Our website uses cookie to ensure the best user experience
Policy on the Processing of Personal Data and on the Implementation of Requirements for the Protection of Personal Data
6. Conditions of personal data processing
6.1. Processing of the personal data of the Company's personal data subjects is carried out for the purposes of ensuring compliance with laws and other regulatory legal acts of the Russian Federation, training personal data subjects who are employees of the Company, ensuring the personal safety of personal data subjects, controlling the quantity and quality of work performed and ensuring the safekeeping of the Company's property.
6.2. Personal data are processed by the Company with the consent of the personal data subjects, both with and without the use of automation tools.
6.3. The Company does not provide or disclose information containing the personal data of personal data subjects to a third party without the written consent of the personal data subject, except where this is necessary to prevent a threat to life or health, and in cases established by the current legislation of the Russian Federation in the field of personal data protection.
6.4. Upon a reasoned request from an authorised body and solely in the course of carrying out current legislation, the personal data of the subject may be transferred without his or her consent to:
— the judicial authorities in connection with the administration of justice;
— the bodies of the Federal Security Service;
— the public prosecution authorities;
— the police;
— other authorities and organisations in cases established by mandatory regulatory legal acts.
6.5. Where consent to the processing of personal data is obtained from a representative of the personal data subject, the powers of such representative to give consent on behalf of the personal data subject are verified by the Company.
6.6. Where a personal data subject withdraws consent to the processing of personal data, the Company is entitled to continue processing the personal data without the subject's consent if grounds specified in the current legislation are present.
6.7. Publication (dissemination) of personal data to an indefinite circle of persons, including on the Company's website, may be carried out only on the basis of a separate consent of the Personal Data Subject, drawn up taking into account the statutory requirements. If subjects establish additional conditions / prohibitions on the subsequent processing of personal data, the Company shall communicate this information by placing the conditions / prohibitions on the relevant pages of the website on which the personal data are disseminated.
6.8. Personal data are processed by the Company and also by other third parties engaged by the Company in the processing, or to whom personal data are transferred for the purposes specified above in accordance with the legislation of the Russian Federation. Such third parties may include, in particular:
— counterparties of the Company providing services for supporting the operation of the information systems used, services for providing advertising and information services, and other services purchased by the Company for the purposes specified above;
— other affiliates of the Company (members of the Group of companies) for the purposes of ensuring intra-group cooperation.
6.9. The Company has the right to engage third parties in the processing of personal data obtained and / or to transfer to them the data obtained, and also to receive data from them for the purposes indicated, without additional consent of the subject, provided that confidentiality and security of personal data during processing is ensured by such third parties. Processing of personal data by such third parties is permitted with or without the use of automation tools, and the performance by them of any actions in respect of personal data that do not contradict the legislation of the Russian Federation is permitted. Processing of personal data by a third party may be carried out only on the basis of a contract that defines the list of actions (operations) that will be performed with personal data and the purposes of processing, as well as provisions on ensuring the security of personal data, including the requirement not to disclose or disseminate personal data without the subject's consent, unless otherwise provided for by the legislation of the Russian Federation, as well as the requirements pursuant to Article 19 of the Personal Data Law.
6.10. The Company undertakes to take the legal, organisational and technical measures necessary for the protection of the personal data received against unlawful or accidental access, destruction, modification, blocking, copying, provision and dissemination of personal data and other unlawful actions in relation to personal data, and to observe the principles and rules of personal data processing established by the Personal Data Law and other relevant regulatory acts.
6.11. Organisation of personal data storage:
6.11.1. Processing, including storage, of Personal Data at the Company is carried out for no longer than the purposes of processing of the Personal Data require.
6.11.2. Personal Data are stored on physical (paper) media and in electronic form.
6.11.3. The right of access to specific Personal Data of subjects is granted to (held by) those employees of the Company for whom it is necessary in order to perform their job duties and who have been vested with the corresponding powers and access rights to Personal Data in accordance with the Company's internal regulatory document.
6.11.4. When physical media of personal data are organised for storage, conditions are observed that ensure the safety of personal data and exclude unauthorised access to them.
6.11.5. Personal Data may be stored for the period established by:
— the contract to which the Personal Data subject is a party, beneficiary or guarantor;
— the consent of the Personal Data subject;
— the applicable legislation of the Russian Federation;
— a local regulatory act of the Operator regulating the procedure and time limits for the storage of documents containing personal data.
6.11.6. The Company arranges the storage of Personal Data for the period of time set by the requirements of the legislation governing archival storage and by other regulatory acts containing rules on the storage of personal data.
6.12. Once the purposes of personal data processing have been achieved, and also in the case of withdrawal of consent to processing, Personal Data shall be subject to destruction, unless:
— otherwise provided for by the contract to which the Personal Data subject is a party, beneficiary or guarantor, or by the legislation of the Russian Federation;
— the Operator is entitled to carry out processing without the consent of the personal data subject on the grounds provided for by Federal Law No. 152-FZ «On Personal Data» or by other federal laws.
6.13. The destruction of documents containing personal data is carried out by any means that exclude the possibility of unauthorised persons becoming acquainted with the materials being destroyed and the possibility of restoring their text.
6.14. Special features of the processing of Personal Data on the website / in the mobile application:
6.14.1. The personal data subject may, on his or her own, when registering (creating a personal account) in mobile applications, when arranging services remotely online via the Company's website and mobile application, when leaving a request for cooperation / pre-contractual consultation on a service, or when arranging subscriptions, provide the Company with his or her personal data by filling in fields in the registration form on the website / in the mobile application.
6.14.2. During the visit by Personal Data Subjects to the Company's website or mobile application and the use of its functionality, technical information may be collected by various technologies and methods, including «cookie» technologies, which make it possible to monitor the quality of operation of the website and the characteristics of its use, and also to optimise marketing activities on the Internet.
The Company may process information contained in cookies. The Cookie Processing Policy is published on the Internet at https://mgrani.ru and forms an integral part of this Policy.
6.2. Personal data are processed by the Company with the consent of the personal data subjects, both with and without the use of automation tools.
6.3. The Company does not provide or disclose information containing the personal data of personal data subjects to a third party without the written consent of the personal data subject, except where this is necessary to prevent a threat to life or health, and in cases established by the current legislation of the Russian Federation in the field of personal data protection.
6.4. Upon a reasoned request from an authorised body and solely in the course of carrying out current legislation, the personal data of the subject may be transferred without his or her consent to:
— the judicial authorities in connection with the administration of justice;
— the bodies of the Federal Security Service;
— the public prosecution authorities;
— the police;
— other authorities and organisations in cases established by mandatory regulatory legal acts.
6.5. Where consent to the processing of personal data is obtained from a representative of the personal data subject, the powers of such representative to give consent on behalf of the personal data subject are verified by the Company.
6.6. Where a personal data subject withdraws consent to the processing of personal data, the Company is entitled to continue processing the personal data without the subject's consent if grounds specified in the current legislation are present.
6.7. Publication (dissemination) of personal data to an indefinite circle of persons, including on the Company's website, may be carried out only on the basis of a separate consent of the Personal Data Subject, drawn up taking into account the statutory requirements. If subjects establish additional conditions / prohibitions on the subsequent processing of personal data, the Company shall communicate this information by placing the conditions / prohibitions on the relevant pages of the website on which the personal data are disseminated.
6.8. Personal data are processed by the Company and also by other third parties engaged by the Company in the processing, or to whom personal data are transferred for the purposes specified above in accordance with the legislation of the Russian Federation. Such third parties may include, in particular:
— counterparties of the Company providing services for supporting the operation of the information systems used, services for providing advertising and information services, and other services purchased by the Company for the purposes specified above;
— other affiliates of the Company (members of the Group of companies) for the purposes of ensuring intra-group cooperation.
6.9. The Company has the right to engage third parties in the processing of personal data obtained and / or to transfer to them the data obtained, and also to receive data from them for the purposes indicated, without additional consent of the subject, provided that confidentiality and security of personal data during processing is ensured by such third parties. Processing of personal data by such third parties is permitted with or without the use of automation tools, and the performance by them of any actions in respect of personal data that do not contradict the legislation of the Russian Federation is permitted. Processing of personal data by a third party may be carried out only on the basis of a contract that defines the list of actions (operations) that will be performed with personal data and the purposes of processing, as well as provisions on ensuring the security of personal data, including the requirement not to disclose or disseminate personal data without the subject's consent, unless otherwise provided for by the legislation of the Russian Federation, as well as the requirements pursuant to Article 19 of the Personal Data Law.
6.10. The Company undertakes to take the legal, organisational and technical measures necessary for the protection of the personal data received against unlawful or accidental access, destruction, modification, blocking, copying, provision and dissemination of personal data and other unlawful actions in relation to personal data, and to observe the principles and rules of personal data processing established by the Personal Data Law and other relevant regulatory acts.
6.11. Organisation of personal data storage:
6.11.1. Processing, including storage, of Personal Data at the Company is carried out for no longer than the purposes of processing of the Personal Data require.
6.11.2. Personal Data are stored on physical (paper) media and in electronic form.
6.11.3. The right of access to specific Personal Data of subjects is granted to (held by) those employees of the Company for whom it is necessary in order to perform their job duties and who have been vested with the corresponding powers and access rights to Personal Data in accordance with the Company's internal regulatory document.
6.11.4. When physical media of personal data are organised for storage, conditions are observed that ensure the safety of personal data and exclude unauthorised access to them.
6.11.5. Personal Data may be stored for the period established by:
— the contract to which the Personal Data subject is a party, beneficiary or guarantor;
— the consent of the Personal Data subject;
— the applicable legislation of the Russian Federation;
— a local regulatory act of the Operator regulating the procedure and time limits for the storage of documents containing personal data.
6.11.6. The Company arranges the storage of Personal Data for the period of time set by the requirements of the legislation governing archival storage and by other regulatory acts containing rules on the storage of personal data.
6.12. Once the purposes of personal data processing have been achieved, and also in the case of withdrawal of consent to processing, Personal Data shall be subject to destruction, unless:
— otherwise provided for by the contract to which the Personal Data subject is a party, beneficiary or guarantor, or by the legislation of the Russian Federation;
— the Operator is entitled to carry out processing without the consent of the personal data subject on the grounds provided for by Federal Law No. 152-FZ «On Personal Data» or by other federal laws.
6.13. The destruction of documents containing personal data is carried out by any means that exclude the possibility of unauthorised persons becoming acquainted with the materials being destroyed and the possibility of restoring their text.
6.14. Special features of the processing of Personal Data on the website / in the mobile application:
6.14.1. The personal data subject may, on his or her own, when registering (creating a personal account) in mobile applications, when arranging services remotely online via the Company's website and mobile application, when leaving a request for cooperation / pre-contractual consultation on a service, or when arranging subscriptions, provide the Company with his or her personal data by filling in fields in the registration form on the website / in the mobile application.
6.14.2. During the visit by Personal Data Subjects to the Company's website or mobile application and the use of its functionality, technical information may be collected by various technologies and methods, including «cookie» technologies, which make it possible to monitor the quality of operation of the website and the characteristics of its use, and also to optimise marketing activities on the Internet.
The Company may process information contained in cookies. The Cookie Processing Policy is published on the Internet at https://mgrani.ru and forms an integral part of this Policy.
5. Conditions for terminating personal data processing
The conditions for terminating personal data processing at the Company may include:
— achievement of the purposes of personal data processing;
— expiry of the term of consent to the processing of personal data or of the contract with the personal data subject;
— withdrawal by the subject of consent to the processing of his or her personal data (in the absence of other legal grounds for processing);
— detection of unlawful processing of personal data;
— liquidation of the Company.
— achievement of the purposes of personal data processing;
— expiry of the term of consent to the processing of personal data or of the contract with the personal data subject;
— withdrawal by the subject of consent to the processing of his or her personal data (in the absence of other legal grounds for processing);
— detection of unlawful processing of personal data;
— liquidation of the Company.
4. Purposes of personal data processing
4.1. The Company processes only those personal data that are necessary for the provision of services and for the conduct of its activities, as well as for ensuring the rights and lawful interests of third parties, provided that the rights of the personal data subject are not violated. The purposes of personal data processing and the list of personal data of the Company are set out in Annex No. 1.
4.2. The Company does not process special categories of personal data concerning racial or ethnic origin, political views, religious beliefs or state of health, nor biometric personal data. The processing of information about the state of health of employees is carried out exclusively in accordance with the current legislation, including the Labour Code of the Russian Federation.
4.2. The Company does not process special categories of personal data concerning racial or ethnic origin, political views, religious beliefs or state of health, nor biometric personal data. The processing of information about the state of health of employees is carried out exclusively in accordance with the current legislation, including the Labour Code of the Russian Federation.
3. Legal grounds for personal data processing
3.1. Personal data processing at the Company is carried out in accordance with Federal Law No. 152-FZ of 27 July 2006 «On Personal Data», Article 53 of Federal Law No. 126-FZ of 7 July 2003 «On Communications», the Labour Code of the Russian Federation, Federal Law No. 402-FZ of 6 December 2011 «On Accounting», Federal Law No. 27-FZ of 1 April 1996 «On Individual (Personalised) Accounting in the System of Mandatory Pension Insurance», Government Decree of the Russian Federation No. 1119 of 1 November 2012 «On Approval of the Requirements for the Protection of Personal Data Processed in Personal Data Information Systems», Government Decree of the Russian Federation No. 687 of 15 September 2008 «On Approval of the Regulation on the Particularities of Processing of Personal Data Performed without the Use of Automation Tools», the Company's Charter and other regulatory legal acts in the field of personal data protection.
3.2. The grounds for processing are:
3.2.1. Contracts concluded between the Company and the personal data subject, as well as contracts under which the subject is the beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or of a contract under which the personal data subject will be a beneficiary or guarantor.
3.2.2. The personal data subjects' consent to the processing of personal data.
3.2.3. The protection of the rights and lawful interests of the Operator and third parties, or the achievement of socially significant aims, provided that this does not violate the rights and freedoms of the personal data subject.
3.2.4. The Operator's participation in constitutional, civil, administrative, criminal proceedings, or in proceedings before commercial (arbitration) courts.
3.2.5. The achievement of purposes provided for by an international treaty of the Russian Federation or by law, in order to exercise and perform the functions, powers and obligations assigned to the Company by the legislation of the Russian Federation.
3.2. The grounds for processing are:
3.2.1. Contracts concluded between the Company and the personal data subject, as well as contracts under which the subject is the beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or of a contract under which the personal data subject will be a beneficiary or guarantor.
3.2.2. The personal data subjects' consent to the processing of personal data.
3.2.3. The protection of the rights and lawful interests of the Operator and third parties, or the achievement of socially significant aims, provided that this does not violate the rights and freedoms of the personal data subject.
3.2.4. The Operator's participation in constitutional, civil, administrative, criminal proceedings, or in proceedings before commercial (arbitration) courts.
3.2.5. The achievement of purposes provided for by an international treaty of the Russian Federation or by law, in order to exercise and perform the functions, powers and obligations assigned to the Company by the legislation of the Russian Federation.
2. Principles of personal data processing at the Company
2.1. Personal data are processed on a lawful and fair basis.
2.2. Personal data processing is limited to the achievement of specific, pre-defined and lawful purposes. Processing of personal data that is incompatible with the purposes of personal data collection is not permitted.
2.3. Combining databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other, is not permitted.
2.4. Only personal data that correspond to the purposes of their processing are subject to processing; processing of personal data that is incompatible with the purposes of personal data collection is not permitted.
2.5. The content and volume of personal data processed correspond to the declared purposes of processing and are not excessive in relation to those declared purposes.
2.6. When processing personal data, the accuracy of personal data, their sufficiency and, where necessary, their currency in relation to the purposes of processing are ensured. The necessary measures are taken to delete or clarify incomplete or inaccurate data.
2.7. Personal data are stored in a form that makes it possible to identify the personal data subject, for no longer than the purposes of processing the personal data require, unless the storage period for the personal data is established by federal law or by a contract to which the personal data subject is a party, beneficiary or guarantor.
2.8. Personal data processed shall be destroyed once the purposes of processing have been achieved or in the event that the need to achieve such purposes is lost, unless otherwise provided for by federal law.
2.9. When personal data are collected, including via the information and telecommunications network «Internet», the recording, systematisation, accumulation, storage, clarification (updating, amendment) and extraction of the personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation.
2.10. Personal data processing is not used for the purpose of causing material and / or moral harm to personal data subjects or of obstructing the exercise of their rights and freedoms.
2.2. Personal data processing is limited to the achievement of specific, pre-defined and lawful purposes. Processing of personal data that is incompatible with the purposes of personal data collection is not permitted.
2.3. Combining databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other, is not permitted.
2.4. Only personal data that correspond to the purposes of their processing are subject to processing; processing of personal data that is incompatible with the purposes of personal data collection is not permitted.
2.5. The content and volume of personal data processed correspond to the declared purposes of processing and are not excessive in relation to those declared purposes.
2.6. When processing personal data, the accuracy of personal data, their sufficiency and, where necessary, their currency in relation to the purposes of processing are ensured. The necessary measures are taken to delete or clarify incomplete or inaccurate data.
2.7. Personal data are stored in a form that makes it possible to identify the personal data subject, for no longer than the purposes of processing the personal data require, unless the storage period for the personal data is established by federal law or by a contract to which the personal data subject is a party, beneficiary or guarantor.
2.8. Personal data processed shall be destroyed once the purposes of processing have been achieved or in the event that the need to achieve such purposes is lost, unless otherwise provided for by federal law.
2.9. When personal data are collected, including via the information and telecommunications network «Internet», the recording, systematisation, accumulation, storage, clarification (updating, amendment) and extraction of the personal data of citizens of the Russian Federation are carried out using databases located on the territory of the Russian Federation.
2.10. Personal data processing is not used for the purpose of causing material and / or moral harm to personal data subjects or of obstructing the exercise of their rights and freedoms.
1. General provisions and terms used in the Policy
1.1. This document defines the Policy of Limited Liability Company «Mnogogranniki» (ООО «Многогранники»), Taxpayer Identification Number (INN) 3123410813, Primary State Registration Number (OGRN) 1173123012127, registered address: Russia, 308519, Belgorod Region, Belgorod District, Severny urban-type settlement, Severny Industrial Park territory, building 11, telephone: 8-800-777-12-06, dedicated e-mail for personal data subjects' inquiries: info@mgrani.ru (hereinafter — the «Company») on the processing of personal data and on the implementation of requirements for the protection of personal data (hereinafter — the «Policy») in accordance with the requirements of Article 18.1 of Federal Law No. 152-FZ of 27 July 2006 «On Personal Data» (hereinafter — the «Personal Data Law»).
1.2. The following key concepts are used in this Policy:
personal data — any information relating, directly or indirectly, to an identified or identifiable natural person (the personal data subject);
processing of personal data — any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematisation, accumulation, storage, clarification (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion and destruction of personal data;
automated processing of personal data — processing of personal data by means of computer equipment;
dissemination of personal data — actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data — actions aimed at disclosing personal data to a specific person or to a specific circle of persons;
blocking of personal data — the temporary cessation of the processing of personal data (except where processing is necessary for the clarification of personal data);
destruction of personal data — actions as a result of which it becomes impossible to restore the contents of personal data in the personal data information system and / or as a result of which the physical media of personal data are destroyed;
depersonalisation of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine the attribution of personal data to a specific personal data subject;
personal data information system — a set of personal data contained in databases together with the information technologies and technical facilities that enable their processing;
personal data subject — a natural person to whom personal data directly or indirectly relate.
1.2. The following key concepts are used in this Policy:
personal data — any information relating, directly or indirectly, to an identified or identifiable natural person (the personal data subject);
processing of personal data — any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematisation, accumulation, storage, clarification (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion and destruction of personal data;
automated processing of personal data — processing of personal data by means of computer equipment;
dissemination of personal data — actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data — actions aimed at disclosing personal data to a specific person or to a specific circle of persons;
blocking of personal data — the temporary cessation of the processing of personal data (except where processing is necessary for the clarification of personal data);
destruction of personal data — actions as a result of which it becomes impossible to restore the contents of personal data in the personal data information system and / or as a result of which the physical media of personal data are destroyed;
depersonalisation of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine the attribution of personal data to a specific personal data subject;
personal data information system — a set of personal data contained in databases together with the information technologies and technical facilities that enable their processing;
personal data subject — a natural person to whom personal data directly or indirectly relate.
10. Liability
The liability of employees and officials of the Company who have access to personal data for non-compliance with the requirements of the rules governing the processing and protection of personal data shall be determined in accordance with the current legislation of the Russian Federation and the internal regulatory documents of the Company.
9. Measures aimed at ensuring the fulfilment by the Company of the duties provided for in Articles 18.1 and 19 of Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»
9.1. The Company takes all the legal, organisational and technical measures provided for by the relevant regulatory legal acts to ensure the security of personal data when they are processed in the Company's personal data information systems.
9.2. When processing personal data, the Company:
9.2.1. appoints a person responsible for organising the Processing of Personal Data;
9.2.2. adopts local regulatory acts defining the policy and matters of processing and protection of Personal Data;
9.2.3. conducts internal scheduled and ad-hoc audits on a regular basis and monitors the conformity of the Processing of Personal Data processes with the Legislation;
9.2.4. regularly assesses the harm that may be caused to personal data subjects in the event of violation of their rights and of the requirements of the Legislation;
9.2.5. has established at the Company a procedure for access to information resources and maintains records of the positions of those employees of the Company whose access to personal data processed both with and without the use of automation tools is necessary for the performance of their official (work) duties;
9.2.6. in cases provided for by the legislation of the Russian Federation, applies, within the framework of the personal data protection system, information protection tools that have passed the conformity assessment procedure in accordance with the established procedure. The commissioning of new information systems is carried out only after the procedures for assessing the effectiveness of the measures taken to ensure the security of personal data have been completed;
9.2.7. keeps records of the categories and list of personal data processed at the Company, of the categories of subjects whose personal data are processed, of the storage periods and of the procedure for destruction of such personal data;
9.2.8. keeps records of the machine media of personal data and of the Company's information systems in which personal data are processed;
9.2.9. determines the level of security required for personal data processed in the Company's personal data information systems;
9.2.10. identifies threats to the security of personal data during their processing in information systems.
9.3. Within the framework of the personal data protection system, the Company implements:
— security of the building, including the premises housing the technical facilities of the personal data information systems;
— equipping the Company's premises with lockable doors and video surveillance;
— application of the necessary software and software-and-hardware protection tools, in particular tools for protection against unauthorised access, tools for differentiating access and registering user actions, antivirus protection tools, security analysis tools, backup tools, firewalls and information leakage protection tools;
— organisational measures to ensure the security of personal data, in particular procedures for establishing rules of access to personal data and for the registration and recording of all actions performed with personal data.
9.4. When personal data are processed without the use of automation tools, the requirements set out in Government Decree of the Russian Federation No. 687 of 15 September 2008 «On Approval of the Regulation on the Particularities of Processing of Personal Data Performed without the Use of Automation Tools» are observed.
9.5. The Company ensures that the employees of the Company who are directly engaged in the processing of personal data are familiarised with the provisions of the legislation of the Russian Federation on personal data (including the requirements for the protection of personal data) and with local acts on matters of personal data processing. The Company trains its employees on a regular basis and communicates the requirements of the Legislation to them.
9.6. The Company shall bear liability for breach of obligations to ensure the security and confidentiality of personal data during their processing in accordance with the legislation of the Russian Federation.
9.7. In order to ensure unrestricted access to the Company's Policy on the Processing of Personal Data and to information about the measures implemented to protect personal data, the text of this Policy is published on the Company's official website (https://mgrani.ru).
9.2. When processing personal data, the Company:
9.2.1. appoints a person responsible for organising the Processing of Personal Data;
9.2.2. adopts local regulatory acts defining the policy and matters of processing and protection of Personal Data;
9.2.3. conducts internal scheduled and ad-hoc audits on a regular basis and monitors the conformity of the Processing of Personal Data processes with the Legislation;
9.2.4. regularly assesses the harm that may be caused to personal data subjects in the event of violation of their rights and of the requirements of the Legislation;
9.2.5. has established at the Company a procedure for access to information resources and maintains records of the positions of those employees of the Company whose access to personal data processed both with and without the use of automation tools is necessary for the performance of their official (work) duties;
9.2.6. in cases provided for by the legislation of the Russian Federation, applies, within the framework of the personal data protection system, information protection tools that have passed the conformity assessment procedure in accordance with the established procedure. The commissioning of new information systems is carried out only after the procedures for assessing the effectiveness of the measures taken to ensure the security of personal data have been completed;
9.2.7. keeps records of the categories and list of personal data processed at the Company, of the categories of subjects whose personal data are processed, of the storage periods and of the procedure for destruction of such personal data;
9.2.8. keeps records of the machine media of personal data and of the Company's information systems in which personal data are processed;
9.2.9. determines the level of security required for personal data processed in the Company's personal data information systems;
9.2.10. identifies threats to the security of personal data during their processing in information systems.
9.3. Within the framework of the personal data protection system, the Company implements:
— security of the building, including the premises housing the technical facilities of the personal data information systems;
— equipping the Company's premises with lockable doors and video surveillance;
— application of the necessary software and software-and-hardware protection tools, in particular tools for protection against unauthorised access, tools for differentiating access and registering user actions, antivirus protection tools, security analysis tools, backup tools, firewalls and information leakage protection tools;
— organisational measures to ensure the security of personal data, in particular procedures for establishing rules of access to personal data and for the registration and recording of all actions performed with personal data.
9.4. When personal data are processed without the use of automation tools, the requirements set out in Government Decree of the Russian Federation No. 687 of 15 September 2008 «On Approval of the Regulation on the Particularities of Processing of Personal Data Performed without the Use of Automation Tools» are observed.
9.5. The Company ensures that the employees of the Company who are directly engaged in the processing of personal data are familiarised with the provisions of the legislation of the Russian Federation on personal data (including the requirements for the protection of personal data) and with local acts on matters of personal data processing. The Company trains its employees on a regular basis and communicates the requirements of the Legislation to them.
9.6. The Company shall bear liability for breach of obligations to ensure the security and confidentiality of personal data during their processing in accordance with the legislation of the Russian Federation.
9.7. In order to ensure unrestricted access to the Company's Policy on the Processing of Personal Data and to information about the measures implemented to protect personal data, the text of this Policy is published on the Company's official website (https://mgrani.ru).
8. Exercise of the rights of personal data subjects
8.1. The personal data subject has the right to receive information concerning the processing of his or her personal data, including information containing:
8.1.1. confirmation of the fact of personal data processing by the Company;
8.1.2. the legal grounds and purposes of personal data processing;
8.1.3. the purposes and methods of personal data processing applied by the Company;
8.1.4. the name and location of the Company, information about the persons (other than employees of the Company) who have access to personal data or to whom personal data may be disclosed under a contract with the Company or on the basis of a federal law of the Russian Federation;
8.1.5. the processed personal data relating to the relevant personal data subject, the source from which they were obtained, unless a different procedure for the provision of such data is provided for by a federal law of the Russian Federation; Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»;
8.1.6. the periods of personal data processing, including the periods of their storage;
8.1.7. the procedure for the personal data subject to exercise the rights provided for by Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»;
8.1.8. information about cross-border transfer of data that has been or is intended to be carried out;
8.1.9. the name or surname, first name, patronymic and address of the person carrying out the processing of personal data on the instructions of the Company, if processing has been or will be entrusted to such person;
8.1.10. other information provided for by Federal Law No. 152-FZ of 27 July 2006 «On Personal Data» or by other federal laws of the Russian Federation.
8.2. The personal data subject has the right to demand from the Company the clarification of his or her personal data, the blocking or destruction thereof, if the personal data are incomplete, outdated, inaccurate, obtained unlawfully or are not necessary for the declared purpose of processing, and to take measures provided for by law to protect his or her rights. In the event of any questions or inquiries concerning personal data processing, the personal data subject may apply by sending the relevant inquiry to the e-mail address info@mgrani.ru.
8.3. The personal data subject is entitled, inter alia, to withdraw consent to the Processing of Personal Data by sending the relevant request to the Operator's e-mail address info@mgrani.ru, provided that the withdrawal is signed with a qualified electronic signature in accordance with part 1 of Article 6 of Federal Law No. 63-FZ of 6 April 2011 «On Electronic Signature», or by sending the relevant application to the Operator's registered address.
8.4. Upon receipt of a User's request for information concerning the Processing of personal data, the Operator undertakes to provide such information to the User free of charge in an accessible form within the period established by the Legislation.
8.5. The Operator blocks Personal Data for the period of an internal verification in the event of detection of:
8.5.1. Unlawful Processing of Personal Data;
8.5.2. Inaccurate Personal Data;
8.5.3. The impossibility of destroying Personal Data within the period specified by the Legislation in the field of Personal Data or by local regulatory acts.
8.6. The Operator undertakes to cease the Processing and to destroy Personal Data in the following cases:
8.6.1. Where it is impossible to ensure the lawful processing of Personal Data;
8.6.2. Upon achievement of the purpose of the Processing of Personal Data;
8.6.3. In the event of expiry of the term, or withdrawal by the User, of consent to the Processing of Personal Data;
8.6.4. Upon expiry of the established period of Processing of Personal Data.
8.7. If the personal data subject considers that the Company is processing his or her personal data in violation of the requirements of Federal Law No. 152-FZ of 27 July 2006 «On Personal Data» or otherwise violates his or her rights and freedoms, the personal data subject has the right to appeal against the Company's actions or omissions to the body for the protection of the rights of personal data subjects (the Federal Service for Supervision in the Field of Communications, Information Technology and Mass Media — Roskomnadzor) or to a court.
8.8. The personal data subject has the right to the protection of his or her rights and lawful interests, including the right to compensation for losses and / or compensation for moral harm by way of judicial proceedings.
8.9. In the event of any questions or inquiries concerning personal data processing, the Personal Data Subject may contact the e-mail address info@mgrani.ru or send a written inquiry to the Company's address.
8.1.1. confirmation of the fact of personal data processing by the Company;
8.1.2. the legal grounds and purposes of personal data processing;
8.1.3. the purposes and methods of personal data processing applied by the Company;
8.1.4. the name and location of the Company, information about the persons (other than employees of the Company) who have access to personal data or to whom personal data may be disclosed under a contract with the Company or on the basis of a federal law of the Russian Federation;
8.1.5. the processed personal data relating to the relevant personal data subject, the source from which they were obtained, unless a different procedure for the provision of such data is provided for by a federal law of the Russian Federation; Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»;
8.1.6. the periods of personal data processing, including the periods of their storage;
8.1.7. the procedure for the personal data subject to exercise the rights provided for by Federal Law No. 152-FZ of 27 July 2006 «On Personal Data»;
8.1.8. information about cross-border transfer of data that has been or is intended to be carried out;
8.1.9. the name or surname, first name, patronymic and address of the person carrying out the processing of personal data on the instructions of the Company, if processing has been or will be entrusted to such person;
8.1.10. other information provided for by Federal Law No. 152-FZ of 27 July 2006 «On Personal Data» or by other federal laws of the Russian Federation.
8.2. The personal data subject has the right to demand from the Company the clarification of his or her personal data, the blocking or destruction thereof, if the personal data are incomplete, outdated, inaccurate, obtained unlawfully or are not necessary for the declared purpose of processing, and to take measures provided for by law to protect his or her rights. In the event of any questions or inquiries concerning personal data processing, the personal data subject may apply by sending the relevant inquiry to the e-mail address info@mgrani.ru.
8.3. The personal data subject is entitled, inter alia, to withdraw consent to the Processing of Personal Data by sending the relevant request to the Operator's e-mail address info@mgrani.ru, provided that the withdrawal is signed with a qualified electronic signature in accordance with part 1 of Article 6 of Federal Law No. 63-FZ of 6 April 2011 «On Electronic Signature», or by sending the relevant application to the Operator's registered address.
8.4. Upon receipt of a User's request for information concerning the Processing of personal data, the Operator undertakes to provide such information to the User free of charge in an accessible form within the period established by the Legislation.
8.5. The Operator blocks Personal Data for the period of an internal verification in the event of detection of:
8.5.1. Unlawful Processing of Personal Data;
8.5.2. Inaccurate Personal Data;
8.5.3. The impossibility of destroying Personal Data within the period specified by the Legislation in the field of Personal Data or by local regulatory acts.
8.6. The Operator undertakes to cease the Processing and to destroy Personal Data in the following cases:
8.6.1. Where it is impossible to ensure the lawful processing of Personal Data;
8.6.2. Upon achievement of the purpose of the Processing of Personal Data;
8.6.3. In the event of expiry of the term, or withdrawal by the User, of consent to the Processing of Personal Data;
8.6.4. Upon expiry of the established period of Processing of Personal Data.
8.7. If the personal data subject considers that the Company is processing his or her personal data in violation of the requirements of Federal Law No. 152-FZ of 27 July 2006 «On Personal Data» or otherwise violates his or her rights and freedoms, the personal data subject has the right to appeal against the Company's actions or omissions to the body for the protection of the rights of personal data subjects (the Federal Service for Supervision in the Field of Communications, Information Technology and Mass Media — Roskomnadzor) or to a court.
8.8. The personal data subject has the right to the protection of his or her rights and lawful interests, including the right to compensation for losses and / or compensation for moral harm by way of judicial proceedings.
8.9. In the event of any questions or inquiries concerning personal data processing, the Personal Data Subject may contact the e-mail address info@mgrani.ru or send a written inquiry to the Company's address.
7. Confidentiality of personal data
7.1. Information relating to personal data which has become known in connection with the implementation of labour relations, the performance of provisions of a civil-law contract to which the personal data subject is a party, or in connection with the provision of services by the Company, is confidential information and is protected by the current legislation of the Russian Federation.
7.2. Persons who have obtained access to processed personal data have signed an undertaking on the non-disclosure of confidential information and have been warned of possible disciplinary, administrative, civil and criminal liability in the event of violation of the norms and requirements of the current legislation of the Russian Federation in the field of personal data protection.
7.3. Persons who have obtained access to processed personal data do not have the right to disclose personal data of a personal data subject to a third party without the written consent of such subject, except where this is necessary in order to prevent a threat to the life and health of the personal data subject, and in cases established by the legislation of the Russian Federation.
7.4. Persons who have obtained access to personal data undertake not to disclose personal data for commercial purposes without the written consent of the personal data subject. Processing of personal data of personal data subjects for the purpose of promoting goods, works or services on the market through direct contacts with the potential consumer by means of communication is permitted only with his or her prior consent.
7.2. Persons who have obtained access to processed personal data have signed an undertaking on the non-disclosure of confidential information and have been warned of possible disciplinary, administrative, civil and criminal liability in the event of violation of the norms and requirements of the current legislation of the Russian Federation in the field of personal data protection.
7.3. Persons who have obtained access to processed personal data do not have the right to disclose personal data of a personal data subject to a third party without the written consent of such subject, except where this is necessary in order to prevent a threat to the life and health of the personal data subject, and in cases established by the legislation of the Russian Federation.
7.4. Persons who have obtained access to personal data undertake not to disclose personal data for commercial purposes without the written consent of the personal data subject. Processing of personal data of personal data subjects for the purpose of promoting goods, works or services on the market through direct contacts with the potential consumer by means of communication is permitted only with his or her prior consent.
Categories of subjects whose personal data are processed
Applicants (candidates) for vacant positions; persons placed in the personnel reserve.
Categories of personal data
surname, first name, patronymic; date of birth; place of birth; e-mail address; address of residence; citizenship; details of the identity document; place of study or work; employment history, length of service; mobile telephone number; military duty status; marital status, presence of children; other personal data necessary to achieve the purpose of personal data processing, the collection of which is carried out where there are legal grounds for personal data processing and taking such grounds into account.
Attracting and selecting candidates for employment with the Company and with its affiliates, assisting with subsequent employment with the Company and with third parties — the Company's partners, and forming, for these purposes, a personnel reserve.
Purpose 8
Categories of subjects whose personal data are processed
Natural persons in respect of whom information is provided in response to requests from authorised bodies, including bodies carrying out operational search activity, as well as personal data subjects; natural persons in respect of whom compliance with the requirements of regulatory legal acts regarding the transfer of information to third parties is ensured; natural persons whose personal data are processed for the purposes of organising accounting records and tax reporting; natural persons whose personal data are processed for the exercise and performance of the functions, powers and duties assigned to the Company by the legislation of the Russian Federation, including participants, beneficiaries and natural persons sitting on the management / supervisory bodies of the Company and of subsidiaries and dependent companies; authorised representatives.
Categories of personal data
surname, first name, patronymic; e-mail address; address of residence; mobile telephone number; SNILS; INN; citizenship; position held; details of the identity document; date and place of birth; ownership interests in legal entities; place of work; education, including the name of the educational institution, date of graduation, qualification awarded, specialisation; previous employment history, profession; photographic image; information on payments; bank account details; information on knowledge of foreign languages and on skills; other personal data necessary to achieve the purpose of personal data processing, the collection of which is carried out where there are legal grounds for personal data processing and taking such grounds into account.
Ensuring compliance with the requirements of laws and other regulatory legal acts of the Russian Federation — processing only those categories of personal data that are necessary for compliance with the requirements of the relevant regulatory legal act.
Purpose 7
Categories of subjects whose personal data are processed
Natural persons who have entered into a contract on the basis of, and in performance of, which the Company provides services; authorised representatives of the personal data subjects listed above.
Categories of personal data
surname, first name, patronymic; date of birth; SNILS (Individual Insurance Account Number); INN (Individual Taxpayer Identification Number); citizenship; details of the identity document; contact telephone number; e-mail address; other personal data necessary to achieve the purpose of personal data processing, the collection of which is carried out where there are legal grounds for personal data processing and taking such grounds into account.
Performance of a contract to which the personal data subject is a party, beneficiary or guarantor, as well as the conclusion of a contract at the initiative of the personal data subject or of a contract under which the personal data subject will be a beneficiary or guarantor, including contracts for the provision of services and for the rendering of services and solutions of the Company and of third parties — partners of the Company, on the basis of the contracts concluded.
Purpose 6
Categories of subjects whose personal data are processed
Persons whose personal data processing has been entrusted to the Company on the basis of contracts concluded with other operators of personal data processing (including users of applications / services, employees of counterparties under civil-law contracts concluded with the Company, etc.).
Categories of personal data
surname, first name, patronymic; date of birth; e-mail address; telephone number; data of the identity document.
Performance of obligations under contracts concluded by the Company.
Purpose 5
Categories of subjects whose personal data are processed
Clients that have entered into service contracts with the Company; visitors to the Company's websites; users of the Company's services; prospective clients.
Categories of personal data
surname, first name, patronymic; date of birth; sex; e-mail address; city of residence; telephone number.
Conduct of marketing, statistical, analytical and other research activities of the Company.
Purpose 4
Categories of subjects whose personal data are processed
Clients; visitors to the Company's websites; users of the mobile application of the Company's services; prospective clients.
Categories of personal data
surname, first name, patronymic; date of birth; address of residence; personal account number; bank account number; details of the identity document; contact telephone number; e-mail address; subscriber number; cookies; ClientID (user identifier); information collected via metric programmes such as Yandex.Metrica; other personal data necessary to achieve the purpose of personal data processing, the collection of which is carried out where there are legal grounds for personal data processing and taking such grounds into account.
Provision of information and reference services to natural persons, supplying information about the services of the Company and the Company's partners, including interaction with natural persons via the website, platforms and mobile application of services — processing only those categories of personal data that are necessary for the relevant type of service or interaction.
Purpose 3
Categories of subjects whose personal data are processed
Employees, former Employees.
Categories of personal data
surname, first name, patronymic; date and place of birth; information contained in identity documents; sex; citizenship; address of registration; address of actual residence; photographic image; place of work; subscriber telephone number (work, personal); Individual Taxpayer Identification Number (INN); number of the certificate of mandatory pension insurance (SNILS); information regarding military duty and military registration; information contained in documents on education and qualifications; information on the position held; information on work history, including information from previous places of employment; information on payments and deductions received in the performance of labour duties; data on bonus categories, ratios and bonus amounts; e-mail address; information on marital status; information on family composition; information contained in documents on awards; information on knowledge of foreign languages; information on academic degrees and academic titles; information on attestation; address for performing the labour function remotely; identifier (user ID) in the Employer's information systems; information from the attendance log; personnel number; bank account details and bank card number; information on a driving licence; information on issued powers of attorney; information on social benefits and information on the facts that serve as grounds for the provision of guarantees and benefits provided for by regulatory legal acts in the field of the labour legislation of the Russian Federation, directed at the employee receiving any social guarantees and benefits; results of a medical examination for fitness to perform labour duties; results of assessment activities / tests carried out; information from corporate calendar systems; information about achievements; information about awards and incentives.
Ensuring labour rights and the labour guarantees granted to the Company's employees, including compliance with the labour legislation of the Russian Federation and other acts containing rules of labour law; ensuring and regulating labour and production processes; information support; assisting employees in employment, training and career advancement; performance of labour and official functions; provision of tools for the performance of job duties; ensuring the personal safety of employees; monitoring the quantity and quality of work performed; ensuring the safekeeping of property; organisation and conduct of corporate events — processing only those categories of personal data that are necessary for the corresponding interaction.
Purpose 2
Categories of subjects whose personal data are processed
Categories of personal data
Employees, employees of partners (Group of companies).
surname; first name; patronymic; employment information, including position, structural subdivision, personnel number, contact details (telephone number, e-mail address (personal / corporate), information about achievements, identifiers in automated systems); day and month of birth; social network link, information about hobbies and interests (where such information has been placed by the personal data subject independently in the Company's internal communication channels); photographic image.
Purpose 1
Ensuring unimpeded and effective informational interaction between the Company's employees themselves and with employees (representatives) of affiliated companies.
Annex No. 1 to the Policy on the Processing of Personal Data and on the Implementation of Requirements for the Protection of Personal Data