1.1. This personal data processing policy (hereinafter — the Policy) is a public document that declares general personal data processing approaches and personal data protection measures applied by the following companies of the FBK Group (hereinafter individually and/or collectively referred to as the Company, the Processor):
1.2. The Policy is used to develop internal personal data processing documents that describe procedures aimed to prevent and identify violations of the Russian personal data law and remedy consequences of the violations (the Personal Data Processing Regulation).
1.3. The Company discloses in the Policy key categories of personal data processed by the Company, the purposes, principles, procedures and conditions of personal data processing, the rights and obligations of the Company and personal data subjects, as well as approaches applied by the Company to protect personal data.
1.4. The Policy has been developed in accordance with the provisions of the applicable international law and requirements of laws and regulations of the Russian Federation concerning personal data protection, including:
1.5. In case of changes in the applicable law, this Policy is valid to the extent it is not inconsistent with the effective law and other regulations, as well as the respective internal documents, until the Policy is brought in compliance with the new requirements.
1.6. The regulations being the legal framework of personal data processing at the Company are listed below (the Company as the PD Processor processes personal data in compliance and in accordance with these regulations):
1.7. This Policy is a public internal document that is freely available at https://fbkmoscow.ru/subscribe/personal-data-processing-policy.php.
2. Terms and definitions
This Policy uses the following terms and definitions:
2.1. ‘Automated personal data processing’ means processing of personal data by automated means.
2.2. ‘Blocking of personal data’ means temporary suspension of personal data processing (except when processing is required to update personal data).
2.3. ‘Personal data information system’ means a set of personal data in databases and information technologies used to process it.
2.4. ‘Clients’ mean legal entities (residents and non-residents), individual entrepreneurs, individuals that are engaged in private practice and/or entered into a contract with the Company to render a service or carry out a transaction.
2.5. ‘Personal data confidentiality’ means a requirement that is mandatory for the Processor or other persons that have obtained access to personal data not to disclose to third parties and not to disseminate the personal data without the consent from the personal data subject unless otherwise required by the federal law.
2.6. ‘Anonymisation of personal data’ means actions taken to render it impossible to attribute personal data to a specific personal data subject without the use of additional information.
2.7. ‘Personal data processing’ means any operation or a set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, accumulation, storage, adjustment (updating or alteration), retrieval, use, transfer (transmission, dissemination or otherwise making available), anonymisation, blocking, erasure or destruction of personal data.
2.8. ‘Processor’ means the Company that arranges processing of and/or processes personal data, as well as determines the purpose of personal data processing, the composition of personal data to be processed and operations performed on personal data.
2.9. ‘Personal data’ (PD) means any information that relates to a directly or indirectly identified or identifiable individual (personal data subject).
2.10. ‘Personal data permitted by the personal data subject for dissemination’ means personal data to which an unlimited number of persons have access provided by the personal data subject by giving the consent to the processing of personal data permitted by the personal data subject for dissemination in the manner prescribed by Law 152-FZ.
2.11. ‘Provision of personal data’ means actions aimed at disclosure of personal data to a specific person or persons.
2.12. ‘Representative’ means a person acting on behalf of the person being represented (an employee, a client, a correspondent, a counterparty, a partner) under a law, a contract or a power of attorney.
2.13. ‘Employee’ means a person employed (hired by the Company, working under an employment contract at the Company full time or part time).
2.14. ‘Contractor’ means a person working under an individual contractor agreement.
2.15. ‘Dissemination of personal data’ means actions aimed at disclosure of personal data to a non-specific person or persons.
2.16. ‘Website’ means the Company’s websites (collectively and/or individually) at the following domains: http://www.fbk.ru, https://fbkmoscow.ru/, https://fbk-pravo.ru/, https://fbk-legal.com/, https://fbkcs.ru/, http://elsfbk.ru/.
2.17. ‘Applicant’ means a candidate to fill vacancies and/or inclusion in the talent pool.
2.18. ‘Personal data subject’ means an individual that is directly or indirectly identified or identifiable with personal data.
2.19. ‘Cross-border personal data transfer’ means transfer of personal data to a foreign country for a public authority of a foreign country, a foreign natural or legal person.
2.20. ‘Destruction of personal data’ means actions which render the content of personal data irretrievable in the personal data information system and/or which destroy tangible media bearing the personal data.
3. Personal data processing principles
3.1. The Company processes personal data on a legitimate and equitable basis.
3.2. Personal data processing is limited to achieving specific pre-defined legitimate purposes. The Company does not allow personal data processing inconsistent with the purposes of personal data collection. Only the personal data that serves the purposes of its collection is subject to processing. Personal data processed should not be excessive with respect to the processing purposes declared.
3.3. It is not allowed to combine databases that contain personal data processed for conflicting purposes.
3.4. When processing personal data, the Company ensures that the personal data is accurate, sufficient and, if necessary, relevant with respect to the purposes of personal data processing. The Company takes appropriate measures or procures that they are taken to eliminate or update incomplete or inaccurate data.
3.5. Personal data is stored so that the PD subject can be identified, for a period no longer than is required to achieve the purpose of personal data processing, unless the personal data storage period is defined in a law or a contract under which the PD subject is a party, a beneficiary or a guarantor. Personal data processed should be destroyed or anonymised when the purposes of its processing are achieved or if it is no longer necessary to achieve those purposes, unless otherwise required by law.
4. Rights and obligations of the Company as PD processor
4.1. The Company, as the PD processor, is entitled to:
4.1.1. collect, record, structure, accumulate, store, adjust, retrieve, use, transfer and anonymise PD based on the consent from the PD subjects;
4.1.2. block and erase PD as required by the applicable law and the Company’s internal documents;
4.1.3. check PD provided for accuracy, reliability and relevance in cases, to the extent and according to the procedure established by law;
4.1.4. refuse to provide PD to third parties in cases established by law;
4.1.5. provide subjects’ PD to third parties if permitted by the effective law;
4.1.6. use a subject’s PD without their consent in cases established by law;
4.1.7. refuse to render services to a PD subject if the subject refuses to provide (fails to provide) PD that needs to be processed for the services to be rendered unless otherwise stipulated by law;
4.1.8. protect its interests in court;
4.1.9. pursue other rights given by laws or contracts.
4.2. The Company, as the PD processor, is obliged to:
4.2.1. refrain from disclosing to third parties and not to disseminate personal data without obtaining consent from the PD subject unless otherwise stipulated by law;
4.2.2. provide subjects’ PD to third parties if permitted by the effective law (to tax, law enforcement authorities etc.);
4.2.3. stop personal data processing if requested by the PD subject unless otherwise required by law;
4.2.4. take measures that are necessary and sufficient to fulfil obligations under Law No. 152-FZ and other regulations of the Russian Federation;
4.2.5. notify the body authorised to protect the rights of PD subjects about its intention to process PD before its processing unless otherwise required by law;
4.2.6. notify, on a timely basis, the body authorised to protect the rights of PD subjects about changes in the information given in a PD processing notification or PD processing termination notification;
4.2.7. provide, on a timely basis, the body authorised to protect the rights of PD subjects with documents and local regulations requested and/or otherwise confirm that it has taken measures to fulfil obligations under the personal data protection law;
4.2.8. fulfil other obligations under laws or contracts.
5. Rights and obligations of PD subjects
5.1. When processing personal data, the Company ensures that the following rights of PD subjects (their representatives) are observed:
5.1.1. the right of free access to their personal data, including the right to receive copies of any record containing the personal data unless otherwise provided by law;
5.1.2. the right to demand adjustment (amendment) of their personal data, its blocking or destruction if the personal data is incomplete, inaccurate, outdated, unreliable, obtained illegally or no longer necessary for the processing purpose declared, as well as to take measures permitted by law to protect their rights;
5.1.3. the right to demand provision of a list of their personal data processed by the Company and information about the source from which it was obtained unless otherwise provided by law;
5.1.4. the right to receive information about the personal data processing period, including the personal data storage period;
5.1.5. the right to receive other information about their personal data processing;
5.1.6. the right to demand notification of all parties to whom inaccurate or incomplete (incorrect, outdated) personal data of the PD subject was sent about all exceptions, corrections or updates;
5.1.7. the right to complain to the body authorised to protect the rights of PD subjects about unlawful actions or omissions by the Processor during their PD processing;
5.1.8. the right to protect their rights and legal interests in court, in particular claim pecuniary and/or non-pecuniary damages;
5.1.9. the right to select representatives for protection of their PD;
5.1.10. the right to withdraw PD processing consent unless otherwise provided by law;
5.1.11. other rights given by laws or contracts.
5.2. When processing personal data, the Company assumes that the PD subject (their representative) will:
5.2.1. ensure that the personal data is accurate, reliable and updated when it is provided to the Processor;
5.2.2. provide the Processor, on a timely basis, with information about changes in their PD if required by a law and/or a contract entered into by and between the PD subject and the Company;
5.2.3. fulfil other obligations under a law or a contract with the PD subject (their representative).
6. Categories of personal data subjects and personal data processed
6.1. The Company processes personal data of the following categories of PD subjects obtained from relevant sources:
6.1.1. the Company’s employees, former employees, interns, as well as employees’ family members — PD subjects are the source of personal data;
6.1.2. applicants during interviews at the Company — personal data subjects and public sources are the source of personal data;
6.1.3. individuals — suppliers/contractors (including potential ones) and their representatives — personal data subjects, representatives of suppliers/contractors, public sources, including information in mass media and on a supplier’s/contractor’s website, are the source of personal data;
6.1.4. individuals — clients (including potential ones) and their representatives/counterparties — personal data subjects, the Company’s clients, public sources, including information in mass media and on a client’s/its representative’s/counterparty’s website, are the source of personal data;
6.1.5. visitors of the Company’s website and/or users of the Company’s social networks and/or mobile apps — personal data subjects are the source of personal data;
6.1.6. visitors of the Company’s offices — personal data subjects and their representatives are the source of personal data;
6.1.7. attendees of events organised by the Company in whole or in part — personal data subjects and their representatives are the source of personal data.
6.2. Under each category of subjects and with respect to the Company’s specific purposes, the Company may process the following categories of personal data:
6.2.1. First (special) category PD includes PD about the PD subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life and other personal data classified by the effective legislation as special category PD. Special category PD is not processed by the Company unless otherwise provided by law;
6.2.2. Second category PD includes biometric personal data, i.e. data relating to physiological and biological characteristics of a person, which may be used to identify that person. Biometric personal data may be processed by the Company after obtaining respective written consent from the PD subject or without consent if permitted under article 11 of Law No. 152-FZ;
6.2.3. Third (general) category PD includes publicly available personal data obtained exclusively from publicly available sources established in accordance with article 8 of Law No. 152-FZ. The Company processes that data in respect of all categories of PD subjects;
6.2.4. Fourth category PD includes other categories of personal data not stipulated in clauses 6.2.1, 6.2.2 or 6.2.3.
6.3. The complete list of the personal data processed by the Company for each category of data subjects for specific purposes is provided in the Personal Data Processing Regulation.
7. Personal data processing purposes
7.1. The Company, as the PD processor, processes personal data to achieve the following purposes:
8.1. Personal data is processed with the PD subject’s consent to the processing of their personal data.
8.2. The PD subject decides of their own free will and volition whether to provide their personal data and gives consent to its processing. Consent to personal data processing should be affirmative, informed and freely given.
8.3. The PD subject or their representative may give consent to personal data processing in any form that makes it possible to confirm its receipt unless otherwise stipulated by the federal law. Written paper-based consent personally signed by the PD subject is valid as much as electronic consent signed with an electronic signature in accordance with the federal law.
8.4. The subject’s personal data may be obtained from a person other than the PD subject if the Company is provided with proof of appropriate reasons for that stipulated by law. If consent to personal data processing is obtained from the PD subject’s representative, the Company should verify whether the representative is authorised to give consent on behalf of the PD subject.
8.5. The PD subject may withdraw consent to personal data processing as stipulated by law. If the PD subject withdraws their consent to personal data processing, the Company stops processing the data as appropriate.
8.6. There is no need to obtain consent from the subject to process personal data if the processing is required:
8.6.1. to achieve purposes stipulated in an international treaty of the Russian Federation or a law, execute and fulfil the Company’s functions, powers and obligations;
8.6.2. for a person to participate in constitutional, civil, administrative, criminal or commercial proceedings;
8.6.3. to enforce a court judgement;
8.6.4. for federal executive authorities, state non-budgetary funds, state executive authorities of Russian constituent entities, local authorities and organisations that provide state and municipal services to fulfil their powers;
8.6.5. to fulfil a contract under which the PD subject is a party, a beneficiary or a guarantor, as well as to enter into a contract at the initiative of the PD subject or a contract under which the PD subject will be a beneficiary or a guarantor;
8.6.6. to protect the life, health or other vital interests of the PD subject if it is impossible to obtain consent from the PD subject;
8.6.7. to execute the rights and legal interests of the Company or third parties or to pursue publicly significant purposes provided that the rights and freedoms of the PD subject are not violated;
8.6.8. to carry out professional activities of a journalist and/or legitimate activities of mass media or scientific, literary or other creative activities provided that the rights and legal interests of the PD subject are not violated;
8.6.9. for statistical or other research purposes, except for marketing and political campaigning purposes, provided that personal data is anonymised;
8.6.10. to process personal data obtained as a result of its anonymisation or subject to publication or mandatory disclosure in accordance with the federal law.
8.7. The Company is entitled to delegate personal data processing to another person with the PD subject’s consent under the processor’s instruction unless otherwise stipulated by the federal law.
8.8. The Company may generate publicly available PD sources, which may include, with the PD subject’s written consent, their surname, name, patronymic, year and place of birth, address, telephone number, profession and other PD communicated by the PD subject. The Company does not publish the PD subject’s personal data in publicly available sources without obtaining their prior written consent.
8.9. The Company may grant access to personal data to an unlimited number of persons provided that it has obtained consent to process personal data permitted by the PD subject for dissemination, which is separate from other types of PD processing consent.
8.10. If it does not follow from the consent to process personal data permitted by the PD subject for dissemination that the PD subject has given consent to its dissemination, the Company should process the data without the right to disseminate it.
8.11. The Company gives the PD subject an opportunity to determine a list of personal data for each category of personal data stipulated in the consent to process personal data permitted by the PD subject for dissemination.
8.12. The consent to process personal data permitted by the PD subject for dissemination may be given directly to the Company or using the information system of Roskomnadzor.
8.13. The Company should stop transferring (disseminating, making available) personal data permitted for dissemination if requested to do so by the PD subject.
8.14. The PD subject’s access to their personal data processed by the Company is governed by Law No. 152-FZ and the Company’s internal documents (the Personal Data Processing Regulation).
8.15. PD obtained is stored on tangible (paper-based and electronic) media (including personal data information systems). Access to PD is granted only to the Company’s employees who need it to fulfil their job duties and who are duly authorised to process personal data and have respective access rights. Other persons may be granted access to personal data processed by the Company only if permitted by law and in accordance with the procedure described in effective regulations or the Company’s internal documents.
8.16. To permit and control access of the Company’s employees to personal data required for them to fulfil their job duties, the Company’s management prepares a list of respective employees and approves it in an order. When an employee leaves on vacation, business trip or is absent for a long time for other reasons, they are obliged to transfer documents and other tangible media containing PD of the Company’s clients and/or employees to a person that fills in temporarily and performs their functions under an order. If no such person is appointed, documents and other media containing the PD are transferred to another person that has access to the same PD at the instruction of the head of the subdivision.
8.17. The Company applies both automated and non-automated PD processing methods. Automated PD processing is performed in personal data information systems. A list of personal data information systems is approved by an order of the head of the Company. Personal data information systems are classified by categories of PD processed. PD processed in personal data information systems is protected as required by the effective legislation in accordance with the classification of personal data information systems.
8.18. The Company uses standard document templates to process PD (standard templates of applications, questionnaires, consents and other unified document templates used by the Company to collect PD). Respective regulations and internal documents of the Company (the Personal Data Processing Regulation) govern the way these standard templates are used.
8.19. The personal data processing and storage period depends on:
8.20. The retention periods of documents containing personal data are determined in the Personal Data Processing Regulation.
8.21. PD processing may be stopped when:
8.22. Personal data is destroyed by a commission established in a subdivision under the Company’s order.
9. Personal data protection
9.1. When processing personal data, the Company takes appropriate legal, organisational and technical measures or procures that they are taken to protect the personal data from unauthorised or accidental access, destruction, alteration, blocking, copying, transfer and dissemination and from other unlawful acts.
9.2. Personal data protection measures are organised and taken in accordance with this Policy and other internal documents of the Company.
9.3. Personal data protection measures include but are not limited to:
9.4. The Company protects information using cryptographic information protection means that meet the requirements set by the federal security body and have been designed and used in accordance with the Cryptographic Information Protection Means Development, Manufacturing, Sale and Use Regulation, as approved by Order No. 66 dated 09 February 2005 of the Federal Security Service and registered by the Ministry of Justice of Russia on 3 March 2005, registration No. 6382, 25 May 2010, registration No. 17350, and technical documentation for cryptographic information protection means.
9.5. As personal data is important and the Company needs to protect it, the Company regularly improves systems used to protect PD processed as part of its core activities, takes additional measures to protect information about clients, employees, partners, counterparties and other PD subjects. To improve efficiency of the systems and measures, the Company follows recommendations of control and supervisory bodies, and applies best Russian and international practices.
10. Cross-border personal data transfer
10.1. Before a cross-border personal data transfer, the Company makes sure that the foreign country to which the personal data is to be transferred ensures reliable protection of the rights of personal data subjects.
10.2. Cross-border personal data transfers to foreign countries that do not ensure appropriate protection of the rights of PD subjects are possible in the following cases:
10.3. The databases that contain personal data of Russian citizens and that are used at the Company are located in the Russian Federation.
11. Final provisions
11.1. This Policy becomes effective when approved by the head of the Company and is valid until replaced with a new revision.
11.2. The head of the Company is responsible for the overall organisation of personal data processing at the Company.