Pumori Corporation Ltd
________________ A. I. Balandin
“___” ___________ 2017
1.1 This document determines the policy of Pumori Corporation Ltd (hereinafter, the Company) in respect of processing of personal data (hereinafter, PD).
1.2 This Policy has been worked out in accordance with the current Russian Federation legislation on personal data.
1.3 The operation of this Policy extends to all processes of collecting, recording, systematizing, accumulating, storing,refining, extracting, using, transferring (distributing, providing, accessing), depersonalizing, blocking, deleting, destroying personal data, whether or not making use of automation means.
2 PRINCIPLES OF PERSONAL DATA PROCESSING
Personal data processing is based on the following principles:
1) Personal data processing is effected on a legal and just basis;
2) Personal data processing is limited to achieving concrete, predetermined, and lawful aims. Personal data processing incompatible with the aims of personal data collection is not permitted;
3) Integration of databases containing personal data processing of which is effected in aims incompatible between one another is not permitted;
4) Only those personal data are subject to processing which answer the aims of such processing;
5) The content and amount of personal data being processed correspond to the declared aims of processing. Personal data being processed are not redundant with respect to the declared aims of processing;
6) In personal data processing, accuracy and sufficiency of personal data is ensured, as well as their being up to date with respect to the declared aims of such processing.
7) Storage of personal data is effected in the form permitting to identify the personal data subject not longer than required by the aims of the personal data processing unless the period of storing such personal data is established by a federal law or a contract a party, beneficiary, or guarantor to which the personal data subject is. The personal data processed are subject to destruction or depersonalization upon the processing aims having been achieved or if achieving such aims has become unnecessary, unless otherwise provided for by federal law.
3 CONDITIONS OF PERSONAL DATA PROCESSING
3.1 Personal data processing is effected in observance of the principles and rules established by the Federal Law On Personal Data. Personal data processing is allowed in the following cases:
1) Personal data processing is effected with the personal data subject's consent to have his/her personal data processed;
2) Personal data processing is necessary for achievement of the aims provided for by an international treaty of the Russian Federation or a law, for exercise and fulfilment of functions, powers and duties imposed by the Russian Federation legislation on the operator;
3) Personal data processing is necessary for administration of justice, execution of a judicial act, or of an act of another body or an official if such acts are subject to execution in accordance with the Russian Federation legislation on execution of judgement;
4) Personal data processing is necessary for performance of a contract a party, or a beneficiary, or a guarantor to which the personal data subject is, and also for conclusion of a contract at the personal data subject's initiative or a contract under which the personal data subject is to be beneficiary or guarantor;
5) Personal data processing is necessary for protection of the life, health or other vital interests of the personal data subject if it is impossible to obtain the personal data subject's consent;
6) Personal data processing is necessary for exercise of rights and legitimate interests of the operator or third parties, or for achievement of socially-relevant aims on condition that the rights and freedoms of the personal data subjects are not violated;
7) Personal data processing is effected in statistical or other research aims on condition of mandatory depersonalization of such personal data, except for personal data processing in the aims of marketing of goods, work, services through direct contacts with a potential consumer with the aid of communication means as well as in the aims of political agitation;
8) Personal data is processed access to which of an unlimited range of persons has been granted by, or at the request of, the personal data subject (hereinafter, "personal data made generally available by the personal data subject");
9) Personal data is processed which is subject to publishing or obligatory disclosure in accordance with federal law.
3.2 The Company may include personal data of subjects in generally available personal data sources, the Company having obtained the subject's written consent to his/her personal data to be processed.
3.3 Biometric personal data (data characterizing physiological and biological peculiarities of a person enabling his/her identification and used by the operator to identify the personal data subject) are not processed in the Company.
3.4 No decisions are taken on the exclusive basis of automated personal data processing if such decisions would generate legal consequences regarding the personal data subject or otherwise affecting his/her rights and legitimate interests.
3.5 When a written consent of the subject to processing of his/her personal data, consent may be given by the subject or his/her representative in any form permitting to confirm the fact of its having been obtained.
3.6 The Company has the right to commission another person with personal data processing with the consent of the personal data subject, unless otherwise provided for in federal law, on the basis of a contract made with such person (hereinafter, "the operator's commission). In such contract, the Company obligates the person effecting personal data processing under the Company's commission to observe the principles and rules of personal data processing provided for in this Federal Law.
3.7 If the Company commissions personal data processing to another person, the responsibility to the personal data subject for actions of the said person is borne by the Company. The person effecting personal data processing under the Company's commission is responsible to the Company.
3.8 The Company obligates itself and other persons obtaining access to personal data not to disclose personal data to third persons and not to distribute such data without the personal data subject's consent unless otherwise provided for by federal law.
4 OBLIGATIONS OF THE COMPANY
In accordance with the requirements of Federal Law No. 152-FZ On Personal Data, the Company is obliged to:
• Provide the personal data subject, at his/her request, with information concerning processing of his/her personal data, or, on legitimate grounds, refuse to do so.
• At the personal data subject's demand, refine, block or delete the personal data being processed if such data is incomplete, obsolete, unlawfully obtained or not necessary for the declared aims of processing.
• Keep a Communication Log with Personal Data Subjects to record personal data subjects' requests to receive personal data and facts of provision of personal data according to such requests.
• Notify the personal data subject of personal data processing when the personal data was obtained not from the personal data subject, with the following exceptions:
1. The PD subject has been notified of processing his/her PD by the respective operator;
2. The PD has been obtained by the Company on the basis of federal law or in connection with performance of a contract a party, beneficiary or guarantor to which the PD subject is;
3. The PD has been made generally available by the PD subject or obtained form a generally available source;
4. The Company effects PD processing for statistical or other research aims, for professional journalist activities or for scientific, literary or other creative activities, on condition that in doing so, the rights and legitimate interests of the PD subject are not violated;
5. Provision to the PD subject of data contained in the PD Processing Notification violates the rights and legitimate interests of third parties.
• If the aim of personal data processing has been achieved, personal data processing shall be immediately stopped and the corresponding personal data shall be destroyed within the period not exceeding thirty days from the date of achievement of the aim of personal data processing, unless otherwise provided for by the contract a party, beneficiary or guarantor to which the personal data subject is, or another agreement between the Company and the personal data subject, or if the Company does not have the right to process personal data without the personal data subject's consent on the grounds provided for in Federal Law No. 152-FZ On Personal Data or other federal laws.
• If the personal data subject revokes his/her consent to processing his/her personal data, the personal data processing shall be stopped and the personal data shall be destroyed within the period not exceeding thirty days from the date when such revocation is received, unless otherwise provided for by an agreement between the Company and the personal data subject. The Company shall notify the personal data subject of the destruction of the personal data.
• If the subject demands that his/her personal data processing in the aims of marketing of goods, work, services be stopped, the personal data processing shall be immediately stopped.
5 PERSONAL DATA SECURITY MEASURES DURING PERSONAL DATA PROCESSING
5.1 In personal data processing, the Company takes necessary legal, organizational and technical measures to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision or distribution of personal data as well as against other unlawful actions with respect to personal data.
5.2 Security of personal data is ensured, inter alia, by:
• identification of personal data security threats during its processing in personal data information systems;
• effectuation of organizational and technical measures to ensure personal data security during its processing in personal data information systems necessary to fulfil requirements to personal data protection the fulfilment of which ensures the personal data protectedness levels established by the Russian Federation Government;
• application of information protection facilities that have passed the compliance evaluation procedure according to the order established;
• evaluation of effectiveness of the measures taken to ensure personal data security prior to putting the personal data information system into operation;
• taking inventory of machine media of personal data;
• detection of facts of unauthorized access to personal data, and taking measures;
• recovery of personal data modified or destroyed in consequence of unauthorized access to it;
• establishment of rules of access to personal data processed in the personal data information system, as well as ensurance of registration and record-keeping of all actions effected with personal data in the personal data information system;
• control over measures being taken to ensure personal data security and protectedness level of personal data information systems.
Legal Department M. N. Leukhnenko
IT section S. A. Zherebtsov