Personal data may be processed with or without the use of computer equipment.
In the ordinary course of business, the time limits for the processing of personal data by the Operator shall correspond to the time limits established by Federal Personal Data Act No. 152-FZ of July 27, 2006; the effective term of the pertinent contract; the time limits agreed on in the instruction to process personal data; the effective terms of documents as prescribed by Federal Law No. 125-FZ On the Business of Archiving in the Russian Federation; Rosarkhiv Order No. 236 of December 20, 2019 On Ratification of the List of Standard Management Archive Documents Generated by the Work Processes of State Government Agencies, Local Self-Governments and Organizations, with Indication of the Retention Periods Thereof; the applicable action prescription, the effective term of the processing consent given by the personal data subject, and other applicable provisions of Russian law.
5.19. Personal data shall be annihilated upon the attainment of the purposes of processing, in the event of the processing purposes becoming irrelevant, upon the expiration of the retention period, upon detection of an instance of unlawful processing or at the request of the person having commissioned the processing of the personal data, within no more than thirty days of the date when the purpose of personal data processing is fulfilled, or in the event of the processing instruction being revoked. The annihilation shall be administered in the presence of a panel of witnesses. The fact of annihilation shall be documented with a memorandum.
6. Protection of Personal Data
6.1. The Operator shall procure the protection of personal data from unauthorized or accidental access, loss, modification, blocking, copying, dissemination, and any other unlawful manipulations.
6.2. The Operator shall procure the protection of personal data in the manner contemplated by the applicable Russian laws and the Operator's internal statutes, and namely by implementing a suite of organizational and technical facilities to ensure data security.
6.3. All protection measures deployed in the collection, processing, storage and transmission of the subject's personal data shall apply to both paper and electronic (automated) media.
7. Updating, Correction, Deletion and Annihilation of Personal Data
7.1. The operator may in its discretion enter, supplement, modify, block or delete personal data, subject to the provisions of Russian federal law.
7.2. At the request of the personal data subject, the Operator shall:
- reveal whether the Operator is in possession of the subject's personal data;
- give the subject an opportunity to review their personal data (exception as per Art. 14, Part 5, FZ-152);
- update the personal data if it is found inaccurate or has changed;
- block or destroy personal data if it is found to have been obtained illegally or is deemed redundant for the stated purpose of processing or the subject's consent has been withdrawn.
7.3. The personal data subject shall submit its request to the Operator in paper form, indicating the number of the personal data subject's or their legal representative's main ID, the date of issue and issuing authority of the said ID, and the handwritten signature of the personal data subject or their legal representative. A recommended specimen request form is provided in Annex 1 to this Policy.
7.4. Under the laws of the Russian Federation, the request may be submitted electronically and signed with an electronic digital signature, and is to be sent to mailto:Natalia.tsaplina@ifcmgroup.ru reception.ru@ifcmgroup.ru.
7.5. Upon the receipt of a subject's request, the Operator's officer responsible shall record the request in the log of data subject requests.
7.6. The Operator shall reply, to the effect of acceptance or reasonable denial of the request, within ten (10) days of the date of receipt of the personal data subject's request. The response lead time may be extended by no more than five business days with the giving of a reasonable notice by the Operator to the request initiator. The reply shall contain specific and comprehensive information pertinent to the essence of the question.
7.7. In the event of an instance of unlawful or accidental transfer (divulgation, dissemination or access) of personal data being established, entailing impairment of the rights of personal data subjects, it is the duty of the Operator to inform Roskomnadzor of such incident, the alleged circumstances having led to the impairment of the rights of personal data subjects, the estimated extent of detriment to the rights of the personal data subjects, and the measures taken to trouble-shoot the consequences of the incident, appending the appropriate contact information, within 24 hours of the time when the incident first becomes known to the Operator, to Roskomnadzor or another party concerned, and further to inform Roskomnadzor about the findings of the Operator's internal investigation of the incident and the persons whose acts had occasioned the incident in question, if applicable, within three days.
8. Modification of this Policy
8.1. The Operator is at liberty to make changes to this Policy. Every time that changes are made, the date of the latest revision shall appear in the header of this Policy. The new edition of this Policy takes effect as of the date when the Operator's CEO approves it. This Policy shall be posted on the Operator's website no later than 3 days following the date of its approval.
8.2. The current edition hereof shall be kept at the location of the Operator's executive body, namely at 18, 3rd Rybinskaya Street, building 22, 4th floor, suite 8, room 46, Moscow 107113, Russian Federation, the electronic version of this Policy can be found on the Operator's website at http://ifcmgroup.ru/.
8.3. This Policy and the relations between personal data subjects and the Operator shall be governed by the laws of the Russian Federation.
9. Contact Us
9.1. Email: mailto:Natalia.tsaplina@ifcmgroup.ru [TN1] reception.ru@ifcmgroup.ru
9.2. Postal address: 18, 3rd Rybinskaya Street, building 22, 4th floor, suite 8, room 46, Moscow 107113, Russian Federation
Contact phone No.: +7 (495) 246-01 [TN1]
6. Protection of Personal Data
6.1. The Operator shall procure the protection of personal data from unauthorized or accidental access, loss, modification, blocking, copying, dissemination, and any other unlawful manipulations.
6.2. The Operator shall procure the protection of personal data in the manner contemplated by the applicable Russian laws and the Operator's internal statutes, and namely by implementing a suite of organizational and technical facilities to ensure data security.
6.3. All protection measures deployed in the collection, processing, storage and transmission of the subject's personal data shall apply to both paper and electronic (automated) media.
7. Updating, Correction, Deletion and Annihilation of Personal Data
7.1. The operator may in its discretion enter, supplement, modify, block or delete personal data, subject to the provisions of Russian federal law.
7.2. At the request of the personal data subject, the Operator shall:
- reveal whether the Operator is in possession of the subject's personal data;
- give the subject an opportunity to review their personal data (exception as per Art. 14, Part 5, FZ-152);
- update the personal data if it is found inaccurate or has changed;
- block or destroy personal data if it is found to have been obtained illegally or is deemed redundant for the stated purpose of processing or the subject's consent has been withdrawn.
7.3. The personal data subject shall submit its request to the Operator in paper form, indicating the number of the personal data subject's or their legal representative's main ID, the date of issue and issuing authority of the said ID, and the handwritten signature of the personal data subject or their legal representative. A recommended specimen request form is provided in Annex 1 to this Policy.
7.4. Under the laws of the Russian Federation, the request may be submitted electronically and signed with an electronic digital signature, and is to be sent to mailto:Natalia.tsaplina@ifcmgroup.ru reception.ru@ifcmgroup.ru.
7.5. Upon the receipt of a subject's request, the Operator's officer responsible shall record the request in the log of data subject requests.
7.6. The Operator shall reply, to the effect of acceptance or reasonable denial of the request, within ten (10) days of the date of receipt of the personal data subject's request. The response lead time may be extended by no more than five business days with the giving of a reasonable notice by the Operator to the request initiator. The reply shall contain specific and comprehensive information pertinent to the essence of the question.
7.7. In the event of an instance of unlawful or accidental transfer (divulgation, dissemination or access) of personal data being established, entailing impairment of the rights of personal data subjects, it is the duty of the Operator to inform Roskomnadzor of such incident, the alleged circumstances having led to the impairment of the rights of personal data subjects, the estimated extent of detriment to the rights of the personal data subjects, and the measures taken to trouble-shoot the consequences of the incident, appending the appropriate contact information, within 24 hours of the time when the incident first becomes known to the Operator, to Roskomnadzor or another party concerned, and further to inform Roskomnadzor about the findings of the Operator's internal investigation of the incident and the persons whose acts had occasioned the incident in question, if applicable, within three days.
8. Modification of this Policy
8.1. The Operator is at liberty to make changes to this Policy. Every time that changes are made, the date of the latest revision shall appear in the header of this Policy. The new edition of this Policy takes effect as of the date when the Operator's CEO approves it. This Policy shall be posted on the Operator's website no later than 3 days following the date of its approval.
8.2. The current edition hereof shall be kept at the location of the Operator's executive body, namely at 18, 3rd Rybinskaya Street, building 22, 4th floor, suite 8, room 46, Moscow 107113, Russian Federation, the electronic version of this Policy can be found on the Operator's website at http://ifcmgroup.ru/.
8.3. This Policy and the relations between personal data subjects and the Operator shall be governed by the laws of the Russian Federation.
9. Contact Us
9.1. Email: mailto:Natalia.tsaplina@ifcmgroup.ru [TN1] reception.ru@ifcmgroup.ru
9.2. Postal address: 18, 3rd Rybinskaya Street, building 22, 4th floor, suite 8, room 46, Moscow 107113, Russian Federation
Contact phone No.: +7 (495) 246-01 [TN1]
The central office of the iFCM GROUP
107113, Moscow, 3rd Rybinskaya str., 18, p. 22.
Tel: +7(495) 246-01-10
107113, Moscow, 3rd Rybinskaya str., 18, p. 22.
Tel: +7(495) 246-01-10
