Personal Data Processing Policy
1. Purpose and scope
1.1. This document (hereinafter referred to as the Policy) sets forth the purposes and general principles of personal data processing, as well as the personal data security measures implemented by LLC «Technology Transfer Center» (hereinafter referred to as Processor/Company). The Policy is Processor’s document put in the public domain and is open to the general public.
1.2. Once approved, the Policy shall remain in effect indefinitely until amended.
1.3. The terms and concepts used in the Policy shall be applied as defined in Federal Law No 152-FZ of 27.07.2006, On Personal Data (hereinafter referred to as Federal Law on Personal Data).
1.4. The Policy applies to all Processor’s activities related to personal data processing.
1.5. Processor has no control over such other websites as may be accessed from Processor’s website. 2. Details of personal data processing
2.1. Processor uses combined processing of personal data: with and without automation.
2.2. Personal data processing operations include the collection, recording, organization, accumulation, storage, updating (refreshing, modification), retrieval, use, transfer (dissemination, disclosure and access), anonymization, blocking, deletion and destruction of personal data.
2.3. Processor conducts personal data processing in a legal and fair way on the following statutory authority:
— Constitution of the Russian Federation;
— Labour Code of the Russian Federation;
— Civil Code of the Russian Federation;
— Tax Code of the Russian Federation;
— Federal Law of 27.07.2006, No 152-FZ, On Personal Data;
— Federal Law of 10.01.2002, No 1-FZ, On Digital Signature Scheme;
— Federal Law of 06.04.2011, No 63-FZ, On Electronic Signature;
— Federal Law of 01.04.1996, No 27-FZ, On Individual (Personalized) Accounts in the System of Compulsory Pension Insurance;
— Federal Law of 24.07.2009, No 212-FZ, On Insurance Contributions to the RF Pension Fund, the RF Social Insurance Fund, the Federal Compulsory Health Insurance Fund and State Compulsory Health Insurance Funds;
— Charter of LLC «Technology Transfer Center»;
— as well as such other regulations as may be applicable to Processor’s activities.
2.4. The nature and scope of personal data being processed shall be determined based on the processing purposes.
2.5. Primary purposes of personal data processing:
— performance of Processor’s civil legal obligations (including notification of Processor’s services);
— compliance with the current employment, labour, accounting, pension and other laws of the Russian Federation.
2.5. The main categories of data subjects whose details are processed by Processor include:
— individuals employed and contracted by Processor;
— individuals employed and contracted by Processor’s counterparties;
— individuals to whom Processor provides services as part of its statutory activities, and job seekers.
2.6. For the specified categories of subjects, there can be processed:
last name, first name and patronymic; date of birth; place of birth, address; family status; social status; financial situation; educational background; profession; income; INN [Taxpayer Identification Number], SNILS [Personal Pension Account Number], contact information (phone number, email address) and such other details as may be required by standard forms and standard processing procedures.
2.7. In the context of processing, there are ensured the accuracy and sufficiency of personal data and the relevance thereof for the purposes of personal data processing. Upon discovery of inaccurate or incomplete personal data, these shall be clarified and updated.
2.8. Private personal data are kept confidential.
2.9. Personal data shall be processed and stored within the time period needed to achieve the purpose of personal data processing unless there are legitimate reasons for further processing. The personal data being processed shall be destroyed or anonymized upon the following events:
— the purposes of personal data processing are achieved or the maximum storage period is reached;
— there is no further need to accomplish the objectives of personal data processing;
— the data subject or his legal representatives provides evidence that the personal data are illegally obtained or are not required for the stated purpose of processing;
— it is impossible to ensure the legitimacy of personal data processing;
— the data subject revokes consent to personal data processing and the personal data need no longer be stored for the purposes of personal data processing;
— the data subject revokes consent to the use of personal data for consumer communications in the promotions of products and services.
2.10. Personal data processing under Processor’s contracts and other agreements and personal data processing authorizations given and received by Processor shall be subject to the terms and conditions of Processor’s said contracts and agreements, as well as the legitimate agreements with the processing outsourcers or providers. Such agreements can provide, among other things, for: the purposes, conditions and time frame of personal data processing; the parties’ obligations, including security arrangements; the rights, duties and liability of the parties in the context of personal data processing.
2.11. Beyond the scope of explicit provisions of the current legislation or the contract, processing shall be subject to the prior consent of the data subject. Consent can be expressed in the form of action taken, acceptance of the terms and conditions of an adhesion contract, entries made to this effect, completion of fields in online or printed forms, or documented in writing as stipulated by law. 3. Security precautions for personal data
3.1. Processor shall implement the necessary legal, organizational and technical measures to ensure the security of personal data against unauthorized (including, accidental) access, deletion, alteration, access denial and other unauthorized activities. 4. Data subject rights
4.1. The data subject shall be entitled to revoke consent to the processing of personal data by giving notice thereof to Processor by post or in person.
4.2. The data subject is entitled to receive information pertaining to the processing of his personal data, including details such as: acknowledgement of processing of personal data by Processor; statutory authority for and purpose of personal data processing; personal data processing purposes and procedures used by Processor; Processor’s name and place of business, details of the persons (other than Processor’s staff/workers) who have access to the personal data or to whom personal data can be disclosed under a contract with Processor or by federal law; the data subject’s personal data being processed and the source thereof unless alternative arrangements are stipulated by federal law for the sourcing of such data; the time frame for the processing of personal data, including the length of the storage thereof; arrangements for the exercise by the data subject of the rights provided by the Federal Law on Personal Data; information about a completed or anticipated cross-border transfer of personal data; the business name or the last name, first name and patronymic and the address of the processor tasked by Processor to process personal data where processing is outsourced; such other details as may be required by the Federal Law on Personal Data or other federal laws.
4.3. The data subject shall be entitled to demand that Processor update, block or destroy his personal data where the personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing, as well as use statutory remedies available to him.
4.4. If a data subject believes that Processor performs the processing of his personal data in violation of the requirements of the Federal Law on Personal Data or otherwise violates his rights and freedoms, the data subject shall be entitled to appeal against Processor’s acts or omissions to the competent authority in charge of protecting the rights of data subjects (Federal Communications, Information Technology and Media Oversight Agency, or Roskomnadzor) or through the courts.
4.5. The data subject is entitled to seek redress against those who infringe their rights and legitimate interests, including pecuniary and/or non-pecuniary damages, before the courts. 5. Roles and responsibilities
5.1. Processor’s rights and duties are determined by the current legislation and Processor’s agreements.
5.2. Verification of compliance with the requirements hereof shall be the responsibility of the personal data processing manager.
5.3. Liability of the persons involved in personal data processing in accordance with Processor’s arrangements for misuse of personal data shall be subject to the terms of the independent contractor contract or Confidentiality Agreement made by and between Processor and his counterparty.
5.4. Persons guilty of a breach of regulations governing personal data processing and security shall be subject to financial punishments, disciplinary action, administrative sanctions, civil or criminal liability in the manner prescribed by federal laws and Processor’s bylaws and agreements.
5.5. Other rights and duties of Processor are determined by the personal data legislation of the Russian Federation.
5.6. The Policy shall be developed by the personal data processing manager and shall come into effect when approved by Processor’s CEO. Please email your comments and suggestions to amend the Policy at email@example.com. The Policy shall be updated if and where necessary. The permanent URL of the Policy is yellowrockets.com/en/legal.