CHADOW

Personal Data

Introduction

Ensuring confidentiality and security in the processing of personal data is one of the Company's top priorities.

For these purposes, the Company has adopted a set of organizational and administrative documents that are mandatory for all employees authorized to process personal data.

The processing, storage, and protection of the confidentiality and security of personal data are carried out in accordance with the applicable laws of the Russian Federation on personal data protection and the Company's internal regulations.

This Policy defines the principles, procedure, and conditions for processing the personal data of the Company's employees and customers whose personal data are processed by the organization, in order to protect the rights and freedoms of individuals when their personal data are processed, including the right to privacy, and personal and family confidentiality. It also establishes the liability of Company officials with access to personal data for failure to comply with the rules governing the processing and protection of personal data.

This Policy on personal data processing in the Company (hereinafter referred to as the Policy) has been developed in accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data".

1. Concept and Composition of Personal Data

The list of personal data subject to protection in the Company is determined by the following regulations of the Russian Federation:

  • Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data";
  • Federal Law No. 197-FZ dated December 30, 2001 "Labor Code of the Russian Federation";
  • Federal Law No. 402-FZ dated December 6, 2011 "On Accounting";
  • Tax Code of the Russian Federation;
  • Civil Code of the Russian Federation;
  • Federal Law No. 27-FZ dated April 1, 1996 "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System";
  • Labor Code of the Russian Federation and other regulatory legal acts.

In the Company, personal data means any information relating directly or indirectly to an identified or identifiable individual (personal data subject).

2. Purposes of Personal Data Processing

The Company processes personal data for the following purposes:

  • organizing the Company's personnel records;
  • ensuring compliance with laws and other regulatory legal acts;
  • maintaining HR records management;
  • fulfilling tax legislation requirements related to calculating and paying personal income tax, as well as unified social tax and pension legislation when forming and submitting personalized data on each income recipient accounted for when calculating mandatory pension insurance contributions and benefits;
  • completing primary statistical documentation in accordance with the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws, including "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System", "On Personal Data", and other regulatory legal acts;
  • fulfilling contractual obligations, including warranty service for the Company's customers;
  • other activities in accordance with the Company's charter and applicable legislation of the Russian Federation.

3. Personal Data Processing Periods

Personal data processing periods are determined in accordance with the term of the agreement (contract) with the personal data subject, the statute of limitations, achievement of processing purposes, and other requirements of the legislation of the Russian Federation.

The Company creates and stores documents containing information about personal data subjects. Requirements for the use of standard document forms in the Company are established by Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on Specifics of Personal Data Processing Carried Out Without the Use of Automation Tools".

4. Rights and Obligations

As a personal data operator, the Company has the right to:

  • defend its interests in court;
  • provide personal data of subjects to third parties where this is provided for by applicable legislation (tax authorities, law enforcement agencies, etc.) or by agreement with the personal data subject;
  • refuse to provide personal data in cases provided for by applicable legislation;
  • use a subject's personal data without consent in cases provided for by law.

A personal data subject has the right to:

  • request clarification, blocking, or destruction of his or her personal data if the data are incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated processing purpose, and to take measures provided by law to protect his or her rights;
  • request a list of his or her personal data processed by the Company and the source of their receipt;
  • receive information on the periods of processing of his or her personal data, including storage periods;
  • require notification of all persons to whom incorrect or incomplete personal data were previously disclosed about any exclusions, corrections, or additions made;
  • appeal to the authorized body for the protection of personal data subjects' rights or to a court against unlawful actions or inaction in the processing of his or her personal data.

5. Principles and Conditions of Personal Data Processing

Personal data processing in the Company is based on the following principles:

  • lawfulness of the purposes and methods of personal data processing;
  • compatibility of personal data processing purposes with the purposes predetermined and declared when personal data are collected;
  • compatibility of the scope and nature of processed personal data and the methods of processing with the purposes of personal data processing;
  • accuracy of personal data, their sufficiency for processing purposes, and inadmissibility of processing personal data excessive in relation to the purposes declared when personal data are collected;
  • inadmissibility of combining databases created for incompatible purposes that contain personal data;
  • storage of personal data in a form that makes it possible to identify the personal data subject no longer than required by the purposes of their processing;
  • destruction upon achievement of personal data processing purposes or if the need to achieve them ceases to exist.

Refusal by a customer of the Company's services to provide consent to the processing of his or her personal data makes it impossible to achieve the processing purposes.

6. Ensuring Personal Data Security

The Company takes the necessary organizational and technical measures to protect personal data against accidental or unauthorized access, destruction, modification, blocking of access, and other unauthorized actions.

To coordinate actions to ensure personal data security, the Company has appointed a person responsible for organizing personal data protection.

7. Final Provisions

This Policy is intended for publication on the Company's publicly available information resources.

This Policy is subject to amendment and supplementation when new legislative acts and special regulatory documents on personal data processing and protection appear, but at least once every three years.

Compliance with the requirements of this Policy is monitored by the person responsible for organizing personal data processing in the Company.

The liability of Company officials with access to personal data for failure to comply with the rules governing the processing and protection of personal data is determined in accordance with the legislation of the Russian Federation and the Company's internal documents.