1. General provisions
1.2. The following terms and definitions related to the personal data processing shall be used in the document:
“Personal data” shall mean any data related to the determined or determinable individual (“personal data subject”); a determinable individual here is an individual that can be identified directly or indirectly using the identifiers such as a name, an identification number (including a tax identification number, an insurance number, etc.), address, Internet identifiers (IP addresses, identifiers such as cookie files or other identifiers). Personal data shall not include data of deceased persons or anonymous data: information that is not related to the determined or determinable individual, and personal data provided anonymously in such a way that the personal data subject cannot be identified without the additional data.
“Personal data controller” shall mean Topvisor Co., Ltd located at the following address: Russian Federation, Sankt Petersburg, ul. Egorova, 23A, 118.
“Personal data processing” shall mean any operation or a collection of operations related to the personal data processing with or without automated tools, including collecting, recording, systematization (organization, structuring), accumulation, storage, refinement (updating, editing), retrieval, use, transfer (sharing, grant, access), anonymization, blocking, removal, and destruction.
“Data processor” shall mean an individual or a legal entity that processes personal data on behalf of the controller.
“Personal data processing” shall mean a free, comprehensive, explicit and substantive expression of the subjects' will by which they accept the processing of their personal data.
“Unauthorized personal data access“ shall mean a security breach that may result in the accidental or unlawful loss, alteration, unauthorized disclosure or access to the provided, saved or in any other way processed data (“personal data leaks”).
The terms and definitions not covered by the Policy shall be interpreted in accordance with the effective Russian and international laws.
1.3. This Policy is a public document that defines the basic principles, purposes, conditions and means of personal data processing, the lists of subjects and data collected by the data processor, functions of the personal data processors, rights of the personal data subjects, and the list of the measures taken to guarantee personal data security during data processing.
1.4. In personal data processing, the processor is guided by the effective Russian and international laws governing personal data processing; labor and tax laws of the Russian Federation; and other legal instruments of the Russian Federation.
2. Principles of personal data processing
2.1. The Processor shall process personal data on the legal and fair basis to carry out the statutory functions, powers and duties; to exercise rights and justified interest of the Processor, Processor’s employees and the third parties. The Processor makes every effort to protect personal data in accordance with the following principles:
- personal data processing shall be limited to the achievement of the specific predefined and lawful purposes; personal data processing that is incompatible with the purposes of the personal data collection shall be prohibited;
- nature and extent of the processed personal data shall be compatible with the stated purposes of the personal data processing. Processed data shall not exceed the stated purposes of the personal data processing;
- in processing personal data, the Processor shall guarantee its accuracy, sufficiency, and, when necessary, relevance in accordance with the purposes of the personal data processing. The Processor shall make every effort or guarantee that the measures are taken to remove or refine any incomplete or inaccurate personal data;
- the processed personal data shall be destroyed or anonymized after the stated purposes of data processing are achieved, or if it is no longer necessary to achieve those purposes, unless otherwise specified in effective Russian legislation;
- transparency in respect to the functions and personal data processing that enables the data subject to control data processing and the data processor to design and improve protection methods to guarantee the personal data safety (its integrity and confidentiality).
3. List of subject’s personal data processed by the data processor, purposes of data processing
3.1. The processor shall process personal data of individuals; processor’s employees; third parties that are in any civil-legal relations with the processor and the processor’s counterparties; and of any other personal data subjects to achieve the statutory purposes of the data processing specified in this part, for example, of the subjects that submit requests to Topvisor Co., Ltd.
3.1.1. Processor has the right to process the following personal data of the processor’s employees: the first name, the middle name, the last name, a patronymic name (including any former names), a date and a place of birth, gender, age, citizenship, the passport details, the details of other identity documents (a travel passport), a residential address (postal and physical address), a date of registration at the permanent address, contact phone numbers, email addresses, any other means of personal communication, information about education, skills, employment history, income details, including salaries (bank account details to complete payments, any other details), information about a job position, a number and series of a state pension insurance certificate, a tax identity number and other data (personal data) that is necessary to achieve the purposes specified in this policy and in employee’s consent with the personal data processing.
3.1.2. Processor has the right to process the following personal data of the third parties: the first name, the middle name, the last name, a patronymic name (including any former names), a date and a place of birth, gender, age, citizenship, passport details, details of other identity documents (a travel passport), a residential address (postal and physical address), a date of registration at the permanent address, contact phone numbers, email addresses, other means of personal communication, bank account details, a number and a series of state pension insurance certificate, the Internet identifiers (IP addresses, identifiers such as cookie files or other identifiers that are not anonymous and that allow the personal data subject to be identified) and other data (personal data) that is necessary to achieve the purposes specified in this policy and in the third party’s consent.
This policy covers the processing of personal data collected on the Internet, and only for the data that allows the personal data subject to be identified.
3.2. The processor shall not process specific categories of employees' and third parties' personal data, namely: biometrics; data, relating to the racial or ethnic origin, political, religious or philosophical views and beliefs, personal life.
3.3. The processor shall process employees' and third parties' personal data in accordance with the purposes of the personal data processing stated in the policy and personal data subject’s consent.
3.3.1. The processor shall process personal data of its employees in order to enforce labor contracts, comply with the rules of law, and also for the following purposes:
- to manage the personnel records, for tax and accounting purposes;
- to carry out the functions, powers, and duties assigned to the processor by Russian legislation, including a duty to provide personal data to the government authorities, Pension Fund of the Russian Federation, Social Insurance Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund and other authorities;
- for regulation of the labor relations with Topvisor Co., Ltd employees (assistance in employment, training, career development, ensuring the personal safety, control of volume and quality of the work performed, property protection, and to provide benefits and compensations under the Russian Federation law);
- execution of court decisions and decisions by other authorized bodies and officials that are enforceable under the Russian executive procedure law;
- in order to exercise the rights and justified interest of the Processor in the course of performing the activities under the Charter;
- for other lawful purposes.
3.3.2. The processor shall process personal data of the third parties for the following purposes:
- concluding civil contracts and fulfilling obligations, including those on the Internet, in the exercise of the processor’s website administrative functions;
- to carry out the functions, powers, and duties assigned to the processor by the Russian legislation, including a duty to provide personal data to the government authorities, Pension Fund of the Russian Federation, Social Insurance Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund and other authorities;
- in order to exercise the rights and justified interest of the Processor in the course of performing the activities under the Charter, including informing about news, new services, processor’s special campaigns and services in accordance with the personal data subject’s consent;
- for other lawful purposes.
4. Procedure of processing personal data
4.1. The processor receives personal data directly from the personal data subject and processes it with the subject’s consent using the automated means (using computing devices) and/or non-automated means (without using computing devices).
If the Processor can receive subject’s personal data from the third party only, the processor shall notify the subject on this matter in advance and get the subject’s written consent. The processor shall inform the personal data subject about the purposes, sources, ways of receiving the data, nature of the data to be received, and the consequences of the refusal to provide the written consent to process the data.
4.2. Actions related to the personal data processing include collecting, recording, systematization (organization, structuring), accumulation, storage, refinement (updating, editing), retrieval, use, transfer (sharing, grant, access) to the third parties, anonymization, blocking, removal, and destruction.
4.3. The databases that store personal data of the subjects shall be located in the Russian Federation. The Processor provides access to personal data of the subjects to the admitted persons who have the right to receive the data that is necessary to carry out their functions only.
Processor warns the individuals who process personal data that the data can be used only for the stated purposes and requires the confirmation that they comply with the hereinabove mentioned rule.
4.4. The processor shall process personal data of the personal data subjects until the employment contract or a concluded civil-law contract expires. The processor is allowed to process personal data of the subjects after the contract expiration within the period stated by the tax law, other legal instruments, and personal data subject’s consent.
4.5. In cases specified by the law and personal data subject’s consent, Processor transfers or assigns personal data processing to the third parties, in particular: governmental and law enforcement institutions (Pension Fund of the Russian Federation, Internal Revenue Service, Social Security Fund, etc.), banks, insurance companies, passenger transportation companies, hotels (for example, to organize a business trip), other organizations, including processor’s partners and individuals in order to fulfill obligations under concluded agreements and to achieve other lawful purposes.
5. Measures taken by the processor to protect personal data
5.1. When processing personal data, the processor shall take all necessary and sufficient measures at its own expense to guarantee that the processor's functions stated by the Russian law governing personal data processing shall be carried out, including the following:
- putting in place legal, institutional and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, sharing access, dissemination of personal data, or from other unauthorized actions with personal data;
- appointment of an individual who shall be responsible for personal data processing in Topvisor Co., Ltd;
- adoption of local legal provisions and other documents governing the personal data processing;
- sensitizing processor’s employees to the Russian laws and local legal provisions governing personal data processing including personal data protection requirements;
- providing a free public access to the policy;
- engaging processor’s employees assigned to the positions related to the personal data processing in the methodological work;
- establishing rules that shall regulate the access to personal data processed within the Processor’s informational system and control of all actions with the data;
- assessment of the possible damage that may be done to the personal subjects’ data; assessment of the measures taken to guarantee personal data safety before putting the processor’s informational system into service;
- identifying security threats of personal data processing, assessment of risks related to personal data processing, introducing measures to reduce the risks and promote security (confidentiality) considering the state of technology at that time and the cost to implement these technologies;
- detecting any cases of the unauthorized access to personal data (personal data leak) and taking measures to respond, including restoring personal data, modified or destroyed as a result of unauthorized access;
- securing separate storage of personal data and their material carrier that is being processed to accomplish different purposes and that contain different categories of personal data;
- termination of data processing and destruction of personal data in cases provided by the Russian laws governing personal data processing;
- internal records of personal data processing and control of personal data processing compatibility with the requirements in the area of personal data processing and this policy;
- taking other measures to protect personal data.
6. Rights of personal data subjects
6.1. The personal data subject has the right to:
- receive full information about personal data processed by the Processor and methods of the data processing;
- get access to subject’s personal data, purposes of data processing, information about third parties that have access to personal data, and other data specified in Russian laws;
- refinement, editing the subject’s personal data, data blocking and destruction in cases if data is incomplete, out-of-date, fraudulently obtained or not necessary for the stated purposes of the data processing;
- revoke a consent with the personal data processing;
- object to personal data processing for the purposes of meeting the legitimate concern of the processor, including the marketing goals;
- restrict personal data processing (in case of verification of the personal data accuracy, the legitimacy of data processing for the duration of inspection, expiration of data processing period, subject to the judicial disputes);
- implementation of the statutory measures to protect the subject’s personal data;
- submit complaints regarding the actions or omissions of Topvisor Co., Ltd related to personal data to the authorized institution governing the protection of personal data subjects’ rights;
- protect their rights and legitimate interests, including a compensation for loss;
- exercise any other rights provided for by the Russian law.
7. Rights and obligations of processor
7.1. Upon receipt of the personal data subject’s request to access, edit, refine, block, destroy the personal data or any other related request, the Processor shall provide a response and grant the personal data subject’s request or specify within 30 (thirty) calendar days why it is not possible to grant the request.
When technically possible, the processor shall arrange a way to accept electronic requests from data subjects. In this, the processor shall confirm the identity of the personal data subject, for example, using the electronic digital signature or other identification means.
7.2. Revocation of the personal subject consent to process data shall not affect the legitimacy of the processor’s rights to process data that were assigned to the processor before the revocation.
7.3. In the event of personal data leakage, the processor has to notify the personal data subject thereof immediately (no later than three working days) and provide recommendations that can reduce the possible negative impact, and also take all the measures to reduce the risk of damage.
7.4. The right of the personal data subjects to delete their data shall be reinforced immediately on the following grounds:
- personal data is no longer required to achieve the purposes for which it was obtained;
- the personal data subject revoked the consent and there is no other legal basis for data processing;
- the data subject objects to the data processing according to para. 7, article 6.1 of the Policy and there is no overriding legal basis to continue processing;
- data has been processed illegally or there are any other grounds to delete personal data in order to ensure that the Russian and international laws are observed.
Hereinabove described rules are not applicable when data processing is required to comply with the Processor’s legal obligations in the public interest, for legal protection from claims, in other cases established by Russian and international law.
The Processor shall take all possible measures to inform about changes or removal of the personal data to the third parties that had access to personal data, excluding authorities and the cases when this proves to be impossible or requires a disproportionate amount of effort (expenses).
7.5. The right of the personal data subjects to access their personal data can be restricted in accordance with the Russian law.
7.6. The processor reserves the right to change the Policy or approve a new version unilaterally, without notifying the data subject. A hereinabove mentioned notification can be sent to the data subject by a Topvisor employee or the third party, by placing a new version of the policy on the official website of the processor, by sending information via electronic or any other channels.
8. Final clauses
8.1. The processor and parties involved in the data processing shall bear full responsibility for compliance with the Russian legislation governing personal data processing.
8.2. If otherwise not mentioned in the policy, any disputes or questions shall be resolved in accordance with the active Russian and international legislation related to the personal data processing and local acts adopted by Topvisor Co., Ltd.