Policy on Personal Data Processing

1. General Provisions

1.1. The policy for the processing of personal data at LLC 'CAPITAL GROUP' (hereinafter referred to as the 'Company') defines the basic principles, purposes, conditions, and methods of processing personal data, lists of subjects and personal data processed in the Company, the Company's functions in processing personal data, the rights of personal data subjects, as well as the requirements for personal data protection implemented by the Company.

1.2. The policy has been developed in accordance with the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data.

1.3. The provisions of the policy serve as the basis for the development of local regulatory acts regulating in the Company the issues of processing personal data of the Company's employees and other personal data subjects.

2. Legal Basis for Personal Data Processing

2.1. Processing of personal data in the Company is carried out in accordance with the following regulatory legal acts:

  • Labor Code of the Russian Federation;
  • Federal Law of July 27, 2006, No. 152-FZ 'On Personal Data';
  • Decree of the President of the Russian Federation of March 6, 1997, No. 188 'On Approval of the List of Information of a Confidential Nature';
  • Resolution of the Government of the Russian Federation of September 15, 2008, No. 687 'On Approval of the Regulation on Features of Personal Data Processing Carried Out without Using Automation Tools';
  • Resolution of the Government of the Russian Federation of July 6, 2008, No. 512 'On Approval of Requirements for Material Carriers of Biometric Personal Data and Technologies for Storing Such Data Outside Information Systems of Personal Data';
  • Resolution of the Government of the Russian Federation of November 1, 2012, No. 1119 'On Approval of Requirements for the Protection of Personal Data during their Processing in Information Systems of Personal Data';
  • Order of the Federal Service for Technical and Export Control of February 18, 2013, No. 21 'On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during their Processing in Information Systems of Personal Data';
  • Order of the Federal Service for Supervision of Communications, Information Technology, and Mass Media of September 5, 2013, No. 996 'On Approval of Requirements and Methods for Anonymization of Personal Data';
  • Order of the Federal Service for Supervision of Communications, Information Technology, and Mass Media of February 24, 2021, No. 18 'On Approval of Requirements for the Content of Consent to the Processing of Personal Data Permitted by the Subject of Personal Data for Distribution'; ¹
  • other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies.

2.2. In order to implement the provisions of the Policy in the Company, relevant local regulatory acts and other documents are developed, including:

  • regulation on the processing of personal data in the Company;
  • regulation on ensuring the security of personal data during their processing in the information systems of the Company;
  • list of positions of the Company's structural units, where the processing of personal data is carried out;
  • other local regulatory acts and documents regulating in the Company the issues of personal data processing.

¹ Comes into force from 01.09.21 and is valid until 01.09.27.

3. Key Terms and Definitions

Personal data - any information relating directly or indirectly to a specifically identified or identifiable individual (personal data subject).

Personal data permitted by the personal data subject for distribution - personal data for which the personal data subject has granted unlimited access to a circle of individuals by providing consent for the processing of personal data permitted by the personal data subject for distribution in the manner provided by federal law.

Information - data (messages, facts) regardless of their presentation form.

Controller (Operator) - a government body, municipal body, legal entity, or individual that, alone or jointly with other persons, organizes and/or carries out the processing of personal data and determines the purposes of personal data processing, the composition of personal data subject to processing, and the actions (operations) performed with personal data.

Personal data processing - any action (operation) or a set of actions (operations) performed with or without the use of automation tools involving personal data, including collection, recording, systematization, accumulation, storage, updating, modification, extraction, use, transmission (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.

Automated processing of personal data - processing of personal data using computer technology.

Providing personal data - actions aimed at disclosing personal data to a specific person or a specific group of people.

Distribution of personal data - actions aimed at disclosing personal data to an indefinite group of people.

Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authorities of a foreign state, foreign individuals, or foreign legal entities.

Blocking of personal data - temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data).

Destruction of personal data - actions that make it impossible to restore the content of personal data in the information system of personal data and/or actions resulting in the destruction of material carriers of personal data.

Anonymization of personal data - actions that make it impossible, without using additional information, to determine the belonging of personal data to a specific personal data subject.

Information system of personal data - a set of databases of personal data and information technologies ensuring their processing, along with technical means.

4. Principles of Personal Data Processing

4.1. Processing of personal data within the Company is carried out with the aim of ensuring the protection of the rights and freedoms of the Company's employees and other subjects of personal data, including the right to privacy, personal and family secrets, based on the following principles:

  • processing of personal data is carried out within the Company on a lawful and fair basis;
  • processing of personal data is limited to the achievement of specific, predetermined, and legitimate purposes;
  • processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
  • the combining of databases containing personal data processed for incompatible purposes is not permitted;
  • only personal data that meets the purposes of their processing are subject to processing;
  • the content and volume of processed personal data correspond to the declared purposes of processing. Redundancy of processed personal data in relation to the declared purposes of their processing is not allowed;
  • when processing personal data, their accuracy, sufficiency, and, where necessary, relevance to the purposes of processing personal data are ensured. The Company takes necessary measures or ensures their adoption to delete or clarify incomplete or inaccurate personal data;
  • personal data are stored in a form that allows the data subject to be identified for no longer than the purposes of processing require, unless a storage period is established by federal law or by a contract under which the data subject is the beneficiary or the guarantor;
  • processed personal data are destroyed or anonymized upon achieving the purposes of processing or in case of the loss of the need to achieve these purposes unless otherwise provided by federal law.

5. Purposes of Processing Personal Data

5.1. As the operator of personal data, the Company processes the personal data of its employees and other subjects of personal data who are not in an employment relationship with the Company.

5.2. Personal data is processed within the Company for the following purposes:

5.2.1. promoting goods, works, services on the market, including by establishing direct contacts with potential consumers through communication means (by phone, email, postal mailing, on the Internet, etc.);

5.2.2. preparing, concluding, executing, and terminating contracts with counterparties;

5.2.3. managing labor relations with Company employees and related employment processes such as training, career advancement, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring property security, etc.;

5.2.4. fulfilling functions, powers, and obligations entrusted by the legislation of the Russian Federation to the Company, including providing personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, and other state authorities;

5.2.5. providing additional guarantees and compensations to Company employees and their family members, including non-state pension provision, voluntary health insurance, medical services, and other types of social security;

5.2.6. protecting the life, health, or other vital interests of the subjects of personal data;

5.2.7. organizing loyalty programs, marketing and/or advertising campaigns, research, surveys, and other activities by the Company (including involving third parties);

5.2.8. ensuring access control and internal regime in premises and on construction sites of the Company;

5.2.9. compiling reference materials for internal informational support of the Company's activities and its partners;

5.2.10. enforcing court decisions, acts of other authorities or officials, subject to enforcement under the legislation of the Russian Federation on enforcement proceedings;

5.2.11. exercising the rights and legitimate interests of the Company within the scope of its activities provided by the Charter and other local regulatory acts of the Company or third parties or achieving socially significant goals; for other purposes not contradicting the legislation.

6. Subjects of Personal Data

6.1. The Company processes personal data of the following categories of subjects:

  • Company employees;
  • counterparties (potential counterparties) of the Company;
  • individuals entering or passing through the Company's premises;
  • individuals contacting the Company (including using electronic communication means);
  • other subjects of personal data, processing of whose personal data is carried out for the purposes specified in Section 5 of the Policy.

7. List of Personal Data Processed in the Company

7.1. The list of personal data processed in the Company is determined in accordance with the legislation of the Russian Federation and the local regulatory acts of the Company, considering the purposes of processing personal data specified in Section 5 of the Policy.

7.2. Processing of special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, intimate life, is not carried out in the Company.

8. List of Actions with Personal Data and Methods of Their Processing

8.1. The Company carries out the collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.

8.2. Processing of personal data in the Company is carried out by the following methods:

  • non-automated processing of personal data;
  • automated processing of personal data with the transfer of received information via information and telecommunication networks or without such transfer;
  • mixed processing of personal data.

9. Procedure for Processing Personal Data

9.1. Non-automated processing of personal data is carried out provided that the following actions are performed:

  • Processing of personal data is conducted in such a way that the storage locations of personal data (physical media) for each category of personal data can be identified;
  • The Company establishes a list of individuals processing personal data or having access to them;
  • Separate storage of personal data (physical media) processed for different purposes is ensured;
  • The Company ensures the security of personal data and takes measures to prevent unauthorized access to personal data.

9.2. Automated processing of personal data is conducted provided that the following actions are performed:

  • The Company carries out technical measures aimed at preventing unauthorized access to personal data and/or their transmission to unauthorized persons;
  • Protective tools are configured to timely detect cases of unauthorized access to personal data;
  • Technical means of automated personal data processing are isolated to prevent any impact that could disrupt their functioning;
  • The Company performs data backups to promptly restore modified or destroyed personal data due to unauthorized access;
  • Continuous monitoring is conducted to ensure the security level of personal data.

10. Conditions for Processing Personal Data

10.1. Processing of personal data in the Company is carried out with the consent of the personal data subject to process their personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.

10.2. The Company does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.

10.3. The Company has the right to delegate the processing of personal data to another entity with the consent of the personal data subject, unless otherwise provided by federal law, based on an agreement concluded with this entity, including a state or municipal contract, or by adopting a relevant act by a state or municipal authority (hereinafter - operator's assignment). The entity processing personal data by operator's assignment must comply with the principles and rules of personal data processing established by the legislation.

10.4. Processing of personal data permitted by the personal data subject for distribution is carried out in accordance with the specifics provided by federal law. The requirements for the content of consent to process personal data permitted by the personal data subject for distribution are established by the authorized body for the protection of the rights of personal data subjects.

11. Disclosure (Provision) of Personal Data

11.1. The Company does not provide or disclose information containing personal data of individuals to another (third) party without the written consent of the personal data subjects, except in cases where it is necessary to prevent threats to life and health, as well as in cases established by federal laws.

11.2. Upon request and solely for the purpose of performing functions and powers imposed by the legislation, personal data of the personal data subject may be transferred without their consent to:

  • judicial authorities in connection with the administration of justice;
  • state security authorities;
  • prosecution authorities;
  • police authorities;
  • investigative authorities;
  • other bodies and organizations in cases established by regulatory legal acts that are mandatory for execution.

Company employees responsible for processing personal data do not respond to inquiries related to the transfer of personal data over the phone or by fax.

12. Rights of Personal Data Subjects

12.1. Personal data subjects have the right to:

  • receive complete information about their personal data processed by the Company;
  • access their personal data, except in cases provided by federal law;
  • update their personal data, block or delete them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the stated processing purpose;
  • withdraw consent to the processing of personal data;
  • take legal actions to protect their rights;
  • exercise other rights provided by the legislation of the Russian Federation.

13. Measures Taken by the Company to Ensure Compliance with the Operator's Obligations in the Processing of Personal Data

13.1. The measures necessary and sufficient to ensure the Company's compliance with the operator's obligations under the legislation of the Russian Federation on personal data include:

  • appointing a person responsible for organizing the processing of personal data in the Company;
  • adopting local regulations and other documents in the field of processing and protecting personal data;
  • organizing training and conducting methodological work with employees of the Company's structural units who occupy positions included in the list of positions of the Company's structural units whose holders process personal data;
  • obtaining consent from the subjects of personal data to process their personal data, except in cases provided by the legislation of the Russian Federation;
  • separating personal data processed without using automation tools from other information, in particular by recording them on separate material carriers of personal data, in special sections;
  • ensuring separate storage of personal data and their material carriers processed for different purposes and containing different categories of personal data;
  • storing material carriers of personal data in compliance with conditions ensuring the security of personal data and preventing unauthorized access to them;
  • conducting internal control to ensure compliance with the processing of personal data under the Federal Law 'On Personal Data,' the requirements for the protection of personal data, this Policy, and the Company's local regulations;
  • other measures provided by the legislation of the Russian Federation on personal data.

15. Final Provisions

15.1. This Policy is subject to change and amendment in the event of the appearance of new legislative acts and special regulatory documents on the processing and protection of personal data.

15.2. This Policy is an internal document of the Company and must be posted on the Company's official website.