Policy concerning personal data processing
1. Purpose and scope of the document
The Company's Personal data processing policy (hereinafter referred to as the Policy) defines the Company's position and intent concerning the processing and protection of personal data and respect for the rights and basic liberties of every individual, especially the right to privacy, personal and family secrets, and protection of his or her honor and reputation.
The policy is to be studied and rigorously followed by managers and employees of all business units of the Company; it is also to be brought to the attention of persons that have contractual, civil legal or other relationships with the Company, of partners and other interested parties.
2. Composition of personal data processed by the Company
The Company processes the following personal data of the customers:
- Surname, name, patronymic of a customer who is a natural person (individual) or of an individual who is a representative of the Company's legal entity customer
- Delivery address
- Contact telephone number
- Bank details
- Choices relating to cookies
The Company processes personal data of job applicants in the scope required for making a decision about employing the applicant.
The Company processes personal data of employees in the scope required for performance of duties stipulated for the employer by the statutes in place.
The Company does not process biometric personal data or special categories of personal data (except for employee health data related to the issue of whether such employees would be able to execute their job functions).
3. The purposes of processing personal data
The Company processes personal data for the purposes of:
- informing the customers about new goods and services offered by the Company, exhibitions in which the Company participates (mailing catalogs, information leaflets, electronic messages to the e-mail addresses of subscribing customers with information and advertising materials related to goods offered by the Company)
- individual records of customers' orders for the purposes of fulfilling the agreements with the customers
- studying the opinions of the customers about the Company and the goods that it offers through feedback from customers (by recording reviews left at the Company website, collecting questionnaires and inquiry forms sent by e-mail and filled in by customers)
- taking on new employees of the Company and fulfilling the obligations of the Company that are stipulated for an employer in accordance with the requirements of the laws of the Russian Federation towards the employees during the process of their working activities
- making decisions on the possibility of concluding employment contracts with people applying for open job positions
4. Provisions of the Policy
The Company processes personal data and ensures its security in accordance with the requirements of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law No. 152-FZ "On Personal Data", the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
When processing personal data, the Company adheres to the following principles:
- The Company implements personal data processing only on a lawful and equitable basis.
- The Company shall not disclose personal data to third parties or disseminate it without the consent of the individual (unless otherwise stated in the current legislation of the Russian Federation).
- The Company only collects the personal data which is necessary and sufficient for the stated purpose of processing.
- Personal data processing by the Company is limited to achievement of specific predetermined and legitimate purposes.
- The Company destroys or anonymizes personal data after the processing purposes have been achieved or when there is no longer a need to achieve them.
- The Company has a right to assign personal data processing (with the agreement of the individual) to third parties by virtue of contracts concluded with these parties.
- Third parties processing personal data on behalf of the Company commit themselves to follow the principles and rules of processing and protecting personal data stipulated by the Federal Law No. 152-FZ "On Personal Data" and the General Data Protection Regulation (GDPR).
- When the Company transfers individuals’ personal data across borders to the territory of a foreign state, the transfer should be implemented according to the requirements of current Russian legislation as well as international legal acts. Only countries that are party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, 28.01.1981) and that provide adequate protection of personal data owners’ rights may be the receiving party for such a transfer.
5. Individuals' rights concerning processing personal data
An individual whose personal data is processed by the Company has a right to:
- receive from the Company:
  - confirmation of the fact of personal data being processed by the Company
  - information regarding legal basis and purposes for processing personal data
  - information about methods of personal data processing used by the Company
  - information regarding the Company's name and location
  - information on persons (except for the employees of the Company) who have access to personal data or to whom personal data may be disclosed by virtue of a contract with the Company or by virtue of the federal law
  - list of personal data being processed that concerns the individual who has sent the request, and information on the data sources
  - information on deadlines for personal data processing, including time limits for its storage
  - information on conducted or proposed cross-border transfer of personal data
  - name and address of the person implementing personal data processing on behalf of the Company
  - other information stipulated by the Federal Law "On Personal Data" No. 152-FZ or GDPR
- demand the update of his or her personal data, its blocking or destruction in case the personal data is incomplete, outdated, incorrect, unlawfully received or is not needed for the stated purpose of processing
- withdraw consent for personal data processing by sending a written request by e-mail to the address firstname.lastname@example.org or to the Company’s address: LTD «PANNA» 5th Kabelnaya str, building 7, 111024 Moscow, Russia
- opt out of the e-mail list at any moment by sending an e-mail message to the address email@example.com
- demand the correction of unlawful actions of the Company on his or her personal data
- demand compensation for damages and/or moral injury by judicial procedure
6. Information regarding implemented requirements for personal data protection
When processing personal data, the Company takes necessary legal, organizational and technical measures to provide the confidentiality of personal data and to protect it from unlawful actions:
- grants employees access to personal data processed within the information system of the Company, as well as to its physical storage media, only for the purpose of performing their job obligations
- establishes the rules for access to personal data processed in the Company's information system and provides registration and recording of all the activities concerning this data
- determines security threats to personal data while it is being processed within the Company's information system
- applies organizational and technical measures and uses means of information protection necessary for achieving the established level of personal data protection
- detects instances of unauthorized access to personal data and takes response measures, including notification of the leak within the period and according to the procedure stipulated by the GDPR, and restores personal data modified or destroyed because of unauthorized access to it
- evaluates the efficiency of measures taken to provide the security of personal data
- performs internal control of compliance of personal data processing with the FZ "On Personal Data", the GDPR and the regulatory and legal acts and local statutes adopted in accordance with them
- evaluates the efficiency of measures adopted for providing personal data security before commissioning the personal data information systems
- complies with conditions that exclude unauthorized access to physical storage media of personal data and provide security of personal data
- familiarizes the Company’s employees directly involved in personal data processing with the provisions of personal data legislation, including the requirements of personal data protection, and with the local statutes concerning personal data processing and protection, and trains the Company’s employees
Individuals whose personal data is being processed by the Company can receive full clarification of issues concerning the processing of their personal data by sending an official request to the e-mail address firstname.lastname@example.org or to the mailing address:
5th Kabelnaya str, building 7, 111024 Moscow, Russia
An official request sent to the Company has to include:
- the individual's surname, first name
- number of the basic document which certifies the identity of a citizen, information on its issue date and issuing authority
- information confirming the relationship with the Company (contract number, customer number) or information confirming in another way the fact of personal data being processed by the Company
- signature of the individual
If the request is sent in the electronic format, it has to be executed as an electronic document and signed with an electronic signature in accordance with the laws of the Russian Federation.