FRACJET-VOLGA DATA PROTECTION POLICY Engels – 2023
1. GENERAL PROVISIONS
This FJV Data Protection Policy (hereinafter referred to as the Policy) defines the basic principles, goals, conditions and methods of processing personal data, lists of subjects and personal data processed by FracJet-Volga LLC (hereinafter referred to as the Company), the functions of the Company in processing personal data, the rights of personal data subjects, as well as the requirements for the protection of personal data implemented in the Company.
The Policy has been developed to meet the requirements of the Constitution of the Russian Federation, laws and regulations of the Russian Federation related to personal data protection.
The Company, as part of its core business, processes personal data using personal data information systems, including the Company's website: https://fj-volga.com.
2. REFERENCE LAWS AND REGULATIONS OF THE RUSSIAN FEDERATION
In accordance with the current laws of the Russian Federation, the Company shall serve as the operator of personal data. The policy for processing personal data in the Company is determined in accordance with the following laws and regulations:
- the Labor Code of the Russian Federation;
- Federal Law No. 152-FZ of July 27, 2006 "On Personal Data";
- Decree of the President of the Russian Federation dated 06.03.1997 No. 188 "On the list of confidential information";
- Resolution of the Government of the Russian Federation dated 15.09.2008 No. 687 "On approval of the regulation on personal data processing without the use of automation tools";
- Resolution of the Government of the Russian Federation dated 06.07.2008 No. 512 "On approval of requirements for tangible media of biometric personal data and technologies for storing such data outside personal data information systems";
- Resolution of the Government of the Russian Federation dated 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data when processing them in personal data information systems";
- Order of the Federal Service for Technical and Export Control of Russia dated 18.02.2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems";
- Order of Roskomnadzor dated 05.09.2013 No. 996 "On approval of requirements and methods for depersonalization of personal data";
- other laws and regulations of the Russian Federation and government bodies.
The provisions of the Policy shall be implemented by the Company in the relevant local regulations, including:
- Regulation on the protection of personal data stored within the Company's personal data information systems;
- other local regulations and documents governing the processing of personal data in the Company.
3. TERMS AND DEFINITIONS
Personal data shall mean any information related to an individual (referred to as the subject, or the owner of personal data).
Personal data permitted for distribution shall mean personal data in respect of which the owner of personal data has given a data processing consent in the manner prescribed by the current laws of the Russian Federation.
Information shall mean any data regardless of the form of their presentation.
An operator shall mean a state body, municipal body, legal entity or individual, independently or jointly with other persons, organizing and/or performing the processing of personal data, and also determining the purposes of processing personal data, the composition of personal data, and operations performed with personal data.
Processing of personal data shall mean any operation or a set of operations performed with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification, updating, modification, extraction, use, transfer, distribution, provision, access, depersonalization, blocking, deletion, destruction of personal data.
Automated processing of personal data shall mean processing of personal data using information technologies.
Personal data provision shall mean any operations aimed at disclosing personal data to a specific person or a specific group of persons.
Distribution of personal data shall mean any operations aimed at disclosing personal data to an indefinite group of persons.
Cross-border transfer of personal data shall mean transfer of personal data to a foreign state, a foreign government body, a foreign individual or a foreign legal entity.
Blocking personal data shall mean temporary suspension of personal data processing (except cases where processing is required to clarify personal data).
Personal data destruction shall mean any operations that result in permanent elimination of personal data stored in the personal data information system and/or on tangible media.
Depersonalization of personal data shall mean any operations that result in impossibility to determine the owner(s) of personal data.
Personal data information system shall mean a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
4. PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
The Company as the operator of personal data shall process the personal data of the Company's employees and other personal data owners who are not employed by the Company.
When processing personal data, the Company shall ensure the protection of the rights and freedoms of the Company's employees and other personal data owners, including the protection of the right to privacy, personal and family secrets based on the following principles:
- personal data shall be processed on a legal and fair basis;
- personal data processing shall be limited to the specific, predetermined and legal purposes;
- any personal data processing incompatible with the purposes of collecting personal data is not allowed;
- it is not allowed to combine databases containing personal data processed for purposes incompatible with each other;
- only personal data that meets the purposes of their processing may be subject to processing;
- the content and volume of the personal data being processed corresponds to the stated purposes of processing. It is not allowed to process excessive amounts of personal data;
- when processing personal data, the Company shall ensure the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing. The Company shall take any required measures to delete or clarify incomplete or inaccurate personal data;
- personal data are stored in a form that allows identifying the owner of personal data for no longer than required by the purposes of processing personal data, unless the storage period of personal data is established by federal law or by a contract to which the owner of personal data is a party, beneficiary or guarantor;
- processed personal data are destroyed or depersonalized upon achieving the processing purposes or if such purposes become irrelevant, unless otherwise provided by federal law.
Personal data are processed in the Company for the purposes of:
- ensuring compliance with the Constitution of the Russian Federation, laws and regulations of the Russian Federation, as well as local regulations of the Company;
- exercising the functions, powers and duties imposed on the Company by the laws of the Russian Federation, including the provision of personal data to government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, and other government bodies;
- regulating labor relations with the Company's employees (assistance in employment, training and career advancement, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property);
- providing the Company's employees and members of their families with additional guarantees and compensation, including non-state pension provision, voluntary medical insurance, medical care and other types of social security;
- protecting the life, health or other vital interests of personal data subjects;
- preparing, concluding, executing and terminating contracts with counterparties;
- ensuring access control and internal facilities at the Company's facilities;
- generating reference materials for internal information support of the Company's activities, its branches and representative offices, as well as subsidiary organizations of the Company;
- enforcing court rulings, acts of other bodies or officials to be enforced in accordance with the legislation of the Russian Federation;
- implementing the rights and legitimate interests of the Company while performing the activities stipulated by the Charter and other local regulations of the Company or third parties, or the achievement of socially significant goals;
- for other legitimate purposes.
5. TYPES OF PERSONAL DATA OWNERS
The Company processes personal data of the following categories of owners:
- employees of the Company, family members of the employee;
- candidates for a job in the Company;
- other owners of personal data.
6. TYPES OF PERSONAL DATA
The list of personal data processed by the Company shall be determined by the laws of the Russian Federation and local regulations of the Company, taking into account the purposes of processing personal data specified in Section No. 4 of this Policy.
The processing of personal data permitted by the owner of personal data for distribution shall be subject to the consent of the personal data owner in compliance with the prohibitions and conditions for the processing of personal data established by the owner of personal data.
7. FRACJET-VOLGA FUNCTIONS IN PROCESSING PERSONAL DATA
When processing personal data, the Company shall:
- take measures required and sufficient to ensure compliance with the laws of the Russian Federation and local regulations of the Company related to personal data;
- take legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as any other illegal actions in relation to personal data;
- appoint a person in charge of personal data processing in the Company;
- issue local regulations defining the policy and procedures for processing and protecting personal data in the Company;
- familiarize the employees of the Company directly involved in the processing of personal data with the provisions of the laws of the Russian Federation and local regulations of the Company related to personal data, including requirements for the protection of personal data;
- publish or otherwise ensure unlimited access to this Policy;
- inform the owners of personal data or their representatives of the availability of personal data related to the relevant owners, provide an opportunity to familiarize themselves with this personal data upon application and (or) receipt of requests from the said owners of personal data or their representatives, unless otherwise established by the laws of the Russian Federation;
- suspend processing and destroy personal data in cases stipulated by the laws of the Russian Federation related to personal data;
- perform any other actions required by the laws of the Russian Federation related to personal data.
8. TERMS AND CONDITIONS OF PERSONAL DATA PROCESSING
Personal data processing in the Company shall be performed with the consent of the personal data owner unless otherwise provided by the laws of the Russian Federation related to personal data.
The Company may not disclose to third parties or distribute personal data without the consent of the personal data owner unless otherwise provided by federal laws.
The Company may instruct a third person to process personal data on a contractual basis upon the consent of the personal data owner. The contract shall contain a list of actions / operations with personal data that may be performed by the person processing the personal data, the purposes of processing, the obligation of such person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of personal data in accordance with Article 19 of the Federal Law "On Personal Data".
For the purposes of internal information handling, the Company may create directories, address books and other sources that may include personal data upon the written consent of the personal data owner, unless otherwise provided by the laws of the Russian Federation.
Access to personal data processed by the Company is permitted only to employees of the Company whose job responsibilities include personal data processing.
9. PERSONAL DATA PROCESSING PROTOCOL AND METHODS
The Company may collect, record, systematize, accumulate, store, clarify, update, change, retrieve, use, transfer, distribute, provide, access, depersonalize, block, delete and destroy personal data.
The Company may process personal data in the following ways:
- non-automated processing of personal data;
- automated processing of personal data with or without the transfer of the received information via information and telecommunications networks.
10. RIGHTS OF PERSONAL DATA OWNERS
Personal data owners shall have the right to:
- get full information about their personal data processed by the Company;
- access their personal data, including the right to receive a copy of any record containing their personal data, except for cases stipulated by federal law, as well as access medical data related to them with the help of a medical specialist of their choice;
- update their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, obtained illegally or is not relevant to the stated purpose of processing;
- withdraw their consent to process personal data;
- take measures provided by law to protect their rights;
- appeal against the actions or inactions of the Company that violate the laws of the Russian Federation related to personal data, to the authorized body for the protection of the rights of personal data subjects or to the court;
- exercise any other rights provided by law.
11. MEASURES TO ENSURE THE FULFILLMENT OF THE OPERATOR'S RESPONSIBILITIES WHEN PROCESSING PERSONAL DATA
In order to maintain its business reputation and ensure compliance with the federal laws, the Company shall commit to ensuring the legitimacy of personal data processing in its business processes and ensuring an appropriate level of security for the personal data processed by the Company.
The Company managers are aware of the importance of ensuring the security of personal data and encourage the continuous improvement of the system for protecting personal data processed as part of the Company's core business.
The following measures are deemed necessary and sufficient to ensure that the Company fulfills its obligations as an operator stipulated by the laws of the Russian Federation related to personal data:
- appointment of a person in charge of organizing the processing of personal data in the Company;
- adoption of local regulations and other documents for processing and protection of personal data;
- organizing trainings for the Company's employees holding positions involved in processing personal data;
- obtaining consent from personal data owners to process their personal data, except for cases stipulated by the laws of the Russian Federation;
- separating personal data processed without the use of automation tools from other information, in particular by recording them on separate tangible personal data media, in special sections;
- ensuring separate storage of personal data and their tangible media if their processing is performed for different purposes and if they contain different categories of personal data;
- ensuring the security of personal data when transmitted via open communication channels;
- storing tangible media in conditions that ensure the safety of personal data and exclude any unauthorized access to them;
- implementing internal control over the compliance of personal data processing with the Federal Law "On Personal Data" and regulations adopted in accordance with this law, requirements for the protection of personal data, this Policy, and local Company regulations;
- other measures set forth by the laws of the Russian Federation related to personal data.
Measures to ensure the security of personal data in personal data information systems are established in accordance with the relevant local Company regulations.
12. COMPLIANCE WITH THE LAWS OF THE RUSSIAN FEDERATION AND LOCAL COMPANY REGULATIONS
Control over the Company's compliance with the legislation of the Russian Federation and local regulations of the Company related to personal data, including personal data protection, is aimed at ensuring the compliance of personal data processing in the Company with the laws of the Russian Federation and local Company regulations, including requirements for personal data protection, as well as the measures taken to prevent and detect violations of the laws of the Russian Federation related to personal data, to identify possible leakage channels and unauthorized access to personal data, and to eliminate the consequences of such violations.
Internal control of the Company's compliance with the laws of the Russian Federation and local Company regulations related to personal data, including protection of personal data, shall be performed by the person in charge of organizing the processing of personal data in the Company.
Internal control of compliance of personal data processing with the Federal Law "On Personal Data" and local regulations adopted in accordance with it, personal data protection requirements, this Policy, and with local Company regulations shall be performed by the department in charge of these functions.
Personal responsibility for compliance with the laws of the Russian Federation and local Company regulations related to personal data, as well as for ensuring the confidentiality and security of personal data shall be assigned to the heads of departments involved in personal data processing.