Privacy Policy - Mashproject LLC

Policy of Limited Liability Company

Scientific and Production Enterprise Mashproject

On Personal Data Processing

1. General

1.1. This Policy of Limited Liability Company Scientific and Production Enterprise Mashproject on Personal Data Processing (hereinafter referred to as the “Policy”) has been developed in accordance with Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”) in order to ensure the protection of the rights and freedoms of individuals and citizens when processing their personal data, including protection of rights to privacy as well as personal and family confidentiality.

1.2. The Policy shall apply to all personal data to be processed by Limited Liability Company Scientific and Production Enterprise Mashproject (hereinafter referred to as the “Operator” or LLC SPE Mashproject).

1.3. The Policy applies to personal data processing activities carried out by the Operator both before and after the approval of this Policy.

1.4. Pursuant to Part 2, Article 18.1 of the Personal Data Law, this Policy shall be published with open access on the Internet on the Operator’s website.

1.5. Key terms used in the Policy:

Personal Data shall mean any information relating to a directly or indirectly identified or identifiable individual (personal data subject).

Personal Data Operator (Operator) shall mean a legal entity (LLC SPE Mashproject) that independently or jointly with other persons organizes and/or performs the processing of personal data as well as determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) to be performed with personal data.

Processing of Personal Data shall mean any action (operation) or a set of actions (operations) performed with personal data with or without automation tools. Such actions shall include, among other things:

  • collection,
  • recording,
  • systematization,
  • accumulation,
  • storage,
  • clarification (updating, modification),
  • retrieval,
  • use,
  • transfer (distribution, provision, access),
  • anonymization,
  • blocking,
  • deletion,
  • destruction.

Automated Processing of Personal Data shall mean processing of personal data using computer technology.

Distribution of Personal Data shall mean actions aimed at disclosing personal data to any number of unspecified persons.

Provision of Personal Data shall mean actions aimed at disclosing personal data to a specific person or a specific group of persons.

Blocking of Personal Data shall mean temporary suspension of personal data processing (except in cases where processing is necessary to clarify the personal data).

Destruction of Personal Data shall mean actions resulting in the impossibility of restoring the content of personal data in a personal data information system and/or destruction of material media containing personal data.

Anonymization of Personal Data shall mean actions resulting in the impossibility of determining the affiliation of personal data with a particular personal data subject without the use of additional information.

Personal Data Information System shall mean a set of personal data contained in databases together with information technologies and technical means ensuring the processing thereof.

1.6. Rights and Obligations of the Operator.

1.6.1. The Operator shall have the right to:

  1. independently determine the scope and list of measures necessary and sufficient to ensure compliance with the obligations stipulated by the Personal Data Law and regulatory legal acts adopted thereupon, unless otherwise provided by the Personal Data Law or other federal laws;
  2. entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of a contract concluded with that person. The person processing personal data on behalf of the Operator shall comply with the principles and rules for personal data processing established by the Personal Data Law, protect the confidentiality of personal data, and take necessary measures to ensure compliance with the obligations stipulated by the Personal Data Law;
  3. continue processing personal data without consent (in case of withdrawal thereof) of the personal data subject if such processing is permitted by the Personal Data Law.

1.6.2. The Operator shall:

  1. organize the processing of personal data in accordance with the Personal Data Law;
  2. respond to requests and inquiries from personal data subjects and their legal representatives in accordance with the Personal Data Law;
  3. provide the authorized body for protection of rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with necessary information upon request within 10 business days from the date of receipt of such request. This period may be extended by no more than five business days, provided that a reasoned notification is sent by the Operator to Roskomnadzor indicating the reasons for extending the deadline;
  4. in accordance with the procedure established by the federal executive authority authorized in the field of security, ensure cooperation with state systems for detection, prevention, and elimination of consequences of computer attacks on information resources of the Russian Federation, including informing authorities of computer-related incidents that resulted in unlawful transfer (provision, distribution, access) of personal data.

1.7. Rights of Personal Data Subjects. A personal data subject shall have the right to:

  1. obtain information regarding the processing of their personal data, except where restricted by federal laws. Such information shall be provided by the Operator in an accessible form and shall not contain personal data relating to other personal data subjects unless there are statutory grounds for such disclosure. The list of information and the procedure for obtaining such information shall be established by the Personal Data Law;
  2. request clarification, blocking, or destruction of personal data by the Operator if the data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
  3. give prior consent for processing of personal data for the purposes of promoting goods, works, and services on the market or acquiring goods, works, and services;
  4. appeal unlawful actions or inaction of the Operator to Roskomnadzor or to a court when processing their personal data.

1.8. Compliance with the requirements of this Policy shall be supervised by a person authorized by the Operator to oversee personal data processing.

1.9. Liability for violation of the legislation of the Russian Federation and internal regulations of LLC SPE Mashproject in the field of personal data processing and protection shall be determined in accordance with the legislation of the Russian Federation.

2. Purposes of Personal Data Collection

2.1. Personal data shall be processed solely for specific, predetermined, and lawful purposes. Processing incompatible with the purposes of collection shall not be permitted.

2.2. Only personal data that correspond to the purposes of their processing shall be processed.

2.3. The Operator shall process personal data for the following purposes:

  • conducting business activities in accordance with the Charter of LLC SPE Mashproject, including entering into and fulfilling contracts;
  • processing requests from potential customers for the acquisition/use/lease of goods and services of LLC SPE Mashproject;
  • compliance with labor legislation within labor and related relations, including: assisting employees with employment, training, and career advancement, recruitment and selection of candidates for the Operator, ensuring personal safety of employees, monitoring the quantity and quality of work performed, property safekeeping, maintaining personnel and accounting records, preparing and submitting mandatory reports to authorized bodies, organizing individual (personalized) registration of employees in statutory pension and social insurance systems;
  • processing of information on job applicants for employment in LLC SPE Mashproject;
  • maintenance of access control procedures.

2.4. Employees’ personal data may be processed exclusively for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal Grounds for Personal Data Processing

3.1. The legal grounds for personal data processing shall refer to the totality of regulatory legal acts in accordance with which the Operator processes personal data, including:

  • Constitution of the Russian Federation;
  • Civil Code of the Russian Federation;
  • Labor Code of the Russian Federation;
  • Tax Code of the Russian Federation;
  • Federal Law No. 14-FZ dated February 08, 1998 “On Limited Liability Companies”;
  • Federal Law No. 402-FZ dated December 06, 2011 “On Accounting”;
  • Federal Law No. 167-FZ dated December 15, 2001 “On Statutory Pension Insurance in the Russian Federation”;
  • other regulatory legal acts governing relations related to the Operator’s activities.

3.2. Legal grounds for personal data processing shall additionally include:

  • the Charter of LLC SPE Mashproject;
  • contracts concluded between the Operator and personal data subjects;
  • consent of personal data subjects to the processing of their personal data.

4. Scope and Categories of Personal Data Processed, Categories of Personal Data Subjects

4.1. The content and scope of personal data to be processed shall correspond to the stated purposes of processing provided for in Section 2 hereof. Personal data to be processed shall not be excessive in relation to the stated purposes of their processing.

4.2. The Operator may process personal data of the following categories of personal data subjects.

4.2.1. Job applicants for the Operator — for the purposes of compliance with labor legislation within labor and related relations and ensuring access control procedures:

  • last name, first name, patronymic;
  • sex;
  • citizenship;
  • date and place of birth;
  • image (photograph);
  • passport details;
  • contact details;
  • information on education, work experience, and qualifications;
  • military registration information;
  • other personal data provided by the applicants in CVs and cover letters.

4.2.2. Employees and former employees of the Operator — for the purposes of compliance with labor legislation within labor and related relations and ensuring access control procedures:

  • last name, first name, patronymic;
  • sex;
  • citizenship;
  • date and place of birth;
  • image (photograph);
  • passport details;
  • residential registration address;
  • residence address;
  • contact details;
  • taxpayer identification number;
  • insurance number of the individual personal account (SNILS);
  • information on education, qualifications, vocational and advanced training;
  • marital status, parental status, family relationships;
  • information on professional experience, including incentives, awards and/or disciplinary sanctions;
  • marriage registration records;
  • military registration information;
  • information on disabilities;
  • information on alimony deductions;
  • information on income at previous place of employment;
  • other personal data provided by employees in accordance with labor legislation requirements.

4.2.3. Family members of the Operator’s employees — for the purposes of compliance with labor legislation within labor and related relations:

  • last name, first name, patronymic;
  • familial relationship;
  • year of birth;
  • other personal data provided by employees in accordance with labor legislation requirements.

4.2.4. Clients and counterparties of the Operator (individuals), including potential ones — for the purposes of carrying out activities in accordance with the Charter of LLC SPE Mashproject and ensuring access control procedures:

  • last name, first name, patronymic;
  • date and place of birth;
  • passport details;
  • residential registration address;
  • contact details;
  • job title;
  • taxpayer identification number;
  • account number;
  • other personal data provided by clients and counterparties (individuals) necessary for concluding and performing contracts.

4.2.5. Representatives (employees) of clients and counterparties of the Operator, including potential ones (legal entities) — for the purposes of carrying out activities in accordance with the Charter of LLC SPE Mashproject and ensuring access control procedures:

  • last name, first name, patronymic;
  • passport details;
  • contact details;
  • job title;
  • other personal data provided by representatives (employees) of clients and counterparties necessary for concluding and performing contracts.

4.3. The Operator shall process biometric personal data (information characterizing physiological and biological features of a person on the basis of which their identity can be established) in accordance with the legislation of the Russian Federation.

4.4. The Operator shall not process special categories of personal data relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, details of intimate life, except in cases stipulated by the legislation of the Russian Federation.

5. Procedure and Conditions for Personal Data Processing

5.1. Personal data processing shall be carried out by the Operator in accordance with the legislation of the Russian Federation.

5.2. Personal data shall be processed with the consent of personal data subjects, as well as without such consent in cases stipulated by the legislation of the Russian Federation.

5.3. The Operator shall process personal data for each purpose using the following methods:

  • non-automated processing of personal data;
  • automated processing of personal data with or without transfer of information via information and telecommunications networks;
  • mixed processing of personal data.

5.4. Only employees of the Operator whose job responsibilities include personal data processing shall be allowed to process personal data.

5.5. Processing of personal data for each purpose specified in Clause 2.3 hereof shall be carried out as follows:

  • obtaining personal data in oral or written form directly from personal data subjects;
  • entering personal data into logs, registers, and information systems of the Operator;
  • using other methods of personal data processing.

5.6. Disclosure to third parties and distribution of personal data without the consent of the personal data subject shall not be permitted unless otherwise stipulated by federal laws. Consent for processing of personal data permitted for distribution by the personal data subject shall be executed separately from other consents for personal data processing.

Requirements for the content of such consent for processing of personal data shall be established by Roskomnadzor Order No. 18 dated February 24, 2021.

5.7. Transfer of personal data to inquiry and investigation authorities, the Federal Tax Service, the Social Fund of Russia, and other authorized executive bodies and organizations shall be carried out in accordance with the Russian legislation.

5.8. The Operator takes necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:

  • identification of security threats to personal data during processing thereof;
  • adopting local regulatory acts governing relations in the field of personal data processing and protection;
  • appointment of persons to be responsible for ensuring personal data security in structural subdivisions and information systems of the Operator;
  • creating conditions necessary for working with personal data;
  • organization of record-keeping of documents containing personal data;
  • organization of work with personal data information systems;
  • storage of personal data under the conditions ensuring their integrity and preventing unauthorized access thereto;
  • training of employees of the Operator processing personal data.

5.9. The Operator shall store personal data in a form that allows identification of the personal data subject for a period no longer than that required for the purposes of processing thereof, unless personal data storage periods are established by a federal law or a contract.

5.9.1. Personal data in paper form shall be stored at LLC SPE Mashproject for the documentation storage periods established by the legislation on archival records of the Russian Federation, including: Federal Law No. 125-FZ dated October 22, 2004 “On Archival Affairs of the Russian Federation” and the List of Standard Management Archival Documents Generated in the Course of Activities of State Bodies, Local Government Bodies and Organizations, Indicating Their Storage Periods (approved by Order of Rosarchive No. 236 dated December 20, 2019).

5.9.2. The storage period for personal data in information systems shall correspond to the storage period for paper-based records.

5.10. The Operator shall terminate personal data processing in the following cases:

  • in case of detection of unlawful processing, within three business days;
  • in case of achievement of the purpose of processing;
  • in case of expiration or withdrawal of the consent of the personal data subject for processing of the data, when such processing is allowed only with consent as stipulated by the Personal Data Law.

5.11. Upon achieving the purposes of processing or withdrawal of consent for the processing by the personal data subject, the Operator shall terminate processing unless:

  • otherwise provided by a contract to which the personal data subject is a party, beneficiary, or guarantor;
  • the Operator is entitled to process data without the consent of the personal data subject under the Personal Data Law or other federal laws;
  • otherwise provided by another agreement between the Operator and the personal data subject.

5.12. Upon request of a personal data subject to terminate the data processing, the Operator shall stop the processing within 10 business days, except where otherwise stipulated by the Personal Data Law. This period may be extended by not more than five business days subject to a reasoned notice to be sent by the Operator to the personal data subject with indication of the reasons for extending the deadline.

5.13. When collecting personal data via the Internet, the Operator shall ensure that Russian citizens’ personal data are recorded, stored, and processed using databases located within the territory of the Russian Federation, except in cases provided by the Personal Data Law.

6. Updating, Correction, Deletion and Destruction of Personal Data, Responses to Subjects’ Requests for Access to Personal Data

6.1. Confirmation of personal data processing by the Operator, legal grounds and purposes of such processing, and other information specified in Article 14 of the Personal Data Law shall be provided by the Operator to the personal data subject or their representative within 10 business days from the date of application or receipt of the request from the personal data subject or their representatives. This period may be extended by no more than five business days, provided that a reasoned notification is sent by the Operator to the personal data subject indicating the reasons for extending the deadline for provision of the requested information.

The request shall not include personal data relating to other personal data subjects unless there are statutory grounds for such disclosure.

The request must contain:

  • primary identity document number of the personal data subject or representative, information on the issue date of such document and issuing authority;
  • information confirming the participation of the personal data subject in relations with the Operator (contract number and date, conventional verbal designation and/or other information), or information otherwise confirming the fact of processing of personal data by the Operator;
  • signature of the personal data subject or representative.

The request may also be sent electronically and signed with an electronic signature in accordance with the laws of the Russian Federation.

The Operator shall provide the information specified in Part 7 of Article 14 of the Personal Data Law to the personal data subject or their representative in the form of the relevant request or appeal, unless otherwise specified in the request or appeal.

If a personal data subject’s request (appeal) does not contain all the necessary information in accordance with the requirements of the Personal Data Law, or if the subject does not have the right to access the requested information, a reasoned refusal shall be sent.

Personal data subject’s right to access their personal data may be limited in accordance with Part 8 of Article 14 of the Personal Data Law, including if the subject’s access to their personal data violates the rights and legitimate interests of third parties.

6.2. If inaccurate personal data are discovered upon request by a personal data subject or their representative, or at their request, or at the request of Roskomnadzor, the Operator shall block the personal data related to that subject from the moment of such request or receipt of the said request for the duration of the verification, provided that blocking of the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

If personal data is confirmed to be inaccurate, the Operator, based on information provided by the personal data subject or their representative, or Roskomnadzor, or other required documents, shall clarify the personal data within seven business days of the date of submission of such information and unblock the personal data.

6.3. If unlawful processing of personal data is detected upon request (appeal) from the personal data subject or their representative, or Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to that personal data subject from the moment of such request or receipt of the request.

6.4. If the Operator, Roskomnadzor, or another interested party discovers an unauthorized or accidental transfer (provision, distribution) of personal data (or access to personal data) that has resulted in a violation of the rights of personal data subjects, the Operator shall:

  • within 24 hours — notify Roskomnadzor of the incident, the presumed causes that led to the violation of the rights of personal data subjects, the presumed damage caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and provide information about the person authorized by the Operator to interact with Roskomnadzor on matters related to the incident;
  • within 72 hours — notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused it (if any).

6.5. Procedure for Personal Data Destruction by the Operator.

6.5.1. Conditions and Deadlines for Destruction of Personal Data by the Operator:

  • achievement of the purpose of personal data processing or lack of further need to achieve this purpose — within 30 days;
  • reaching the maximum retention period for documents containing personal data — within 30 days;
  • confirmation by the personal data subject (or their representative) that the personal data was obtained illegally or is not necessary for the stated purpose of processing — within seven business days;
  • withdrawal by the personal data subject of the consent to the processing of their personal data if their storage for the purpose of processing is no longer required — within 30 days.

6.5.2. When the purpose of personal data processing has been achieved, or if the personal data subject withdraws their consent to the processing, the personal data shall be destroyed unless:

  • otherwise provided by a contract to which the personal data subject is a party, beneficiary, or guarantor;
  • the Operator is entitled to process data without the consent of the personal data subject under the Personal Data Law or other federal laws;
  • otherwise provided by another agreement between the Operator and the personal data subject.

6.5.3. The destruction of personal data shall be carried out by a committee established by Order of the General Director of LLC SPE Mashproject.

6.5.4. The methods for destroying personal data shall be established in the Operator’s internal regulations.