PERSONAL DATA PROCESSING POLICY

• “Personal data” means any information relating to a directly or indirectly identified or identifiable individual
  
• “Personal data operator” (hereinafter referred to as the “Operator”) means state authority, municipal authority, legal entity or individual person, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data, subject to processing, actions (operations) performed with personal data
  
• “Personal data processing” means any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modifying), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data
  
• “Provision of personal data” means actions aimed at disclosure of personal data to a certain person or a certain circle of persons
  
• “Dissemination of personal data” means actions aimed at disclosure of personal data to a certain person or a certain circle of persons
  
• “User" means a person who has access to the site, services via the Internet and uses the site, services
  
• “Automated personal data processing” means processing of personal data using computer technology
  
• “Destruction of personal data” means actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and/or as a result of which the material carriers of personal data are destroyed
  
• “Personal data information system” means a set of personal data contained in databases and information technologies and technical means that ensure their processing
  
• “Cross-border transfer of personal data” means the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual person or a foreign legal entity
  

• The personal data processing is carried out in the Company on a legal and fair basis
  
• The personal data processing is limited to the achievement of specific, predetermined and legitimate purposes
  
• It is not allowed to process the personal data incompatible with the purposes of personal data collection.
• It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other
  
• Only personal data that meet the purposes of their processing are subject to processing
• The content and scope of the processed personal data correspond to the stated purposes of processing. Redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed
• When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes personal data processing, are ensured. The Company takes the necessary measures to delete or clarify incomplete or inaccurate personal data
• Storage of personal data is carried out in a form that allows determining the subject of personal data, no longer than the purposes of personal data processing require if the period of storage of personal data is not under federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor
• The processed personal data is destroyed or depersonalized upon achievement of the processing purposes or in case of loss of the need to achieve these purposes, unless otherwise under federal law
  

• Ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, local regulations of the Company
• Performing the functions, powers and obligations assigned by the legislation of the Russian Federation to the Company, including the provision of personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as other state authorities
• Regulation of labor relations with the Company’s employees (assistance in employment, training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property)
• Providing the Company’s employees with additional guarantees and compensations, including voluntary medical insurance, medical care and other types of social security
• Protection of life, health or other vital interests of personal data subjects
• Preparation, conclusion, execution and termination of contracts with counterparties
• Execution of judicial acts, acts of other authorities or officials subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings
• For other legitimate purposes

• Candidates for vacant positions of the Company
  
• The Company’s employees, relatives of the Company’s employees, within the limits determined by the legislation of the Russian Federation, if information about them is given by the employee
• Individuals with whom the Company enters into independent contractor agreement
• Representatives of legal entities – counterparties of the Company
• Counterparties of the Company – individual entrepreneurs
• Users of the services and the website owned by the Company: http://www.teamidea.ru/en/
• Other subjects of personal data

• Non-automated personal data processing
  
• Automated personal data processing with or without transmission of the received information via information and telecommunication networks
  
• Mixed personal data processing
  

• Takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation and local regulations of the Company in the field of personal data
  
• Takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data
  
• Appoints a person responsible for organizing the personal data processing in the Company
• Issues local regulations that determine the policy and issues of processing and protecting personal data in the Company
• Familiarizes the Company’s employees directly engaged in the personal data processing with the provisions of the legislation of the Russian Federation and local regulations of the Company in the field of personal data, including the requirements for the protection of personal data, and training of these employees
• Publishes or otherwise provides unrestricted access to this Policy
• Informs the personal data subjects or their representatives in accordance with the established procedure about the availability of personal data related to the relevant subjects, provides an opportunity to get acquainted with these personal data when applying and (or) receiving requests from the specified personal data subjects or their representatives, unless otherwise under the legislation of the Russian Federation Federations
  
• Terminates processing and destroys personal data in cases under the legislation of the Russian Federation in the field of personal data
• Performs other actions under the legislation of the Russian Federation in the field of personal data

• Receive full information about their personal data processed by the Company
• Demand clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing
• Demand the adoption of measures under law to protect their rights
• Get access to their personal data with the right to receive a copy of any record containing their personal data, except as otherwise under federal law
• Withdraw consent to the personal data processing
• Appeal against the actions or inaction of the Company to the authorized authority for the protection of the rights of personal data subjects or in court
• Conduct other rights under the legislation of the Russian Federation

• To provide the personal data subject, upon his request, with information concerning his personal data processing, or legally provide a refusal within thirty days from the receipt date of the request of the personal data subject or his representative
  
• To explain to the personal data subject, the legal consequences of refusing to provide his personal data, if the provision of personal data is mandatory in accordance with federal law
  
• To take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data
• To publish on the Internet and provide unrestricted access using the Internet to the document defining its policy regarding the personal data processing, to information about the implemented requirements for the personal data protection
• To block illegally processed personal data related to the personal data subject
• To clarify the personal data of the subjects
• To terminate illegal personal data processing in case of detection of illegal personal data processing carried out by the Company
• To terminate the personal data processing and destroy personal data upon achievement of the purpose of personal data processing, unless otherwise under the agreement to which the personal data subject is a party, beneficiary or guarantor, if the purpose of personal data processing is achieved
• To terminate personal data processing and destroy personal data if the personal data subject withdraws consent to the personal data processing, if the Company does not have the right to process personal data without the consent of the personal data subject
• To perform other obligations under the legislation of the Russian Federation

• To get acquainted with the Policy and internal documents regulating the personal data processing, and comply with the requirements of these documents
• To process personal data only within performing their work duties
• Not to disclose personal data, access to which was obtained within performing their work duties
• To inform the employer about the facts of disclosure (destruction, distortion) of personal data
  

• Appointment of a person responsible for organizing the personal data processing in the Company
• Adoption of local regulations and other documents in the field of processing and protection of personal data
• Conduction of training and methodological work with the Company’s employees responsible for organizing the personal data processing
• Obtaining consents of personal data subjects to the processing of their personal data, except as otherwise under the legislation of the Russian Federation
• Separation of personal data processed without the use of automation tools from other information, in particular by fixing them on separate material carriers of personal data, in special sections
• Ensuring separate storage of personal data and their material carriers, the processing of which is carried out for different purposes and which contain different categories of personal data
• Storage of material carriers of personal data in compliance with the conditions that ensure the personal data safety and exclude unauthorized access to them
• Implementation of internal control over the compliance of the personal data processing with the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it, the requirements for the personal data protection, this Policy, local regulations of the Company
• Other measures under the legislation of the Russian Federation in the field of personal date

• When changing the legislation of the Russian Federation in the field of personal data processing and protection
• In cases of receipt of instructions from the competent state authorities to eliminate inconsistencies affecting the scope of the Policy
• By decision of the Company’s management
• When changing the purposes of personal data processing
  
• When changing the organizational structure, the structure of information and/or telecommunication systems (or introducing new ones)
• When applying new technologies for processing and protecting personal data (including transmission, storage)
• If there is a need to change the process of personal data processing related to the Company’s activities