MAX FABRIQUE Personal Data Protection and Processing Policy
1. General Provisions
1.1. This policy on protection and processing of personal data (hereinafter referred to as the “Policy”) is drawn up in accordance with clause 2 of Article 18.1 of the Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the Personal Data Act), as well as other regulatory acts in the field of personal data protection and processing, and applies to all personal data (hereinafter referred to as the PD) that TRYFIT TECHNOLOGIES Limited Liability Company (OGRN 1167746607632, address: 143026, Moscow, territory of the Skolkovo Innovation Center, Lugovaya Street, Building 4, Building 5, Floor 3 hours, apt.11) and MAX FABRIQUE Limited Liability Company, a company registered in the Russian Federation (main state registration number 1117847286226; head office located at: 191015, Russian Federation, Saint Petersburg, Voskresenskaya embankment, 4 lit. A, apt 96N) (hereinafter - the Companies) can receive from the personal data subject.
1.2. The Companies ensure the protection of processed PD from unauthorized access and disclosure, misuse or loss in accordance with the Personal Data Act.
1.3. Policy Change:
1.3.1. The Companies have the right to make changes to this Policy. When changes are made, the heading of the Policy indicates the date of the last update. The new version of the Policy comes into legal force from the moment it is posted on the site, unless otherwise stated in the new version of the Policy.
2. Terms and Acronyms
Personal data (PD) - any information relating directly or indirectly to a specific or determinable individual (PD subject).
Personal data processing - any action (operation) or a set of actions (operations) performed with PD, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of PD.
Automated processing of personal data - PD processing using computer technology.
Personal data information system (PDIS) - a set of PD contained in databases, together with the information technologies and technical means that enable processing of personal data.
Personal data made publicly available by the subject of personal data - PD to which access by an unlimited number of persons is provided by the subject of personal data or at his / her request.
Personal data blocking - temporary termination of the PD processing (unless processing is required for PD clarification).
Destruction of personal data - actions as a result of which it becomes impossible to restore the PD content in the PDIS and (or) as a result of which material carriers of PD are destroyed.
Operator - an organization that independently or jointly with other persons organizes the PD processing, as well as defines the goals of PD processing and the actions (operations) performed with PD. The operators are the Companies (TRYFIT TECHNOLOGIES LLC and MAX FABRIQUE LLC).
3. Personal Data Processing
3.1. Receiving PD:
3.1.1. All PD should be obtained from the subject directly. If PD can be obtained only from a third party, the subject must be notified about this or consent must be obtained from him / her.
3.1.2. The Companies have to inform the subject about the goals, the expected sources and methods of obtaining PD, the list of PD to be received, the list of actions to be performed with PD, the period during which the consent is valid, and the procedure for its withdrawal, as well as the consequences of refusing to provide the consent.
3.2. PD processing:
3.2.1. PD processing is carried out:
· with the consent of the PD subject for PD processing;
· in cases when PD processing is required for the performance and fulfilment of the functions and duties prescribed by the legislation of the Russian Federation;
· in cases when access for an unlimited circle of persons to PD is provided by the subject of the PD or upon his request (hereinafter referred to as PD made publicly available by the subject of PD).
3.2.2. PD processing is carried out:
· using automation tools;
· without using automation tools.
3.3. PD storage:
3.3.1. PD can be obtained, undergo further processing and be transferred to storage both on paper and in electronic form.
3.3.2. PD on paper is stored in locked cabinets or in locked rooms with limited access.
3.3.3. PD processed using automation tools for different purposes are stored in different folders.
3.3.4. It is not allowed to store and place documents containing PD in open electronic directories (file sharing) in PDIS.
3.3.5. Storage of PD in a form that allows the subject of PD to be determined is carried out no longer than the goals of their processing require, and they must be destroyed upon achievement of the processing goals or when there is no longer a need to achieve them.
3.4. Destruction of PD:
3.4.1. Destruction of documents (media) containing PD is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used for the destruction of paper documents.
3.4.2. PD on electronic media are destroyed by erasing or formatting the media.
3.4.3. The fact of the destruction of PD is documented by the media destruction act.
3.5. PD Transmission:
3.5.1. The Companies transfer PD to third parties, including for cross-border transfer of PD, in the following cases:
· the subject has expressed consent to such actions;
· the transfer is provided for by Russian or other applicable legislation in accordance with the procedure established by law.
4. PD Protection
4.1. In accordance with the requirements of regulatory documents, the Companies have created a PD protection system (PDPS), consisting of legal, organizational and technical protection subsystems.
4.2. The legal protection subsystem is a complex of legal, organizational, administrative and regulatory documents that ensure creation, operation and improvement of the PDPS.
4.3. The organizational protection subsystem includes arrangement of the PDPS management structure, the licensing system, and information protection when working with employees, partners, and third parties.
4.4. The subsystem of technical protection includes a complex of technical, software and hardware tools that provide PD protection.
4.5. The main PD protection measures used by the Companies are:
4.5.1. Appointment of a person responsible for PD processing, who arranges the PD processing procedure, training and briefing, and internal control over the compliance of the Companies’ employees with the PD protection requirements.
4.5.2. Identification of current threats to PD security during its processing in PDIS and development of measures and activities to protect PD.
4.5.3. Development of a Policy regarding PD processing.
4.5.4. Establishing access rules to PD processed in PDIS, as well as ensuring the registration and recording of all actions performed with PD in PDIS.
4.5.5. Establishment of individual passwords for employees' access to the information system in accordance with their responsibilities.
4.5.6. The use of information security tools that have passed the prescribed assessment procedure.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with the conditions ensuring PD safety and excluding unauthorized access to them.
4.5.9. Detection of facts of unauthorized access to PD and taking measures.
4.5.10. Recovery of PD modified or destroyed due to unauthorized access to them.
4.5.11. Training of the Companies’ employees directly involved in PD processing on PD legislation of the Russian Federation, including the requirements for the PD protection, Companies’ documents and policies related to PD processing, local acts on the processing of PD.
4.5.12. Implementation of internal control and audit.
5. Basic rights and obligations of PD subject and the Companies
5.1. Fundamental rights of the subject of PD.
The subject has the right to get access to PD and the following information:
· confirmation of the fact of PD processing by the Companies;
· legal grounds and goals of PD processing;
· goals and methods of processing PD applied by the Companies;
· the title and location of the Companies, information about persons (with the exception of the names of the employees of the Companies) who have access to PD or to whom PD can be disclosed on the basis of an agreement with the Companies or on the basis of a federal law;
· terms of PD processing, including period of their storage;
· the procedure for exercising of the PD subject’s rights provided by this Policy and the Personal Data Act;
· name or surname, name, patronymic and address of the person processing PD on behalf of the Companies, if the processing is entrusted or will be entrusted to such a person;
· appeal to the Companies and sending inquiries;
· appeal of actions or inaction of the Companies.
5.2. Rights and Obligations of the Companies.
The Companies have the right to:
· entrust the processing of PD to another person on the basis of the relevant agreement concluded with this person, who will be entrusted with the duty of processing PD in accordance with this Policy and the principles and rules for PD processing provided by the Personal Data Act.
The Companies undertake to:
· provide information on PD processing while collecting PD;
· notify the subject of PD in case PD was not received from the PD subject directly;
· explain the consequences of refusal to provide PD in case of such refusal;
· publish or provide unrestricted access to the document defining PD processing policy, to information on the ongoing requirements for the PD protection;
· take the necessary legal, organizational and technical measures or ensure their adoption to protect PD from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD;
· provide answers to inquiries and appeals of PD subjects, their representatives and the authorized body for the protection of the rights of PD subjects.