POLICY of personal data processing

 POLICY of personal data processing in Limited Liability Company UNIVERSAL FINANCIAL SYSTEMS

                               (hereinafter referred to as the Policy)

 

 

1                    GENERAL PROVISIONS

The personal data processing policy at UFS LLC (hereinafter referred to as the "Policy") was developed according to the Federal Law from July 27, 2006 No.152-FZ "On personal data" (hereinafter referred to as “FZ‑152”).

This Policy determines the procedure for processing personal data and the personal data security measures at UFS LLC (hereinafter referred to as the "Company") to enable the protection of human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrets.

The following basic concepts are used in the Policy:

automated personal data processing — processing personal data using computer software;

blocking personal data — temporary suspension of personal data processing (except where data processing is needed to update the personal data);

personal data information system — a set of personal data contained in personal data databases and information technologies and software used for their processing;

personal data depersonalization — actions which make it impossible to identify personal data as related to a specific personal data subject, without using additional information.

personal data processing — any action (operation) or a series of actions (operations) performed using automation or without, including personal data acquisition, recording, classification, accumulation, storage, updating or modifying, extraction, use, transfer (distribution, presentation, access), depersonalization, blocking, deleting and destruction of personal data;

operator — a state authority, municipal authority, legal entity or individual acting independently or jointly with other persons who organize and/or process personal data, as well as define the goals for personal data processing, their contents subject to processing and actions (operations) to be performed with the personal data;

personal data — any information relating directly or by implication to a specific individual (personal data subject);

provision of personal data — actions aimed at the disclosure of personal data to a certain person or a group of persons;

distribution of personal data — actions aimed at the disclosure of personal data to an unidentified group of persons (transfer of personal data) or for the review of the personal data by an unlimited number of persons, including the publishing of the personal data in mass media, posting in information and telecommunication networks or providing access to the personal data in any other way;

cross-border transfer of personal data — transfer of personal data to the territory of a foreign state, to a foreign government body, a foreign physical or legal entity;

destruction of personal data — actions which make it impossible to recover the contents of the personal data in the personal data information system and/or which result in the destruction of the tangible media of the personal data.

The Company is obliged to publish or otherwise provide unlimited access to the present Policy on personal data processing in accordance with part 2 of article 18.1 of FZ‑152.

2                    PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING

2.1              Principles of Personal Data Processing

The Company process personal data based on the following principles:

  • the rule of law and an equitable basis;
  • personal data processing is limited to achieving specific, predetermined and legitimate goals;
  • personal data processing which is inconsistent with the goals of personal data acquisition shall not be allowed;
  • combining databases that contain personal data processed for purposes incompatible with each other shall not be allowed;
  • only personal data that meet the purposes of their processing shall be processed;
  • the contents and volume of the processed personal data correspond to the declared purposes of their processing;
  • processing personal data which are redundant with respect to the declared purposes of their processing shall not be allowed;
  • the accuracy, adequacy and relevance of personal data in relation to the purposes of processing personal data shall be ensured;
  • personal data shall be destroyed or depersonalized once the goal of their processing has been achieved, or if it is no longer necessary to achieve such goals, or if the Company is unable to remedy violations to personal data, if not otherwise prescribed by the Federal Law.

2.2              Conditions for Processing Personal Data

The Company processes personal data if at least one of the following conditions is fulfilled:

  • personal data is processed with the personal data subject's consent to process them;
  • personal data must be processed to comply with an international treaty or law of the Russian Federation, for the operator to perform and implement the functions, powers and obligations imposed on it by the legislation of the Russian Federation;
  • personal data must be processed for the dispensation of justice, enforcement of a court ruling or a decision of another body which shall be implemented in accordance with the enforcement proceedings of the Russian Federation;
  • personal data must be processed for the execution of a contract, a party to which the subject of the personal data is a beneficiary or guarantor; personal data must also be processed to conclude a contract on the initiative of the subject of personal data or an agreement under which the subject of the personal data is the beneficiary or guarantor;
  • personal data must be processed for the protection of life, health or other vital interests of the subject of personal data if it is impossible to obtain the consent of said subject of personal data;
  • personal data must be processed to protect the rights and legitimate interests of the operator or third parties or to achieve socially significant goals provided that the rights and freedoms of the subject of personal data are not infringed upon;
  • processed personal data can be accessed by an unlimited number of persons if granted by the subject of personal data or through his/her request (hereinafter referred to as publicly available personal data);
  • processed personal data is subject to publication or mandatory disclosure according to the Federal Law.

2.3              Confidentiality of Personal Data

The Company and other persons who have access to the personal data shall not disclose them to third parties or distribute them without the consent of the subject of personal data, if not otherwise prescribed by the Federal Law.

2.4              Publicly Available Personal Data Sources

For the purposes of information support, the Company can create publicly available sources of personal data of individuals, including directories and address books. Publicly available sources of personal data, with the written consent of the personal data subject, can include the subject's surname, first name, patronymic, date and place of birth, job title, contact phone numbers, email address and other personal data, which has been shared by the subject of the personal data.

Information on the individual must be removed at any time from the publicly available sources of personal data following a request from the personal data subject or following a court ruling or other from other authorized state bodies.

2.5              Special Categories of Personal Data

The Company may only process special categories of personal data concerning race and ethnicity, political views, religious or philosophical beliefs, state of health, and the intimate life of the subjects of personal data if:

  • the subject of personal data agrees in writing to the processing of such personal data;
  • the personal data is made publicly available by its subject;
  • the personal data is processed according to the laws on state social services, labor legislation, the laws of the Russian Federation on pensions and the state pension provision, as well as on work pensions;
  • the personal data must be processed for the protection of life, health or other vital interests of the subject of personal data or the life, health or other vital interests of other persons when it is impossible to obtain the approval of the personal data subject;
  • the personal data is processed for medical and preventive purposes, for identifying a medical disease, providing medical and social services, on condition that the personal data is processed by a person who is a medical profession and who is obliged, in accordance with the legislation of the Russian Federation, to maintain medical confidentiality;
  • the personal data must be processed to establish or exercise the rights of the personal data subject or third parties, as well as in connection with the administration of justice;
  • the personal data must be processed in accordance with the legislation of the Russian Federation on defense, security, counter-terrorism, transport security, anti-corruption, investigative activity, enforcement proceedings, criminal and penal legislation of the Russian Federation;
  • the personal data is processed in accordance with the legislation on mandatory insurance schemes and in accordance with insurance laws.

Processing personal data of special categories must be immediately terminated if the reasons for processing were eliminated, unless otherwise prescribed by the Federal Law.

Processing personal data regarding conviction records may only be performed by the Company only in cases and in line with the procedure laid out by the Federal Laws.

2.6              Personal Biometric Data

Information which characterizes the physiological and biological features of a person, based on which it is possible to identify an individual (personal biometric data), and which is used by the operator to identify the subject of the personal data subject, can only be processed by the Company with the written consent of the personal data subject.

Biometric personal data can be processed without the consent of the personal data subject in relation to the implementation of international agreements of the Russian Federation on remission, in connection with the dispensation of justice and enforcement of court rulings, as well as in cases provided by the legislation of the Russian Federation on defense, security, counter-terrorism, transport security, anti-corruption, investigative activity, public service, criminal and penal legislation of the Russian Federation, as well as the legislation of the Russian Federation on the exit and entry procedure from/into the Russian Federation.

2.7              Assignment of Personal Data Processing to Other Persons

The Company has the right to entrust the personal data processing to another entity with the consent of the personal data subject, if not otherwise prescribed by the Federal Law, on the basis of the agreement concluded with this person. The entity processing the personal data in accordance with the Company's instructions is obliged to comply with the personal data processing principles and rules as provided for in the Federal Law‑152.

2.8              Cross-Border Transfer of Personal Data

The Company shall make sure that the foreign state to which territory the personal data is to be transferred ensures adequate protection of the rights of the subjects of personal data, prior to the beginning such a data transfer.

The cross-border transfer of personal data to the territory of foreign states which do not ensure adequate protection of the rights of subjects of personal data may be performed in the following cases:

  • the written consent of the subject of personal data for the cross-border transfer of his/her personal data;
  • cases provided for by international agreements of the Russian Federation;
  • cases provided for by Federal Laws, if necessary for the protection of the foundations of the constitutional system of the Russian Federation, to ensure the defense of the country and the security of the state, as well as to ensure the safe and consistent functioning of the transport system, protect the interests of individuals, society and the state in the area of the transport system and their protection from illegal interference;
  • execution of a contract to which the subject of the personal data is a party;
  • protection of the life, health and other vital interests of the subject of the personal data or other persons if it is impossible to obtain the consent of that subject of the personal data.
  1. RIGHTS OF THE SUBJECT OF PERSONAL DATA

3.1. Consent of the Subject of Personal Data to Processing his/her Personal Data

The subject of personal data decides to provide his/her personal data and freely consents to it being processed and in his/her interest. Consent to processing personal data can be given by the subject of personal data or his/her representative in any form which allows its confirmation, if not otherwise prescribed by the Federal Law.

The responsibility to provide proof of consent from the subject of personal data consent to processing his/her personal data or the evidence of its availability of the grounds, as stated in FZ‑152, lies with the Company.

3.2. Rights of the Subject of Personal Data

The subject of personal data is entitled to receive information concerning the processing of his/her personal data from the Company, if such a right is not limited by the Federal Law. The subject of personal data is entitled to require the Company to update his/her personal data, blocking or destroy it in the event this personal data is partial, outdated, inaccurate, acquired illegally or is not necessary for the declared goal of data processing. He/she is also entitled to take measures prescribed by law to protect his/her rights.

Processing personal data for the purpose of promoting goods, operations, services on the market by providing direct contacts to potential users by communication means, as well as for the purpose of political propaganda is only allowed with the prior consent of the subject of personal data. This personal data processing can be performed without the prior consent of the subject of personal data if the Company fails to prove that such consent has been obtained.

The Company shall immediately stop, upon the request of the subject of personal data, processing his/her personal data for the above-stated purposes.

It is prohibited to make decisions solely on the basis of automated personal data processing that results in legal implications with respect to the subject of personal data or otherwise infringes upon his/her rights and legitimate interests, except for cases prescribed by Federal Laws, or if the written consent of the subject of personal data is obtained.

If the subject of personal data believes that the Company is processing his/her personal data in contravention of the requirements of FZ‑152 or otherwise infringes upon his/her rights and freedoms, the subject of personal data shall be entitled to appeal against the Company's actions or its lack of action to an authorized body for the defense of personal data subject rights, or start legal proceedings.

The subject of personal data is entitled to the protection of his/her rights and legitimate interests, including ones for the indemnification and/or reimbursement of moral harm in legal proceedings.

  1. ENSURING PERSONAL DATA SECURITY

The security of personal data processed by the Company is ensured by the implementation of the legal, organizational and technical measures necessary for complying with the requirements of federal legislation in the field of protecting personal data.

The following organizational and technical measures are applied by the Company in order to prevent unauthorized access to personal data:

  • appointment of officials responsible for the organization of personal data processing and protection;
  • limitation of the range of persons with access to personal data;
  • familiarizing the subject of personal data with the requirements of Federal legislation and regulatory documents on processing and protecting personal data;
  • organization of record-keeping, storage and handling of media;
  • identification of threats to the security of personal data during its processing, simulation of a threat model on the basis of threats;
  • development of a personal data protection system on the basis of the threat model;
  • checking readiness and performance of information protection tools;
  • differentiation of user access to informational resources, software and hardware for processing information;
  • registration and record-keeping of the activities of users of the personal data information systems;
  • use of anti-virus tools and means for recovering the personal data protection system;
  • the use, when necessary, of firewalls, identification of intrusions, analysis of security and cryptographic information protection tools;
  • organization of access control on the territory of the Company, guarding premises containing hardware components for processing personal data.

 

  1. FINAL PROVISIONS

Other rights and responsibilities of the Company as the personal data operator are regulated by laws of the Russian Federation in the field of processing personal information.

Officials of the Company found guilty of violating the standards for regulating the processing and protection of personal data bear pecuniary, disciplinary, administrative, legal or criminal liability in accordance with the procedures prescribed by the Federal Law.