Contact Us
Personal Data Processing Policy
1. General Provisions
1.1. This Policy of LLC "Graphite Formula" regarding the processing of personal data (hereinafter - the Policy) is developed in fulfillment of the requirements of Part 1, Clause 2, Article 18.1 of the Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter – the Personal Data Law) to ensure the protection of human and civil rights and freedoms during the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.1.2. The Policy applies to all personal data processed by Limited Liability Company "Graphite Formula" (hereinafter - the Operator, LLC "Graphite Formula").
1.3. The Policy applies to relations in the field of personal data processing that arose for the Operator both before and after the approval of this Policy.
1.4. In fulfillment of the requirements of Part 2, Article 18.1 of the Personal Data Law, this Policy is published in free access on the Internet on the Operator's website.
2. Terms and Abbreviations
Personal Data (PD) – any information relating to a directly or indirectly identified or identifiable individual (data subject).Personal Data Authorized by the Data Subject for Dissemination – personal data, access to which by an unlimited number of persons has been provided by the data subject by giving consent to the processing of personal data permitted by the data subject for dissemination.
Personal Data Operator (operator) – a state body, municipal body, legal entity or individual, independently or jointly with other persons, organizing and (or) carrying out the processing of personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.
Processing of Personal Data – any action (operation) or a set of actions (operations) performed with personal data, with or without the use of automation tools. Processing of personal data includes, but is not limited to:
- Collection
- Recording
- Systematization
- Accumulation
- Storage
- Clarification (updating, modification)
- Retrieval
- Use
- Transfer (provision, access)
- Dissemination
- Depersonalization
- Blocking
- Deletion
- Destruction
Provision of Personal Data – actions aimed at disclosing personal data to a specific person or a specific circle of persons.
Dissemination of Personal Data – actions aimed at disclosing personal data to an unlimited number of persons.
Blocking of Personal Data – temporary cessation of personal data processing (except for cases where processing is necessary to clarify personal data).
Destruction of Personal Data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
Depersonalization of Personal Data – actions as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data to a specific data subject.
Personal Data Information System – the totality of personal data contained in databases and information technologies and technical means that ensure their processing (PDIS).
Cross-Border Transfer of Personal Data – transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity.
Protection of Personal Data – activities aimed at preventing the leakage of protected personal data, and unauthorized and unintentional impacts on protected personal data.
3. Procedure and Conditions for Processing and Storing Personal Data
3.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.3.2. The processing of personal data is carried out with the consent of the data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
3.3. Consent to the processing of personal data authorized by the data subject for dissemination is executed separately from other consents of the data subject to the processing of their personal data.
- 3.4. Consent to the processing of personal data authorized by the data subject for dissemination may be provided to the operator:
- Directly
- Using the information system of the authorized body for the protection of the rights of personal data subjects.
- 3.5. The Operator carries out both automated and non-automated processing of personal data.
- 3.6. Only employees of the Operator whose job responsibilities include the processing of personal data are permitted to process personal data.
- 3.7. The processing of personal data is carried out by:
- Receiving personal data orally and in writing directly with the consent of the data subject for the processing or dissemination of their personal data;
- Entering personal data into the Operator's logs, registers, and information systems;
- Using other methods of personal data processing.
3.9. The transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Social Fund, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
- 3.10. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:
- Identifying threats to the security of personal data during their processing;
- Adopting internal regulations and other documents governing relations in the field of processing and protection of personal data;
- Appointing persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
- Creating the necessary conditions for working with personal data;
- Organizing the accounting of documents containing personal data;
- Organizing work with information systems in which personal data is processed;
- Storing personal data under conditions that ensure their safety and prevent unauthorized access to them;
- Organizing training for the Operator's employees who process personal data.
3.12. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in the Personal Data Law.
3.13. Purposes of personal data processing:
3.13.1. Only personal data that meets the purposes of their processing is subject to processing.
- 3.13.2. The Operator processes personal data for the following purposes:
- Ensuring compliance with the Constitution, federal laws, and other regulatory legal acts of the Russian Federation;
- Carrying out its activities in accordance with the Charter of LLC "Graphite Formula";
- Maintaining personnel records;
- Assisting employees in employment, education, and career advancement, ensuring personal safety of employees, controlling the quantity and quality of work performed, ensuring the safety of property;
- Attracting and selecting candidates for employment with the Operator;
- Organizing the registration of employees for individual (personalized) accounting in the mandatory pension insurance system;
- Completing and submitting required reporting forms to executive authorities and other authorized organizations;
- Exercising civil-law relations;
- Implementing access control procedures.
3.15. Categories of personal data subjects.
- PD of the following data subjects are processed:
- Individuals in an employment relationship with LLC "Graphite Formula";
- Individuals who have resigned from LLC "Graphite Formula";
- Individuals who are job candidates;
- Individuals in civil-law relationships with LLC "Graphite Formula".
- 3.16. PD processed by the Operator:
- Data obtained in the course of employment relationships;
- Data obtained for the purpose of selecting job candidates;
- Data obtained in the course of civil-law relationships.
3.17.1. PD of subjects may be obtained, undergo further processing, and be transferred for storage on both paper and electronic media.
3.17.2. PD recorded on paper media are stored in locked cabinets or in locked premises with limited access rights.
3.17.3. PD of subjects processed using automation tools for different purposes are stored in different folders.
3.17.4. Storage and placement of documents containing PD in open electronic catalogs (file sharing systems) in the PDIS is not permitted.
3.17.5. Storage of PD in a form that allows the identification of the data subject is carried out for no longer than required by the purposes of their processing, and they are subject to destruction upon achieving the processing purposes or in case of loss of the necessity to achieve them.
3.18. Destruction of PD.
3.18.1. Destruction of documents (media) containing PD is carried out by shredding (pulverizing) or burning in a location permitted by labor safety standards, in the presence of a commission. The use of a shredder is permitted for the destruction of paper documents.
3.18.2. PD on electronic media are destroyed by erasing or formatting the media.
3.18.3. The fact of PD destruction is documented by a certificate of media destruction.
4. Protection of Personal Data
4.1. In accordance with the requirements of regulatory documents, the Operator has created a Personal Data Protection System (PDPS), consisting of legal, organizational, and technical protection subsystems.4.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents ensuring the creation, functioning, and improvement of the PDPS.
4.3. The organizational protection subsystem includes the organization of the PDPS management structure, an authorization system, and information protection when working with employees, partners, and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and hardware-software tools that ensure the protection of PD.
4.5. The main PD protection measures used by the Operator are:
4.5.1. Appointment of a person responsible for the processing of PD, who organizes the processing of PD, conducts training and instruction, and performs internal control over the compliance of the institution and its employees with the requirements for PD protection.
4.5.2. Identification of current threats to PD security during their processing in the PDIS and development of measures and actions for PD protection.
4.5.3. Development of a policy regarding the processing of personal data.
4.5.4. Establishment of rules for access to PD processed in the PDIS, as well as ensuring the registration and accounting of all actions performed with PD in the PDIS.
4.5.5. Establishment of individual access passwords for employees in the information system according to their job responsibilities.
4.5.6. Use of information security tools that have undergone the established conformity assessment procedure.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with conditions ensuring the safety of PD and preventing unauthorized access to them.
4.5.9. Detection of facts of unauthorized access to personal data and taking measures.
4.5.10. Restoration of PD modified or destroyed due to unauthorized access.
4.5.11. Training of the Operator's employees who directly carry out the processing of personal data, on the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, and local acts on the processing of personal data.
4.5.12. Implementation of internal control and audit.
5. Basic Rights of the PD Subject and Obligations of the Operator
5.1. Basic Rights of the PD Subject:The Subject has the right to access their personal data and the following information:
- Confirmation of the fact of PD processing by the Operator;
- The purposes of PD processing;
- The methods of PD processing used by the Operator;
- The name and location of the Operator, information about persons (except for the Operator's employees) who have access to the PD or to whom the PD may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
- The time limits for processing personal data, including their storage periods;
- The procedure for the PD Subject to exercise the rights provided for by this Federal Law;
- The name or surname, first name, patronymic, and address of the person processing PD on behalf of the Operator, if the processing is assigned or will be assigned to such a person;
- To contact the Operator and send requests to them;
- To appeal against the actions or inaction of the Operator.
The Operator is obliged to:
When collecting PD, provide information about the processing of PD;
If access to PD is refused, explain to the subject the consequences of such refusal;
Publish or otherwise ensure unrestricted access to the document defining its policy regarding the processing of PD, and to information about the implemented requirements for the protection of PD;
Take the necessary legal, organizational, and technical measures or ensure their adoption to protect PD from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of PD, as well as from other unlawful actions in relation to PD;
Respond to requests and appeals from PD Subjects, their representatives, and the authorized body for the protection of the rights of PD subjects.
6. Updating, Correction, Deletion and Destruction of Personal Data, Responses to Subject Requests for Access to Personal Data
6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the personal data subject or their representative upon request. The information provided shall not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.The request must contain:
- The number of the primary identity document of the personal data subject or their representative, information about the date of issue of said document and the issuing authority;
- Information confirming the participation of the personal data subject in relations with the Operator (contract number, contract date, conditional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;
- Signature of the personal data subject or their representative.
If the appeal (request) of the personal data subject does not contain all the necessary information as required by the Personal Data Law, or if the subject does not have the right to access the requested information, a reasoned refusal shall be sent to them. The right of the personal data subject to access their personal data may be restricted in accordance with Part 8 of Article 14 of the Personal Data Law, including if the access of the personal data subject to their personal data violates the rights and legitimate interests of third parties.
6.2. If inaccurate personal data are identified upon an appeal by the personal data subject or their representative, or upon their request or a request from Roskomnadzor, the Operator shall block the personal data relating to this personal data subject from the moment of such appeal or receipt of the specified request for the period of verification, provided that blocking the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
If the inaccuracy of the personal data is confirmed, the Operator, based on the information provided by the personal data subject or their representative, or by Roskomnadzor, or other necessary documents, shall correct the personal data within seven working days from the date of submission of such information and remove the blocking of the personal data.
6.3. If unlawful processing of personal data is identified upon an appeal (request) by the personal data subject or their representative, or by Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to this personal data subject from the moment of such appeal or receipt of the request.
6.4. Upon achieving the purposes of personal data processing, as well as in the event the personal data subject withdraws their consent to their processing, the personal data shall be destroyed, unless:
- Otherwise provided by a contract to which the personal data subject is a party, beneficiary, or guarantor;
- The Operator is not entitled to process the data without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;
- Otherwise provided by another agreement between the Operator and the personal data subject.
7. Final Provisions
7.1. Liability for violation of the requirements of the legislation of the Russian Federation and regulatory documents of LLC "Graphite Formula" in the field of personal data shall be determined in accordance with the legislation of the Russian Federation.7.2. This Policy comes into force from the moment of its approval and remains in effect indefinitely until a new Policy is adopted.
7.3. All changes and additions to this Policy must be approved by the Director of LLC "Graphite Formula".