Personal data policy
Scope of application
These Policies for personal data processing and protection (“Policies”) define the main goals of personal data processing at STEP LOGIC LLC (“Company”), the categories of personal data subjects (“Subjects”), the terms and methods of personal data processing, and the measures implemented to ensure the security of personal data and to safeguard the Subjects’ rights, and shall be mandatory for all Company employees.
These Policies have been drawn up pursuant to Article 18.1, Part 2, of the Federal Law dated July 27, 2006, No 152-FZ, “On personal data”, and other legal regulations of the Russian Federation pertaining to personal data processing and protection, and shall apply to all personal data processed by the Company. The requirements of these Policies shall also be taken into account and communicated to other persons when their participation in personal data processing by the Company is needed, and when personal data is provided to them for processing under agreements, contracts, or instructions according to an established procedure.
Regulatory references
These Policies refer to the legal regulations below:
- Labor Code of the Russian Federation
- Federal Law dated July 27, 2006, No. 152-FZ “On Personal Data”
Abbreviations and designations
As applied to these Policies, the abbreviations and designations are used pursuant to the Terms and Definitions Guide posted on the corporate web-site at: Main > Document Center > Terms and definitions.
Terms and Definitions
As applied to these Policies, the terms and definitions are used pursuant to the Terms and Definitions Guide posted on the corporate web-site at: Main > Document Center > Terms and definitions, including the following ones:
- Automated personal data processing means personal data processing with the use of computers.
- Information system of personal data means a totality of personal data contained in databases, together with the information technologies and technical means providing the processing thereof.
- Personal Data Processing means any action (transaction) or a totality of actions (transactions) performed with personal data with or without the use of computers, including collection, recording, systematisation, accumulation, storage, specification (updating, changing), retrieval, use, transmission (dissemination, provision, access), depersonalisation, blocking, deletion, and destruction of the personal data.
- Personal data means any information directly or indirectly relating to a certain or identifiable individual (Subject).
- Personal data provision means actions aimed at personal data disclosure to a certain person or a certain scope of persons.
Policies description
General provisions
- The provision of personal data security shall be one of the Company’s priorities.
- The Company shall provide the protection of processed personal data from any unauthorised access or disclosure, wrongful use or loss pursuant to the Federal Law dated July 27, 2006, No 152-FZ, “On personal data”.
Goals of personal data processing
- The goals of personal data processing shall include:
  - Compliance with the Labor Code of the Russian Federation;
  - Compliance with an employment agreement;
  - Accounting and drawing up of statements, accrual and charges on the basis of a salary and other pay-outs;
  - Issuance of payroll cards;
  - Execution of voluntary health insurance policies;
  - Military service registration;
  - Assistance to an employee in training and career development;
  - Execution of business trip documents;
  - Execution of powers of attorney;
  - Preparation of visiting cards;
  - Personal data processing by auditors during audits;
  - Personal data processing by the Company’s counterparties during the performance of the relevant contractual obligations;
  - Drafting, entry into, performance, and termination of agreements with counterparties;
  - Search for candidates to fill any vacancies;
  - Processing of data received through the Company’s web-site;
  - Performance of equipment repair requests received through the Company’s web-site;
  - Feedback with Subjects who left their requests to the General Director and Compliance Supervisor on the Company’s web-site;
  - Provision of pass control and intrafacility control at the Company’s facilities;
  - Other legitimate purposes.
Personal data processing
- Personal data shall be processed in the cases below:
  - Personal data shall be processed with the consent of a Subject;
  - Personal data processing is required for the implementation and performance of functions, powers, and duties imposed on the Company by the Russian Federation law;
  - Personal data processing is required for the performance of an agreement to which a Subject is a party, a beneficiary, or a surety, including where the Company exercises its right to assign rights (claims) under such agreement, and for entry into an agreement at the initiative of the Subject or an agreement under which the Subject is a beneficiary or surety;
  - Personal data processing is required for exercising the rights and legitimate interests of the Company or third parties, provided that no rights or freedoms of the Subject are violated thereby;
  - Personal data processing is required for the delivery of justice, or the performance of any judicial ruling or any regulation of another body or officer that is subject to performance pursuant to the Russian Federation law on enforcement proceedings;
  - Access to such data has been provided to an unlimited scope of persons by a Subject or at his/her request.
- The Subjects whose personal data is processed by the Company shall include:
  - Individuals having employment relations with the Company and their family members (spouses and close relatives);
  - Individuals who have resigned from the Company;
  - Individuals who are candidates for vacant positions;
  - Individuals having civil law relations with the Company, or being at a stage of pre-contractual relations or performed obligations of a similar kind;
  - Individuals who visited the Company’s office;
  - Individuals who left their personal data through a feedback form on the Company’s web-site;
  - Other persons who consented to the Company’s processing of their personal data or who made their personal data publicly available in the cases envisaged by the Russian Federation law.
- Personal data shall be processed:
  - Using computers;
  - Without using any computers.
- The Company may entrust personal data processing to another person with the consent of a Subject, unless otherwise envisaged by the Russian Federation law, under an agreement entered into with that person, a mandatory term of which is that person’s compliance with the Federal Law dated July 27, 2006, No 152-FZ, “On personal data”.
Personal data obtainment
- All personal data shall be received by the Company from a Subject. The Company shall only be entitled to receive personal data of a Subject from third parties if the Subject’s written consent thereto is available.
- The Company shall inform the Subject of the goals, assumed sources, and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions to be performed with the personal data, the validity term of the consent and the procedure for its revocation, and the effects of the Subject’s refusal to consent to the obtaining of personal data.
- Documents containing personal data shall be produced by:
  - Copying original documents (passport, education certificate, TIN certificate, pension certificate, etc.);
  - Entering information in account forms;
  - Obtaining originals of the required documents (employment record book, medical opinion, character reference, etc.).
Personal data storage
- Personal data of Subjects may be obtained, undergo further processing, and be transferred to storage both in paper form and in electronic form.
- Personal data of Subjects in paper form shall be retained in locked cabinets or locked premises with restricted access.
- Personal data of Subjects processed with computers shall be stored in a local computer network of the Company.
- No storage or location of documents with personal data is allowed in open electronic catalogues (file hosting services).
- Personal data shall be stored in a form that allows a Subject to be identified for no longer than is required for the purposes of its processing, and this data shall be destroyed upon the achievement of the processing goal or when the need to achieve it no longer exists.
Personal data transmission
- The Company shall transmit personal data to third parties in the cases below:
  - A Subject has provided his/her written consent thereto;
  - Transmission is envisaged by the Russian law or another applicable law, within the procedure set by the law.
- The list of third parties to whom the personal data is transmitted:
  - Pension Fund of the Russian Federation for accounting (on a lawful basis);
  - Tax authorities of the Russian Federation (on a lawful basis);
  - Social Security Fund of the Russian Federation (on a lawful basis);
  - Territorial Compulsory Medical Insurance Fund (on a lawful basis);
  - Insurance medical organisations for voluntary health insurance (under an agreement);
  - Banks for salary accrual (under an agreement);
  - Internal affairs bodies of Russia in the cases envisaged by the law.
Personal data destruction
- Documents (media) containing personal data shall be destroyed through burning, breakage (shredding), chemical decomposition, or transformation into a formless mass or powder. The use of a shredder is allowed for destroying paper documents.
- Personal data on electronic media shall be destroyed through deletion or formatting of a medium.
Personal data protection
- Pursuant to the legal regulations, the Company has created a personal data protection system consisting of subsystems of the legal, organisational, and technical protection.
- The subsystem of legal protection is a set of legal and organisational/management regulations providing for the building, functioning, and improvement of the personal data protection system.
- The subsystem of organisational protection includes the organisation of the management structure of the personal data protection system, the authorisation system, and information protection in work with employees, partners, and outsiders.
- The subsystem of technical protection includes a set of technical, software, and hardware means providing the protection of personal data.
- The main personal data protection measures used by the Company shall include:
  - Appointment of a person responsible for the organisation of personal data processing;
  - Issuance of these Policies, local regulations on the matters of personal data processing, and local regulations setting the procedures aimed at the prevention and identification of violations of the Russian Federation law and damage control due to such violations;
  - Assessment of the harm which may be inflicted on Subjects in the case of violation of the Federal Law dated July 27, 2006, No 152-FZ, “On personal data”, and correlation between the said harm and the measures taken to ensure performance of the duties envisaged by the law above;
  - Identification of threats to personal data security during its processing within the information systems of personal data;
  - Application of organisational and technical measures to ensure personal data security during its processing within the information systems of personal data, as required to meet the personal data protection requirements and to ensure the established levels of personal data protection, including the application of:
    - Antivirus protection means;
    - Information cryptoprotection means, in order to protect personal data during its transmission (or preparation for transmission) through communication channels going outside the controlled zone;
  - Application of information protection means which have undergone the conformity assessment procedure, as applicable;
  - Assessment of the efficiency of the measures taken to ensure personal data security before commissioning new information systems of personal data;
  - Accounting of machine media for personal data;
  - Identification of facts of unauthorised access to personal data and taking of the required measures;
  - Enabling of recovery of modified or destroyed personal data from backup media;
  - Management and control of user access to information resources and to software and hardware means for information processing and protection;
  - Registration and accounting of events in the information systems processing personal data;
  - Periodic control over the measures taken to ensure personal data security and the protection level of the personal data information systems;
  - Undertaking of internal control and/or audit of compliance of the personal data processing with the Federal Law dated July 27, 2006, No 152-FZ, “On personal data”, the legal regulations adopted pursuant thereto, the requirements for personal data protection, these Policies, and the local regulations of the Company;
  - Familiarisation of the Company employees who directly process personal data with the requirements of the Russian Federation law regarding personal data processing and protection, these Policies, and local regulations on the matters of personal data processing, and training in the safe handling of computer equipment;
  - Organisation of the mode of provision of physical security of premises, information media, and equipment;
  - Provision of preservation and integrity of personal data media;
  - Provision of separate storage of personal data (physical media) which is processed for different purposes;
  - Limitation and control of the list of persons who have access to personal data;
  - Appointment of persons responsible for the provision of security of personal data within the information systems.
Key rights of a personal data Subject and duties of the Company
- The Subject shall be entitled to have access to his/her personal data and the information below:
  - Confirmation of the fact of personal data processing by the Company;
  - Legal grounds for and purposes of the personal data processing;
  - Goals and methods of personal data processing applied by the Company;
  - Name and address of the Company, and information on persons (except for the Company employees) having access to the personal data or to whom the personal data may be disclosed under an agreement with the Company or pursuant to the federal law;
  - Time frames for personal data processing, including the period of storage thereof;
  - Procedure for exercising the rights envisaged by the Federal Law dated July 27, 2006, No. 152-FZ “On Personal Data”;
  - Name or full name and address of a person processing personal data on the instructions of the Company, if the processing was or will be entrusted to such person;
  - Applying to the Company and filing requests with it;
  - Appealing against actions or omissions of the Company.
- The Company shall be obliged to:
  - Provide information on the personal data processing at the time of collection;
  - Inform a Subject where the personal data was obtained from a source other than the Subject;
  - Explain the effects of a refusal to provide personal data to a Subject when he/she refuses to do so;
  - Take the required legal, organisational, and technical measures, or ensure that they are taken, in order to protect personal data from unauthorised or accidental access, destruction, modification, blocking, copying, provision, or distribution, and from other wrongful actions with respect thereto;
  - Reply to requests and applications of Subjects, their representatives, and the authorised body for the protection of the rights of personal data subjects.