TRY.FIT Personal Data Protection and Processing Policy
Date of last revision: March 2020
1. General Provisions
1.1. This Policy on
protection and processing of personal data (hereinafter referred to as the
“Policy”) is drawn up in accordance with clause 2 of Article 18.1 of the
Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter
referred to as the Personal Data Act), as well as other regulatory acts in the
field of personal data protection and processing and applies to all personal
data (hereinafter referred to as the PD) that TRIFYT TECHNOLOGIES Limited
Liability Company (TRIFYT TECHNOLOGIES, OGRN 1167746607632.
Legal address: 143026, Russian Federation, Moscow, Skolkovo territory of the
innovation center, Lugovaya street, 4, building 5, room 11; actual address:
121205, Moscow, territory of the Skolkovo Innovation Center, Bolshoy Boulevard,
42, bldg. 1) (hereinafter - the Company) can receive from the personal
data subject.
1.2. The Company ensures the protection of processed personal data from
unauthorized access and disclosure, misuse or loss in accordance with the
Personal Data Act.
1.3. Policy Change:
1.3.1. The Company has the right to make changes to this Policy. When changes
are made, the heading of the Policy indicates the date of the last update. The
new version of the Policy comes into force from the moment it is posted on the
site, unless otherwise provided by the new version of the Policy.
2. Terms and Acronyms
Personal data (PD) - any information relating directly or indirectly to a
specific or determinable individual (PD subject).
Personal data processing - any action (operation) or a set of actions
(operations) performed with PD, with or without the use of automation tools,
including collection, recording, systematization, accumulation, storage,
clarification (updating, changing), retrieval, use, transfer (distribution,
provision, access), depersonalization, blocking, deletion, destruction of PD.
Automated processing of personal data - PD processing using computer
technology.
Personal data information system (PDIS) - a set of PD contained in databases,
together with the information technologies and technical means that enable
processing of personal data.
Personal data made publicly available by the subject of personal data - PD to
which access by an unlimited number of persons is provided by the subject of
personal data or at his request.
Personal data blocking - temporary termination of the PD processing (unless the
processing is necessary for PD clarification).
Destruction of personal data - actions, as a result of which it becomes
impossible to restore the PD content in the PD information system and (or) as a
result of which material carriers of PD are destroyed.
Operator - an organization that independently or jointly with other persons
organizes the PD processing, as well as defines the goals of PD processing to be
executed, actions (operations) performed with PD. The operator is the Company
(TRYFIT TECHNOLOGIES LLC).
3. PD Processing
3.1. Receiving PD:
3.1.1. All PD should be obtained from the subject himself. If PD of the subject
can be obtained only from a third party, then the subject must be notified about
this or consent must be obtained from him;
3.1.2. The Company must inform the subject about the goals, the intended sources
and methods of obtaining PD, the list of PD to be received, the list of actions
to be performed with PD, the period during which the consent is valid, and the
procedure for its withdrawal, as well as the consequences of refusing to provide
consent.
3.2. PD Processing:
3.2.1. PD processing is carried out:
· with the consent of the PD subject to PD processing;
· in cases when PD processing is necessary for the implementation and
fulfilment of the functions and duties assigned by the legislation of the
Russian Federation;
· in cases when access for an unlimited circle of persons to PD is provided by
the subject of the PD or at his request (hereinafter referred to as PD made
publicly available by the subject of PD).
3.2.2. PD processing is carried out:
· using automation tools;
· without using automation tools.
3.3. PD Storage:
3.3.1. PD can be obtained, undergo further processing and be transferred to
storage both on paper and in electronic form.
3.3.2. PD on paper
is stored in locked cabinets or in locked rooms with limited access.
3.3.3. PD processed using automation tools for different purposes are stored in
different folders.
3.3.4. It is not
allowed to store and place documents containing PD in open electronic
directories (file sharing) in PDIS.
3.3.5. PD is stored in a form that allows the PD subject to be identified for no
longer than the goals of processing require, and must be destroyed once the
processing goals are achieved or when achieving them is no longer necessary.
3.4. Destruction of PD:
3.4.1. Destruction of documents (media) containing PD is carried out by burning,
crushing (grinding), chemical decomposition, transformation into a shapeless
mass or powder. A shredder may be used to destroy paper documents.
3.4.2. PD on
electronic media are destroyed by erasing or formatting the media.
3.4.3. The fact of
the destruction of PD is documented by the act on the destruction of carriers.
3.5. PD Transmission:
3.5.1. The Company transfers PD to third parties, including for cross-border
transfer of PD, in the following cases:
· the subject has expressed consent to such actions;
· the transfer is provided for by Russian or other applicable legislation in
accordance with the procedure established by law.
4. PD Protection
4.1. In accordance
with the requirements of regulatory documents, the Company has created a PD
protection system (PDPS), consisting of legal, organizational and technical
protection subsystems.
4.2. The legal
protection subsystem is a complex of legal, organizational, administrative and
regulatory documents that ensure creation, operation and improvement of the
PDPS.
4.3. The
organizational protection subsystem includes arrangement of the PDPS management
structure, the licensing system, and the information protection while working
with employees, partners, and third parties.
4.4. The subsystem
of technical protection includes a complex of technical, software and hardware
tools that provides PD protection.
4.5. The main PD
protection measures used by the Company are:
4.5.1. Appointment of a person responsible for PD processing, who arranges the
PD processing procedure, training and briefing, and internal control of the
Company employees' compliance with the requirements for PD protection.
4.5.2. Identification of current threats to PD security during its processing in
PDIS and development of measures and activities to protect PD.
4.5.3. Development of a Policy regarding PD processing.
4.5.4. Establishing
access rules to PD processed in PDIS, as well as ensuring the registration and
recording of all actions performed with PD in PDIS.
4.5.5. The
establishment of individual passwords to access the information system for
employees in accordance with their responsibilities.
4.5.6. The use of
information security tools that have passed the prescribed assessment
procedure.
4.5.7. Certified
antivirus software with regularly updated databases.
4.5.8. Compliance
with the conditions ensuring PD safety and excluding unauthorized access to
them.
4.5.9. Detection of
facts of unauthorized access to PD and taking measures.
4.5.10. Recovery of
PD modified or destroyed due to unauthorized access to them.
4.5.11. Training of
the Company’s employees directly involved in PD processing on PD legislation of
the Russian Federation, including the requirements for the PD protection,
Company’s documents and policies related to PD processing, local acts on the
processing of PD.
4.5.12. Implementation of internal control and audit.
5. Basic Rights and Obligations of the PD Subject and the Company
5.1. Fundamental rights of the subject of PD.
The subject has the right of access to PD and to the following information:
· confirmation of the fact of PD processing by the Company;
· legal grounds and goals of PD processing;
· goals and methods of processing PD applied by the Company;
· the title and location of the Company, information about persons (with the
exception of employees of the Company) who have access to PD or to whom PD can
be disclosed on the basis of an agreement with the Company or on the basis of a
federal law;
· terms of PD processing, including period of their storage;
· the procedure for exercising the PD subject's rights provided by this Policy
and the Personal Data Act;
· name or surname, name, patronymic and address of the person processing PD on
behalf of the Company, if the processing is entrusted or will be entrusted to
such a person;
· appeal to the Company and sending inquiries;
· appeal of actions or inaction of the Company.
5.2. Rights and obligations of the Company.
The Company has the right to:
· entrust the processing of PD to another person on the basis of the relevant
agreement concluded with this person, who will be entrusted with the duty to
process PD in accordance with this Policy and the principles and rules for PD
processing provided by the Personal Data Act.
The Company undertakes to:
· while collecting PD, provide information on PD processing;
· notify the subject of PD in case PD were received not from the PD subject
directly;
· explain the consequences of refusal to provide PD in case of such refusal;
· publish or provide unrestricted access to the document defining PD processing
policy, to information on the ongoing requirements for the PD protection;
· take the necessary legal, organizational and technical measures or ensure
their adoption to protect PD from unlawful or accidental access to them,
destruction, alteration, blocking, copying, provision, distribution of PD, as
well as from other illegal actions in relation to PD;
· provide answers to inquiries and appeals of PD subjects, their representatives
and the authorized body for the protection of the rights of PD subjects