PERSONAL DATA PROTECTION REGULATIONS

1. Information on the Company

1.1. Limited Liability Company “Invento”, hereinafter referred to as the Company, is registered in the Russian Federation.

Abbreviated name: OOO “Invento”

INN (Taxpayer Identification Number)/ KPP (Tax Registration Reason Code): 7701917888/770101001

Address: 101000 Moscow, Pokrovka str., d. 1/13/6, p. 2, floor 3, Room I, Room 1, office 3P

Official website of the Company: https://samelogic.ru/en

2. General Provisions

2.1. These Regulations concerning personal data processing (hereinafter referred to as the Regulations) are prepared in accordance with Federal Law of the Russian Federation On Personal Data No. 152-FZ dated July 27, 2006 (hereinafter referred to as FZ-152), Article 18.1, Part 1, Clause 2, and describe the Company’s methods and principles of personal data processing, the Company’s rights and obligations related to personal data processing, and the rights of personal data subjects, and include a list of measures taken by the Company to ensure the security of personal data upon their processing.

3. Principles of Personal Data Processing

3.1. The Company shall guarantee implementation of the principles of personal data processing stated in Article 5 of Federal Law No. 152-FZ On Personal Data dated July 27, 2006, in its activity.

3.2. The Company shall process any personal data only for the purposes of obtaining thereof provided that personal data received by the Company’s employees in performance of their duties have to be protected.

3.3. The Company prohibits the integration of databases containing personal data that are processed for mutually incompatible purposes.

3.4. The Company’s employees shall be bound to keep confidential the information received. The right to access for the personal data processing shall be provided only to responsible officers (Company’s employees) subject to their functions.

3.5. The Company shall process personal data with consideration of conformity of the amount and nature of processed personal data and methods of personal data processing with the purposes thereof, reliability of personal data, their sufficiency for the purposes of processing and, where necessary, their applicability for the purposes of personal data processing, excluding processing of personal data that are redundant with respect to purposes stated upon personal data collection. The Company shall take necessary measures for deletion or clarification of incomplete or inaccurate data in accordance with local regulations and standards of the Company.

3.6. The Company shall keep any personal data in the manner enabling to identify a personal data subject no longer than needed for the purpose of personal data processing unless the period for retaining personal data is determined by the federal law, agreement, which party, beneficiary or guarantor is a personal data subject. Processed personal data shall be deleted or depersonalized after the purposes of processing are achieved or if their achievement is not required any more unless otherwise provided by the federal law.

3.7. The period for retaining personal data is set in accordance with the validity period for civil law relations between the personal data subject and the Company, as well as with action limitation period, retention period for hard copy documents and documents in electronic databases, other requirements of the legislation of the Russian Federation, as well as the validity period for the subject’s consent to the processing of his personal data.

3.8. Personal data processing for marketing activities based on making direct contacts with personal data subjects by means of communication tools is allowed only providing the consent from the personal data subject. The Company does not place the personal data subject’s personal data in publicly accessible sources without his prior consent.

3.9. Personal data processing is carried out in compliance with the principles and rules provided for in this Regulation.

3.10. Personal data processing by the Company includes collection, recording, systematization, accumulation, storage, specification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

3.11. The Company does not process biometric personal data (information that describes the physiological and biological characteristics of a person, basing on which his identity can be established).

3.12. The Company does not process sensitive personal data relating to race, nationality, political views, religion or philosophical views, health status, intimate life.

3.13. When collecting personal data, including through the Internet, the Company provides recording, systematization, accumulation, storage, specification (updating, modification), extraction of personal data of Russian Federation citizens using databases located in the territory of the Russian Federation.

3.14. The Company does not carry out cross-border transfer of personal data.

3.15. The Company does not make decisions that have legal consequences for personal data subjects or that otherwise affect their rights and legitimate interests, basing on exclusively automated processing of their personal data.

3.16. The Company performs mixed processing of personal data using automation tools and without them.

3.17. The Company has the right to entrust the processing of personal data to a third party with the consent of the personal data subject and in other cases as stipulated by current legislation of the Russian Federation on the basis of a contract concluded with this party (hereinafter referred to as a commission). The third party, processing personal data on behalf of the Company, is obliged to comply with the principles and rules of processing personal data provided for by FZ-152, ensuring the confidentiality and security of personal data when processing them.

4. Measures for the proper organization of processing and ensuring the security of personal data

4.1. When processing personal data, the Company takes all necessary legal, organizational and technical measures to protect them from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions against them. Security of personal data is achieved, in particular, in the following ways:

4.2. The appointment of the responsible person for the organization of processing and ensuring the security of personal data.

4.3. The implementation of internal control and / or investigation of compliance of the processing of personal data with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, and local acts.

4.4. Familiarization of employees of the Company directly carrying out the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, local acts regarding the processing of personal data and / or training of these employees.

4.5. Identification of threats to the security of personal data when processing them in personal data information systems.

4.6. The use of organizational and technical measures to ensure the safety of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data.

4.7. Estimation of efficiency of measures taken to ensure the security of personal data prior to the commissioning of a personal data information system.

4.8. Accounting of computer storage of personal data.

4.9. Detection of unauthorized access to personal data and taking appropriate measures.

4.10. Recovery of personal data modified or destroyed due to unauthorized access.

4.11. Making access rules for personal data processed in the personal data information system as well as ensuring logging of activities with personal data in the personal data information system.

4.12. Control over actions taken in order to ensure personal data safety and protection level of the personal data information systems.

5. Rights of personal data subjects

5.1. Subjects which personal data are processed by the Company are able to request clarification in respect of personal data processing by contacting the Company personally or by sending an appropriate written request to the Company’s address.

5.2. In case of formal request to the Company, it is necessary to indicate the following:

5.2.1. surname, first name and patronymic of the personal data subject or his representative;

5.2.2. number of a primary identity document of the personal data subject or his representative, issue date, issuing authority;

5.2.3. information evidencing the personal data subject’s relationship with the operator (number of contract, date of contract conclusion, reference verbal mark and (or) other information);

5.2.4. signature of the personal data subject (or his representative).

5.3. The personal data subject shall have the right to receive information concerning the processing of his personal data, including:

5.3.1. confirmation of personal data processing by the operator;

5.3.2. legal grounds and objectives for personal data processing;

5.3.3. objectives and methods used by the Company for personal data processing;

5.3.4. name and location of the Company, information on persons (other than the operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the operator or on the basis of the Federal Law No. 152-FZ;

5.3.5. processed personal data relating to the corresponding personal data, their source;

5.3.6. period of personal data, including period for which they are kept;

5.3.7. information on any actual or planned cross-border personal data transmission;

5.3.8. name of the person carrying out personal data processing by order of the Company, if the processing has been or is instructed to such a person;

5.3.9. other information provided for in this Federal Law No. 152-FZ or other federal laws.

5.4. The right of the personal data subject to access to its personal data can be limited in accordance with federal laws, including if access of the personal data subject to its personal data infringes rights and legitimate interests of the third party.

5.5. The personal data subject may demand from the Company to specify its personal data, their blocking or destruction if personal data are incomplete, aged, illegally received, or are not required for the stated processing objective, as well as take lawful steps on protection of its rights.

5.6. To exercise and protect its rights and legitimate interests the personal data subject may contact the Company. The Company considers applications and complaints of personal data subjects, thoroughly investigates cases of infringements and takes all necessary steps to promptly eliminate them, punish guilty persons, and settle disputes and conflicts out of court.

5.7. The personal data subject may appeal against the actions or a lack of actions of the Company by applying to an authorized agency on protection of rights of personal data subjects.

5.8. The personal data subject is entitled to protect its rights and legitimate interests, as well as to receive a compensation of damages and/or compensation of moral damages in court.

6. Final provisions

6.1. These Regulations are publicly available and are to be posted on the Company’s official website: https://samelogic.ru/en/personal-data-protection-regulations/

6.2. These Regulations are subject to alteration and amendment in case of new enactments and special regulatory documents on processing and protection of personal data, but at least once every three years.

6.3. Implementation of this Policy must be controlled by a Person Responsible for Arrangement of Processing of the Company’s Personal Data.

6.4. Liability of officers of the Company, having access to personal data, for noncompliance with norms, regulating processing and protection of personal data, must be determined in accordance with the legislation of the Russian Federation and internal documents of the Company.