Call us: +7 903 969-55-69

24k1 Volokolamskoye Hwy, 9th Floor, Apt. 120, Moscow, 123182, Russia


Personal Data Processing Policy of Business Design LLC

Basic Terms

– Personal data — any information relating to a directly or indirectly identified or identifiable individual (personal data subject).

– Personal data operator (operator) — a state authority, municipal authority, legal entity or individual that independently or jointly with other persons organizes and/or carries out the processing of personal data, and determines the purposes of personal data processing, the composition of personal data subject to processing, and the actions (operations) performed with personal data.

– Personal data processing — any action (operation) or a set of actions (operations) performed with personal data using automation tools or without the use of such tools. Personal data processing includes, among other things:

– collection;
– recording;
– systematization;
– accumulation;
– storage;
– clarification (updating, modification);
– extraction;
– use;
– transfer (distribution, provision, access);
– depersonalization;
– blocking;
– deletion;
– destruction.

– Automated personal data processing — processing of personal data using computer technology.

– Distribution of personal data — actions aimed at disclosure of personal data to an indefinite number of persons.

– Provision of personal data — actions aimed at disclosure of personal data to a specific person or a specific group of persons.

– Blocking of personal data — temporary cessation of personal data processing (except where processing is required for clarification of personal data).

– Destruction of personal data — actions that make it impossible to restore the content of personal data in a personal data information system and/or actions that result in the destruction of physical media containing personal data.

– Depersonalization of personal data — actions as a result of which it becomes impossible, without the use of additional information, to attribute personal data to a specific personal data subject.

– Personal data information system — a set of personal data contained in databases and information technologies and technical means ensuring their processing.

– Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state to a foreign government authority, foreign individual or foreign legal entity.

– Confidentiality of personal data — the obligation of the operator and other persons who have gained access to personal data not to disclose personal data to third parties and not to distribute personal data without the consent of the personal data subject unless otherwise provided by law.

 

1. General Provisions

 

1.1. The Personal Data Processing Policy of Business Design LLC (hereinafter — the Policy) defines the main principles, purposes, conditions and methods of personal data processing, the categories of personal data subjects and the lists of personal data processed by Business Design LLC (hereinafter — the Operator or the Company), the functions performed during personal data processing, the rights of personal data subjects, and the requirements implemented by the Operator to ensure the protection of personal data.

1.2. The Policy has been developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data.
The Operator notifies Roskomnadzor about personal data processing.

1.3. The provisions of this Policy serve as the basis for the development of local regulatory acts governing issues of personal data processing of the Operator’s employees and other personal data subjects.

1.4. In accordance with Part 2 of Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, this Policy is published in open access on the Operator’s website on the Internet information and telecommunications network.

 

2. Legislative and Other Regulatory Legal Acts of the Russian Federation Defining the Policy

 

2.1. The Company’s personal data processing policy is determined in accordance with the following regulatory legal acts:

– The Labor Code of the Russian Federation;
– Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data”;
– Decree of the President of the Russian Federation dated March 6, 1997 No. 188 “On Approval of the List of Confidential Information”;
– Resolution of the Government of the Russian Federation dated September 15, 2008 No. 687 “On Approval of the Regulation on the Peculiarities of Personal Data Processing Carried Out Without the Use of Automation Tools”;
– Resolution of the Government of the Russian Federation dated July 6, 2008 No. 512 “On Approval of Requirements for Physical Media of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems”;
– Resolution of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On Approval of Requirements for the Protection of Personal Data When Processed in Personal Data Information Systems”;
– Order of the Federal Service for Technical and Export Control of Russia dated February 18, 2013 No. 21 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems”;
– Order of Roskomnadzor dated September 5, 2013 No. 996 “On Approval of Requirements and Methods for Depersonalization of Personal Data”;
– other regulatory legal acts of the Russian Federation and regulatory documents of authorized government authorities.

2.2. In order to implement the provisions of this Policy, the Company develops relevant local regulatory acts and other documents, including:

– Regulations on the processing of personal data of the Operator’s employees;
– other local regulatory acts and documents regulating personal data processing issues within the Company.

 

3. Purposes of Processing, Categories of Personal Data Subjects, Categories and Lists of Personal Data Processed, Methods and Periods of Processing and Storage, Procedure for Destruction of Personal Data

 

3.1 Categories of Personal Data Subjects

3.1.1 Individuals who are in employment relations with the Operator, including individuals who have left the Company

– In this category of subjects, the operator processes personal data for the purposes of personnel management and employee accounting, regulation of labor and related relations, and compliance with labor legislation, tax legislation, military registration, state statistical accounting and other requirements provided by applicable legislation.

– List of personal data processed:
surname, name, patronymic, phone number, email address, passport details (series, number, issuing authority and date of issue), date of birth, place of birth, citizenship, gender, tax identification number (INN), insurance number (SNILS), information on education and qualifications, information on awards, incentives and honorary titles, information contained in education documents, information on employment history and work experience, information on marital status, series and number of the document confirming surname change, information contained in military registration documents, information required for payroll calculation and other payments, information on health condition, residential and/or registration address, photograph, academic titles and regalia, driver’s license information.

– Method of processing: mixed (automated and non-automated).

– Processing and storage periods: in accordance with labor and tax legislation.

– Procedure for destruction: personal data are destroyed by the operator’s responsible person with the preparation of a relevant act.

3.1.2 Individuals who are job candidates

– In this category the operator processes personal data for the purpose of attracting and selecting candidates for employment in the Company.

– Categories of subjects: candidates applying for vacant positions in the Company.

– List of personal data processed:
surname, name, patronymic, phone number, email address, information on education, information on work experience, and other information that the applicant may provide in their resume or application form.

– Method of processing: mixed (automated and non-automated).

– Processing and storage periods: until a decision is made regarding employment or the candidate’s mismatch with the vacancy.

– Procedure for destruction: personal data are destroyed by the operator’s responsible person with the preparation of a relevant act.

3.1.3 Clients and counterparties of the Operator (individuals)

– In this category, the operator processes personal data obtained for the purpose of concluding and executing a contract to which the personal data subject is a party.

– List of personal data processed:
surname, name, patronymic, phone number, email address, passport details (series, number, issuing authority and date of issue), tax identification number (INN), insurance number (SNILS), residential and/or registration address, bank details.

– Method of processing: mixed (automated and non-automated).

– Processing and storage periods: in accordance with the requirements of current tax and accounting legislation.

– Procedure for destruction: personal data are destroyed by the operator’s responsible person with the preparation of a relevant act.

3.1.4 Representatives/employees of clients and counterparties of the Operator (legal entities)

– In this category, the operator processes personal data obtained for the purpose of executing a contract where the client/counterparty (legal entity) is a party.

– List of personal data processed: surname, name, patronymic, phone number, email address.

– Method of processing: mixed (automated and non-automated).

– Processing and storage periods: until the expiration of the contract or replacement of representatives/employees of legal entity counterparties interacting under the contract.

– Procedure for destruction: personal data are destroyed by the operator’s responsible person with the preparation of a relevant act.

3.1.5 Clients and potential clients

– In this category, the Operator processes personal data of clients and potential clients for the purpose of informing them about products, services, news, promotions and offers via telephone communication, SMS and email from the Company and its partners.

– List of personal data processed: surname, name, patronymic, phone number, email address, region and/or city of the Russian Federation, profession and/or position.

– Method of processing: mixed (automated and non-automated).

– Processing and storage periods: until withdrawal of consent for personal data processing.

– Procedure for destruction: personal data are destroyed by the operator’s responsible person with the preparation of a relevant act.

3.1.6 Personal data of Website Users (https://redin.ru)

Personal data of website users are processed for the following purposes:

– sending advertising messages and informational newsletters about the Operator’s/Owner’s products and services and those of its partners, including special offers, promotional campaigns, giveaways, contests and surveys via email, SMS messages and push notifications;

– creating personalized service offers based on user preferences using targeted advertising;

– establishing feedback with the website user, including sending notifications, requests and processing such requests, as well as processing inquiries and applications from the user for the purpose of further conclusion and execution of contracts;

– receiving and publishing reviews;

– recruitment;

– maintaining statistics and analyzing website performance;

– concluding contracts and fulfilling the Operator’s/Owner’s obligations to the user;

– publishing materials on the website, official social media groups and other online communities of the Operator/Owner, as well as in other advertising and informational sources for purposes not related to identifying the user;

– improving the quality of user service and website modernization by processing user requests and applications, as well as recording telephone conversations with the Operator/Owner to improve service quality and preserve evidence in the event of disputes between the Operator/Owner and the user.

– The user may always unsubscribe from informational messages by sending an email to info@redindesign.ru with the subject line:
“Refusal of notifications about new products and services and special offers”.

3.1.7 Other personal data subjects (to ensure the implementation of the processing purposes specified in Section 4 of the Policy)

– Categories and lists of personal data processed in relation to other personal data subjects, as well as the processing and storage periods and the procedure for destruction of personal data upon achievement of processing purposes or upon other legal grounds, are determined in accordance with the legislation of the Russian Federation and the Operator’s local regulatory acts, taking into account the purposes of personal data processing.

3.2 Special categories of personal data

Processing of special categories of personal data relating to racial or ethnic origin, political views, religious or philosophical beliefs, or intimate life is not carried out by the Company.

3.3 Website analytics

For statistical purposes and website performance analysis, the Operator processes data using the Google Analytics and Yandex Metrica metric services, including:

– IP address;
– browser information;
– data from cookies;
– access time;
– referrer (address of the previous page).

3.4 Cross-border transfer

Cross-border transfer of personal data by the Operator is not carried out.

3.5 Biometric personal data

Processing of biometric personal data is not carried out by the Operator.

3.6 Distribution of personal data

Processing of personal data authorized by the personal data subject for distribution is carried out by the Company on the basis of the subject’s consent to distribution and in compliance with the restrictions and conditions established by the subject for processing personal data.

3.7 Purposes of personal data processing

3.7.1 Personnel and accounting administration, as well as execution of pre-contractual labor relations (relations arising between candidates for positions offered by the Operator and the Operator);

3.7.2 Conclusion, execution and termination of transactions with the Operator’s counterparties;

3.7.3 Protection of the rights and legitimate interests of the Operator;

3.7.4 Compliance with the requirements of current legislation of the Russian Federation (for example, provision of data to the Federal Tax Service of Russia, courts, the Federal State Statistics Service (Rosstat)).

3.8 Principles of personal data processing

Personal data processing by the Operator is carried out in compliance with the principles and rules established by the legislation of the Russian Federation.

Processing includes collection, recording, systematization, storage, clarification (updating, modification), use, transfer (distribution, provision, access), blocking, depersonalization and destruction of personal data.

Processing of personal data is permitted only if at least one of the following conditions is met:

– consent of the personal data subject has been obtained;
– processing is necessary for the execution of a contract to which the subject is a party;
– processing is required to fulfill the Operator’s obligations established by legislation of the Russian Federation;
– processing is necessary to protect the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the personal data subject are not violated;
– in other cases directly provided by the legislation of the Russian Federation.

3.9 Methods, processing periods, storage and destruction procedure

3.9.1 Method of processing

Mixed method, including:

– automated processing (using computer technology);
– non-automated processing (without the use of computer technology).

3.9.2 Processing and storage periods

Processing and storage periods are determined according to:

– purposes of processing;
– requirements of Russian legislation;
– limitation periods for obligations.

Storage periods

3.9.2.1 No longer than required by the processing purposes (Article 5 of Federal Law No. 152-FZ “On Personal Data”).

3.9.2.2 Employee HR documents — from 3 to 75 years.

3.9.2.3 Contracts and other transactions — 5 years.

3.9.2.4 Marketing data (email, phone number) — until consent is withdrawn.

3.10 Destruction of personal data

Personal data are destroyed upon achievement of processing purposes or upon other legal grounds within a period not exceeding 30 (thirty) days.

Destruction is carried out by:

– deletion of electronic data from storage media without the possibility of recovery;
– physical destruction of paper media.

The destruction of personal data is documented by an appropriate act.

Personal data are destroyed in the following cases:

– the purpose of processing has been achieved;
– the storage period has expired;
– the subject has withdrawn consent (and there are no other legal grounds for storage);
– the data were processed unlawfully;
– the Operator has been liquidated or ceased operations.

 

4. Functions of the Operator in Personal Data Processing

 

When processing personal data, the Operator:

– takes necessary and sufficient measures to ensure compliance with the legislation of the Russian Federation and local regulatory acts in the field of personal data;

– takes legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution and other unlawful actions;

– appoints a person responsible for organizing personal data processing in the Company;

– issues local regulatory acts governing personal data processing and protection;

– familiarizes employees directly involved in personal data processing with the requirements of legislation and internal regulations;

– publishes or otherwise ensures unrestricted access to this Policy;

– provides personal data subjects or their representatives with information about the existence of personal data relating to them and provides access upon request unless otherwise provided by law;

– terminates processing and destroys personal data in cases provided by law;

– performs other actions provided by the legislation of the Russian Federation in the field of personal data.

 

5. Main Rights of Personal Data Subjects

 

Personal data subjects have the right to:

– receive full information about their personal data processed by the Operator;

– access their personal data, including the right to receive a copy of any record containing their personal data, except in cases provided by Russian legislation.
The Operator undertakes to provide access within 30 working days from the date of receiving the request;

– clarification, blocking or destruction of their personal data if the data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the declared processing purpose;

– withdraw consent to personal data processing;

– take legal measures to protect their rights;

– appeal actions or inaction of the Operator violating personal data legislation to the authorized supervisory authority or to the court;

– exercise other rights provided by the legislation of the Russian Federation.

 

 
