Personal Data Processing Policy

1. GENERAL

1.1 Personal data processing policy (hereinafter referred to as the Policy) is developed in accordance with the Federal Law No. 152-FZ “On Personal Data” dated 27.07.2006 (hereinafter referred to as the FZ-152).

1.2 This Policy defines the procedure for processing personal data and measures to ensure the safety of personal data in IT Brick LLC (hereinafter referred to as the Company) in order to protect the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of rights to privacy, personal and family secrets.

1.3 This Policy applies to all collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data with or without the use of automation means.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1 The Operator processes personal data on the basis of the following principles:

  • lawful and fair basis;
  • restriction of personal data processing to achievement of specific, predetermined and lawful purposes;
  • prevention of personal data processing which is incompatible with the purposes of collecting personal data;
  • prevention of combining databases containing personal data, which are processed for the purposes incompatible with each other;
  • processing only those personal data which meet the purposes of their processing;
  • conformity of the contents and amount of the processed personal data to the declared purposes of processing;
  • prevention of processing of the personal data superfluous in relation to the declared purposes of their processing;
  • maintenance of the accuracy, sufficiency and relevance of the personal data in relation to the purposes of personal data processing;
  • destruction or depersonalization of personal data to achieve the purposes of their processing or in case of loss of the need to achieve these purposes, if the Company is unable to eliminate violations of personal data, unless otherwise provided by federal law.

3. TERMS OF PERSONAL DATA PROCESSING

3.1 The personal data are processed under at least one of the following conditions:

  • personal data are processed with the consent of the personal data subject to the processing of his/her personal data;
  • personal data processing is necessary for achievement of the purposes provided by the international agreement of the Russian Federation or the law, for performance of the functions, powers and duties imposed by the law of the Russian Federation on the operator;
  • personal data processing is necessary for the implementation of justice, the execution of the judicial act, the deed of another authority or official subject to execution in accordance with the law of the Russian Federation on enforcement proceedings;
  • personal data processing is necessary for the execution of a contract to which the personal data subject is a party, beneficiary or guarantor, as well as for the conclusion of a contract on the initiative of the personal data subject or a contract under which the personal data subject will be the beneficiary or guarantor;
  • personal data processing is necessary for exercising the rights and legitimate interests of the operator or third parties or for achieving socially important goals provided that the rights and freedoms of the personal data subject are not violated;
  • personal data are processed for statistical or other research purposes under the obligatory depersonalization of personal data. An exception is the processing of personal data in order to promote goods and services through direct contact with the potential consumer by means of communication, as well as for political agitation;
  • personal data to which the personal data subject has granted access to an unlimited circle of persons, or to which such access has been granted at his/her request (hereinafter referred to as the publicly available personal data), are processed;
  • personal data subject to publication or mandatory disclosure in accordance with federal law are processed.

3.2 The Company may create publicly available personal data sources, including directories and address books, for information purposes. The publicly available sources of personal data may include the subject’s full name, date and place of birth, position, contact phone numbers, e-mail address and other personal data communicated by the personal data subject, subject to his/her written consent.

The data on the subject should be excluded from publicly available personal data sources at any time at the request of the subject or under the decision of court or other authorized state authorities.

3.3 Certain personal data relating to race, nationality, political opinions, religious or philosophical beliefs, health status, intimate life are not processed in the Company.

3.4 Biometric personal data (information that characterizes the physiological and biological characteristics of the person on the basis of which he/she can be identified and which are used by the operator to identify the personal data subject) are not processed in the Company.

3.5 The Company is entitled to assign personal data processing to another person with the consent of the personal data subject based on the contract concluded with this person, unless otherwise provided for by federal law. The person who processes personal data on behalf of the Operator shall comply with the principles and rules of personal data processing provided for in Federal Law FZ-152.

3.6 The Company must ensure that the foreign state to whose territory the personal data are to be transferred provides adequate protection of the rights of personal data subjects before such transfer takes place.

Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects can be performed in the following cases:

  • there is a written consent of the personal data subject to the cross-border transfer of his/her personal data;
  • the contract to which the personal data subject is a party is executed.

3.7 The Company undertakes and obliges other persons who have obtained access to personal data not to disclose to third parties and not to distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.

4. RIGHTS OF THE PERSONAL DATA SUBJECT

4.1 The personal data subject decides to provide his/her personal data and gives his/her consent to their processing freely, by his/her will and in his/her interest. The consent to personal data processing can be given by the personal data subject or his/her representative in any form that allows the fact of its receipt to be confirmed, unless otherwise established by federal law.

4.2 The personal data subject has the right to receive information from the Company regarding the processing of his/her personal data, unless such right is restricted in accordance with federal laws. The personal data subject has the right to require the Company to clarify his/her personal data, block or destroy it if personal data are incomplete, outdated, inaccurate, obtained illegally or are not necessary for the stated purpose of processing, as well as to take the measures required by law to protect his/her rights.

4.3 The processing of personal data in order to promote goods and services through direct contact with the potential consumer by means of communication, as well as for political agitation, is allowed only with the prior consent of the personal data subject. The said processing of personal data is recognized as performed without the prior consent of the personal data subject, unless the Company can prove that such consent was obtained.

4.4 Upon request of the personal data subject, the Operator shall immediately stop processing his/her personal data for the above purposes.

4.5 Decisions that generate legal consequences for the personal data subject or otherwise affect his/her rights and legitimate interests may not be made on the basis of exclusively automated processing of personal data, except in the cases provided for by federal laws or with the written consent of the personal data subject.

4.6 If the personal data subject considers that the Company processes his/her personal data in violation of the requirements of FZ-152 or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal against actions or inaction of the operator to the Authority for the Protection of the Personal Data Subjects’ Rights or in court.

4.7 The personal data subject has the right to protection of his/her rights and legal interests, including compensation for damages and/or moral harm in court.

5. ENSURING THE SAFETY OF PERSONAL DATA

5.1 When processing personal data, the Company takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.

5.2 The following organizational and technical measures are used to prevent unauthorized access to personal data:

  • appointment of the officials responsible for the organization of processing and protection of personal data;
  • restriction of the number of people who have access to personal data;
  • making the subjects familiar with the requirements of federal legislation and the Company’s regulatory documents on personal data processing and protection;
  • organization of accounting, storage and circulation of data carriers;
  • identification of threats to personal data security during processing, and formation of threat models on that basis;
  • development of a personal data protection system based on a threat model;
  • verification of the readiness and effective use of information protection means;
  • separation of user access to information resources and information processing software and hardware;
  • registration and recording of actions of users of personal data systems;
  • use of antivirus software and personal data protection system recovery tools;
  • use of firewalls, intrusion detection, security analysis and cryptographic protection of information.

6. MISCELLANEOUS

6.1 Other rights and obligations of the Company as an operator of personal data are determined by the personal data legislation of the Russian Federation.