PERSONAL DATA PROCESSING POLICY

 

Effective date: November 22, 2023 (as amended on November 22, 2023)

 

Terms and definitions

 

Personal data are any information referring directly or indirectly to a particular or identified individual (the personal data subject).

Personal data processing is any action (operation) or a combination of actions (operations) performed both automatically and manually with personal data, including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymizing, blocking and destruction of the Personal data.

Personal data processor is the Sape Limited (OGRN 1077761463724, INN/KPP 7705813551/771301001, registered address: 125212, Moscow city, intracity territory Voykovskiy, Vyborgskaya ul., d. 16, str. 1, pomesch. 1/1).

Personal data distribution is actions related to making the Personal data available to indefinite range of persons.

Personal data blocking is the temporary cessation of the Personal data processing (except for the cases when the processing is needed for the Personal data specification);

Personal data destruction - actions performed on the Personal data contained in the respective database that prevent such data from being restored and (or) actions aimed at the physical destruction of the tangible medium of the Personal data.

Personal data anonymization - actions performed on the Personal data that do not permit the identity of the individual concerned to be verified solely from such anonymized data.

Personal data safety is the Personal data protection from unlawful and/or unauthorized access, destruction, alteration, blocking, copying, disclosure and distribution, as well as from any other unlawful actions.

Personal data information system is the database that contains the Personal data as well as information technologies and hardware used for the data processing;

Website is the web resource available online at www.sape.ru and its subdomains.

User is the person using the service owned by the Company and available at the Website.

Agreement with the user is any agreement concluded with the person - user of the Company’s Website on terms provided by offers available online at www.sape.ru or its subdomains, as well as all integral attachments thereto (including alterations agreed upon by the Parties in digital form or in the manner prescribed by agreements with the User).

Personal account is the personalized section of the service owned by the Company and available online at the Website, not available to the public. The Personal account may be accessed with the login and password of the registered User.

Personal data confidentiality is the legal order when the Operator and other persons who gained the access to the Personal data are obliged not to disclose the Personal data to any third parties or distribute the same without the consent of the Personal data subject, unless otherwise is provided for by the Russian Federation law.

 

1. General provisions

 

1.1. This Personal data processing policy (hereinafter referred to as the “Policy”) has been prepared in accordance with relevant requirements, including ch. 14 of the Russian Federation Labor code, the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data” (hereinafter referred to as the “Personal data law”), in order to completely comply with the current Russian Federation laws, and determines the position of the Sape Limited ( OGRN 1077761463724, INN/KPP 7705813551/771301001, registered address: 125212, Moscow city, intracity territory Voykovskiy, Vyborgskaya ul., d. 16, str. 1, pomesch. 1/1 (hereinafter referred to as the “Company”) concerning the Personal data processing and protection, observance of every person’s rights and freedoms and, in particular, the right right to the personal and family privacy.

1.2. This Policy determines:

•          purposes, order and conditions of the Personal data processing;

•          categories of subjects of the Personal data being processed, categories (lists) of the Personal data being processed, methods and terms of the Personal data processing and storage, procedures for such data destroying after achieving the purposes of its processing or in accordance with the law;

•          provisions relating to the Personal data protection, procedures for identifying and preventing violation of the Russian Federation law concerning the Personal data, and restoring of such violations consequences.

1.3. Terms and definitions used in the Policy have the same meanings as determined in the Personal data law.

1.4. This Policy may be revised, amended and/or supplemented by the Company from time to time under the terms and conditions determined in p. 10.2. of the Policy.

 

2. Scope of regulation

 

2.1. This Policy relates to the Personal data processed by the Operator, both before and after this Policy enters into force.

2.2. This Policy relates to the Personal data subjects being the Russian Federation citizens (save as otherwise provided by applicable laws) and the Personal data processed by the Operator, as well as to the Personal data processing by the Operator within the Russian Federation.

2.3. This Policy regulates the Personal data Processing including collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymizing, blocking and destruction of the Personal data, allowing to identify the Personal data subjects necessary for use and/or relating to use of the service owned by the Company and available at the Website as well as at other web-sited provided and operated by the Operator (if required by any applicable law), as well as for conclusion and execution by the Operator and/or its related persons of any agreements and contracts concluded with Users concerning use of the service available online at www.sape.ru or its subdomains.

2.4. Providing the Personal data with the service available online at www.sape.ru or its subdomains or otherwise accessing or using the service the Personal data subject confirms that he has read this Policy, understands its terms and agrees to be legally bounded by its terms without any limitation.

 

3. Categories (lists) of subjects of the Personal data being processed

 

3.1. The Company processes the Personal data of the following categories of the Personal data subjects:

•          registered users of the www.sape.ru Website or its subdomains;

•          visitors and potential Users of the www.sape.ru Website or its subdomains;

•          representatives of companies - contractors of the Company.

•          applicants for the Operator’s organization employment;

•          employees of the Operator’s organization;

•          former employees of the Operator’s organization;

•          members of families of the Operator’s organization employees if relevant data should be provided in accordance with acting laws and/or local orders; other persons whose Personal data the Operator’s organizations are required to process in accordance with labor laws and other labor regulations;

• shareholders (members) of the Operator’s organization;

• persons undertaking various internships (practical training) at the Operator’s organization;

• visitors of the Operator’s organization;

• other persons whose Personal data the Operator’s organizations are required to process in accordance with labor laws and other labor regulations.

 

4. Legal grounds, purposes, procedures and conditions of the Personal data processing

 

4.1. The Operator performs the Personal data Processing only for the following reasons:

4.1.1. the subject of the Personal data has given his consent to the processing of his Personal data;

4.1.2. the processing of the Personal data is required for achieving the purposes stipulated by an international agreement of the Russian Federation or by law, or to exercise and fulfil functions, powers and obligations imposed on Operators by the Russian Federation law. In particular the Operator and/or the contractor authorized by the Operator processing the Personal data (when and if applicable) collects, processes, stores and uses the Personal data solely for the lawful purposes specified in this Policy.

4.2. The purposes of the Personal data Processing, categories of Personal data, legal basis for the Personal data Processing, the list of actions with the Personal data, methods of the Personal Data processing, in accordance with which the Operator processes the Personal data, are provided in the table below.

 

Categories of the personal data subjects	Purpose of the personal data processing	Categories of the personal data	Legal basis for the personal data processing	List of actions with the personal data	Methods of the personal data processing
Registered Website Users: www.sape.ru or its subdomains	- Granting the personal data subject with access to to the service available at the Website: www.sape.ru or its subdomains; - Preparation and provision of services to the personal data subject under the Agreement(s); - Providing the personal data subject with the opportunity to execute the Agreement(s), including: -    registration of the User at the Website and conclusion of the relevant Agreements; -    providing the User with the functionality of the Company’s service available at the Website: www.sape.ru or its subdomains; -    entering, storing and processing of data to the database of persons providing services under the Agreement(s); -    creation, formation and direction of applications in accordance with concluded Agreement(s); -    processing, collection, work and provision of responds to the User’s questions/requests via the Company’s service available at the Website: www.sape.ru or its subdomains; -    saving the questions/requests of the User, list and contents of works / services / intellectual rights and projects created by the User via the Company’s service available at the Website: www.sape.ru or its subdomains; -    securing and/or accepting payments from Users being customers and/or principals and/or licensees under the relevant Agreements; -    securing and/or performing payments to Users being contractors and/or principals under the relevant Agreements; -    Communication with Users and provision of information to Users about operation of the service available at the Website: www.sape.ru or its subdomains: including by sending notifications, messages, mailing, advertisement, marketing emails and other promotional and/or informational materials concerning new functions and services available at the Website: www.sape.ru or its subdomains, products and services provided by associated companies, related persons or partners including marketing partners;	- Full name; - Date of birth; - Residential or registered address; - Email address; - Phone number; - Login and password used for the service; - Passport or other national ID details; - Taxpayer’s identification number; - Tax status; - Residential status; - Information concerning method of payments (via the payment card or by other means of payment), some first and/or last numbers of the card for payments vis the payment card; - IP-address, date and time of access to the service available at the Website: www.sape.ru or its subdomains, addresses of requested pages, browser details and other data transferred by the software and/or Internet connection; - Information concerning activity at the personal account;  - Certain dates and amounts of replenishments of the User’s Personal account;  - IDs of transactions;	Agreements: processing of personal data is required for performance of an agreement to which a personal data subject is a party or under which the data subject is a beneficiary or surety, or for conclusion of an agreement on the initiative of a personal data subject or an agreement under which a personal data subject shall be a beneficiary or surety (p. 5 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Rights and legitimate interests of the Operator and third persons: processing of personal data is required for realization of rights and legitimate interests of the Operator or third persons or for the attainment of socially significant objectives (in acc. with p. 7 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Compliance with the Operator's obligations under the current legislation personal data processing is required for achieving the purposes stipulated by an international agreement of the Russian Federation or by law, or for exercise and fulfillment of functions, powers and obligations imposed on the Operator by the Russian Federation law (in acc. with i. 2 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Consent of the personal data subject to the processing of his personal data (in acc. with i. 1 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”) (if applicable).	Collection; Recording: Arrangement; Accumulation; Storage; Specification (updating, changing); Use; Transfer (provision); Anonymizing; Blocking; Deleting; Destruction.	Mixed processing of personal data.
	-      Disputes settlement, mediation; -      Providing security of the Website and the service available at the Website: www.sape.ru or its subdomains from security threats, cyberattacks, spam threats, etc.; -      Improving of interaction between the Website’s User and the service available at the Website: www.sape.ru  or its subdomains including for the purposes of: (а) conduction of statistical studies  basing on the personal data of customers / principals / licensees and contractors / principals / licensees, including survey data; (b) the Website malfunction diagnosis (analysis of operational characteristics and functionality, error correction, etc.). The Operator may perform any other actions within the functionality of the service available at the Website: www.sape.ru or its subdomains.
Visitors and  potential Users of the Website www.sape.ru or its subdomains	- Processing, collection, work and provision of responds and/or information to questions/requests sent by Visitors and potential Users via the Company’s service available at the Website: www.sape.ru or its subdomains; - Collection, storing and processing of requests sent via the Website feedback form including the “request a callback: form; - Analysis, maintenance and storage of the Website traffic statistics; - Communication and provision of information about operation of the service available at the Website: www.sape.ru or its subdomains: including by sending notifications, messages, mailing, advertisement, marketing emails and other promotional and/or informational materials concerning new functions and services available at the Website: www.sape.ru or its subdomains, products and services provided by associated companies, related persons or partners including marketing partners; - Providing security of the Website and the service available at the Website: www.sape.ru or its subdomains from security threats, cyberattacks, spam threats, etc.; -      - Improving of interaction between the Website’s Visitors and potential users and the service available at the Website: www.sape.ru  or its subdomains including for the purposes of: (а) conduction of statistical studies  basing on the personal data of customers / principals / licensees and contractors / principals / licensees, including survey data; (b) the Website malfunction diagnosis (analysis of operational characteristics and functionality, error correction, etc.). The Operator may perform any other actions within the functionality of the service available at the Website: www.sape.ru or its subdomains.	- Full name; - Email address; - Phone number; - IP-address, date and time of access to the service available at the Website: www.sape.ru or its subdomains; - Addresses of requested pages; Browser details and other data transferred by the software and/or Internet connection .	Rights and legitimate interests of the Operator and third persons: processing of personal data is required for realization of rights and legitimate interests of the Operator or third persons or for the attainment of socially significant objectives (in acc. with p. 7 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Consent of the personal data subject to the processing of his personal data (in acc. with i. 1 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”) (if applicable).	Collection; Recording: Arrangement; Accumulation; Storage; Specification (updating, changing); Use; Transfer (provision); Anonymizing; Blocking; Deleting; Destruction.	Mixed processing of personal data.
Representatives of companies - contractors of the Company	- Compliance with applicable contract laws; - Sending official requests and applications; - Granting the personal data subject with access to to the service available at the Website: www.sape.ru or its subdomains; - Preparation and provision of services to the personal data subject under the Agreement(s); - Providing the personal data subject with the opportunity to execute the Agreement(s), including: -    registration of the User at the Website and conclusion of the relevant Agreements; -    providing the User with the functionality of the Company’s service available at the Website: www.sape.ru or its subdomains; -    entering, storing and processing of data to the database of persons providing services under the Agreement(s); -    creation, formation and direction of applications in accordance with concluded Agreement(s); -    processing, collection, work and provision of responds to the User’s questions/requests via the Company’s service available at the Website: www.sape.ru or its subdomains; -    saving the questions/requests of the User, list and contents of works / services / intellectual rights and projects created by the User via the Company’s service available at the Website: www.sape.ru or its subdomains; -    securing and/or accepting payments from Users being customers and/or principals and/or licensees under the relevant Agreements; -    securing and/or performing payments to Users being contractors and/or principals under the relevant Agreements; Communication with Users and provision of information to Users about operation of the service available at the Website: www.sape.ru or its subdomains: including by sending notifications, messages, mailing, advertisement, marketing emails and other promotional and/or informational materials concerning new functions and services available at the Website: www.sape.ru or its subdomains, products and services provided by associated companies, related persons or partners including marketing partners; - Providing security of the Website and the service available at the Website: www.sape.ru or its subdomains from security threats, cyberattacks, spam threats, etc.; - Improving of interaction between the Website’s Visitors and potential users and the service available at the Website: www.sape.ru  or its subdomains including for the purposes of: (а) conduction of statistical studies  basing on the personal data of customers / principals / licensees and contractors / principals / licensees, including survey data; (b) the Website malfunction diagnosis (analysis of operational characteristics and functionality, error correction, etc.). The Operator may perform any other actions within the functionality of the service available at the Website: www.sape.ru or its subdomains.	- Email address; - Phone number (except for phone numbers registered by legal entities); - Login and password used for the service; - Information concerning method of payments (via the payment card or by other means of payment), some first and/or last numbers of the card for payments vis the payment card; - IP-address, date and time of access to the service available at the Website: www.sape.ru or its subdomains, addresses of requested pages, browser details and other data transferred by the software and/or Internet connection; - Information concerning activity at the personal account;  - certain dates and amounts of replenishments of the User’s Personal account;  - IDs of transactions.	Rights and legitimate interests of the Operator and third persons: processing of personal data is required for realization of rights and legitimate interests of the Operator or third persons or for the attainment of socially significant objectives (in acc. with p. 7 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Compliance with the Operator's obligations under the current legislation personal data processing is required for achieving the purposes stipulated by an international agreement of the Russian Federation or by law, or for exercise and fulfillment of functions, powers and obligations imposed on the Operator by the Russian Federation law (in acc. with i. 2 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Consent of the personal data subject to the processing of his personal data (in acc. with i. 1 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”) (if applicable).	Collection; Recording: Arrangement; Accumulation; Storage; Specification (updating, changing); Use; Transfer (provision); Anonymizing; Blocking; Deleting; Destruction.	Mixed processing of personal data.
Applicants for the Operator’s organization employment; Employees of the Operator’s organization; Former employees of the Operator’s organization; Members of families of the Operator’s organization employees if relevant data should be provided in accordance with acting laws and/or local orders; Other persons whose Personal data the Operator’s organizations are required to process in accordance with labor laws and other labor regulations; Shareholders (members) of the Operator’s organization; Persons undertaking various internships (practical training) at the Operator’s organization; Visitors of the Operator’s organization; Other persons whose Personal data the Operator’s organizations are required to process in accordance with labor laws and other labor regulations.	- Application and enforcement of labor laws concerning employment and other related relationship including: -  promotion of employment; - personnel and accounting records; - conclusion and management of employments and other related relationship between employees and the Operator; - confirmation of character and stages of working activity of an employee at the Operator’s company; - interactions between the Operator and state and local authorities, banks and auditors, consular offices; - assistance for employees with education and career promotion; - performance of awards and rewards; - provision by the Company of legislated work conditions, guarantees and compensations; - filling out and transfer to competent authorities of necessary reports; - provision of personal security for employees and safety for the property; - monitoring of the works quantity and quality; - social protection implementation, granting of various exemptions, bonuses and additional assistance including medical insurance; - informational support for the Operator’s activity by means of publication at the domestic web resource, creation of internal guide books and address books.	- Last name, first name, patronymic name (if any), as well as former ones (if any), date and place of alteration (in case of alteration); - Gender; - Date (day, month, year) and place of birth; - Photo; - Citizenship; - Type, series, number of an ID document, name of an issuing authority, date of issue; - Personal pension account number (SNILS); - Taxpayer identification number (INN); - Address and date of a residency registration, residence address; - Contact phone number, email address and(or) other means of communication; - Details of civil status certificates and information contained therein; - Details of marital status, family members (relation degree, last name, first name, patronymic name (if any), date (day, month, year) and place of birth); - details of parental status, children’s age, place of work (education); - Details of education and(or) qualification or specific knowledge (including name of an educational and(or) other establishment, graduation year, education level, qualification, details of education (training) certificates); - Number of an insurance policy (VHI) - Military service obligation status, - Details of military service in the Armed Forces, military rank, composition and branch of service, military registration and military registration documents: service record book, service registration certificate (series, number, date of issuance, name of an issuing authority); - Details of professional and additional education (name of and educational establishment, specialization and qualification in accordance with an educational certificate, educational certificate, qualification certificate, specific knowledge; name of an educational certificate, its series and number, date of issuance), details of specific knowledge degree (PC skills, foreign language, etc.), professional retraining, qualification improvement; - Employment history and details of previous employment, periods and length of work, employment record book and information contained therein; - Details of vacations and business trips, employment term, certification, rewards (promotions), penalties; - Information contained in documents entitling visiting the Russian Federation and employment in the Russian Federation (for foreign citizens arrived to the Russian Federation); - Information contained in a temporary resident permit, temporary resident educational permit (for foreign citizens temporary residing in the Russian Federation), residence permit (for foreign citizens permanently residing in the Russian Federation); - Profession, duty position, pay rate in accordance with professional and  qualification degree and group, compensation and incentive payments, remuneration, details of income, obligations on the basis of an enforcement document; - Banking details including including account number, plastic card number; - Medical details (for certain group of employments), presence and degree of a disability and limitation of work capability; - Details of presence (absence) of convictions and (or) investigations or criminal proceedings underway, or termination of a criminal prosecution on exonerative grounds (for certain group of employments); - Details of a driving license (series, number, category, date of issuance); -  Social benefits; - Other personal data contained in documents which should be provided in accordance with law if processing of such data corresponds with purpose of processing under this Policy; - other personal data which the employee considered desirable to be provided and processing of which corresponds with purpose of processing under this section of the Policy.	Rights and legitimate interests of the Operator and third persons: processing of personal data is required for realization of rights and legitimate interests of the Operator or third persons or for the attainment of socially significant objectives (in acc. with p. 7 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Compliance with the Operator's obligations under the current legislation personal data processing is required for achieving the purposes stipulated by an international agreement of the Russian Federation or by law, or for exercise and fulfillment of functions, powers and obligations imposed on the Operator by the Russian Federation law (in acc. with i. 2 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”). Consent of the personal data subject to the processing of his personal data (in acc. with i. 1 p. 1 art. 6 of the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data”) (if applicable).	Collection; Recording: Arrangement; Accumulation; Storage; Specification (updating, changing); Use; Transfer (provision); Anonymizing; Blocking; Deleting.	Mixed processing of personal data.

 

4.3. The Company processes the Personal data of these Personal data subjects in order to exercise functions, powers and responsibilities of the Company under the Russian Federation laws, in accordance with federal laws, including, but not limited to the Russian Federation Civil Code, the Russian Federation Taxation Code, the Russian Federation Labor Code, , the Russian Federation Family Code, Federal law of April 01, 1996 No. 27-ФЗ “About individual (personalized) record-keeping in the compulsory pension insurance system”, Federal law of July 27, 2006 No. 152-ФЗ “About personal data”, Federal law of March 28, 1998 No. 53-ФЗ “About military duty and military service”, Federal law of February 26, 1997 No. № 31-ФЗ “About mobilization training and mobilization in the Russian Federation”, Federal law of February 08, 1998 No. 14-ФЗ “About limited liability companies”, Federal law of February 07, 1992 No. 2300-1 “About protection of consumers' right”, Federal law of November 21, 1996 No. 129-ФЗ “About accounting”, Federal law of November 29, 2010 No. 326-ФЗ “About compulsory medical insurance in the Russian Federation”, other labor regulations, Federal law of July 27, 2006 No. 152-ФЗ “About personal data”, the Russian Federation Law of April 19, 1991 No. 1032-1 “About employment in the Russian Federation”, Federal law of December 06, 2011 No. N 402-ФЗ “About accounting”, Decree of the Russian Government of November 27, 2006 No. 719 “About approval of the Regulations on military registration”.

The Operator may use data and information in the aggregate and in the anonymized form for better understanding of needs of users of the Company’s services and for the improvement of services quality. The Personal data should be processed in accordance with principles and conditions provided by the legislation in the field of Personal data and this Policy.

4.4. The Operator processes the Personal data in the following manner:

• non-automated processing of the Personal data;

• automated processing of the Personal data with or without transfer of information received via data telecommunications network;

• mixed processing of the Personal data.

4.5. Processing of the Personal data is carried out with the consent of the personal data subject to the processing of his Personal data unless otherwise is required by the legislation in the field of Personal data. The Personal data subject provides his consent in any form allowing to confirm its receipt including by written consent to the Operator in accordance with form provided in Attachment “A” to this Policy or in digital form online at the Website (the single opt-in).

4.5.1. Processing of the Personal data allowed by the subject to be made public may be performed in accordance with restraints and conditions provided by art. 10.1. of the Federal law “About personal data” of July 27, 2006 N 152-ФЗ.

4.5.2. Processing of the biometric Personal data is allowed only with the written consent of the personal data subject. The exception is provided by p. 1 art. 11 of the Federal law “About personal data” of July 27, 2006 N 152-ФЗ.

4.6. Processing of the Personal data should be performed by collection, recording, arrangement, accumulation, storage, specification (updating, changing), extraction, use, anonymizing, blocking, deleting and and destruction of the Personal data including by means of computer technology.

4.6.1. Collection, recording, arrangement, accumulation and specification (updating, changing) of the Personal data should be performed by:

• receiving the personal data through the Website and/or be means of the service available at the Website: www.sape.ru  or its subdomains;

• receiving original documents or copies;

• copying original documents;

• entering information into account forms in hard and soft copy;

• creating documents containing the Personal data in hard and soft copy;

• entering the Personal data into the Personal data information systems.

4.6.2. The Operator uses the following filing systems:

• corporate e-mail system;

• electronic document management system;

• Operator’s software and database available at the Website www.sape.ru or its subdomains;

• normative reference data system;

• personnel management system (1С);

• informational portal at the Company’s corporate website.

4.7. The Operator does not process any Personal data concerning racial or ethnic origin, political opinions, and religious, philosophical and other beliefs, sexual life and membership in non-governmental organization including employee organizations.

4.8. The Operator may assign processing of the Personal data to third persons with the consent of the Personal data subject under the agreement concluded with these persons, including in case of a consent with the user agreement and the personal data processing policy available at the Company’s Websites.

 

5. Terms of the Personal data processing and storing

 

5.1. The Operator ceases to process the Personal data in the following circumstances:

• if the Personal data are found to be unlawfully processed. Processing should be terminated within 3 (three) working days from the date of detection;

• upon achieving purposes of the processing (with some exceptions);

• upon the expiration or withdrawal of the consent to the processing of Personal data by the Personal data subject (with some exceptions) if processing is possible only with such consent in accordance with the Federal law “About personal data” of July 27, 2006 N 152-ФЗ;

• if the Personal data subject applies to the Operator with a demand of termination of his Personal data processing (except for cases provided by p. 5 art. 21 of the Federal law “About personal data” of July 27, 2006 N 152-ФЗ). Processing should be terminated within 10 (ten) working days after reception of the demand (with possibility to prolong it for not more than five working days if notice of prolongation reasons has been sent).

5.2. Personal data should be stored in a form that allows verification of the identity of the Personal data subject only to the extent necessary for processing purposes unless the Personal data storing term is not established by a federal law, agreement concluded with the Personal data subject as a beneficiary or guarantor party.

5.3. Personal data in hard and/or soft copies should be stored by the Operator for the storage periods of documents for which these periods are provided by legislation concerning archiving in the Russian Federation (the Federal law of October 22, 2004 N 125-ФЗ “About archiving in the Russian Federation” and List of administrative archive documents generated during operation of state authorities, local government bodies and organizations, indicating their storage periods (approved by order of the Federal Archival Agency of Russia of December 20, 2019 N 236)).

5.4. Storage period for the Personal data processed in the Personal data information systems corresponds with the storage period of the Personal data in hard copies.

 

6. Rights and obligations of the Personal data subjects and the Operator concerning the Personal data processing

 

6.1. The subject of the Personal data being processed by the Operator may:

- receive the following from the Company:

• confirmation of the processing of his Personal data and information on existence of the Personal data of the relevant subject;

• information on the legal basis and purposes of the Personal data processing;

• information on methods of the Personal data processing used by the Company;

• information on name and location of the Company;

• list of the subject’s Personal data being processed and information on its source if another manner of such Personal data provision is not provided by a federal law;

• information on terms of the Personal data processing including storage periods;

• information on procedures for execution by the Personal data subject his rights under the Personal data law;

• other information in accordance with the Law and other regulations;

- demand from the Company:

• clarification, blocking or destruction of his Personal data in the event that the personal data are incomplete, out-of-date, inaccurate or unlawfully obtained or are not needed for the stated purpose of the processing;

• withdraw of his consent to the processing of Personal data at any time (by general request to the customer support service at the Website only for Registered Users of the Website) and/or by written request sent to the Operator’s location by registered mail (for any Personal data subjects);

• elimination of the Company’s unlawful actions performed to his Personal data;

• appeal against the Operator’s actions and omission to the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications (Roscomnadzor) or to the court if the Personal data subject considers that the Operator processes his Personal data in violation of applicable laws and regulations or otherwise violates his rights and liberties;

• protection of his rights and legitimate interests.

6.2. The Operator during processing of the Personal data has to:

- provide the Personal data subject with any information relating to processing of his Personal data at his request or provide a legally reasoned rejection within 10 (ten) business days (with possibility to prolong it for not more than five working days if notice of prolongation reasons has been sent);

- explain to the Personal data subject the legal consequences of refusing to provide his Personal data where the provision of Personal data is compulsory in accordance with federal laws;

- take or arrange for the taking of such legal, organizational and technical measures as are necessary to protect Personal data against unlawful or accidental access to and destruction, alteration, blocking, copying, provision or dissemination of Personal data and against other unlawful actions in relation to Personal data;

- publish online and provide unlimited online access to this document setting out the Personal data processing policy and to information concerning requirements to be fulfilled with respect to the protection of Personal data;

- block unlawfully processed Personal data relating to that data subject or to arrange for them to be blocked (if the processing of Personal data is carried out by another person acting on the Operator’s instructions) if the Personal data are found to be unlawfully processed, upon the application of the Personal data subject or his representative or upon their request or a request of the authorized body for the protection of the Personal data subjects’ rights from the moment of such application or the moment of the receipt of such request for the period needed for an inspection;

- rectify the Personal data or to arrange for them to be rectified (if the processing of Personal data is carried out by another person acting on the Company’s instructions) within seven working days from the date of presentation of that information, and to remove the block on the Personal data in the event that the Personal data are confirmed to be inaccurate in accordance with information provided by the Personal data subject or his representative);

- cease the unlawful processing of the Personal data or to arrange for the unlawful processing of the Personal data to be terminated by the person acting on the Company’s instructions in the event that it is discovered that Personal data are being unlawfully processed by the Company or a person acting on the instructions of the Company within a period not exceeding three working days from the date of that discovery;

- cease the processing of the Personal data or to arrange for the processing of the Personal data to be ceased (if the Personal data processing is performed by the person acting under the agreement with the Operator) and destruct the Personal data or to arrange for the destruction of the Personal data (if the Personal data processing is performed by the person acting under the agreement with the Operator) upon achieving the set goals of the Personal data processing unless otherwise is stipulated by the agreement to which the Personal data subject is a party, a beneficiary or a guarantor;

- cease the processing of the Personal data or to arrange for the processing of the Personal data to be ceased and to destroy the Personal data or to arrange for the destruction of the Personal data if the Personal data subject withdraws his consent to the processing of his Personal data within 10 (ten) business days after receipt of the relevant demand (with possibility to prolong it for not more than five working days if notice of prolongation reasons has been sent) if the Operator is not authorized to process the Personal data without consent of the Personal data subject.

 

7. Personal data protection.  Procedures aimed at the prevention and detection of violations of the legislation and the remediation of the consequences of such violations

 

7.1. The Operator does not disclose to third parties and does not disseminate the personal data without the written consent of the Personal data subject unless otherwise is required by any federal law.

7.2. With the purpose of the personal data protection the following should be appointed (approved) by the relevant CEO orders at the Company, its affiliates and subsidiaries:

•          the officer responsible for the personal data processing management;

•          the list of job positions for which the Personal data should be processed in case of substitution;

•          the list of the Personal data available for officers engaged in the personal data processing;

•          the access procedure for the premises where the Personal data are processed;

•          procedures for the Personal data transfer within the Company;

•          the consent form for the Personal data processing, the consent form for processing the Personal data which the personal data subject allows to distribute;

•          procedures for protection of the Personal data during processing within the Personal data information systems;

•          procedures for internal investigations and inspections;

•          other local regulations adopted in accordance with requirements of the personal data legislation.

7.3. Officers engaged in the Personal data processing are allowed to perform the same after signing of the nondisclosure obligation.

7.4. Material media bearing the Personal data should be stored in key locking closets. Premises of the Operator where the mentioned closets are located should be equipped with locking devices. Keys for closets and premises should be provided to the officers against their signature.

7.5. Access to the personal data from the Operator’s information systems should be provided via individual passwords.

7.6. The Operator uses the Kaspersky virus protection software with regularly updated databases.

7.7. Officers of the Company engaged in the Personal data processing are taking training courses for the law requirements concerning the Personal data from time to time.

7.8. Regulations requiring the Company’s employees to inform immediately of any unauthorized access to the Personal data should be included to labor agreements with the Company’s employees engaged in the Personal data processing.

7.9. The Operator performs internal investigations if:

•          the Personal data are unlawfully or occasionally transferred (provided, disclosed, accessed) resulting in violation of rights of the Personal data subjects;

•          in other cases provided by the legislation in field of the Personal data.

7.10. The officer responsible for the Personal data processing management supervises the following:

•          compliance with requirement of the legislation in field of the Personal data and local regulations by the officers authorized for the Personal data processing;

•          compliance of the mentioned regulations with the legislation in field of the Personal data.

The internal supervision should be performed as internal inspections.

7.10.1. Internal routine inspections should be performed in accordance with the annual plan approved by the CEO.

7.10.2. Internal extraordinary inspections should be performed at resolution of the officer responsible for the Personal data processing arrangement. Such resolutions should be based on violation of the legislation in field of the Personal data reported verbally or in writing.

7.10.3. At the conclusion of the internal inspection an internal report should be issued to the Company’s CEO. If any violations revealed such report should include list of actions to remedy such violations and terms of such remedy.

7.11. The internal investigation should be performed once the Personal data are revealed to be unlawfully or occasionally transferred (provided, disclosed, accessed resulting in violation of rights of the Personal data subjects (hereinafter referred to as the “case”).

7.11.1. In the event of the case the Operator notifies the Roscomnadzor of the following within 24 hours:

•          the case;

•          its hypothetic causes and damage to the rights of the Personal data subject(s);

•          actions taken to remedy consequences of the case;

•          the Operator’s representative authorized to communicate with the Roscomnadzor concerning the case.

The notice should be sent in accordance with the Procedures for communication between the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications and the operators concerning keeping the register of cases in relation to the Personal data approved by the Roscomnadzor Order of November 14, 2022 N 187.

7.11.2. The Operator shall take the following actions within 72 hours:

•          notify the Roscomnadzor of the internal investigation findings;

•          provide information on persons whose actions caused the case (if any).

The Procedures for communication between the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications and the operators concerning keeping the register of cases in relation to the Personal data approved by the Roscomnadzor Order of November 14, 2022 N 187 should be taken into account when sending the notice.

7.12. If the personal data subject (his representative) provides confirmed information that his personal data are complete, out-of-date or inaccurate such personal data should be amended within seven business days. The Operator notifies the personal data subject (his representative) in written of alterations made and informs (via email) third persons to whom the personal data have been transferred of the same.

7.13. The Operator notifies the Personal data subject (his representative) of elimination of violation regarding to the unlawful Personal data processing. The Roscomnadzor should also be notified if it transferred the application of the Personal data subject (his representative) or made the request by itself.

7.13.1. When deleting the unlawfully processed Personal data the notice should be sent in accordance with art. 7.13 of the Policy.

7.14. When deleting the unlawfully obtained or unnecessary for the stated purpose of processing the Operator notifies the Personal data subject (his representative) in written of actions taken. The Operator also notifies third persons to whom such Personal data have been transferred via email.

 

8. Responsibility for violation of regulations for the Personal data processing

 

8.1. Persons responsible for the violation of the Russian Federation laws concerning the Personal data while processing the Personal data are subject to disciplinary and financial liability as prescribes by the Russian Federation Labor code and other federal laws. Furthermore such persons are subject to administrative, civil and criminal liability as prescribed by federal laws.

8.2. Moral damage caused to the Personal data subject as a result of violation of his rights, violation of regulations concerning the Personal data processing and requirements concerning protection of the Personal data which have been established in accordance with the Federal law of July 27, 2006 N 152-ФЗ “Concerning personal data” shall be compensated in accordance with the Russian Federation laws.  Compensation for moral damage shall be provided irrespective of whether compensation is provided for material damage and losses suffered by the personal data subject.

 

9. Procedures for the Personal data Blocking and Deleting

 

9.1. The Operator blocks the Personal data pursuant to the terms and conditions provided by the legislation in the field of the Personal data.

9.2. When achieving purpose for which the Personal data were processed or when there is no further need in achieving such purpose the Personal data should be destroyed or anonymized. The federal law may provide for exceptions.

9.3. The unlawfully receives Personal data or those unnecessary for the purposes of processing should be destroyed within seven business days after the Personal data subject (his representative) provided confirming information.

9.4. The Personal data processing of which has been terminated due to its unlawfulness and lawfulness of processing of which is not possible to secure should be destroyed within 10 business days after such unlawful processing reveled.

9.5. The Personal data should be destroyed within 30 days from the date of the achievement of the purpose for which the Personal data were processed, unless otherwise provided by a contract to which the Personal data subject is a party (beneficiary or guarantor) or by agreement between the Operator and the Personal data subject or unless the Operator has the right to process the Personal data without the consent of the Personal data subject on grounds provided for by federal laws.

9.5.1. When the maximum storing period for documents containing the Personal data is reached the Personal data should be destroyed within 30 days.

9.6. The Personal data should be destroyed (unless their storage is necessary for the purpose for which the Personal data are processed) within 30 days after receipt of the Personal data subject’s withdrawal of his consent to his Personal data procession. Other terms and conditions may be provided by a contract to which the Personal data subject is a party (beneficiary or guarantor) or by agreement between the Operator and the Personal data subject. The Personal data should also be destroyed within the mentioned period if the Operator has the right to process the Personal data without the consent of the Personal data subject on grounds provided for by federal laws.

9.7. Selection of material media (documents, hard drives, flash drives, etc.) and (or) information from the information systems bearing the Personal data to be destroyed should be performed by the Operator’s branches processing the Personal data.

9.8. Destruction of the Personal data should be performed by the committee established by the CEO order.

9.8.1. The committee creates a list of documents, other material media and (or) data from information systems with Personal data to be destroyed.

9.8.2. Personal data in hard copy are destroyed by a paper shredding machine. Personal data in digital copies are destroyed by physical damage to data carriers making it impossible to read or restore the Personal data and also by deleting the data at the digital carriers by means and applications for assured deleting of residual content.

9.8.3. The committee approves the destruction of Personal data mentioned in paragraphs 9.4, 9.5 and 9.6 of the Policy in accordance with requirements for approval of the Personal data deleting approved by the Roscomnadzor order of October 28, 2022 N 179, namely:

• by a Personal data destruction certificate for the data processed without the use of automation facilities;

• by a Personal data destruction certificate and the Personal data information system event log output for the data processed with the use of automation facilities or simultaneously with and without the use of such facilities.

The certificate may be executed either in hard or in a digitally signed soft copy.

Forms of certificates and event log outputs are approves by the CEO order with respect to information which must be contained therein.

9.8.4. After execution of the Personal data destruction certificate and the Personal data information system event log output the committee shall provide the mentioned documents to the general department for further storage. Certificates and event log outputs are stored within three years after the Personal data destruction.

9.8.5. The destruction of Personal data not mentioned in p. 9.8.3 of the Policy shall be confirmed by the destruction certificate which shall be executed immediately after destruction of such data. Form of such certificate shall be approved by the CEO order.

9.9. If the Personal data are processed by the Operator with the use of automated facilities the destruction of such Personal data shall be confirmed by the Personal data destruction certificate (hereinafter referred to as the “Certificate”) which shall comply with requirements stated in paragraphs 9.10.1 and 9.10.2 of this Policy and the Personal data information system event log output (hereinafter referred to as the log output).

9.10.1. The Personal data destruction certificate must contain the following:

a) name and address of the Operator;

b) name (for the legal entity) or full name - last name, first name, patronymic (if any) (for individual persons) and address of persons performing (which used to perform) the Personal data processing of the Personal data subject(s) at the Operator’s instruction (if the processing have been instructed to such person(s);

c) last name, first name, patronymic (if any) of the subject(s) and other information relating to certain individual person(s) whose Personal data have been destroyed;

d) last name, first name, patronymic (if any) of the person(s) destroyed the Personal data of the Personal data subject and the signature of such person(s);

e) list of categories of destroyed Personal data of the Personal data subject(s);

f) name of the destroyed material media bearing the Personal data of the Personal data subject(s) detailing the number of sheets for each material media (if the Personal data are processed without the use of automated facilities);

g) name of the Personal data information system(s) where the Personal data of the Personal data subject have been destroyed (if the Personal data are processed with the use of automated facilities);

h) manner of the Personal data destruction;

i) reason for the Personal data destruction;

j) date of destruction of the Personal data of the Personal data subject(s).

9.10.2. The Operator may execute the Personal data destruction certificate in digital form digitally signed in accordance with the Russian Federation laws by the officer(s) mentioned in subparagraph d of p. 9.10.1 of this Policy.

9.11. The log output must contain the following:

a) last name, first name, patronymic (if any) of the subject(s) and other information relating to certain individual person(s) whose Personal data have been destroyed;

b) list of categories of destroyed Personal data of the Personal data subject(s);

c) name of the Personal data information system(s) where the Personal data of the Personal data subject have been destroyed (if the Personal data are processed with the use of automated facilities);

d) reason for the Personal data destruction;

e) date of destruction of the Personal data of the Personal data subject(s).

9.12. If the log output does not allow detailing any information mentioned in p. 9.11 of this Policy such missing information shall be added to the Personal data destruction certificate.

9.13. If the Personal data processing is performed by the Operator simultaneously with and without the use of automated facilities such Personal data destruction shall be confirmed by the Personal data destruction certificate complying with requirements stated in paragraphs 9.10.1 and 9.10.2 of this Policy and the log output stated in paragraph 9.11 of this Policy.

9.14. The personal data destruction certificate and the log output shall be stored by the Operator for 3 years after the Personal data destruction.

 

10. Final provisions

 

10.1. This Policy is available online at the Website at www.sape.ru or its subdomains.

10.2. This Policy may be modified by publication of the new edition of this Policy online at the Website at www.sape.ru or its subdomains and the new edition becomes valid immediately after publication if another term is not mentioned. If the User provides any Personal data via the service available at the Website or otherwise accesses or uses the service he shall be treated as acknowledged with and accepted the relevant edition of this Policy. If the User does not accept terms and conditions of the Personal data processing including collection, processing, arrangement and storing stated by this Policy, such User has an option not to provide any of his Personal data via the service available online at the Website or otherwise use the service available at the Website.

Attachment «А» to the Personal data processing policy

(FORM)

CONSENT TO THE EMPLOYEES’ PERSONAL DATA PROCESSING

            I, __________________________________________________________________________________________,

                                                        (full name)

registered address: (as it appears on the passport)_____________________________________________________________

passport _____________________________________________________________________________________________

_____________________________________________________________phone number__________________________

      (series and number of the document of identification date of issue and issuing authority)

in accordance with article 9 of the Federal law of July 27, 2006 N 152-ФЗ "About personal data", acting of my own free will and volition and for my own benefit do hereby give my consent the Sape Limited (hereinafter referred to as the Company), registered address: 125212, Moscow city, intracity territory Voykovskiy, Vyborgskaya ul., d. 16, str. 1, pomesch. 1/1, OGRN 1077761463724, INN 7705813551, https://www.sape.ru, to the processing in accordance with applicable laws and regulations of my following personal data obtained by the Company: Biometric personal data - photo, Personal data - Last name, first name, patronymic, information concerning the change of the last name, first name, patronymic, date and place of change (if any), sex, year, month and day of birth, place of birth, citizenship, document of identification (type, series, number, date of issue and issuing authority), registered address and date of registration, place of residence, phone numbers (stationary, cell), e-mail address and (or) other means of communication, marital status, family membership (relation degree, last name, first name, patronymic name (if any), date (day, month, year) and place of birth), details of civil status certificates and information contained therein, military service obligation status, military rank, composition and branch of service, military service record book, military service registration certificate, details of parental status, children’s age, place of work (education), details of military registration and service in the Armed Forces, details of professional and additional education (name of and educational establishment, specialization and qualification in accordance with an educational certificate, educational certificate, qualification certificate, specific knowledge; name of an educational certificate, its series and number, date of issuance, details of specific knowledge degree (PC skills, foreign language, etc.), professional retraining, qualification improvement, employment history and details of previous employment, periods and length of work, employment record book and information contained therein, medical details and comply of the employee’s health with his job, details of vacations and business trips, employment term, certification, rewards (promotions), penalties, taxpayer identification number (INN), personal pension account number (SNILS), insurance policy details, information contained in documents entitling visiting the Russian Federation and employment in the Russian Federation (for foreign citizens arrived to the Russian Federation), information contained in a temporary resident permit, temporary resident educational permit (for foreign citizens temporary residing in the Russian Federation), residence permit (for foreign citizens permanently residing in the Russian Federation), profession, duty position, pay rate in accordance with professional and  qualification degree and group, compensation and incentive payments, remuneration, details of income, obligations on the basis of an enforcement document, banking details including including account number, plastic card number, medical details (for certain group of employments), presence and degree of a disability and limitation of work capability, details of presence (absence) of convictions and (or) investigations or criminal proceedings underway, or termination of a criminal prosecution on exonerative grounds (for certain group of employments), details of a driving license (series, number, category, date of issuance), social benefits; and other personal data, events and facts of my life provided to the Company for my employment, keeping of personal and accounting records, conclusion and management of employment and other related relationship between me and the Company as the employer, confirmation of character and stages of my working activity in the Company, his interactions with state and local authorities, banks and auditors, consular offices, assistance for me with education and career promotion, performance of awards and rewards, provision by the Company of legislated work conditions, guarantees and compensations, filling out and transfer to competent authorities of necessary reports, provision of personal security for employees and safety of the property, monitoring of the works quantity and quality, social protection implementation, granting of various exemptions, bonuses and additional assistance including medical insurance, informational support for the Company’s activity by means of publication at the domestic web resource, creation of internal guide books and address books by means of the following actions: collection, recording, arrangement, accumulation, storage, specification, updating, changing, use, transfer (provision), anonymizing, blocking, deletion and destruction of personal data in accordance with applicable laws and regulations either with or without the use of automated facilities (mixed processing). 

This Consent is valid during the term of the labor contract with the operator and also after termination of labor agreement for the term or period provided for by the Federal law of October 22, 2004 N 125-ФЗ "About archiving in the Russian Federation" with respect to requirements of other laws and regulations of the Russian Federation concerning content and storing periods of certain documents.

I am aware that this Consent may be withdrawn by me at any time by the written application (notice) to the Company.

I am aware that it is an offence to make a false statement of provided personal data and information. I am aware of consequences of denial to provide personal data and information and/or consent to the processing of personal data and information when it is obligatory.

«___»  _____2023 г.                                ____________                                  ________________________

(signature)                                      (last name, initials)