PERSONAL DATA PROTECTION AND PROCESSING POLICY, SimbirSoft LTD
1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter the Policy) has been developed in accordance with Article 18.1, Paragraph 2 of Federal Law No. 152-FZ “On Personal Data” of July 27, 2006 (hereinafter the Law on Personal Data) and with other regulatory legal acts on the security and processing of personal data. It applies to personal data (hereinafter PD) that SimbirSoft Ltd (hereinafter the Company) can collect.
1.2. The Company protects the processed PD from unauthorized access and disclosure, inappropriate use or loss in accordance with the Law on PD.
1.3. The Company has the right to make changes to this Policy. The new version of the Policy comes into effect once it has been published on the website, unless the new version of the Policy provides otherwise.
1.4. Terms contained in Article 3 of the Law on PD are used with the same meaning in this Policy.
2. Legal Grounds for Personal Data Processing
2.1. Legal grounds for personal data processing by the Company are as follows:
• Constitution of The Russian Federation;
• Labor Code of The Russian Federation;
• The Civil Code of The Russian Federation;
• Federal Law N 149 of July 27, 2006 On Information, Informatization and the Protection of Information;
• Federal Law N 152 of July 27, 2006 On Personal Data;
• Federal Law N 14 of February 8, 1998 On Limited Liability Companies;
• Federal Law N 27 of April 1, 1996 On Individual (Personalized) Accounting in the Compulsory Pension Insurance Scheme;
• The Company Charter;
• contracts between the Company and PD owners;
• consent of personal data owners to the processing of their personal data;
• other grounds where consent to PD processing is not required under the law.
3. Personal Data Processing and Storage Terms and Conditions
3.1. The Company performs PD processing in accordance with the laws of the Russian Federation.
3.2. PD processing requires the consent of personal data owners to the processing of their personal data, or is performed without consent where the law of the Russian Federation so provides.
3.3. The Company performs automated and manual methods of PD processing.
3.4. PD processing is performed by the employees of the Company, engaged in personal data processing.
3.5. PD processing shall be carried out through:
- receiving PD orally and in writing directly, with the consent of the PD owner to the processing of his/her data;
- public sources;
- other ways of data processing.
3.6. PD shall not be disclosed or distributed to third parties without the consent of the data owner, unless otherwise provided by the law of the Russian Federation.
3.7. Transfer of PD to bodies of inquiry and investigation, Federal Tax Service, Pension Fund, Social Insurance Fund, and other state bodies and services shall be performed according to laws of the Russian Federation.
3.8. The Company shall take required legal, organizational and technical measures to protect PD from unlawful or accidental access, destruction, adjustment, blocking, sharing or other unlawful actions. The Company also:
- identifies threats to personal data safety while they are processed;
- adopts applicable local regulatory acts and other documents regulating relations in the area of PD processing and protection;
- appoints persons responsible for organizing personal data safety at the units and in information systems of the Company;
- creates the necessary conditions for working with PD;
- organizes the tracking of the documents containing PD;
- manages work with information systems, that process PD;
- stores PD in conditions that ensure their safety and prevent an unlawful access;
- conducts training of the employees engaged in personal data processing.
3.9. PD are stored by the Company in a form that allows the data owner to be identified for no longer than is required for the purposes of processing, if the PD retention period is not set by federal law or an agreement.
3.10. When collecting PD via the internet, the Company ensures the recording, systematization, accumulation, storage, update and alteration, and extraction of PD of Russian Federation citizens using databases located in the territory of the Russian Federation, except as otherwise specified by the Law on PD.
3.11. Purposes of PD processing:
3.11.1. Only PD that meet the purposes of their processing may be processed.
3.11.2. Processing of PD is performed for the purpose of:
- complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation;
- acting in accordance with the Company Charter;
- keeping personnel records;
- assisting the employees and candidates in employment, career development, personal safety, quantity and quality control of the work, property protection;
- attracting and selecting candidates for work at the Company;
- signing and executing agreements with PD owners;
- identifying the PD owner within the framework of agreements with the Company;
- providing the PD owners with the Company services and information about the development of new products and services, including advertising;
- contacting PD owners: managing their requests, providing information on the work of the website;
- controlling and improving the service quality of the Company, including those presented on the website;
- organizing individual (personalized) accounting in the compulsory pension insurance scheme for employees;
- preparing and submitting the required reports to the executive branch or other state bodies and services;
- exercising of other functions, powers and requirements imposed upon the Company by the laws of the Russian Federation.
3.11.3. Employee's PD shall be processed only for the purpose of complying with laws and other statutory acts of the Russian Federation.
3.12. PD owners list.
List of data owners, which have their PD processed:
- employees and former employees of the Company, job applicants;
- clients and contractors (natural persons) of the Company;
- client's and contractor's representatives or employees (artificial persons);
- visitors to the Company website https://www.simbirsoft.com.
3.13. PD processed by the Company are as follows:
• full name of the PD owner;
• passport data;
• residence place and address;
• job or area of professional interest;
• mobile number;
• information on the search history and actions on the website and its services (for the website visitors);
• photos of the PD owner;
• other information (may be reduced or expanded respective of the specific case and the purpose of processing).
3.14. The Company ensures that the scope and amount of PD comply with the stated purposes of processing and, if necessary, takes action to eliminate data redundancy in relation to the stated purposes.
3.15. Special personal data categories concerning race and national identity, political commitment, religious or philosophic views and private life are not subject to processing at the Company.
3.16. Trans-border transfer of PD is not performed by the Operator.
3.17. PD storage.
3.17.1. PD can be received, further processed and stored both in paper and in electronic form.
3.17.2. PD in paper form are stored in a locked filing cabinet or locked rooms with limited access.
3.17.3. Automatically processed PD are stored in different files according to the purpose.
3.17.4. Storing and posting documents containing PD in online catalogues (file sharing platforms) is not allowed.
3.17.5. PD are stored in a form that allows the data owner to be identified for no longer than is required for the purposes of PD processing. PD under processing are annihilated once the purposes are achieved or when achieving these purposes is no longer required.
3.18. PD annihilation.
3.18.1. Annihilation of documents or data storage devices containing PD shall be carried out by burning, crushing, chemical degradation, or grinding into dust or a shapeless mass. A paper shredder can be used to eliminate paper documents.
3.18.2. Storage devices containing PD shall be destroyed by means of deleting or formatting.
3.18.3. The destruction of PD is documented by an act on destruction of storage devices.
4. Information on The Applicable Requirements to PD Protection
4.1. The Company has created a PD protection system consisting of subsystems of legal, administrative and technical protection.
4.2. The legal protection subsystem is a set of legal, administrative and regulatory documents that ensure the creation, operation, and improvement of PD protection system.
4.3. The administrative subsystem includes the management of the PD protection system structure, the authorization system, and the protection of information of employees, partners and third parties.
4.4. The technical subsystem includes a set of technical, software and hardware measures that provide PD protection.
4.5. While protecting PD, the Company:
4.5.1. Appoints a party responsible for PD processing and the arrangement of PD processing. Arranges training for the employees and in-house control over the adherence of the Company and its employees to the protection requirements of PD.
4.5.2. Identifies threats to personal data safety while they are processed within the information PD systems, develops and takes measures on PD protection.
4.5.3. Develops PD processing policy.
4.5.4. Establishes access rules for PD that are processed in the information system. Ensures registration and record-keeping of all actions performed with PD in the information system.
4.5.5. Uses individual passwords for employees to get access to the information system in accordance with their work responsibilities.
4.5.6. Uses information security measures that have undergone approved conformity assessment procedures in due course.
4.5.7. Uses certified anti-virus software with regularly updated databases.
4.5.8. Complies with conditions that ensure the PD safety and prevent an unauthorized access.
4.5.9. Traces cases of unauthorized access to PD and takes relevant measures.
4.5.10. Restores PD that have been modified or annihilated due to unauthorized access.
4.5.11. Provides training for employees of the Company who are directly involved in PD processing, to familiarize them with the provisions of the law of the Russian Federation on PD, including the requirements for PD protection, the documents which define the PD processing policy, and corporate statutory acts on PD processing.
4.5.12. Conducts in-house inspections and audits.
5. Rights and Obligations of PD Owners and Obligations of the Company
5.1. Rights of PD owners.
PD owner is entitled to the access to his/her PD and the following information:
- confirmation of PD processing;
- legal grounds and purposes of PD processing;
- ways of PD processing used by the Company;
- the name and location of the Company, third parties to whom PD was transferred (except for employees of the Company) or to whom they may be disclosed under an agreement with the Company or federal law;
- PD processing and storage period;
- manner of exercising the rights under the laws by the PD owner;
- full name and address of the person who is responsible or will be responsible for PD processing by the Company's order;
- contacting and requesting the Company;
- challenging the actions or failure to act on the part of the Company.
5.2. Obligations of PD owners.
The PD owner shall:
- provide the Company with valid data;
- provide PD documents needed for the processing;
- inform the Company about updating or changing their PD.
Those who provided the Company with invalid data about themselves or another PD owner without his/her consent are liable under the Russian Federation law.
5.3. Obligations of the Company.
The Company shall:
- provide information on the PD processing;
- inform the PD owner if data were received from the other PD owner;
- explain consequences of the refusal to provide PD;
- publish or otherwise enable unrestricted access to the document defining the policy on PD processing and the information about the implemented protection requirements;
- establish legal, administrative and technical procedures or ensure their adoption to protect PD against illegal or accidental access, annihilation, alteration, blocking, copying, presentation, distribution, as well as against other misconduct in relation to PD;
- respond to requests of PD owners, their representatives and the relevant authority which protects PD owners' rights.
5.4. The Company is entitled to:
- collect the valid data or documents containing PD from PD owners;
- require PD owners to timely update the provided PD.
6. Modification and Annihilation of PD, Requests of PD Owners
6.1. In case of confirmation of the fact of PD inaccuracy or illegality of their processing, the PD shall be updated by the Company, or their processing shall be terminated.
6.2. The fact of inaccuracy of PD or illegality of their processing can be established either by the PD owner, or by the state authorities of the Russian Federation.
6.3. Upon a written request of the PD owner or its representative, the Company is obliged to provide information about the processing of the PD of the specified owner. Such request must contain the number of the main identity document of the PD owner and its representative and a document confirming the rights of the representative to receive such data, information on the issue date of the specified document and the issuing authority, information confirming the participation of the PD owner in relations with the Company (date of conclusion of the agreement, conditional verbal designation and (or) other information), or information otherwise confirming the fact of PD processing by the Company, the signature of the PD owner or its representative.
6.4. If the request of the PD owner does not reflect all the necessary information or the owner does not have access rights to the requested information, then a reasoned refusal is sent.
6.5. In accordance with the procedure provided for in paragraph 6.3, the PD owner is entitled to require the Company to update, block or destroy his/her PD if the PD are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the processing purposes, as well as to take legal measures to protect his/her rights.
6.6. When the purposes of PD processing are achieved, but the PD owner revokes consent, the PD shall be annihilated if:
• the Company is not entitled to perform processing without the PD owner's consent;
• it is not otherwise provided by the agreement to which the PD owner is a party, beneficiary or guarantor;
• it is not otherwise provided by another agreement between the Company and the PD owner.
7.1. Cookies are used to improve users' interaction with the site. They allow the site to remember users during their first or repeated visits. In some cases, cookies are used to personalize based on location information.