Personal data processing policy
1. Basic provisions
1.1. This Policy regarding personal data processing (hereinafter referred to as the Policy) has been drawn up in accordance with paragraph 2 of Art. 18.1 of the Federal Law of the Russian Federation "Personal Data" No. 152-FZ dated July 27, 2006 and applies to all personal data processed by RD Investment Management LLC (hereinafter referred to as the Operator).
1.2. The purpose of this Policy is to determine the categories of personal data processed by the Operator, as well as the main principles used by the Operator when processing personal data.
1.3. Following this Policy's provisions is obligatory for all employees of the Operator, organizations that receive or provide personal data to the Operator, as well as individuals who are in a contractual relationship with the Operator.
1.4. Terms used in this Policy:
- personal data — any information that relates to a directly or indirectly identified or identifiable living individual (data subject);
- personal data operator (operator) — a state body, municipal body, legal entity or individual, independently or jointly with others organizing and (or) carrying out personal data processing, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data;
- processing of personal data — any action (operation) or a set of actions (operations) with personal data performed using automation tools or without them. Personal data processing includes, among other things:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- use;
- transmission (distribution, provision, access);
- depersonalization;
- blocking;
- deletion;
- destruction.
- automated personal data processing — personal data processing using computer technology;
- dissemination of personal data — actions aimed at transferring personal data to an indefinite circle of persons;
- provision of personal data — actions aimed at transferring personal data to a certain person or a certain circle of persons;
- blocking of personal data — temporary suspension of personal data processing (unless such processing is necessary to clarify personal data);
- destruction of personal data — actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;
- depersonalization of personal data — actions as a result of which it becomes impossible to determine the belonging of personal data to a specific subject of personal data without using additional information;
- information system of personal data — a set of personal data contained in personal data databases, as well as information technologies and technical means that ensure such processing;
- cross-border transfer of personal data — transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity;
- confidentiality of personal data — the obligation of the Operator and other persons who have gained access to personal data not to disclose personal data to third parties and not to distribute personal data without the consent of the data subject, unless otherwise provided by federal law.
1.5. Data subjects or their legal representatives have the right to:
- obtain full information about their personal data and data processing (including automated processing);
- have free access to their personal data, including the right to receive copies of any record containing the subject's personal data, unless otherwise provided by federal law;
- demand incorrect or incomplete personal data, as well as data processed with violation of federal law, to be excluded or rectified;
- declare his disagreement in written form, providing an appropriate justification, if the Operator or a person authorized by the Operator refuses to exclude or rectify the subject's personal data;
- require the Operator or a person authorized by the Operator to notify all persons who were previously provided with incorrect or incomplete subject's personal data, about all amendments or exceptions made;
- appeal in court any illegal actions or inaction of the Operator or a person authorized by the Operator, carried out during the subject's personal data processing and protection.
1.6. Data subjects or their legal representatives are obliged to:
- provide the Operator with true and accurate personal data;
- notify the Operator of all changes in personal data in a timely manner
1.7. The Operator has the right to process personal data subject to the presence of legal grounds, the compliance of the processing with the stated purposes of such processing and federal law, this Policy's provisions and other local acts of the Operator
1.8. The Operator is obliged:
- at its own expense ensure personal data protection from unauthorized use or loss in accordance with federal law;
- provide the data subject, at his request, with information regarding his personal data processing, or provide a refusal based on law;
- provide the data subject with free access to his personal data, including the right to receive copies of any record containing his personal data, unless otherwise provided by federal law;
- at the request of the data subject, clarify the processed personal data, block or destruct them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- maintain a Journal of requests from data subjects, recording the requests of data subjects for obtaining personal data, as well as the facts of providing personal data on these requests;
- notify the data subject about personal data processing in case such personal data was not received from the data subject;
- if the purpose of personal data processing is achieved, immediately stop processing personal data and destroy the relevant personal data within a period not exceeding thirty business days from the date the purpose of processing personal data is achieved, unless otherwise provided by federal law;
- if the data subject sends a request to stop processing his personal data, stop processing his personal data and destroy it within a period not exceeding ten business days from the date of receiving such request. The period may be extended, but not more than for five business days, if the Operator sends a reasoned notice to the data subject, indicating the reasons for such extension. The Operator has the right to continue carrying out personal data processing in the cases provided in clauses 2-11 of part 1 of Art. 6, part 2 of Art. 10 and part 2 of Art. 11 of the Federal Law No. 152-FZ "Personal Data";
- provide the subject's personal data only to authorized persons and only to the extent that is necessary for them to perform their labor duties in accordance with this provision and federal law.
2. Purposes of personal data processing
2.1. The Operator defines and approves specific purposes of personal data processing for each category of personal data. Personal data processing that is incompatible with the stated purposes is not permitted.
2.2. Personal data is processed by the Operator for the following purposes:
- hiring new staff for the Operator's open vacancies, the applicant's assessment for the vacancy requirements;
- conducting personnel records management, fulfilling the employer's duties by employment contracts and federal law, accounting information needed to support labor relations between the employee and the employer in accordance with federal law, responding to requests from state bodies and employees of the Operator, including former employees;
- enrolling an employee to a salary project and receiving a bank card;
- access control organization and passes registration;
- business trips organization, tickets purchasing, hotel reservations, taxi orders;
- powers of attorney issuance to represent the Operator's interests, identification of contractors representatives;
- accounting and tax accounting, reports preparation and transferring to state bodies, data storage and system administration, auditing;
- corporate mobile communications registration;
- providing feedback, mailing;
- employees' business cards designing and production;
- voluntary medical insurance registration;
- contractors search, conclusion of the contract, fulfillment of contract obligations;
- organization and distribution of advertising, informational and technical messages;
- providing consultations regarding "Vremena Goda" functioning;
- website administration, including collecting statistics and tracking the total number of website visitors, recognizing new and old users;
- loyalty and bonus programs organization, inviting to events via calls and SMS, providing privileges to customers, birthday greetings;
- marketing activities, advertising campaigns, preferences analysis.
2.3. The processed personal data is subject to destruction or depersonalization upon expiration of the storage period, achievement of the processing purposes or in case of loss of the need to achieve such purposes, unless otherwise provided by federal law.
3. Legal grounds for personal data processing
The processing of personal data of the categories indicated below, among other things, is carried out in accordance with the requirements of the Tax Code of the Russian Federation, the Federal Law No. 402-FZ "Accounting", the Federal Law No. 125-FZ "Archives in the Russian Federation", Order of the Federal Archives dated 12/20/2019 No. 236, "Approval of the List of standard managerial archival documents generated by state bodies, local authorities and organizations, indicating the storage terms", as well as other regulatory legal acts of the Russian Federation, as part of implementing functions, powers and responsibilities, assigned by the federal law to Operator.
3.1. The applicants' personal data processing is carried out in accordance with labor law, the subject's consent to the personal data processing, contracts with recruitment sites and agencies, confirming the consent, or other legal grounds for transferring personal data to the Operator.
3.2. The employees' personal data processing is carried out in accordance with labor, retirement and tax federal law, state social assistance and social insurance law, the subject's consent to the personal data processing, the agreement where the data subject is the party and the beneficiary.
3.3. The dismissed employees' personal data processing is carried out in accordance with labor law, archives law, and the subject's consent to the personal data processing.
3.4. The contractor representatives' personal data processing is carried out in accordance with contracts confirming the consent, or other legal grounds for transferring personal data to the Operator.
3.5. The individual contractors' personal data processing is carried out in accordance with agreements where the data subject is the party and the beneficiary, tax law, and the subject's consent to the personal data processing.
3.6. The individuals' personal data processing is carried out in accordance with the subject's consent to the personal data processing.
4. The scope and categories of processed personal data, categories of data subjects
4.1. The Operator processes personal data of the following categories of subjects:
- Applicants for the position
- Employees
- Dismissed workers
- Contractors' representatives
- Individual contractors
- Individuals
- Website visitors
4.2. Personal data of applicants for the position includes the following information:
- Full Name;
- Gender;
- Date of Birth;
- Place of residence;
- Information about previous jobs (start date, end date, organization, city, position, reason for dismissal);
- Information about work experience;
- Basic skills;
- Possession of valid driver's license;
- Information about education (type; name of the institution; year of graduation; qualification according to the diploma, sphere, specialty according to the diploma);
- Additional training (start date; end date; type of training; name of institution);
- Professional retraining (start date; end date; specialty);
- Citizenship;
- Information about military registration;
- Marital status;
- The presence of children;
- Achievements;
- Special skills;
- Phone number;
- Email address.
4.3. Personal data of employees includes the following information:
- Full Name;
- Personnel Number;
- TIN;
- Social security number;
- Gender;
- Type of work (main, part-time);
- Date of Birth;
- Place of Birth;
- Citizenship;
- Information about education (type; name of the institution; year of graduation; qualification according to the diploma; name, series and number of the document on education, qualification or special knowledge; sphere, specialty according to the diploma);
- Record of service (general; continuous; giving bonuses for the length of service);
- Identity document information (name, series and number, date of issuance, name of the authority that issued the document, subdivision code);
- Residential address;
- Registration address;
- Information about military registration (reserve type; military rank; profile; military registration specialty; category of fitness for military service);
- Date of employment;
- Information about employment and transfer to another position;
- Place of work;
- Structural subdivision;
- Job title;
- Specialty;
- Profession;
- Tariff rate (salary);
- Vacation (type of vacation; period of work; number of calendar days of vacation; start and end dates);
- Information about business trips (date, destination, term, purpose; source of funding, task);
- Grounds for termination of the employment contract (dismissal);
- Date of dismissal;
- Number and date of the employment contract;
- Information about working hours (attendance and non-attendance);
- Tax residency;
- Income information;
- Information about insurance coverage;
- Financial information;
- Information about the vehicle (type, model and umber of the vehicle);
- Phone number;
- Email address.
4.4. Personal data of the dismissed employees include the following information:
- Full Name;
- Personnel Number;
- TIN;
- Social security number;
- Gender;
- Type of work (main, part-time);
- Date of Birth;
- Place of Birth;
- Citizenship;
- Information about education (type; name of the institution; year of graduation; qualification according to the diploma; name, series and number of the document on education, qualification or special knowledge; sphere, specialty according to the diploma);
- Record of service (general; continuous; giving bonuses for the length of service);
- Identity document information (name, series and number, date of issuance, name of the authority that issued the document, subdivision code);
- Residential address;
- Registration address;
- Phone number;
- Information about military registration (reserve type; military rank; profile; military registration specialty; category of fitness for military service);
- Information about employment and transfer to another position;
- Structural subdivision;
- Job title;
- Specialty;
- Profession;
- Tariff rate (salary);
- Vacation (type of vacation; period of work; number of calendar days of vacation; start and end dates);
- Grounds for termination of the employment contract (dismissal);
- Date of dismissal;
- Number and date of the employment contract;
- Information about business trips (date, destination, term, purpose; source of funding, task);
- Information about working hours (attendance and non-attendance).
4.5. Personal data of contractor's representatives include the following information:
- Full Name;
- Identity document information (name, series and number, date of issuance, name of the authority that issued the document, subdivision code);
- Registration address;
- Date of Birth.
4.6. Personal data of individual contractors include the following information:
- Full Name;
- Gender;
- Date of Birth;
- Identity document information (name, series and number, date of issuance, name of the authority that issued the document, subdivision code);
- Registration address;
- Citizenship;
- Tax residency;
- Income information;
- TIN;
- Social security number;
- The amount of payments.
4.7. Personal data of individuals (customers and visitors of "Vremena Goda") includes the following information:
- Full Name;
- Gender;
- Date of Birth;
- Clothing size;
- Shoe size;
- The presence of children and their age;
- Information about purchases made in "Vremena Goda";
- Brand preferences;
- Phone number;
- Email address.
4.8. Personal data of https://vremenagoda-moscow.ru/ website visitors includes the following information:
- IP address;
- Cookies information;
- Information about user's browser or another program used to access the website;
- Access time;
- The requested web page;
- Previously visited web page;
- Email address;
- Phone number;
- Full Name.
5. Procedure and conditions for personal data processing
5.1. The Operator receives all personal data directly from the data subject, from his representative or from the person who entrusted the Operator with the processing of personal data, unless otherwise provided by federal law.
5.2. Personal data processing is carried out with the consent of the data subject, unless otherwise provided by federal law. Consent can be expressed in various forms, allowing to confirm its fact, including conclusive actions, in writing in the form of a separate document, or as a part of any document signed by the data subject. Consent can be given by a representative of the data subject, providing the evidence of their authority.
5.3. Consent to personal data processing may be withdrawn by the data subject. In cases stipulated by federal law, personal data processing may be continued even after the data subject withdraws consent to such processing.
5.4. The Operator's decisions affecting the interests of the data subject are never based on the subject's personal data obtained solely as a result of automated processing.
5.5. Personal data is not used for the purpose of causing property and / or moral harm to citizens, making obstacles in exercising their rights and freedoms.
5.6. The Operator's employees who need personal data to perform their official duties have access to such personal data.
5.7. The employee's personal data transfer to third parties is carried out only with the written consent of the data subject, unless otherwise provided by federal law.
5.8. The Operator has the right to transfer personal data to the bodies of inquiry and investigation, other authorized bodies on the grounds provided for by federal law.
5.9. The Operator has the right to create open sources of personal data, which may include personal data of the data subject with his written consent.
5.10. The subject's personal data transfer for commercial purposes is not permitted without his written consent.
5.11. If it is necessary for the Operator to transfer personal data to third parties, it is carried out only after signing of non-disclosure agreement, unless otherwise provided by federal law.
5.12. Personal data processing is carried out both using computer technology and without it.
5.13. The terms for processing personal data by the Operator are determined in accordance with the terms specified by the Federal Law of July 27, 2006 No. 152-FZ “Personal Data”; the duration of the agreement; the terms specified in the order for the personal data processing; the validity period of documents established by the Federal Law No. 125-FZ "Archives in the Russian Federation", Order of the Federal Archives dated 12/20/2019 No. 236, "Approval of the List of standard managerial archival documents generated by state bodies, local authorities and organizations, indicating the storage terms", limitation period; the period of validity of the consent for processing given by the data subject; as well as other requirements of federal law.
5.14. Personal data during processing carried out without the use of automation tools are separated from other information, in particular by storing them on separate material carriers of personal data (hereinafter referred to as material carriers), in special sections or on the fields of forms.
5.15. When storing personal data on a material carrier, it is not permitted to use the same material carrier for storing different categories of personal data with incompatible purposes. For non-automated processing of different personal data categories a separate material carrier is used.
5.16. Persons processing personal data without using automation tools should be informed about the fact that they are processing personal data without using automation tools, as well as about the categories of personal data being processed, and features and rules for such processing.
5.17. When using standard document forms filled in by the data subject (hereinafter referred to as the standard form), the following conditions are met:
- The standard form or related documents (instructions for filling it out, cards, registers and magazines) must contain information about the purpose of processing personal data carried out without the use of automation tools, the name and address of the Operator, last name, first name, patronymic and address of the data subject, the source of obtaining personal data, the terms for processing personal data, a list of actions that will be performed during personal data processing, a general description of the methods used by the Operator to process personal data;
- The standard form should include a field in which the data subject can put a mark on his consent to personal data processing carried out without the use of automation tools — if necessary, obtaining written consent to personal data processing;
- The standard form should be drawn up in such a way that each data subject has the opportunity to see their personal data contained in the document without violating the rights and interests of other data subjects;
- The standard form should exclude the combination of fields used for processing of personal data with incompatible purposes.
5.18. Personal data is subject to destruction upon achievement of the purposes of processing, in case of loss of the need to achieve them, after the expiration of the storage period, upon revealing the fact of illegal processing, or at the request of the person who entrusted personal data processing within a period not exceeding ten business days from the date of achievement of the purpose of processing, or being informed about the withdrawal of the data subject consent. The period may be extended, but not more than for five business days, if the Operator sends a reasoned notice to the data subject, indicating the reasons for such extension. Destruction is carried out in the presence of the commission. As a result, an act of destruction is drawn up.
5.19. Cross-border transfer is not carried out by the Operator.
6. Personal data protection
6.1. The Operator ensures personal data protection from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as other illegal actions.
6.2. Personal data protection is provided by the Operator in accordance with the procedure established by federal law and local acts of the Operator, by performing organizational and technical measures to ensure data security.
6.3. All protection measures during the collection, processing, storage and transfer of the subject's personal data apply to both paper and electronic (automated) carriers.
7. Update, correction, deletion and destruction of personal data
7.1. The Operator has the right to enter, add, change, block or delete personal data in accordance with federal law.
7.2. At the request of the data subject, the Operator is obliged to:
- Provide information about the availability of the subject's personal data;
- Provide an opportunity to see the subject's personal data (exception: FZ-152 Art. 14 part 5);
- Amend inaccurate or changed personal data;
- Block or destroy personal data if they are illegally obtained, are not necessary for the stated purpose of processing, or the consent of the subject has been withdrawn.
7.3. The request of the data subject must be sent to the Operator in paper form and contain the number of the identity document of the data subject or his legal representative, information about the date of issuance of the specified document and the authority that issued it, and the handwritten signature of the data subject or his legal representative. A template is presented in Appendix 1 to this Policy.
7.4. The request can be sent in electronic form and signed with a digital signature in accordance with federal law to the following emails: arina.poplinskaya@vremenagoda.moscow, elena.alekseenko@vremenagoda.moscow.
7.5. Upon receiving a request, the Operator's employee must register such request in the registration log.
7.6. The response, or a reasoned refusal, must be sent to the data subject within ten business days from the date of receiving the request. The period may be extended, but not more than for five business days, if the Operator sends a reasoned notice to the data subject, indicating the reasons for such extension. The reply must be sent in the same form as the request, unless otherwise indicated in the request, and contain specific and comprehensive information relating to the essence of the issue.
8. Policy change
8.1. The Operator has the right to make changes to this Policy. When changes are made, the heading of the Policy indicates the date of the last revision. The new version of the Policy comes into force from the moment it is posted on the Operator's website, unless otherwise provided by the new version of the Policy.
8.2. The current version is stored at the location of the Operator's executive body: 121108, Moscow, Kutuzovsky pr-t, 48, fl. 5, room 55, electronic version of the Policy — on the Operator's website at https://vremenagoda-moscow.ru/privacy/
8.3. Federal law shall apply to this Policy and the relationship between the data subjects and the Operator.
9. Contacts
9.1. Email address: arina.poplinskaya@vremenagoda.moscow, elena.alekseenko@vremenagoda.moscow
9.2. Postal address: 121108, Moscow, Kutuzovsky pr-t, 48, fl. 5, room 55
9.3. Phone number: +7 (495) 822-48-48