«ID Mediacrat» LLC
1.1.
This Personal Data Processing Policy of «ID Mediacrat» LLC (hereinafter referred to as the «Policy») has been developed pursuant to Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data» (the «Personal Data Law») and establishes the purposes, scope and procedures for the processing of Personal Data, measures aimed at ensuring the protection of Personal Data, as well as procedures intended to identify and prevent violations of the legislation of the Russian Federation in the field of Personal Data by ID Mediacrat LLC (hereinafter referred to as the «Company»).
1.2.
This Policy establishes the procedures and conditions governing the processing and protection of Personal Data within the Company.
1.3.
For the purposes of this Policy, the following terms shall have the meanings set forth below:
Personal Data means any information relating directly or indirectly to an identified or identifiable individual (Personal Data Subject).
Personal Data Permitted by the Personal Data Subject for Dissemination means Personal Data to which an unlimited number of persons has been granted access by the Personal Data Subject through consent to the processing of Personal Data permitted for dissemination in accordance with the procedure established by the Personal Data Law.
Operator means a state authority, municipal authority, legal entity or individual that independently or jointly with other persons organizes and/or carries out the processing of Personal Data and determines the purposes of Personal Data processing, the categories of Personal Data subject to processing, and the actions (operations) performed with Personal Data.
Processing of Personal Data means any action (operation) or set of actions (operations) performed with Personal Data, whether or not by automated means. Processing of Personal Data includes, among other things:
Automated Processing of Personal Data means processing of Personal Data using computer technology.
Non-Automated Processing of Personal Data means manual processing performed using paper-based media.
Mixed Processing of Personal Data means a combination of automated and non-automated methods of processing Personal Data.
Dissemination of Personal Data means actions aimed at disclosure of Personal Data to an indefinite number of persons.
Provision of Personal Data means actions aimed at disclosure of Personal Data to a specific person or a specific group of persons.
Blocking of Personal Data means temporary suspension of the processing of Personal Data, except where processing is required for clarification of Personal Data.
Destruction of Personal Data means actions resulting in the impossibility of restoring the content of Personal Data within a Personal Data Information System and/or resulting in the destruction of physical media containing Personal Data.
Depersonalization of Personal Data means actions resulting in the impossibility of determining, without the use of additional information, whether Personal Data belongs to a specific Personal Data Subject.
Personal Data Information System means a set of Personal Data contained in databases, together with information technologies and technical means ensuring their processing.
1.4.
This Policy applies to all relations involving the processing of Personal Data arising within the Company both before and after approval of this Policy.
1.5.
Pursuant to Part 2 of Article 18.1 of the Personal Data Law, this Policy shall be published and made freely accessible on the Company’s websites within the Internet information and telecommunications network.
1.6.
Liability for violations of the legislation of the Russian Federation and the Company’s internal regulations governing the processing and protection of Personal Data shall be determined in accordance with the legislation of the Russian Federation.
1.7.
The legal basis for the processing of Personal Data consists of the regulatory legal acts pursuant to and in accordance with which the Operator processes Personal Data, including:
1.8.
The legal basis for the processing of Personal Data shall also include:
1.9.
The following contact details may be used to communicate with the Operator:
Postal address: Premises 8/1, 1/15 Krasnokholmskaya Embankment, Moscow 115172, Russian Federation.
2.1.
The Company processes Personal Data solely for specific, predetermined and lawful purposes declared at the time of collection. The scope and content of the Personal Data processed correspond to the stated processing purposes. Excessive processing of Personal Data is not permitted.
2.2.
The Company processes Personal Data in the course of its business activities, including, but not limited to, the following purposes:
3.1.
The Company processes Personal Data on a lawful and fair basis and limits such processing to the achievement of specific, predetermined and lawful purposes.
3.2.
The processing of Personal Data that is incompatible with the purposes for which such Personal Data was collected is not permitted. Databases containing Personal Data processed for purposes that are incompatible with one another shall not be merged.
3.3.
The scope and content of Personal Data processed by the Operator shall correspond to the stated processing purposes.
3.4.
When processing Personal Data, the Operator shall ensure the accuracy, sufficiency and, where necessary, relevance of Personal Data in relation to the purposes of processing.
3.5.
The Operator shall take the necessary measures to delete or rectify incomplete or inaccurate Personal Data.
3.6.
Personal Data shall be stored in a form that permits identification of the Personal Data Subject for no longer than is required for the purposes of processing, unless a longer retention period is established by federal law or by an agreement to which the Personal Data Subject is a party, beneficiary or guarantor.
3.7.
Processed Personal Data shall be destroyed or depersonalized upon achievement of the processing purposes or when such purposes no longer require processing, unless otherwise provided by federal law.
3.8.
Personal Data shall be processed in accordance with the purposes specified and declared at the time of collection, as well as the functions, powers and obligations assigned to the Operator under the legislation of the Russian Federation and the regulatory legal acts of the City of Moscow.
3.9.
The processing of Personal Data permitted by the Personal Data Subject for Dissemination is permitted in accordance with Article 10.1 of the Personal Data Law.
3.10.
The Operator may transfer Personal Data to third parties in accordance with the requirements of the legislation of the Russian Federation governing Personal Data.
3.11.
The Company carries out both Automated Processing of Personal Data and Non-Automated Processing of Personal Data.
3.12.
The periods for processing, including retention periods for Personal Data processed by the Company, shall be determined based on the purposes of processing and in accordance with the requirements of applicable federal laws.
3.13.
When collecting Personal Data, including through the Internet information and telecommunications network, the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), depersonalization, deletion and destruction of Personal Data of citizens of the Russian Federation shall be carried out using databases located within the territory of the Russian Federation.
4.1.
Personal Data shall be processed in compliance with the principles and requirements established by the Personal Data Law. Personal Data may be processed in the following cases:
4.1.1.
Processing of Personal Data is carried out with the consent of the Personal Data Subject or the Personal Data Subject’s legal representative.
4.1.2.
Processing of Personal Data is necessary to achieve the purposes stipulated by an international treaty of the Russian Federation or by law, and for the performance of functions, powers and duties imposed on the Operator by the legislation of the Russian Federation.
4.1.3.
Processing of Personal Data is carried out in connection with an individual’s participation in constitutional, civil, administrative, criminal or arbitration proceedings.
4.1.4.
Processing of Personal Data is necessary for the execution of a judicial act, an act of another authority or official subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings.
4.1.6.
Processing of Personal Data is necessary for the performance of an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, as well as for entering into an agreement at the initiative of the Personal Data Subject or an agreement under which the Personal Data Subject will be a beneficiary or guarantor.
4.1.7.
Processing of Personal Data is necessary to protect the life, health or other vital interests of the Personal Data Subject where obtaining the consent of the Personal Data Subject is impossible.
4.1.8.
Processing of Personal Data is necessary for the exercise of the lawful rights and interests of the Operator or third parties, or for the achievement of socially significant objectives, provided that the rights and freedoms of the Personal Data Subject are not violated.
4.1.9.
Processing of Personal Data is necessary for the professional activities of a journalist and/or the lawful activities of a mass media outlet, or for scientific, literary or other creative activities, provided that the rights and legitimate interests of the Personal Data Subject are not violated.
4.1.10.
Processing of Personal Data is carried out for statistical or other research purposes, subject to mandatory depersonalization of Personal Data.
4.2.
The Company may include Personal Data in publicly available sources of Personal Data, provided that the Company obtains the Personal Data Subject’s written consent for such processing.
4.3.
The Company may process data concerning the health status of a Personal Data Subject in the following cases:
4.3.1.
In cases provided for by legislation governing state social assistance, labor relations and pension provision in the Russian Federation.
4.3.3.
For the protection of the life, health or other vital interests of an employee, or for the protection of the life, health or other vital interests of other persons where obtaining the consent of the Personal Data Subject is impossible.
4.3.4.
For the establishment or exercise of the rights of the Personal Data Subject or third parties, as well as in connection with the administration of justice.
4.3.5.
In cases provided for by legislation governing mandatory insurance, insurance activities, defense, anti-corruption measures and other special legislation.
4.4.
The Company does not process biometric Personal Data (information characterizing an individual’s physiological and biological characteristics on the basis of which the individual’s identity may be established and which is used by the Operator to identify the Personal Data Subject).
4.5.
The Company does not carry out cross-border transfers of Personal Data.
4.6.
The Company does not make decisions based solely on Automated Processing of Personal Data that produce legal consequences for a Personal Data Subject or otherwise affect the rights and legitimate interests of a Personal Data Subject.
4.7.
Where written consent of the Personal Data Subject is not required by law, consent may be provided by the Personal Data Subject or the Personal Data Subject’s legal representative in any form that allows confirmation of its receipt.
4.8.
The Company may entrust the processing of Personal Data to another person with the consent of the Personal Data Subject, unless otherwise provided by federal law, on the basis of an agreement concluded with such person (hereinafter referred to as the “Operator’s Instruction”).
In such cases, the Company shall require the person processing Personal Data on its behalf to comply with the principles and requirements for Personal Data processing established by the Personal Data Law.
4.9.
Where the Company entrusts the processing of Personal Data to another person, the Company shall remain liable to the Personal Data Subject for the actions of such person. The person processing Personal Data on behalf of the Company shall be liable to the Company.
5.1.
In accordance with the requirements of the Personal Data Law, the Company shall:
5.1.1.
Upon request of a Personal Data Subject, provide information relating to the processing of the Personal Data Subject’s Personal Data or provide a reasoned refusal on lawful grounds within ten (10) business days from the date of receipt of the request from the Personal Data Subject or the Personal Data Subject’s representative.
This period may be extended by no more than five (5) business days provided that the Company sends a reasoned notification to the Personal Data Subject specifying the grounds for such extension.
5.1.2.
Upon request of the Personal Data Subject, rectify, block or delete Personal Data being processed if such Personal Data is incomplete, outdated, inaccurate, unlawfully obtained or unnecessary for the stated purpose of processing, within a period not exceeding seven (7) business days from the date on which the Personal Data Subject or the Personal Data Subject’s representative provides information confirming such circumstances.
5.1.4.
Notify the Personal Data Subject of the processing of Personal Data where such Personal Data was not obtained directly from the Personal Data Subject, except where:
5.1.5.
Upon achievement of the purpose of Personal Data processing, immediately cease processing and destroy the relevant Personal Data within a period not exceeding thirty (30) days from the date the processing purpose has been achieved, unless otherwise provided by an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, another agreement between the Company and the Personal Data Subject, or where the Company is entitled to continue processing Personal Data without consent pursuant to the Personal Data Law or other federal laws.
5.1.6.
Where a Personal Data Subject withdraws consent to the processing of Personal Data, cease processing and destroy the relevant Personal Data within a period not exceeding thirty (30) days from the date of receipt of such withdrawal, unless otherwise provided by an agreement between the Company and the Personal Data Subject.
The Company shall notify the Personal Data Subject of the destruction of the Personal Data.
5.1.7.
Upon receipt of a request from a Personal Data Subject to cease the processing of Personal Data used for the promotion of goods, works or services in the market, immediately cease such processing.
5.2.
The Company undertakes, and requires any other persons granted access to Personal Data, not to disclose or disseminate Personal Data to third parties without the consent of the Personal Data Subject, unless otherwise provided by federal law.
6.1.
When processing Personal Data, the Company implements the necessary legal, organizational and technical measures to protect Personal Data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as against any other unlawful actions involving Personal Data.
6.2.
The security of Personal Data is ensured, inter alia, through the following measures:
6.2.1.
Identification of threats to the security of Personal Data during processing within Personal Data Information Systems.
6.2.2.
Implementation of organizational and technical measures necessary to ensure the security of Personal Data processed within Personal Data Information Systems and to comply with the Personal Data protection requirements established by the Government of the Russian Federation.
6.2.3.
Use of information security tools that have successfully undergone conformity assessment procedures in accordance with the established requirements.
6.2.4.
Assessment of the effectiveness of the measures implemented to ensure the security of Personal Data prior to commissioning a Personal Data Information System.
6.2.5.
Maintenance of records of machine-readable media containing Personal Data.
6.2.6.
Detection of unauthorized access to Personal Data and implementation of appropriate response measures.
6.2.7.
Restoration of Personal Data modified or destroyed as a result of unauthorized access.
6.2.8.
Establishment of access control rules for Personal Data processed within Personal Data Information Systems, as well as logging and recording of all actions performed with Personal Data within such systems.
6.2.9.
Monitoring of the measures implemented to ensure the security of Personal Data and the level of protection of Personal Data Information Systems.
7.1.
The Operator may process Personal Data for the purpose of sending informational, news-related and service communications relating to the Operator’s activities, projects, publications, events, as well as other products and services offered by the Operator.
7.2.
Such communications may include:
7.3.
Personal Data for the above purposes shall be processed on the basis of:
7.4.
For the above purposes, the Operator may process the following categories of Personal Data:
7.5.
The Operator undertakes not to use Personal Data for marketing communications without an appropriate legal basis and provides Personal Data Subjects with the opportunity to opt out of receiving such communications at any time by contacting the Operator.
7.6.
Upon receipt of an opt-out request, the Operator shall cease processing Personal Data for the purpose of sending informational communications, except where such processing is required to comply with the legislation of the Russian Federation or to perform obligations owed to the Personal Data Subject.
8.1.
The Operator may use cookies to provide website visitors with personalized services, for statistical and research purposes, and for the collection, processing and analysis of statistical information relating to the use of the website.
8.2.
Computer hardware and software used to access the Company’s website may allow users to disable the use of cookies and delete previously stored cookies. Disabling cookies may, however, limit access to certain sections and functionality of the website.
8.3.
The structure, content and technical parameters of cookies are determined by the Operator and may be modified without prior notice to website visitors.
8.4.
The Company uses the Yandex Metrica web analytics service provided by Yandex under the following conditions:
8.5.
Yandex processes the information received in accordance with the following documents:
8.6.
By continuing to use the Company’s website, the Personal Data Subject consents to the processing of cookies by Yandex for the purposes and in the manner described in this Policy.
8.7.
Cookies are used by the Company for the purpose of improving and ensuring the proper functioning of its website.
8.8.
The Company uses the Yandex Metrica web analytics service to collect information regarding website usage, including:
8.9.
The Yandex Metrica web analytics service collects only IP addresses assigned on the date of the website visit, but does not collect the name or any other identifying information relating to the Personal Data Subject.
8.10.
The Yandex Metrica web analytics service places a persistent cookie in a web browser to recognize a visitor as a unique user during subsequent visits to the website. Such cookie may only be used by Yandex. Information collected through the cookie is transmitted to Yandex.
8.11.
The Company uses information obtained through the Yandex Metrica web analytics service solely for the purpose of improving website services and functionality.
The Company does not combine information obtained through the Yandex Metrica web analytics service with Personal Data processed by the Company.
8.12.
Yandex’s ability to use and disclose to third parties information collected through the Yandex Metrica web analytics service regarding visits to the website is governed by Yandex’s Privacy Policy.
8.13.
Visitors may independently prevent the Yandex Metrica web analytics service from recognizing them during subsequent visits to the website by disabling cookies in their browser settings.
Pursuant to the Personal Data Law, a Personal Data Subject has the right to:
9.1.
Obtain information regarding the processing of Personal Data by the Company, including:
9.1.1.
Confirmation that Personal Data is being processed.
9.1.2.
The legal basis and purposes of Personal Data processing.
9.1.3.
The methods used for the processing of Personal Data.
9.1.4.
The name and location of the Company, as well as information regarding persons who have access to Personal Data or to whom Personal Data may be disclosed pursuant to an agreement or federal law.
9.1.5.
The Personal Data being processed relating to the relevant Personal Data Subject, the source from which such Personal Data was obtained, unless another procedure for the provision of such information is established by federal law.
9.1.6.
The periods of Personal Data processing, including retention periods.
9.1.7.
The procedure for exercising the rights granted to Personal Data Subjects under the Personal Data Law.
9.1.8.
Information regarding completed or proposed cross-border transfers of Personal Data.
9.1.9.
The name or full name and address of the person processing Personal Data on behalf of the Company, where such processing has been or will be entrusted to such person.
9.1.10.
Other information provided for by the Personal Data Law or other federal laws.
9.2.
Require the Company to rectify, block or destroy Personal Data where such Personal Data is incomplete, outdated, inaccurate, unlawfully obtained or unnecessary for the stated purpose of processing.
9.3.
Withdraw consent to the processing of Personal Data in cases provided for by law.
9.4.
Take any measures provided for by law to protect his or her rights.
9.5.
Where a Personal Data Subject believes that the Company is processing his or her Personal Data in violation of the requirements of the Personal Data Law or otherwise violates the rights and freedoms of the Personal Data Subject, the Personal Data Subject may appeal against the actions or omissions of the Company to the authority responsible for protecting the rights of Personal Data Subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) or seek judicial protection.
9.6.
A Personal Data Subject has the right to protect his or her rights and legitimate interests, including the right to compensation for damages and/or moral damages through judicial proceedings.
10.1.
Requests submitted by a Personal Data Subject to the Operator for the purpose of exercising rights established under the Personal Data Law shall be made in writing or during a personal visit by the Personal Data Subject or the Personal Data Subject’s representative to the Company.
Such requests may also be submitted in the form of an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation.
10.2.
The request form shall be provided to the Personal Data Subject or the Personal Data Subject’s representative by the person responsible for Personal Data processing and shall be completed and signed by the Personal Data Subject or the representative in the presence of such responsible person.
10.3.
Upon receipt of a request submitted using the prescribed form, the person responsible for Personal Data processing shall verify the information specified in the request regarding the identity document of the Personal Data Subject, the authority of the representative acting on behalf of the Personal Data Subject, and the original documents presented during submission of the request.
10.4.
A response to the request shall be sent to the Personal Data Subject in writing by mail to the address specified in the request.
10.5.
The period for preparing a response and forwarding it to a postal service provider for delivery shall not exceed ten (10) business days from the date on which the Company receives the relevant request.
This period may be extended by no more than five (5) business days, provided that the Company sends a reasoned notification to the Personal Data Subject specifying the reasons for such extension.
10.6.
The period for making necessary amendments to Personal Data that is incomplete, inaccurate or no longer relevant shall not exceed seven (7) business days from the date on which the Personal Data Subject or the Personal Data Subject’s representative provides information confirming that such Personal Data is incomplete, inaccurate or no longer relevant.
10.7.
The period for destroying Personal Data that has been unlawfully obtained or is unnecessary for the stated purpose of processing shall not exceed seven (7) business days from the date on which the Personal Data Subject or the Personal Data Subject’s representative provides information confirming such circumstances.
11.1.
The right of a Personal Data Subject to access his or her Personal Data may be restricted where the provision of such Personal Data would violate the rights and legitimate interests of other persons.
11.2.
Where information relating to the processing of Personal Data and the Personal Data being processed has been provided to a Personal Data Subject upon request, the Personal Data Subject may submit a repeated request for such information and access to the Personal Data no earlier than thirty (30) business days after the submission of the initial request, unless a shorter period is established by federal law, a regulatory legal act adopted pursuant thereto, or an agreement to which the Personal Data Subject is a party, beneficiary or guarantor.
11.3.
A Personal Data Subject may submit a reasoned repeated request to the Company for information relating to the processing of Personal Data and access to the processed Personal Data before the expiration of the period specified in Section 11.2 of this Policy where such information and/or Personal Data was not provided in full following consideration of the initial request.
12.1.
This Policy may be amended periodically.
The Operator reserves the right to make amendments at its sole discretion, including, but not limited to, cases where such amendments are required due to changes in applicable legislation or changes in the Operator’s business activities.
12.2.
This Policy may be made available in both Russian and English. The Russian-language version of this Policy shall be the governing version. In the event of any discrepancy, inconsistency or ambiguity between the Russian-language version and the English-language version, the Russian-language version shall prevail.