PERSONAL DATA PROCESSING POLICY AT «ARS» LLC

1. PURPOSE AND SCOPE

  • 1.1. This Policy determines the principles and conditions for personal data processing (hereinafter the “PD”), personal data protection measures, as well as obligations of ARS LLC (hereinafter the Company) during its processing.
  • 1.2. This Policy has been developed in accordance with the current legislation of the Russian Federation concerning personal data, and regulatory and procedural documents of the state executive authorities on PD security, including during its processing within personal data information systems (hereinafter the PDIS).
  • 1.3. According to Federal Law No. 152 dated 27 July 2006 “On Personal Data” (hereinafter the Personal Data Law), PD subjects should be allowed unrestricted access to this Policy, including by posting it on the Company’s websites.
  • 1.4. This Policy on processing personal data applies to all processes of collecting, recording, organising, accumulating, storing, amending, extracting, using, transferring (distributing, providing, accessing), depersonalising, blocking, deleting and destroying personal data using means of automation or otherwise.

2. TERMS, DEFINITIONS AND ABBREVIATIONS

Personal data (PD) means any information relating to a directly or indirectly identified or identifiable individual (personal data subject).
Personal data subject means an individual directly or indirectly identified or identifiable with the help of personal data.
Personal Data Information System (PDIS) means a set of personal data contained in databases and the information technologies and technical means used for processing them.
Personal data processing means any action (operation) or set of actions (operations) performed on personal data using means of automation or otherwise, including collection, recording, systematisation, accumulation, storage, amendment (updating, change), retrieval, use, transfer (distribution, provision, accessing), depersonalisation, blocking, deletion and destruction of the personal data.
Operator means ARS LLC, which organises and (or) processes personal data independently or together with other persons, and determines the purposes of the personal data processing, the scope of the personal data to be processed and the actions (operations) performed with the personal data.
Federal Law “On Personal Data” means Federal Law No. 152 dated 27 July 2006 “On Personal Data”.
Personal data distributed with the personal data subject’s consent means personal data to which the personal data subject grants access for an unlimited range of people by consenting to processing of personal data distributed with the personal data subject’s consent as per Federal Law No. 152.

3. PERSONAL DATA PROCESSING PRINCIPLES

3.1. The Company processes personal data in accordance with the following principles:
  • 3.1.1. Personal data are processed in a legitimate and fair manner.
  • 3.1.2. Personal data processing is restricted to achievement of specific, predetermined and legitimate purposes. Personal data processing inconsistent with the purposes of collecting personal data is not permitted.
  • 3.1.3. It is not permitted to merge databases containing personal data processed for mutually incompatible purposes.
  • 3.1.4. Only personal data that meet the purposes for which they are processed are subject to processing.
  • 3.1.5. The content and amount of processed personal data must correspond to the stated purposes of the processing.
  • 3.1.6. Personal data being processed must not be excessive in relation to the stated purposes of the processing.
  • 3.1.7. Personal data processing ensures the accuracy of the personal data, their sufficiency and, if appropriate, their applicability to the stated purposes of their processing.
  • 3.1.8. Personal data in a form allowing the personal data subject to be identified are stored no longer than required for the purpose of the personal data processing unless the term for storing personal data is established by federal law or a contract under which the personal data subject is a party, beneficiary or guarantor. The processed personal data are to be destroyed or depersonalised when the processing purposes are achieved or there is no further need to achieve these purposes, unless otherwise provided for by federal law.

4. THE TERMS OF PERSONAL DATA PROCESSING

4.1. Personal data should be processed in compliance with the principles and rules established by the Federal Law “On Personal Data”. Personal data processing is permitted in the Company in the following cases:
  • 4.1.1. Personal data are processed with the personal data subject’s consent.
  • 4.1.2. Personal data processing is necessary for achieving the objectives of an international agreement to which the Russian Federation is party or stipulated by law, for implementing and fulfilling the functions, powers and duties assigned to the operator by the legislation of the Russian Federation.
  • 4.1.3. Personal data processing is necessary for administration of justice, execution of a judicial act, an act of another body or official that is subject to execution as per the legislation of the Russian Federation on enforcement proceedings.
  • 4.1.4. Personal data processing is necessary for performance of a contract under which the personal data subject is a party, beneficiary or guarantor, as well as for conclusion of a contract on the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor.
  • 4.1.5. If it is impossible to gain the consent of the personal data subject, personal data processing is necessary for protecting the personal data subject’s life, health or other vital interests.
  • 4.1.6. Personal data processing is necessary for exercise of the rights and legitimate interests of the operator or third parties, or achievement of socially significant goals, provided that it does not violate the rights and freedoms of the personal data subject.
  • 4.1.7. Personal data are processed for statistical or other research purposes, subject to mandatory depersonalisation of the personal data. An exception is processing of personal data to promote goods, works and services on the market through direct contacts with a potential consumer with the help of means of communication, as well as for political propaganda purposes.
  • 4.1.8. Personal data are processed if subject to publication or mandatory disclosure in accordance with federal law.
4.2. In the following cases (with the exception of cases specified in the Federal Law “On Personal Data”), the personal data subject’s written consent to processing of their personal data is required:
  • - Inclusion of the PD subject in publicly available sources of PD.
  • - Processing of special categories of personal data relating to race, nationality, political views, religious or philosophical convictions, health, intimate life and criminal record.
  • - Processing of biometric PD (a person’s physiological and biological characteristics by which they can be identified and that are used by the operator to do so).
  • - Cross-border transfer of PD to foreign states that do not adequately protect the rights of PD subjects.
  • - Making, on the basis solely of automated processing of PD, decisions that have legal consequences for the PD subject or otherwise affect their rights and legitimate interests.
4.3. In the absence of a need to obtain the PD subject’s written consent to PD processing as per the Federal Law “On Personal Data”, the subject’s consent may be given by the personal data subject or their representative in any form confirming receipt of the consent, including electronically (by ticking the relevant box).
4.4. Unless federal law prescribes otherwise, the Company has the right, with the consent of the personal data subject, to entrust personal data processing to another person on the basis of an agreement therewith (hereinafter the operator’s assignment). The person processing personal data on behalf of the Company shall observe the personal data processing principles and rules provided for by this Policy and the Federal Law “On Personal Data”.
4.5. If the Company entrusts personal data processing to another person, the Company is responsible to the personal data subject for the latter’s actions. The person processing the personal data on behalf of the Company is responsible to the Company.
4.6. The Company and other persons with access to personal data shall not disclose the personal data to third parties or distribute them without the consent of the personal data subject, unless otherwise provided for by federal law.
4.7. Personal data are distributed on the basis of the personal data subject’s consent to processing of personal data that the personal data subject has permitted to be distributed. This consent is executed separately from other consents provided by the personal data subject.
4.8. If the Company processes a subject’s personal data that they have disclosed to an unlimited number of people and the subject has not given the Company their consent to processing of the personal data, the Company must prove the legality of subsequent distribution or other processing of the given personal data.
4.9. The operator shall, within three business days of receiving relevant consent from the personal data subject, publish information about the conditions for processing and about any prohibitions on or conditions relating to processing, by an unlimited number of people, of personal data whose distribution the personal data subject has consented to.

5. RIGHTS OF THE PERSONAL DATA SUBJECT

5.1. The personal data subject has the right to require the Company to amend, block or destroy their personal data if the personal data are incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated purpose of the processing, and to take measures provided for by law to protect their rights.
5.2. The personal data subject has the right to demand termination of transfer (distribution, provision, accessing) of personal data whose distribution they previously consented to.
5.3. The personal data subject has the right to receive information concerning processing of their personal data, including:
  • - Confirmation of personal data processing by the Company.
  • - The legal grounds for and purposes of the personal data processing.
  • - The purposes and methods used by the Company for personal data processing.
  • - The name and location of the Company, information about persons (other than Company employees) with access to the personal data or to whom the personal data may be disclosed under an agreement with the Company or on the basis of the Federal Law “On Personal Data”.
  • - The processed personal data relating to the relevant personal data subject and the source from which they are obtained, unless the Personal Data Law provides otherwise.
  • - The terms for personal data processing, including the storage period.
  • - The procedure by which the personal data subject exercises the rights provided for by the Personal Data Law.
  • - Information about previous or prospective cross-border data transfer.
  • - The name or the surname, first name and patronymic, and the address of the person processing the personal data on behalf of the Company if the processing is or will be entrusted to the given person.
  • - Other information provided for by the Federal Law “On Personal Data” or other federal laws.

6. COMPANY OBLIGATIONS

The Personal Data Law requires the Company to:
  • - Provide the PD subject, at their request, with information regarding the processing of their PD or a lawful refusal to do so.
  • - At the request of the PD subject, amend, block or delete processed PD if they are incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated purpose of the processing, or procure their blocking or deletion if the personal data are processed by another person acting on behalf of the operator.
  • - Maintain a Register of applications by PD subjects for recording requests by PD subjects to receive personal data, as well as provision of personal data by request.
  • - Notify the PD subject of PD processing if the PD were not received from the PD subject (unless the relevant operator has already notified the PD subject of the processing of their personal data).
  • - If the purpose of processing personal data is achieved, immediately halt the personal data processing and destroy or depersonalise the relevant personal data within thirty days of the purpose of personal data processing being achieved, unless otherwise provided for by federal laws, or procure deletion or depersonalisation of the personal data if they are processed by another person acting on behalf of the operator. Notify the personal data subject or their legal representative to this effect and, if the request is submitted by an authorised body for protection of the rights of personal data subjects, also notify the given body.
  • - If the personal data subject revokes their consent to processing of their personal data, halt processing of the personal data and destroy them within thirty days of receipt of the specified revocation, unless otherwise provided for by agreement between the Operator and the personal data subject, or procure termination of the personal data processing and destruction of the personal data if they are processed by another person acting on the instructions of the operator. Notify the personal data subject about destruction of their personal data.
  • - Should the subject request termination of processing of their personal data for the purpose of promoting goods, works or services on the market, immediately halt the personal data processing, or procure termination of the personal data processing if the personal data are processed by another person acting on the instructions of the operator.
  • - If the personal data subject requests termination of transfer (distribution, provision, accessing) of personal data whose distribution they previously consented to, halt transfer (distribution, provision, accessing) of these personal data within three business days of receiving the personal data subject’s request.
  • - When collecting personal data, including via the Internet, provide for recording, systematisation, accumulation, storage, amendment (updating, modification) and retrieval of personal data of citizens of the Russian Federation using databases located in the Russian Federation, unless otherwise specified separately in the Federal Law “On Personal Data”.

7. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA DURING THEIR PROCESSING

7.1. When processing personal data, the Company takes the necessary legal, organisational and technical measures to protect personal data against unlawful or accidental access thereto, destruction, amendment, blocking, copying, provision and dissemination thereof, as well as against other illegal actions with respect to the personal data.
7.2. Personal data security is achieved, in particular, by:
  • - Identifying threats to the security of personal data during their processing within personal data information systems.
  • - Using the requisite organisational and technical measures that meet the personal data protection requirements providing the levels of personal data security established by the Government of the Russian Federation in order to ensure the security of personal data during their processing within personal data information systems.
  • - Evaluating the effectiveness of measures taken to ensure the security of personal data prior to the personal data information system being started up.
  • - Accounting of machine media for personal data storage.
  • - Detecting unauthorised access to personal data and taking relevant actions.
  • - Restoring personal data modified or destroyed owing to unauthorised access thereto.
  • - Establishing rules for accessing personal data processed within the personal data information system, as well as procuring registration and recording of actions performed with the personal data within the personal data information system.
  • - Controlling access to the premises on which personal data are being processed.
  • - Monitoring the effectiveness of the measures and means used to ensure the security of personal data, as well as monitoring the level of protection of personal data information systems.