1. GENERAL PROVISIONS
1.1. The Personal Data Processing Policy of PROJECT GROUP HOLDING COMPANY LLC (the “Policy”) defines the key principles, purposes, conditions, and methods of personal data processing; the categories of data subjects and the categories of personal data processed by PROJECT GROUP HOLDING COMPANY LLC (the “Company”); the Company’s responsibilities in processing personal data; the rights of personal data subjects; as well as the personal data protection requirements implemented by the Company in the course of its activities.
1.2. The Policy has been developed in accordance with the requirements of the Constitution of the Russian Federation; Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (the “Federal Law on Personal Data”); the Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001; Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008 “On Approval of the Regulation on the Specifics of Personal Data Processing Carried Out Without the Use of Automation Tools”; Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 “On Approval of Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems”; as well as other legislative and regulatory acts of the Russian Federation and regulatory documents issued by competent public authorities in the field of personal data.
1.3. The provisions of this Policy form the basis for the development of the Company’s internal regulatory documents governing the processes of personal data processing with respect to the Company’s employees and other personal data subjects, as well as the measures to ensure the security of personal data during such processing.
1.4. For the purpose of implementing the provisions of this Policy, the relevant internal regulations and other documents have been developed, including:
• Regulation on Personal Data Processing;
• Procedure Governing Employees’ Access to Personal Data Processing at PROJECT GROUP HOLDING COMPANY LLC;
• Other internal regulations and documents governing personal data processing within PROJECT GROUP HOLDING COMPANY LLC.
2. KEY TERMS AND DEFINITIONS
Personal Data means any information related, directly or indirectly, to a specific or identifiable individual (personal data subject).
Information means any information (messages, data) regardless of the form in which it is presented.
Data Controller means a governmental authority, municipal authority, legal entity or individual that individually or together with other persons organizes and/or carries out the processing of personal data, as well as defines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data.
Personal Data Processing means any action (operation) or set of actions (operations) performed with personal data, with or without automation aids, including collection, recording, systematization, accumulation, storage, update (upgrade, modification), retrieval, use, transmission (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.
Automated Personal Data Processing means processing of personal data using computer equipment and technologies.
Provision of Personal Data means any actions aimed at disclosing personal data to a specific person or limited audience.
Personal Data Dissemination means actions aimed at disclosing personal data to the public.
Anonymization of Personal Data means actions that make it impossible to attribute personal data to a specific personal data subject without additional information.
Cross-Border Transfer of Personal Data means transfer of personal data abroad to a foreign state authority, a foreign individual or a foreign legal entity.
Personal Data Information System means a set of personal data contained in databases as well as information technologies and hardware supporting its processing.
Personal Data Blocking means a temporary suspension of the personal data processing (unless the processing is required to verify the personal data).
Destruction of Personal Data means actions making it impossible to restore the personal data content in the information system and/or resulting in physical destruction of storage media carrying the personal data.
3. PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
3.1. Personal data processing within the Company shall be carried out with due regard for the need to protect the rights and freedoms of its employees and other personal data subjects, and shall be based on the following principles:
• Personal data processing by the Company shall be conducted on a lawful and fair basis;
• Personal data processing shall be limited to the achievement of specific, predetermined, and lawful purposes;
• Personal data processed shall meet the purposes of processing, and the volume and content of such data shall comply with the stated purposes of processing;
• Databases containing personal data processed for purposes that are incompatible with each other may not be combined;
• In the course of personal data processing, the accuracy, completeness, and, where necessary, relevance of personal data to the purposes of processing shall be ensured, with measures taken to delete or update any incomplete or inaccurate data;
• Personal data shall be stored in a form that allows the identification of the data subject no longer than is necessary to achieve the purposes of processing, unless a longer storage period is required by the laws of the Russian Federation or by a contract to which the data subject is a party, beneficiary, or guarantor;
• Unless otherwise provided for in the laws of the Russian Federation, personal data processed shall be destroyed or depersonalized when the processing purposes are achieved or when achieving these purposes is no longer necessary.
3.2. Personal data shall be processed within the Company for the following purposes:
• Ensuring compliance with the Constitution of the Russian Federation, the legislative and other regulatory acts of the Russian Federation, and the Company’s internal regulations;
• Carrying out the functions, powers, and duties assigned to the Company under the laws of the Russian Federation, including providing personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, and other governmental bodies;
• Regulating employment relations with the Company’s employees, including maintaining personnel and accounting records, assisting with employment, training, and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, and safeguarding Company property;
• Protecting the life, health, or other vital interests of personal data subjects;
• Preparing, concluding, executing, and terminating contracts with counterparties;
• Ensuring access control and implementing internal security procedures at the Company’s facilities;
• Compiling and maintaining reference materials to support the internal informational needs of the Company’s activities;
• Executing court rulings, acts of other authorities, or decisions of officials that are subject to enforcement in accordance with the laws of the Russian Federation on enforcement proceedings;
• Exercising the rights and legitimate interests of the Company in the course of activities provided for by the Articles of Association and other internal regulations of the Company, as well as protecting the rights of third parties or achieving socially significant objectives;
• For other lawful purposes.
4. LIST OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY THE COMPANY AND CATEGORIES OF PERSONAL DATA PROCESSED
4.1. To achieve the processing purposes set forth in this Policy, the Company shall process the personal data of the following categories of data subjects:
• Individuals who are employees of the Company;
• Individuals who are candidates for employment with the Company;
• Individuals whose personal data is processed in connection with the performance of civil law contracts entered into by the Company.
4.2. The list of personal data processed by the Company shall be determined in accordance with the laws of the Russian Federation and the Company’s internal regulations, taking into account the purposes of personal data processing set forth in this Policy.
4.3. The Company shall not process special categories of personal data relating to race, nationality, political opinions, religious or philosophical beliefs, or private life, except in cases provided for by the laws of the Russian Federation.
4.4. The Company may process biometric personal data of data subjects only upon obtaining their written consent, unless otherwise provided by the laws of the Russian Federation.
5. THE COMPANY’S FUNCTIONS IN PERSONAL DATA PROCESSING
When processing personal data, the Company shall:
• Take all necessary and sufficient measures to ensure compliance with the requirements of the laws of the Russian Federation and the Company’s internal regulations in the field of personal data;
• Take necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, distribution or any other illegal actions in respect of personal data;
• Ensure that the Company’s employees directly involved in personal data processing are familiar with the provisions of the laws of the Russian Federation on personal data and with the Company’s internal regulations regarding personal data processing;
• Appoint a person responsible for organizing personal data processing within the Company;
• Identify threats to the security of personal data during their processing in personal data information systems;
• Issue internal regulations defining the policy and governing the processing and protection of personal data within the Company;
• Publish or otherwise ensure unrestricted access to this Policy;
• Obtain the consent of personal data subjects for the processing of their personal data, except in cases provided for by the laws of the Russian Federation;
• Provide, in the prescribed manner, personal data subjects or their representatives with information regarding the existence of personal data relating to them, and allow access to such personal data upon request from the specified personal data subjects or their representatives, unless otherwise provided by the laws of the Russian Federation;
• Terminate the processing and destroy personal data in cases provided for by the laws of the Russian Federation in the field of personal data;
• Perform other actions as required by the laws of the Russian Federation in the field of personal data.
6. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING WITHIN THE COMPANY
6.1. The Company shall carry out the collection, recording, systematization, accumulation, storage, clarification (updating or modification), retrieval, use, transfer (distribution, provision, or access), anonymization, blocking, deletion, and destruction of personal data.
6.2. Personal data processing within the Company shall be carried out using the following methods:
• Non-automated personal data processing;
• Automated personal data processing, with or without the transmission of the obtained information via information and telecommunications networks;
• Mixed personal data processing.
6.3. Personal data processing within the Company shall be carried out based on the consent of the data subject to the processing of their personal data, as well as on other grounds provided for by the laws of the Russian Federation in the field of personal data.
6.4. The Company shall not disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by the laws of the Russian Federation.
6.5. The Company may delegate the processing of personal data to another party only with the consent of the data subject, based on a contract entered into with that party. The contract shall specify the list of actions (operations) to be performed with personal data by the party processing the data, the purposes of processing, the obligation of such party to maintain the confidentiality of personal data and ensure their security during processing, as well as the requirements for the protection of processed personal data in accordance with Article 19 of the Federal Law “On Personal Data.”
6.6. For internal information purposes, the Company may create internal reference materials which, only with the written consent of the data subject, unless otherwise provided by the laws of the Russian Federation, may include their last name, first name, patronymic, place of work, position, phone number, email address, and other personal data provided by the data subject.
7. RIGHTS OF PERSONAL DATA SUBJECTS
Personal data subjects shall have the right to:
• Receive complete information about their personal data processed by the Company;
• Access their personal data, including the right to obtain a copy of any record containing their personal data, except in cases provided for by federal law;
• Clarify their personal data, request that the personal data be blocked or destroyed if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
• Withdraw their consent to the processing of personal data;
• Take measures provided by law to protect their rights;
• Appeal against the actions or inactions of the Company that violate the requirements of the laws of the Russian Federation in the field of personal data, to the authorized body for the protection of data subjects’ rights or to a court;
• Exercise other rights provided for by the laws of the Russian Federation.
8. MEASURES TAKEN BY THE COMPANY TO ENSURE COMPLIANCE WITH THE DATA CONTROLLER’S OBLIGATIONS IN PERSONAL DATA PROCESSING
The Company shall take the following measures, necessary and sufficient to ensure the fulfillment of its obligations as a data controller under the laws of the Russian Federation in the field of personal data, including, but not limited to:
• Appointing a person responsible for organizing personal data processing within the Company;
• Adopting internal regulations and other documents in the field of personal data processing and protection;
• Organizing training and conducting methodological work with employees of the Company’s departments whose positions involve personal data processing;
• Obtaining the consent of personal data subjects for the processing of their personal data, except in cases provided for by the laws of the Russian Federation;
• Segregating personal data processed without the use of automation tools from other information, in particular by recording it on separate physical media in designated sections;
• Ensuring separate storage of personal data and their physical media when processed for different purposes and containing different categories of personal data;
• Ensuring the security of personal data during their transmission via open communication channels, computer networks, and the Internet;
• Storing physical media containing personal data under conditions that ensure their safety and prevent unauthorized access;
• Organizing and ensuring that the person responsible for personal data processing within the Company conducts internal control over compliance of personal data processing with the Federal Law “On Personal Data” and the regulations adopted pursuant thereto, the requirements for personal data protection, this Policy, and the Company’s internal regulations;
• Implementing other measures provided for by the laws of the Russian Federation in the field of personal data.