PrCS Ltd Personal Data Processing Policy

1. General provisions

This document defines the policy of ‘PrCS’ Ltd (hereinafter referred to as the Company) regarding personal data processing and sets out the system of basic principles applicable to personal data processing in the Company.

This Policy applies to all transactions performed with personal data in the Company with or without automation tools.

This Policy is binding on all persons admitted to personal data processing in the Company and persons involved in the organization of personal data processing and security processes in the Company.

This Policy is drawn up in accordance with the Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ of July 27, 2006.

This Policy shall be updated in case of change of the personal data legislation of the Russian Federation.

2. Introduction

The company is a personal data operator.

An important condition to achieve the Company’s goals is protection of rights and freedoms of the personal data owner during processing of his personal data.

The Company has developed and implemented documents establishing the procedure for processing and ensuring the security of personal data, which ensure compliance with the requirements of the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ of July 27, 2006 and the regulatory legal acts adopted in accordance with it.

3. Principles and conditions of personal data processing in the Company

The Company, being an operator, processes the following personal data:

- Applicants for vacant positions – within the scope and within the terms necessary for the Company to take a decision on hiring or refusal to hire, with the consent of personal data subjects, as well as for formation of a personnel reserve with the consent of personal data subjects

- Employees who are or were in an employment relationship with the Company - within the scope and within the terms, necessary to achieve the objectives stipulated by the legislation of the Russian Federation, to perform the functions assigned by the legislation of the Russian Federation to the Company, Powers and obligations for formation of personnel reserve upon the consent of personal data owners, as well as for the conclusion and execution of a contract to which either the beneficiary or the guarantor under which the personal data owner is a party, including for the purpose of providing insurance with the consent of personal data owners;

- Relatives of employees of the Company - as part of and within the terms necessary for the performance of the functions, powers and duties assigned to the Company by the legislation of the Russian Federation, the exercise of the rights and legitimate interests of the Company, as well as for the conclusion and execution of a contract to which the beneficiary or guarantor is a personal data owner.

- Representatives of suppliers of the Company – within the scope and the terms necessary for interaction with suppliers upon the consent of personal data owners;

- Persons related to accidents - within the scope and the terms required to achieve the objectives stipulated by the legislation of the Russian Federation, to perform the functions, powers and duties assigned by the legislation of the Russian Federation to the Company;

- Persons who receive income but do not have labor relations with the Company, within the scope and the terms necessary to achieve the goals stipulated by the legislation of the Russian Federation, to perform the functions, powers and duties assigned by the legislation of the Russian Federation to the Company;

- Representatives of potential and existing clients - within the scope and the terms necessary for interaction with potential and existing clients, with the consent of personal data subjects;

- Representatives of partners - within the scope and the terms necessary for interaction with partners, with the consent of personal data subjects;

Personal data processing terms are defined taking into account:

- Established purposes of personal data processing;

- Validity terms of contracts with personal data owners and consent of personal data owners for processing of their personal data;

- Terms established by Order No. 558 of the Ministry of Culture of the Russian Federation dated 25 August 2010 ‘On Approval of the List of ‘Standard Management Archival Documents Formed during the Activity of State Bodies, Local Self-Government Bodies and Organizations, with Indication of Storage Terms’.

The Company processes personal data on a legal and fair basis.

When processing personal data, its accuracy, adequacy and, where necessary, relevance to the purposes of processing personal data are ensured.

The Company does not disclose personal data to third parties and does not distribute personal data without the consent of the personal data owner (unless otherwise provided by federal law of the Russian Federation).

The company processes special categories of personal data of people related to accidents, employees and expats (information on the state of health in line with employment relations). At the same time, the Company meets the requirements for processing of special categories of personal data provided for by the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dated July 27, 2006 and the Labour Code of the Russian Federation.

The company does not process biometric personal data.

The Company does not make decisions that give rise to legal consequences with respect to the personal data owner or otherwise affect his rights and legitimate interests on the basis of exclusively automated processing of personal data.

The company assigns the personal data processing to another person. At the same time, the Company complies with the requirements to the instructions for personal data processing provided by the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006.

The company processes personal data using automation tools and without using them. At the same time, the Company meets the requirements for automated and non-automated personal data processing provided for by the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and regulatory legal acts adopted in accordance with it.

4. Rights of personal data subjects processed in the Company

A personal data subject is entitled to receive information relating to his personal data processing. In order to obtain this information, the personal data owner may send a written request (the request may also be sent as an electronic document and signed by an electronic signature) to: 82 Marata Street, St. Petersburg, 191119, Russia, in accordance with the procedure established by Article 14 of the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006.

5. Performance of duties of the Operator by the Company

The company receives personal data from personal data owners and from third parties (persons who are not personal data owners). At the same time, the Company fulfils the obligations stipulated by the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and the Labour Code of the Russian Federation when collecting personal data.

The Company shall stop processing personal data in the following cases:

- In case of termination of personal data processing conditions or after the established terms are expired;

- Upon achievement of the objectives of their processing or in case of loss of the need to achieve these objectives;

- At the request of the personal data owner, if the personal data processed by the Company is incomplete, obsolete, inaccurate, illegally obtained or not necessary for the stated purpose of processing;

- In case of detection of illegal processing of personal data, if it is impossible to ensure legal processing of personal data;

- If the personal data owner revokes its consent to process his personal data or if such consent expires (if the personal data is processed by the Company solely on the basis of the personal data subject 's consent);

- In case of dissolution of the Company.

The following measures have been taken by the company to ensure compliance with the obligations stipulated by the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and regulatory legal acts adopted in accordance with it:

- The person responsible for organization of personal data processing is appointed;

- Local acts on processing and ensuring the security of personal data have been issued, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations:

Regulation on Personal Data Processing;

- real Policy;

- Other local acts on issues of personal data processing and security;

- Legal, organizational and technical measures have been applied to ensure the security of personal data;

- Internal control of compliance of personal data processing with the requirements of the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and regulatory legal acts adopted in accordance with it, this Policy, local acts of the Company;

- Assessment of the damage that may be caused to personal data owners in case of violation of the federal legislation requirements on personal data, the balance of the said damage and the measures taken by the Company to ensure fulfillment of the obligations provided for in the requirements of the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and regulatory legal acts adopted in accordance with it;

- Employees of the Company who directly process personal data are acquainted with the provisions of the Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dd July 27, 2006 and the regulatory legal acts adopted in accordance with it, this Policy and local acts of the Company on issues of personal data processing.

The Company implements the following personal data protection requirements:

- A security regime has been established for premises where information systems are located, which prevents uncontrolled entry or stay of persons who do not have the right of access to these premises;

- Personal data carriers protection is implemented;

- The head of the Company has approved a document defining the list of persons whose access to personal data processed in the information system is necessary for their performance of official (labor) duties;

- Data protection tools which have passed the procedure of assessment of compliance with the requirements of the legislation of the Russian Federation in the field of information security are being used;

- The requirements established by the Resolution of the Government of the Russian Federation of September 15, 2008 № 687 ‘On Approval of the Regulation on Peculiarities of Personal Data Processing Performed without Use of Automation Tools’ have been implemented.