PERSONAL DATA PROTECTION AND PROCESSING POLICY

PERSONAL DATA PROTECTION AND PROCESSING POLICY
of NOYTECH Logistics Rus Limited Liability Company (hereinafter – the «‎Company»‎)

1. General Provisions

1.1. The current Policy regarding the processing of personal data (hereinafter referred to as the “Policy”) has been drawn up in accordance with Art. 18.1, par. 1, sub-par. 2 of the Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as the “Law on Personal Data”), as well as other regulatory legal acts in the field of protection and processing of personal data and applies to all personal data (hereinafter referred to as the “Data”). The organization (hereinafter referred to as the “Operator”, the “Company”) processes PD in compliance with the principles and rules, as well as in cases provided for by the Law on Personal Data.

1.2. The Operator shall ensure the protection of processed personal data from unauthorized access and disclosure, misuse or loss in accordance with the Law on Personal Data.

1.3. The Operator shall have the right to make changes to the Policy. When making changes, the heading of the Policy indicates the date of the last update. The new version of the Policy comes into force from the date of the relevant order on the entry into force of the Policy, unless otherwise provided by the new version of the Policy.

1.4. The Policy shall be reviewed as necessary, but at least once every three years from the date of the previous revision of the Policy.

2. Terms and Abbreviations

Company;NOYTECH Logistics Rus Limited Liability Company Personal data (PD);Any information relating directly or indirectly to an identified or identifiable individual (personal data subject) Personal data subject;An individual, a carrier of personal data, whose personal data is transferred to the company for processing Data operator (Operator);A state agency, municipal authority, legal entity or individual who independently or in cooperation with other entities organizes and/or processes personal data as well as determines the purposes and scope of personal data processing, actions (operations) performed with personal data Personal data processing;Any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including, collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymizing, blocking, deletion, destruction Automated personal data processing;Personal data processing by means of computer technology Distribution of personal data;Actions related to making the data available to indefinite range of persons Provision of personal data;Actions related to making the data available to a definite person or a definite range of persons Blocking of personal data;The temporary cessation of personal data processing (except for the cases when the processing is needed for personal data specification) Destruction of personal data;Actions performed on personal data contained in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of personal data Anonymization of personal data;actions performed on personal data that do not permit the identity of the individual concerned to be verified solely from such anonymized data Personal data information system;A database that contains personal data as well as information technologies and hardware used for data processing Cross-border transfer of personal data;Cross-border transfer of personal data to a foreign state agency, foreign legal entity or individual located in a foreign state PDISs;Personal data information systems Personal Data Processor;A legal entity that independently or jointly with other persons organizes and (or) processes personal data transferred from the Operator on the basis of an assignment agreement.

3. Scope of Application

The Policy shall apply to all processes of the Company within which personal data of personal data subjects are processed, both using computer equipment, including using information and communication networks, and without using such means.

4. Principles of Personal Data Processing

The Company shall ensure the personal data processing lawfulness, as well as the appropriate level of personal data security.

The personal data processing in the Company shall be carried out on a legal and equitable basis and shall be restricted by achieving specific pre-determined and legal purposes. Personal data shall be stored in a form that allows verification of the identity of personal data subjects only to the extent necessary for processing purposes unless the personal data storage time is not established by federal laws, agreements concluded with personal data subjects as a beneficiary or guarantor party. Personal data shall be destroyed or depersonalized upon achieving the set goals as well as when such goals cease to be relevant unless otherwise provided for by federal legislation of the Russian Federation.

5. Conditions of Personal Data Processing

5.1. The Operator shall process personal data in accordance with the requirements of the legislation of the Russian Federation.

5.2. Personal data processing shall be carried out with the consent of the personal data subject to the processing of his/her personal data, as well as in cases of occurrence of another legal basis for the personal data processing provided for by the current legislation of the Russian Federation.

5.3. The Operator shall provide both automated and non-automated processing of personal data.

5.4. The Operator’s employees are allowed to process personal data, whose duties include the personal data processing.

5.5. The personal data shall be processed by:

obtaining personal data in oral and written form directly with the consent of the personal data subject to the processing of his/her personal data;
obtaining personal data from publicly available sources;
entering personal data into the Operator’s logs, registers and information systems;
using other personal data processing methods.

5.6. It is not allowed to disclose to third parties and distribute personal data without the consent of the personal data subject, unless otherwise provided by the Federal law.

5.7. In accordance with parts 3-5 of Article 6 of the Law on Personal Data, the Company has the right to accept personal data for processing from affiliated companies belonging to the Neutec Group, that is, to assume the duties of a PD "processor" on the basis of an assignment agreement. The contract of the order between the Operator and the "processor" can define not only the rules for processing PD, the obligations of the parties, but also establish responsibility for their violation, determine the extrajudicial procedure for collecting a fine and/or a penalty. The Company's responsibility is to ensure the confidentiality and security of PD during their processing.

5.8. The transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive bodies and organizations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.

5.9. The Operator shall take all necessary legal, organizational and technical measures to protect personal data against unauthorized or accidental access thereto, destruction, alteration, blocking, distribution and other unauthorized actions, including:

identification of threats to the security of personal data during their processing;
adoption of local regulations and other documents in the field of processing and protection of personal data; • appointment of officials responsible for ensuring the security of personal data in the divisions and information systems of the Operator;
creation of necessary conditions for working with personal data;
organization of registration of physical storage media for personal data;
organization of work with information systems in which personal data are processed;
storage of physical storage media for personal data in compliance with the conditions providing protection of personal data and eliminating an opportunity of unauthorized access to them;
organization of training of the Operator’s employees engaged in personal data processing.

5.10. The Operator shall store personal data in a form that allows determining the personal data subject, no longer than the purpose of processing personal data requires, if the storage period for personal data is not established by federal law, by an agreement.

5.11. When collecting personal data, including through the information and telecommunications network Internet, the Operator provides recording, systematization, accumulation, storage, specification (updating, changing), extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation, with the exception of cases specified in the Law on Personal Data.

5.12. Personal Data Processing Purposes:

5.12.1. Only personal data that comply with the purposes of their processing are subject to processing.

5.12.2. Processing of personal data by the Operator shall be performed for the following purposes:

to provide compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
to implement its activities in accordance with the Charter of the Company;
to provide keeping of HR records and employee’s personal files;
to assist candidates in employment, workers in education and career development, provide personal safety of employees, control the quantity and quality of work performed and ensure safety of a property; • to attract and select candidates for work with the Operator;
to organize individual (personified) accounting of employees in the system of mandatory pension insurance;
to file in and transfer to the executive authorities and other authorized organizations the required reporting forms;
to implement civil and legal relations;
to maintain accounting records;
to ensure access control.

5.13. Categories of personal data subjects. PD of the following personal data subjects shall be processed: – individuals who are in labor relations with the Company; – individuals who quit the Company; – individuals who are potential employees; – individuals who are in civil law relations with the Company.

5.14. PD processed by the Operator: – data obtained during the implementation of labor relations; – data obtained for the applicants’ selection for work; – data obtained in the implementation of civil law relations.

5.15. Storage of personal data.

5.15.1. PD of subjects can be obtained, undergo further processing and transferred for storage both in paper and in electronic form.

5.15.2. PD recorded on paper shall be stored in lockable cabinets or in locked rooms with limited access rights.

5.15.3. It is not allowed to store and place documents containing PD in open electronic catalogs (file sharing) in PDISs.

5.16. Destruction of personal data.

5.16.1. Destruction of documents (carriers) containing PD shall be carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. For the destruction of paper documents, the use of a shredding machine is allowed.

5.16.2. PD stored on computer media shall be destroyed by erasing or formatting the media.

5.16.3. The fact of the destruction of PD shall be confirmed by the documentary act of destruction of carriers.

6. Personal Data Protection

6.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS), consisting of subsystems of legal, organizational, and technical protection.

6.2. The subsystem of legal protection is a complex of legal, organizational, administrative, and regulatory documents that ensure the creation, functioning, and improvement of the PDPS.

6.3. The subsystem of organizational protection includes the organization of the management structure of the data protection system, the authorization system, and information protection when working with employees, partners, and third parties.

6.4. The subsystem of technical protection includes a set of technical, software, firmware, and hardware tools that ensure PD protection.

6.5. The principal PD protection measures used by the Operator are as follows:
6.5.1. Appointing a person responsible for the processing of PD, organizing the processing of PD, training and instructing, internal control over the compliance of the institution and its employees with the requirements for the PD protection.
6.5.2. Identifying actual threats to the security of PD when processing them in the ISPD and the development of measures and measures to protect PD.
6.5.3. Establishing rules for accessing PD processed in the ISPD, as well as ensuring the registration and accounting of all actions performed with the PD in the ISPD.
6.5.4. Setting up individual passwords for employees’ access to the information system in accordance with their production responsibilities.
6.5.5. Applying the procedure for assessing the conformity of information protection means that have passed in the prescribed manner.
6.5.6. Certified antivirus software with regularly updated databases.
6.5.7. Complying with the conditions that ensure the PD protection and exclude unauthorized access to them.
6.5.8. Identifying unauthorized access to personal data and taking measures.
6.5.9. Recovering PD that were modified or destroyed due to unauthorized access to them.
6.5.10. Training of the Operator’s employees who are directly involved in the processing of personal data, the provisions of the legislation of Ireland on personal data, including the requirements for the protection of personal data, documents defining the Operator’s policy regarding the processing of personal data, local acts on the processing of personal data.
6.5.11. Implementing internal control and audit.

7. Basic Rights of the PD Subject and Obligations of the Operator Document History

7.1. Basic rights of the PD subject. The subject has the right to access his personal data and the following information: – confirmation of the processing of personal data by the Operator; – the legal grounds for and purposes of the processing of the personal data; – the purposes and methods used by the Operator for the processing of personal data; – the name and location of the Operator and information on persons (other than employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of a Federal law; – the period of the processing of the personal data, including the period for which they are kept; – the procedure for the exercise by the personal data subject of the rights provided for in this Federal law; – name or surname, first name and patronymic and the address of the person carrying out the processing of personal data on the instruction of the operator, if the processing has been or is intended to be assigned to such a person; – addressing to the Operator and sending requests to it; – appealing actions or inaction of the Operator.

7.2. Operator’s Obligations. The operator shall be obliged to: – provide information on personal data processing when it collects personal data; – inform a subject if personal data have been obtained other than from the personal data subject; – in case of refusal to provide the PD, the subject is explained the consequences of such refusal; – publish or otherwise provide unrestricted access to the document that defines Company’s PD processing policy, to information about the requirements for PD protection that are being implemented; – take the necessary legal, organizational and technical measures or ensure their adoption to protect the PD against unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of PD, as well as other illegal actions in relation to PD; – to give answers to the queries and complaints of personal data subjects, their representatives and the authorized body for the protection of personal data subjects’ rights.

7.3. An operator who has assumed the functions of a LDPE Processor under an assignment agreement with an affiliated legal entity of the Noitek Group of Companies is obliged to:

Comply with the legal principles of PD processing.
Ensure traffic safety.
3. Not to disclose to third parties and not to distribute PD.
4. Perform technical and organizational protection measures.
5. Establish rules for access to the PD of the Guarantor Operator. The Company is not obliged to obtain the consent of the PD subject to the processing of its PN.

8. Responsibility for Violation or Non-fulfillment of the Policy

8.1. Control over the implementation of the Policy is imposed on the person, responsible for organizing the personal data processing.

8.2. Persons who violate or do not fulfill the requirements of the Policy shall be brought to disciplinary, administrative, civil, criminal responsibility under the legislation of the Russian Federation.

8.3. Heads of Operator’s divisions shall bear personal liability for the performance of duties by their subordinates.