Personal Data Processing Policy

Purpose and scope

This document describes the policy for the processing, accumulation and storage of documents containing information related to personal data.

The purpose of this Policy is to protect human and civil rights and freedoms in the processing of personal data, including the right to personal and family privacy, and to establish the responsibility of officials who have access to personal data for noncompliance with the regulations on personal data processing and protection.

Abbreviations, basic definitions and terms

Personal data — any information related to a directly or indirectly specified individual (personal data subject);

Operator — a state authority, municipal authority, legal entity or individual who independently or jointly with other persons arranges and/or performs personal data processing, as well as defines the purposes of personal data processing, the volume of personal data subject to processing and actions performed towards personal data;

Personal data processing — any action (operation) or a series of actions (operations) performed towards personal data with or without use of the software, including collection, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access), depersonalization, blocking, deleting and annihilation of personal data;

Automated personal data processing — personal data processing via PC software;

Personal data distribution — actions aimed at personal data disclosure to an uncertain group of persons;

Personal data presentation — actions aimed at personal data disclosure to a certain person or a certain group of persons;

Personal data blocking — temporary interruption of personal data processing (except where processing is required for personal data update or alteration);

Personal data annihilation — actions making it impossible to restore personal data volume in the personal data information system and/or resulting in the elimination of tangible media;

Personal data depersonalization — actions making it impossible to identify personal data as related to a certain data subject without involving additional information;

Personal data information system — a set of personal data included into personal data databases, as well as the software and tools used for their processing;

Trans-border transfer of personal data — transfer of personal data to a foreign territory, foreign government body, to a foreign individual or a foreign legal entity;

Information — messages, data independently of their particular representation.

Legal basis for personal data processing

The Policy is based on the following statutes and regulations of the Russian Federation:

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28, 1981 as amended and approved by the Committee of Ministers of the Council of Europe on June 15, 1999, ratified by the Federal Law of the Russian Federation No. 160-FZ “On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” dated December 19, 2005 within statements determined by this Federal Law;
Constitution of the Russian Federation;
Civil Code of the Russian Federation;
Administrative Violations Code of the Russian Federation;
Labour Code of the Russian Federation;
Criminal Code of the Russian Federation;
Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter — Federal Law No. 152-FZ);
Federal Law No. 149-FZ “On Information, Information Technologies and the Protection of Information” dated July 27, 2006;
List of confidential information approved by Edict of the President of the Russian Federation No. 188 dated March 6, 1997;
Regulations on details of non-automated personal data processing approved by the decision of the Government of the Russian Federation No. 687 dated September 15, 2008;
Requirements to protection of personal data while it is processed in information systems of personal data, approved by the decision of the Government of the Russian Federation No. 1119 dated November 1, 2012.

JSC Tander performs personal data processing on a legitimate and equitable basis. The legal basis for personal data processing is a set of legal acts in compliance with which JSC Tander performs personal data processing:

Labour Code of the Russian Federation;
Agreements concluded between JSC Tander and a personal data subject;
Agreements concluded between JSC Tander and other legal entities under which personal data processing is involved;
Consent to personal data processing, etc.

Purposes for personal data collection and processing in JSC Tander

Purposes for personal data processing are the following:

conclusion of employment agreements with individuals;
performance of functional duties of a legal entity as employer;
maintenance of financial and operating performance of a company;
market promotion;
access control;
conclusion of agreements with individuals;
determination of a medical diagnosis and provision of medical services for medical and prophylactic purposes;
organization of participation in corporate social events.

Volume and categories of personal data processed, categories of personal data subjects

Content and volume of personal data processed fully meet the specified purposes.

JSC Tander carries out collection and further processing of the following categories of personal data subjects:

employees, former employees, nearest relatives of employees, contractors, job applicants, clients, visitors of JSC Tander buildings, lessees, individuals who are civil law contractors, employees requesting medical assistance, individuals requesting medical assistance, employees of affiliated companies.

Procedure and terms of personal data processing

JSC Tander shall receive all personal data of subjects from these subjects or from their legal representatives.

Personal data processing shall be carried out in accordance with the current legislation of the Russian Federation on the basis of consent of the personal data subject, except as otherwise provided in the Federal Law No. 152-FZ. Adjustment of a form of consent of a subject to standard forms of documents containing personal data of a subject (for example: questionnaire, letterheads) shall be allowed.

Personal data processing means actions (operations) with personal data including:

collection, storage, update and alteration; systematization, accumulation; use, distribution, transfer; depersonalization, blocking, annihilation.

The personal data subject shall make a decision on provision of their personal data and give a consent to their processing wilfully and for their own benefit.

Obtainment of personal data of the subject from the third parties shall be possible only upon prior notification of the subject and subject to their written approval.

Personal data of subjects of JSC Tander shall be processed in structural divisions in accordance with functions performed.

Access to personal data processed without the use of automation facilities shall be exercised in accordance with the list approved.

Access to personal data processed in personal data information systems shall be exercised in accordance with the list and procedure approved by JSC Tander.

Authorized persons allowed to receive personal data of subjects of JSC Tander shall have a right to obtain only personal data of a subject that are necessary for fulfillment of certain functions in compliance with job description of the authorized persons.

Non-automated personal data processing shall be performed in compliance with “The provisions on details of non-automated personal data processing” approved by the Russian Federation Government Resolution No. 687 dated September 15, 2008.

Personal data processed in this way shall be separated from other information, in particular, by fixing it on separate material media bearing the personal data, in special sections or in the margins of forms (letterheads).

Personal data shall be stored in a form that allows the personal data subject to be identified for no longer than is required by the purpose of their processing.

Personal data shall be annihilated or depersonalized in the following cases:

objects of processing are achieved or their achievement becomes unnecessary;
withdrawal of consent of the personal data subject to personal data processing is received;
the personal data subject or their legal representative provide information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing;
detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and it is impossible to provide lawful processing of personal data.

Material media bearing the personal data shall be stored in specially fitted cabinets and safe boxes. Storage places shall be determined by the order on approval of storage places for JSC Tander material media bearing the personal data.

Within 7 business days from the day of provision by the personal data subject or their legal representative of information confirming that the personal data are incomplete, inaccurate or outdated, JSC Tander shall make adjustments as required and notify the subject of the alterations.

Annihilation of personal data shall be fulfilled within 30 business days from the moment of achieving the purpose of personal data processing unless otherwise provided for by the federal laws of the Russian Federation.

Annihilation of personal data shall be fulfilled within 30 business days from the moment of withdrawal of consent of the personal data subject to personal data processing.

Annihilation of personal data shall be fulfilled within 7 business days from the moment of provision by the personal data subject or their representative of information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing.

In case of detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and if it is impossible to provide lawful personal data processing, annihilation of personal data shall be fulfilled within 10 business days from the moment of detection of unlawful processing of personal data. Decision on the unlawfulness of personal data processing and the necessity of their annihilation shall be made by the person responsible for organization of personal data processing who shall inform the management of it. JSC Tander shall inform a personal data subject or their legal representative of annihilation of personal data.

Annihilation of personal data shall be fulfilled by the committee consisting of employees of the structural division which processed personal data of the subject and established the necessity of annihilation of personal data under the control of a director of this structural division.

The method of annihilation of material media bearing the personal data shall be determined by the committee. The use of the following methods shall be admitted:

burning; shredding (chopping); transfer to special-purpose grounds (landfills); chemical treatment.

An act shall be drawn up and signed by a chairman of the committee that performed annihilation of material media bearing the personal data.

Special organizations may be involved if it is needed to annihilate a large number of material media or to apply special methods of annihilation. In this case the members of the committee responsible for personal data annihilation shall be present at annihilation of the material media bearing the personal data. The slip confirming transfer of material media bearing personal data, subject to annihilation, to a special organization, shall be attached to the act of annihilation.

Annihilation of JSC Tander database fields containing personal data of the subject shall be fulfilled in the following cases:

objects of processing are achieved or their achievement becomes unnecessary;
withdrawal of consent of the personal data subject to personal data processing is received;
the personal data subject or their legal representative provide information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing;
detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and it is impossible to provide lawful processing of personal data.

Annihilation shall be fulfilled by the committee consisting of persons that are responsible for the technical maintenance of automated systems and that own the databases.

Annihilation shall be fulfilled by erasing information from data storage media (including backup copies). The act shall be drawn up and approved by the person who is responsible for the technical maintenance of automated systems and who owns the databases.

Annihilation of electronic records archives and electronic communications protocols may not be fulfilled if their maintenance and security within a certain period are stipulated in the corresponding regulatory and/or contractual documents.

In the absence of technical capability to annihilate personal data contained in databases, depersonalization by rerecording of database fields shall be acceptable. Rerecording shall be performed in such a way that the further identification of the personal data subject is impossible.

Monitoring of compliance with the procedures of annihilation of personal data shall be carried out by the person responsible for the organization of personal data processing.

Processing of biometric personal data (photograph used for identification, fingerprints, retinal pattern, etc.), according to article 11 of the Federal Law No. 152-FZ, shall be allowed with the consent of the subject. Adjustment of a form of consent of the subject to standard forms of documents containing personal data of the subject (for example, questionnaire, letterheads) shall be allowed.

A decision that produces legal effects concerning the personal data subject or otherwise involves their rights and legitimate interests may be made on the basis of entirely automated processing of their personal data with the express written agreement of the personal data subject.

Protection of personal data of the subjects from unlawful use or loss shall be provided by JSC Tander at its own expense in accordance with the procedure established by the legislation of the Russian Federation.

Necessary organizational and technical measures to ensure confidentiality of personal data shall be taken while processing.

Technical measures to protect personal data while processing with hardware shall be determined in accordance with:

Regulatory document of FSTEC of Russia “Composition and content of organizational and technical measures to ensure safety of personal data while processing in information systems of personal data”, ratified by the Order of FSTEC of Russia No. 21 dated February 18, 2013;
Internal documents of JSC Tander operating in the information security sphere.

Personal data protection shall provide for restriction of access to them.

Internal policies and procedures, including the following documents, have been approved and accepted for execution by the order of JSC Tander CEO:

documents determining the procedure of personal data processing;
orders on approval of storage places of material media bearing personal data;
orders on determination of the list of persons carrying out processing of personal data or having access to them;
forms of consent of subjects to processing of their personal data;
documents determining the procedures aimed at prevention and detection of breaches of the Russian Federation legislation and remedial measures;
documents regulating the procedure of internal control;
documents aimed at estimation of damage that may be caused to personal data subjects in case of breach of the federal legislation relating to personal data;
arrangement of access to rooms where personal data are processed;
standard obligation of personal data nondisclosure;
standard form of explanation to the personal data subject of the legal consequences of refusal to provide personal data;
list of personal data information systems.

JSC Tander shall reserve the right to check completeness and accuracy of personal data provided with the consent of the personal data subject. In case of detection of erroneous or incomplete personal data, JSC Tander shall have a right to end all relationships with the personal data subject.

Procedure of processing applications and inquiries of subjects

When receiving an application or a written inquiry from the personal data subject or their legal representative for access to their personal data, JSC Tander shall follow the requirements of articles 14, 18 and 20 of the Federal Law No. 152-FZ.

The access of the personal data subject or their legal representative to their personal data shall be provided by JSC Tander only under the control of the person responsible for the organization of personal data processing by JSC Tander.

Inquiries of the personal data subject or their legal representative shall be fixed in the registry of inquiries of citizens (personal data subjects) related to processing of personal data.

Written inquiries of the personal data subject or their legal representative shall be fixed in the registry of written inquiries of citizens for the access to their personal data.

The person responsible for the organization of personal data processing shall make a decision on providing access to personal data to the subject.

If the data provided by the subject are not sufficient to establish their identity, or if provision of personal data breaches the constitutional rights and liberties of other persons, the person responsible for the organization of personal data processing shall prepare a substantive response containing a reference to the provision of part 8 of article 14 of the Federal Law No. 152-FZ or of another federal law that is the ground for such refusal, within thirty business days from the day of inquiry of the personal data subject or their legal representative or from the date of receipt of the inquiry of the personal data subject or their legal representative.

In order to provide access to personal data of the subject to this subject or their representative, the person responsible for the organization of personal data processing shall involve an employee (employees) of the structural division processing personal data of the subject upon the agreement with a director of this structural division.

Information on availability of personal data shall be provided by JSC Tander to the personal data subject in an intelligible form, and it shall not contain personal data related to other personal data subjects. Control over provision of information to the subject or their legal representative shall be carried out by the person responsible for the organization of personal data processing.

Information on availability of personal data shall be provided to the subject in the response to the inquiry within thirty days from the date of receipt of the inquiry of the personal data subject or their legal representative.

Procedures in case of receiving inquiries from regulatory authorities

In accordance with part 4 of article 20 of the Federal Law No. 152-FZ, JSC Tander shall provide the authorized body for protection of rights of personal data subjects, upon its request, with the information necessary for the operation of this body within thirty days from the date of receipt of such request.

Collection of information for preparation of the substantive response to the inquiry of regulatory authorities shall be carried out by the person responsible for the organization of personal data processing, if necessary involving JSC Tander employees.

Within the period established by the legislation the person responsible for the organization of personal data processing shall prepare the substantive response and other necessary documents and send them to the authorized body.