1. Purpose and scope of application

This Personal Data Processing Policy (hereinafter — the “Policy”) has been developed pursuant to Article 18.1 of Federal Law 152-FZ “On Personal Data”, the requirements of the Constitution of the Russian Federation, the Council of Europe Convention on the Protection of Individuals with regard to Automated Personal Data Processing, international treaties to which the Russian Federation is a party, federal laws, and other regulations of the Russian Federation concerning personal data.

This Policy shall apply to relations involving the processing and security assurance of sensitive data that may be qualified as personal data pursuant to the legislation of the Russian Federation (hereinafter — “Personal Data, PD”).

This Policy determines ground rules, objectives, procedure, and terms of processing Personal Data of employees of ZAO (JSC) CROC incorporated (hereinafter — the “Company”) and other subjects whose Personal Data is processed by the Company. This Policy sets forth provisions concerning liability of the Company and its employees for violation of personal data processing legislation.

This Policy is a public document available on the Company’s official website. This Policy shall not apply to relations arising out of:

  • Storage, arrangement, recording, and use of documents that contain personal data and are qualified as archival documents in accordance with the archiving legislation of the Russian Federation,
  • Processing of personal data classified as information, which constitutes the state secrets pursuant to the established procedure.

All the Company employees shall follow this Policy.

2. Terms and abbreviations

PD means Personal Data

PDI Smeans Personal data information systems

UA means Unauthorized access

3. Personal Data processing principles

The Company shall process PD following the following principles:

  • 1. PD shall be processed lawfully and fairly.
  • 2. PD may only be processed for specific, pre-defined, and legal purposes.
  • 3. The Company shall only process PD in compliance with personal data collection purposes.
  • 4. The Company shall separate databases that contain PD to be processed for the purposes incompatible with each other.
  • 5. The Company shall only process PD in compliance with its processing purposes.
  • 6. Content and scope of PD to be processed shall meet the stated processing purposes.
  • 7. PD to be processed shall not be in excess of the stated processing purposes.
  • 8. PD processing shall ensure PD accuracy, sufficiency, and, if necessary, relevance with respect to PD processing purposes.
  • 9. Necessary steps shall be taken to remove or update incomplete or inaccurate PDн.
  • 10. PD shall be stored in a form that allows for PD subject identification and only as long as is needed for PD processing purposes, unless the period of PD storage is established by a federal law or an agreement to which a PD subject is a party or under which PD subject is a beneficiary or a guarantor.
  • 11. PD shall be destroyed or depersonalized upon achievement of processing purposes or when achievement of such purposes is no longer required, unless otherwise stipulated by federal law.

4. Personal Data processing objectives

The Company shall process personal data in order to carry out its activities pursuant to the legislation of the Russian Federation and the Company’s Articles of Association.

5. Categories of Personal Data subjects

The Company shall process PD (using or without automation tools) of the following subjects:

  • Applicants for positions within the Company
  • The Company employees and their family members (spouses and close relatives)
  • The Company former employees
  • Persons that have pre-contractual relations with the Company, or are parties to civil agreements with the Company, or have already fulfilled their obligations under the same
  • Persons doing an internship (being on probation) in the Company
  • The Company shareholders
  • The Company counterparties represented by individual entrepreneurs, their employees, founders, directors, representatives (persons acting under powers of attorney) and by employees of legal entities that have or had contractual relations with the Company or wish to enter into agreements with the Company
  • The Company office visitor
  • Other persons if their PD is to be processed for the Company to achieve the purposes specified in Section 4 hereof.

6. Personal Data categories

The Company shall process PD of the following categories:

  • General PD (other PD) that do not fall in special personal data categories, biometric personal data, or publicly available personal data
  • Biometric PD
  • Publicly available PD

7. List of persons who arrange and take part in PD processing and security

The Company has appointed a person responsible for PD processing arrangement.

The Company has appointed a person responsible for PD and PD information system security.

The Company has appointed persons responsible for PD processing arrangement within business units.

The Company employees take part in PD processing within the scope of their job duties.

8. PD Processing and security

8.1 PD processing and processing termination procedure

The Company may process PD in the following cases:

  • PD may be processed with the consent of PD subject
  • PD processing is required to perform an agreement to which PD subject is a party or under which PD subject is a beneficiary or a guarantor, including the event when the processor exercises its right to assign rights (claims) under such agreement, as well as to enter into an agreement at the initiative of PD subject or an agreement under which PD subject shall be a beneficiary or a guarantor.
  • PD processing is required to exercise rights or legitimate interests of the processor or third parties, or achieve socially significant objectives, provided that no PD subject’s rights and liberties are infringed thereby.
  • PD is processed for statistical or other research purposes, subject to mandatory PD depersonalization, with the exception of PD processing for the marketing of goods, work, services by directly contacting potential consumers using communication tools, as well as for political agitation.
  • PD subject authorized access to such PD or made such PD available to general public
  • PD is subject to publishing or mandatory disclosure pursuant to federal law
  • The Company may also process PD in other cases stipulated by federal legislation.

The Company may only include PD subjects into publicly available PD sources as required by the federal legislation or upon receipt of PD subject’s written consent.

The Company shall carry out cross-border transmission of employees’ PD for the purpose of fulfillment of contractual obligations by counterparties only upon PD subject’s written consent.

The Company shall not, solely based on automated PD processing, make any decisions that may entail legal consequences for PD subject or otherwise affect its rights and legitimate interests.

Unless otherwise stipulated by the federal law, the Company may only assign PD processing to another person upon the consent of PD subject based on an agreement entered into with that person (hereinafter — “Processor’s assignment”). In this case the Company shall oblige the person assigned to process PD, to comply with PD processing principles and rules stipulated in the federal law. If the Company assigns PD processing to other person then the Company shall be liable before PD subject for actions of such person. The person assigned by the Company to process PD shall be liable before the Company.

The Company shall itself and shall oblige other persons having access to PD, not to disclose PD to third parties and not disseminate PD without PD subject’s consent, unless otherwise stipulated by the federal law.

The Company shall terminate PD processing in the following cases:

  • Achievement of PD processing purposes
  • Expiration of PD processing term stipulated by the federal legislation, agreement, or PD subject’s consent to its PD processing
  • If PD subject revokes its consent to its PD processing in cases that are compliant with federal legislation requirements.

8.2 Implementing requirements to personal data protection

When processing PD, the Company takes all necessary legal, organizational and technical measures to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, submission, distribution, and other wrongful acts with respect to PD.

The Company takes the following measures to arrange processing and protection of PD that is processed without using automation tools, including:

  • PD (physical media) storage locations are defined for each PD category, and a list of persons having access to and eligible for PD processing is defined
  • PD (physical media) that are processed for different purposes are stored separately
  • Conditions are observed that ensure PD safety and prevent unauthorized access during physical media storage

information systems are implemented, including:

  • PD safety level when processing in PD information systems is determined
  • Requirements to PD protection in PD information systems are fulfilled in compliance with the defined PD security levels
  • Necessary information protection tools are used
  • Efficiency of PD security measures is accessed before putting PD information system in operation
  • PD machine-readable media are accounted
  • PD unauthorized access is detected, and then relevant measures are taken
  • Those PD that were modified or destroyed due to unauthorized access are recovered
  • Rules are set for access to PD that are processed in PD information system, and actions concerning PD in PD information system are detected and logged, where necessary
  • PD security measures and PD information system security level are monitored.

9. Policy violation and responsibility

The Company is responsible for personal data processing and protection in compliance with legislation. All the Company employees involved in PD processing are responsible for compliance with this Policy and other internal regulations of the Company relating to PD processing and security.

Any employee who has been aware of this Policy violation or suspects such violation must report to a person responsible for organization of PD processing in compliance with procedures adopted in the Company.

Any violations of this Policy and other internal regulations of the Company relating to PD processing and security shall be investigated in compliance with procedures adopted in the Company.

The persons found guilty of violation of existing order and procedures of PD processing and security may be subject to disciplinary, financial, civil, administrative and criminal liability in compliance with the legislation of the Russian Federation.