1. GENERAL PROVISIONS

1.1. The Personal Data Processing Policy of “BURINTEKH”, Ltd (hereinafter referred to as the “Policy”) sets out the basic principles, purposes, conditions and methods of personal data processing, the lists of data subjects and personal data processed at “BURINTEKH”, Ltd, “BURINTEKH”, Ltd functions in the processing of personal data, the rights of data subjects, and “BURINTEKH”, Ltd requirements to personal data protection.

1.2. The Policy has been developed in accordance with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation regarding personal data.

1.3. The Policy's provisions serve as the basis for the development of local regulations governing the processing of personal data in “BURINTEKH”, Ltd (hereinafter referred to as the “Enterprise”), its representatives, subsidiaries (hereinafter referred to as the “Enterprise group of companies”), processing of personal data of employees of the Enterprise and Enterprise group of companies, and other subjects of personal data.

1.4. The purpose of this Policy is to inform the subjects of personal data and persons involved in the processing of personal data about the observance by the Enterprise and Enterprise group of companies as an operator of the fundamental principles of legality, fairness, compliance of the content and volume of personal data being processed with the stated purposes of processing.

1.5. This Policy applies to all personal data processed by the Enterprise and Enterprise group of companies.

2. LEGISLATIVE AND OTHER STATUTORY ACTS OF RUSSIAN FEDERATION GOVERNING ENTERPRISE’S PERSONAL DATA PROCESSING POLICY

2.1. Enterprise Personal Data Processing Policy is based on the following statutory acts:

  • Labor Code of the Russian Federation;
  • Federal Law No. 152-FZ dated July 27, 2006, on Personal Data;
  • Federal Law No. 53-FZ dated March 28, 1998, on Military Conscription and Military Service;
  • Federal Law No. 31-FZ dated February 26, 1997, on Mobilization Training and Mobilization;
  • Decree of the President of the Russian Federation No. 188 dated March 6, 1997, on Approving the List of Confidential Data;
  • Russian Government Directive No. 687 dated September 15, 2008, on Approving the Provision Regarding the Specifics of Personal Data Processing without Automated Means;
  • Russian Government Directive No. 1119 dated November 1, 2012, on Approving the Requirements to the Protection of Personal Data Undergoing Processing in Personal Data Information Systems;
  • Order of the FSTEC of Russia No. 21 dated February 18, 2013, on Approving the List and Scope of Organizational and Technical Measures for Protection of Personal Data Undergoing Processing in Personal Data Information Systems.

2.2. With a view to implementing the Policy, Enterprise develops relevant local regulations.

3. BASIC TERMS AND DEFINITIONS USED IN LOCAL REGULATIONS OF ENTERPRISE GOVERNING PERSONAL DATA PROCESSING

Personal data means any information related to a directly or indirectly identified or identifiable natural person (data subject).

Operator means a government authority, a municipal authority, a legal or private person, which severally or jointly arranges and/or performs the processing of personal data, as well as defines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.

Personal data processing means any action (operation) or a series of actions (operations) with personal data performed with or without automated means, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.

Automated personal data processing means the processing of personal data with the use of computers.

Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.

Dissemination of personal data means actions aimed at disclosing personal data to an indefinite number of persons.

Blocking of personal data means a temporary interruption of personal data processing (except where processing is required for personal data refinement).

Destruction of personal data means actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media on which personal data are stored.

Depersonalization of personal data means actions making it impossible to establish a connection between personal data and a specific data subject without using additional information.

Personal data information system means a set of personal data contained in personal data databases, as well as information technologies and tools used for their processing.

Trans-border transfer of personal data means a transfer of personal data to a foreign country, specifically to a foreign government body or a foreign natural or legal person.

Employee means an individual who has created an employer-employee relationship with an employer.

Personal data subject means a natural person who is directly or indirectly identified or determined using personal data.

Counterparty means any Russian or foreign legal entity or individual with whom the Enterprise or Enterprise group of companies enters into contractual relations, with the exception of labor relations.

Confidentiality of personal data means the observance by the Operator or other persons who have gained access to personal data of the requirement not to disclose to third parties and not to provide personal data without the consent of the personal data subject or other legal grounds.

4. PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING

4.1. Enterprise, in its capacity as a personal data operator, processes the personal data of the employees of Enterprise and other data subjects for lawful purposes.

4.2. The processing of personal data at Enterprise is performed on the following principles:

  • Personal data processing at Enterprise is performed on a legal and equitable basis;
  • Personal data processing is limited to specific, predetermined and legitimate purposes;
  • Personal data processing is not allowed if such processing is incompatible with the purposes of personal data collection;
  • It is not allowed to combine databases containing personal data which are processed for incompatible purposes;
  • Personal data are not subject to processing unless they meet the purposes of their processing;
  • Scope and amount of personal data comply with the stated purposes of processing. Data redundancy in relation to the stated purposes is not allowed;
  • Personal data undergoing processing must be accurate, sufficient and, if necessary, relevant to the purposes of personal data processing;
  • Enterprise takes the required measures or makes efforts to delete or refine incomplete or inaccurate personal data;
  • Personal data are stored in the form that makes it possible to identify the data subject for no longer than required for the purposes of personal data processing unless the personal data retention period is set by federal law or an agreement under which the data subject acts as a party, beneficiary or guarantor;
  • Personal data undergoing processing are destroyed or depersonalized as soon as the purposes of processing are achieved or if the achievement thereof is no longer required, unless otherwise provided by federal law.

4.3. Enterprise processes personal data for the purposes of:

  • complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation, and local regulations of Enterprise;
  • exercising the functions, powers and duties imposed upon Enterprise by the Government of the Russian Federation, including those regarding the provision of personal data to government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund of the Russian Federation, and other state authorities;
  • execution of court orders, orders of other bodies or officials subject to execution in accordance with the Enforcement Law of the Russian Federation;
  • regulating labor relations with Enterprise employees;
  • protecting lives, health or other vital interests of data subjects and accident prevention;
  • creation of healthy and safe working conditions for employees;
  • confirmation of fitness of the worker or employee to the work status;
  • registration of documents necessary for the performance of labor functions by employees of the Enterprise including travel orders;
  • preparation, conclusion, execution and termination of contracts with counterparties;
  • preparation of powers of attorney issued to employees of the Enterprise and Enterprise group of companies;
  • development of internal reference materials of the Enterprise and Enterprise group of companies;
  • other legitimate purposes.

5. LIST OF DATA SUBJECTS THAT HAVE THEIR PERSONAL DATA PROCESSED AT ENTERPRISE

5.1. The following categories of data subjects have their personal data processed at Enterprise:

  • employees of Enterprise subsidiaries and entities;
  • founders (individuals) of the Enterprise;
  • managers (representatives) of contractors;
  • managers (representatives) of potential contractors;
  • recipients of alimony from employees;
  • persons who were previously in labor relations with the Enterprise;
  • persons who are candidates for employment in the Enterprise;
  • potential contractors (individuals);
  • contractors (individuals);
  • founders (individuals) of potential contractors;
  • founders (individuals) of contractors;
  • notaries (representatives) interacting with the Enterprise;
  • subjects whose personal data processing is related to the fulfillment of the terms of concluded contracts;
  • other data subjects for legitimate purposes.

6. VOLUME OF PERSONAL DATA PROCESSED AT ENTERPRISE AND DATA ORIGINATION

6.1. The volume of personal data processed at Enterprise is defined on the basis of the laws of the Russian Federation and local regulations of Enterprise with a view to ensuring legitimate purposes of personal data processing.

6.2. Special categories of personal data are not subject to processing at Enterprise.

6.3. The Enterprise may carry out trans-border transfer of personal data to the territory of foreign states in compliance with the requirements of the law.

7. CONDITIONS OF PERSONAL DATA PROCESSING AT ENTERPRISE

7.1. The processing of personal data is carried out at Enterprise with consent from the data subject to have his/her personal data processed, unless otherwise provided by the laws of the Russian Federation on personal data.

7.2. Enterprise shall not disclose or disseminate personal data to third parties without consent of the data subject, unless otherwise provided by federal law.

7.3. Personal data of personal data subjects are transferred within the Enterprise in accordance with this Policy.

7.4. Enterprise has the right to entrust another party to process personal data with consent from the data subject on the basis of an agreement with such third party. The agreement shall contain a list of actions (operations) to be performed with personal data by the person in charge of personal data processing, the purposes of processing, the obligation of such person to keep the personal data confidential and protected in the course of processing, as well as the requirements to the protection of processed personal data as per the Federal Law on Personal Data.

7.5. For the purposes of information support, Enterprise may generate internal reference guides, directories containing necessary personal data unless otherwise provided by the laws of the Russian Federation.

8. LIST OF ACTIONS WITH PERSONAL DATA AND WAYS OF PROCESSING

8.1. Enterprise carries out the collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, and access), depersonalization, blocking, deletion and destruction of personal data.

8.2. The processing of personal data at Enterprise is carried out in the following ways:

  • manual processing of personal data;
  • automated processing of personal data with or without further transfer of the obtained information via communication networks;
  • combined processing of personal data.

9. FUNCTIONS OF ENTERPRISE IN PERSONAL DATA PROCESSING

9.1. While processing personal data, Enterprise:

  • takes legal, organizational and technical measures to protect personal data against illegal or accidental access, destruction, amendment, blocking, copying, provision, dissemination, as well as against other misconduct with regard to personal data;
  • issues local regulations outlining the policy and issues related to the processing and protection of personal data at Enterprise;
  • familiarizes the employees of Enterprise, its branches and representative offices who are directly involved in personal data processing with the laws of the Russian Federation and local regulations of Enterprise on personal data, including the requirements to personal data protection, and provides training for such employees;
  • publishes or otherwise provides unlimited access to this Policy;
  • informs data subjects or their representatives in due course of the available data related to such subjects, provides access to these personal data upon notification and/or request of the aforementioned data subjects or their representatives, unless otherwise provided by the laws of the Russian Federation;
  • ceases the processing and destroys personal data in the cases provided by the laws of the Russian Federation on personal data;
  • performs other activities provided by the laws of the Russian Federation on personal data.

10. RIGHTS OF DATA SUBJECTS

10.1. Data subjects have the right to:

  • obtain complete information about their personal data undergoing processing at Enterprise;
  • access their personal data, including the right to obtain a copy of any record containing their personal data, unless otherwise provided by federal law, as well as access to related medical data with the help of a medical expert of their choosing;
  • refine, block or destroy their personal data if such personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for the stated purpose of processing;
  • revoke their consent to personal data processing;
  • take action to protect their rights as provided by law;
  • appeal against Enterprise action or inaction violating the laws of the Russian Federation with regard to personal data to a body authorized to protect the rights of data subjects or to a court;
  • exercise other rights provided by legislation of the Russian Federation.

11. INFORMATION ON THE IMPLEMENTED REQUIREMENTS FOR THE PROTECTION OF PERSONAL DATA ACCEPTED BY THE ENTERPRISE WHEN PROCESSING PERSONAL DATA

11.1. Enterprise takes measures necessary to fulfill operator duties set forth by Russian legislation in the field of personal data including:

  • issuance of local regulations on the processing and protection of personal data aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
  • taking legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
  • arranging training and guidance support, familiarizing, against signature, the employees of the Enterprise and the Enterprise group of companies engaged in the processing of personal data with the fact of their participation in the processing of personal data, as well as with the rules for processing and protecting personal data established by regulatory legal acts of executive authorities and local regulatory acts of the Enterprise;
  • obtaining consent from data subjects to process their personal data, unless otherwise provided by the laws of the Russian Federation;
  • ensuring the security of premises in which material carriers of personal data are located, in accordance with the requirements of regulatory legal acts;
  • detecting facts of unauthorized access to personal data and taking appropriate measures;
  • compiling standard forms for the collection of personal data in such a way that each of the subjects of personal data has the possibility to get acquainted with their personal data without violating the rights and legitimate interests of other subjects of personal data;
  • other actions provided by the laws of the Russian Federation.

11.2. The measures for the protection of personal data undergoing processing in personal data information systems are established in accordance with “BURINTEKH”, Ltd local regulations, which govern issues related to personal data protection in the course of processing by means of personal data information systems of “BURINTEKH”, Ltd.

12. RESPONSIBILITY FOR VIOLATION OF PERSONAL DATA PROTECTION GUIDELINES AND REQUIREMENTS FOR THE PERSONAL DATA PROTECTION

12.1. Enterprise employees responsible for organizing the processing of personal data and ensuring the security of personal data involved in the processing of personal data bear disciplinary, civil, administrative or criminal liability in accordance with the current legislation of the Russian Federation for violation of Personal Data Protection Guidelines and requirements for the Personal Data protection.