Floor 89, Federation East Tower
Moscow-City Complex
Bld. 12, Presnenskaya Embankment
Personal data processing policy at LLC “SP-Capital” (hereinafter – Policy) is developed in accordance with Federal Law of 27.07.2006 №152-FL “On Personal data” (hereinafter – FL-152).
Present Policy establishes personal data processing procedure and measures to personal data safety at LLC “SP-Capital” (hereinafter – Company) to protect the rights and freedoms of man and the citizen while personal data processing, including privacy protection, personal and family secret.
Basic notions in the Policy as follows:
automatic personal data processing – personal data processing by computing devices;
personal data blocking – temporary suspension of personal data processing (except the cases, if processing is necessary for personal data clarification);
personal data information system – set of personal data contained in databases, information technology and equipment to provide their processing;
personal data sanitization – actions the result of which becomes impossible to identify without additional information whether personal data belongs to particular data subject;
personal data processing – any action (operation) or set of actions (operations), made with automation techniques or without them in terms of personal data, including collection, registration, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (spread, provision, access), sanitization, blocking, deletion, erasing personal data;
operator – state body, municipal body, legal person or individual, on its own or together with other parties, organizing and/or processing personal data, and also defining the goals of personal data processing, scope of personal data to be processed, actions (operations) made with personal data;
personal data – any information related directly or indirectly to determined or determinable individual (data subject);
sharing personal data – actions aimed at personal data disclosure to a certain person or particular specific persons;
personal data dissemination – actions aimed at personal data disclosure to uncertain specific persons;
personal data cross-border transmission – personal data transmission to the foreign state territory, foreign state authorities, foreign individual or foreign legal person;
personal data erasing – actions the result of which becomes impossible to restore personal data content in the personal data information system and/or the result of which is destruction of physical storage media.
Company is obliged to publish or to provide unlimited access anyhow to the present Personal data processing policy in accordance with paragraph 2, article 18.1, FL-152.
2.1. Principles of personal data processing
Personal data processing in the Company is based on the following principles:
— legitimacy and equitable basis;
— personal data processing limitation by reaching concrete, predetermined and legal goals;
— prevention of personal data processing inconsistent with the goals of persona data collection;
— prevention of databases integration, containing personal data, processing of which has the purposes inconsistent with each other;
— processing only that personal data which meets the goals of the processing;
— compliance of the content & amount of the processed personal data and the stated goals of processing;
— prevention of personal data processing, excessive in relation to the stated goals of the processing;
— provision of the personal data accuracy, sufficiency and relevance in relation to the goals of personal data processing;
— personal data erasing or sanitization on completion of the processing goals or in case of loss of necessity to complete these goals, if the Company cannot rectify the violation during personal data processing, unless otherwise provided by federal law.
2.2. Terms of personal data processing
Company processes personal data when at least one of the following terms obtains:
— personal data shall be processed with the consent of the data subject to process his personal data;
— personal data processing is essential in attaining the goals, provided for by international agreement of the Russian Federation or by the law, to implement and fulfil the functions, authorities and responsibilities entrusted to the Company by the legislation of the Russian Federation;
— personal data processing is essential in administration of justice, judicial act enforcement, act of another body or official to be executed in accordance with the Enforcement Proceedings law of the Russian Federation;
— personal data processing is essential in implementation of the contract, a party, beneficiary or guarantor of which is the data subject, also to conclude the contract on the data subject’s initiative or the contract according to which the data subject will be a beneficiary or a guarantor;
— personal data processing is essential in implementation of the rights and legitimate interests of the Company or third parties, either to achieve public objectives on the condition that the data subject’s rights and freedoms are not violated;
— personal data is processed, the access to which is provided to uncertain specific persons by the data subject or on his request (hereinafter – publicly available personal data);
— personal data is processed, which is to be published or mandatory disclosure in accordance with federal law.
2.3. Personal data confidentiality
Company and other persons, who got the access to personal data, undertake not to disclose to the third parties and not to disseminate personal data without the data subject’s consent, unless otherwise provided by federal law.
2.4. Publicly available personal data sources
In order to inform the Company may establish publicly available sources of the personal data subjects, including handbooks and address books. With the written consent of the subject the following data may be included in the publicly available personal data sources: last name, name, middle name, date and place of birth, position, contact phone numbers, e-mail address and other personal data provided by the data subject.
On the data subject’s request or by court order or other authorized state bodies, information about the data subject is excluded from publicly available personal data sources of the Company.
2.5. Personal data special categories
Special categories of the personal data related to racial or national identity, political views, religious or philosophical belief, health, private life, are processed by the Company in case:
-data subject gave written consent to his personal data processing;
-personal data is made publicly available by the data subject;
-personal data is processed in accordance with legislation on State social insurance, labour legislation, legislation of the Russian Federation on Pensions under State pension provision, on labour pensions;
– personal data processing is essential in protection of the life, health or other vital interests of the data subject or the life, health or other vital interests of other persons and obtaining the data subject’s consent is impossible;
-personal data is processed in preventive-medicine purposes, in making medical diagnosis, medical and medico-social services provision on condition that a person, who processes personal data, practices medicine professionally and is obliged to maintain doctor-patient confidentiality in accordance with legislation of the Russian Federation;
– personal data processing is essential in determining and implementing the rights of the data subject or third parties as well as in administration of justice;
-personal data is processes in accordance with legislation on Compulsory types of insurance, insurance legislation.
Processing of personal data special categories has to be stopped immediately, if the causes due to which it has been processed are removed, unless otherwise provided by federal law.
Personal data referring to criminal record may be processed by the Company only in the cases and according to the procedure determined in accordance with federal laws.
2.6. Personal biometric data
Information that characterizes physiological and biological human features on the basis of which it is possible to identify a person (personal biometric data) and which are used by the operator to identify the data subject, may be processed by the Company only with the written consent of the data subject.
2.7. Entrust other person with personal data processing
Company has the right to entrust other person with personal data processing with the data subject’s consent, unless otherwise provided by federal law, on the basis of the contract concluded with this person. The person, who processes personal data, entrusted by the Company, is obliged to observe principles and rules of personal data processing under FL-152.
2.8. Personal data cross-border transmission
Company has to verify that foreign state to which territory the personal data is to be transmitted provides adequate protection of the data subject’s rights, before the start of transmission.
Personal data cross-border transmission to the territories of foreign states which do not provide adequate protection of the data subject’s rights, may be done in case:
written consent of the data subject to his personal data cross-border transmission;
implementation of the contract, the party of which is the data subject.
3.1. Consent of the data subject to process his personal data
Data subject makes a decision on his personal data provision and gives consent to its processing freely, on his own will and in his own interest. Consent to the personal data processing may be given by the data subject or by his representative in any form which allows to confirm the fact of its receipt, unless otherwise provided by federal law.
Responsibility to provide proof of getting the consent of the data subject to process his personal data or to prove the existence of grounds, indicated in FL-152 lies with the Company.
3.2. Rights of data subject
Data subject has the right to obtain information from the Company regarding his personal data processing, if such right is not limited in accordance with federal laws. Data subject has the right to require the Company to clarify his personal data, its blocking or erasing in case the data is incomplete, outdated, inaccurate, illegally obtained or are not essential for the stated goal of processing, and also to take measures stipulated by the law to protect his rights.
Personal data processing in order to promote products, work, services on the market by direct contacts with potential customer via communication means, is allowed only on condition of prior consent of the data subject. Indicated personal data processing is accepted to be implemented without prior consent of the data subject, if the Company will not prove that the consent has been obtained.
Company has to stop personal data processing immediately on demand of the data subject for the above purposes.
Making such decisions only on the basis of automatic personal data processing is prohibited, as they might produce legal consequences regarding the data subject or otherwise affect his rights and interests, except in the cases provided for by federal laws, or having written consent of the data subject.
If the data subject supposes that the Company processes his personal data violating FL-152 requirements or otherwise violates his rights and freedoms, the data subject has the right to
appeal against the Company’s actions or inaction to Authorized body for the protection of the data subjects’ rights or to court.
Data subject has the right to protection of his rights and interests in court, following pre-trial dispute resolution procedure.
Security of the personal data, processed by the Company, is provided by implementing legal, organizational and technical measures, obligatory to secure federal law requirements in the area of personal data protection.
To prevent unauthorized access to the personal data, the Company implements the following organizational and technical measures:
-appointment of authorized persons, responsible for organizing personal data processing and security;
-limit the number of persons who have access to personal data;
-familiarization of the subjects with federal legislation requirements and normative documents of the Company on personal data processing and security;
-organizing of accounting for, storage, circulation of information carriers;
-defining security threats from personal data while its processing;
-personal data protection system development on the basis of entrenchment level personal data security while its processing in the personal data information systems and based on threat models.
-selectable access of the users to information resources and software & hardware of data processing;
-registration and accounting of the actions of the personal data information systems;
-measures for information security use if necessary (anti-virus tools, firewalls, intrusion detection means, security analysis means, cryptographic information protection means, etc.);
-most browsers are configured to automatically personal data cleaning when closing (cash, cookies, browsing and download history);
-permit regime organizing to the Company’s territory, protection of the premises with personal data processing technical means.
Other rights and responsibilities of the Company as personal data operator are established by legislation of the Russian Federation on personal data.
Authorized persons of the Company, guilty of violations of standards, regulating personal data processing and protection, are held liable, disciplinary, administrative, civil, or criminal liability according to the rules under federal laws.
LLC “SP-Capital”
Address: office 1/89, 12 bld. 2, Presnenskaya Embankment, Moscow, 123112.
Primary State Registration Number: 1177746563576
Taxpayer Identification Number: 7703428522
Registration Reason Code: 770301001