Personal Data Processing Policy

1. General Terms

   1.1. his Personal Data Processing Policy has been executed in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, hereinafter referred to as the Law on Personal Data, and determines personal data processing procedures and personal data security measures undertaken by TEUSTAT LLC (TIN 9715438663), hereinafter referred to as the Data Processor.

   1.2. The Data Processor has a critical goal and a standard for its operations to observe human and civil rights and freedoms when processing their personal data, including the protection of rights for privacy, personal and family secrets.

   1.3. This Personal Data Processing Policy of the Data Processor, hereinafter referred to as the Policy, shall apply to all information that the Data Processor can obtain about visitors of the website https://teustat.ru.

   1.4. The Policy shall apply to the relationships in the context of personal data processing that the Data Processor has created both before and after the approval hereof.

   1.5. To the satisfaction of Part 2, Article 18.1 of the Law on Personal Data, this Policy is published in the public domain, in an online environment, on the Data Processor’s website.

   1.6. Basic definitions to be used in the Policy are as follows:

   1.6.1. Automated personal data processing is personal data processing by means of computer technology;

   1.6.2. Personal data blocking is suspension of personal data processing (except for cases when processing is required for personal data rectification);

   1.6.3. A website is a combination of graphic and information content, as well as application software and databases that ensure their online accessibility at https://teustat.ru;

   1.6.4. A personal data information system is a combination of personal data kept in databases and software and hardware ensuring their processing;

   1.6.5. Personal data depersonalization is an activity that makes it impossible to determine, without the use of additional information, the ownership of personal data by a particular User or any other personal data subject;

   1.6.6. Personal data processing is any action (operation) or cumulative actions (operations) performed with or without the use of automation means with regard to personal data, including collection, record, systemization, accumulation, storage, rectification (update, change), extraction, use, communication (distribution, sharing, access), depersonalization, blocking, erasure or destruction of personal data;

   1.6.7. A data processor is a government authority, a municipal body, an entity or an individual, which independently or jointly with other bodies arranges for and (or) performs personal data processing, as well as defines purposes of personal data processing, scope of personal data to be processed, and actions (operations) to be performed with regard to personal data;

   1.6.8. Personal data is any information expressly or implicitly related to an identified or identifiable User of the website https://teustat.ru

   1.6.9. Personal data authorized by a personal data subject for distribution is personal data, the access of general public to which is provided by the personal data subject by giving consent to processing of personal data allowed by the personal data subject for distribution under the current statutory procedure.

   1.6.10. A user is any visitor of the website https://teustat.ru

   1.6.11. Personal data sharing is actions aimed at disclosure of personal data to a certain person or a certain group of people;

   1.6.12.Personal data distribution is any actions aimed to disclosure of personal data to the public (personal data communication) or at familiarization of the general public with personal data, including publication of personal data in mass media, cyber placement, or granting access to personal data otherwise;

   1.6.13.International data transfer is communication of personal data to a foreign jurisdiction to a foreign public authority, a foreign individual, or a foreign entity;

   1.6.14. Personal data destruction is any actions, as a result of which personal data is destructed irretrievably, with no option to further recover the content of personal data in the personal data information system, and (or) physical personal data storage media are destroyed.

   1.7. Basic rights and duties of the Data Processor

   1.7.1. The Data Processor is entitled to:

   1) independently determine the scope and list of measures that are necessary and sufficient to ensure performance of obligations stipulated by the Law on Personal Data and laws and regulations enacted in accordance therewith unless otherwise stipulated by the Law on Personal Data or other federal laws;

   2) assign personal data processing to another body upon consent of the personal data subject unless otherwise stipulated by the federal law on grounds of a contract entered into with this body. The body processing personal data by the Data Processor’s order shall observe principles and rules of personal data processing stipulated by the Law on Personal Data, maintain confidentiality of personal data, undertake necessary measures aimed at ensuring performance of obligations stipulated by the Law on Personal Data;

   3) should the personal data subject withdraw their consent to personal data processing, the Data Processor is entitled to continue personal data processing without the consent of the personal data subject if eligible in accordance with the Law on Personal Data.

   1.7.2. The Data Processor is obliged to:

   1) arrange for processing of personal data, including one allowed by the personal data subject for distribution, in accordance with requirements of the Law on Personal Data;

   2) reply to inquiries and requests of personal data subjects and their legal representatives in accordance with requirements of the Law on Personal Data;

   3) communicate to a body authorized for protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)), upon request of this body, the information required within ten business days since the date of receipt of such a request. This period may be extended, but for no more than five business days. For this purpose, the Data Processor shall send Roskomnadzor a reasoned notice with indication of reasons to extend the period for provision of the information requested;

   4) in the manner defined by a federal executive agency authorized in safety provision, ensure interaction with the state system of detection, prevention and elimination of consequences of computer attacks on information resources of the Russian Federation, including the creation of its awareness of computer incidents that have caused unauthorized communication of (distribution of, sharing of, access to) personal data.

   1.8. Basic rights of the personal data subject. The personal data subject is entitled to:

   1) obtain information related to their personal data processing, except for the cases contemplated by federal laws. The data is provided to the personal data subject by the Data Processor in an intelligible form, and it shall not contain personal data related to other personal data subjects, except for the cases where there is a lawful basis for disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;

   2) require of the Data Processor to rectify their personal data, block or destroy it if personal data is incomplete, out-of-date, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as undertake measures prescribed by law to protect their rights;

   3) give provisional consent for personal data processing for the purposes of promotion of goods, works, and services in the market;

   4) appeal to Roskomnadzor or to court against illegal actions or omissions of the Data Processor while their personal data being processed.

   1.9. The compliance with the requirements hereof shall be monitored by an authorized person responsible for arrangements of personal data processing on the part of the Data Processor.

   1.10. The liability for breaches in legislative requirements of the Russian Federation and regulations of TEUSTAT LLC in the field of personal data processing and protection shall be defined in accordance with law of the Russian Federation.

2. Scope and Categories of Personal Data Processed. Categories of Personal Data Subjects

   2.1. The content and scope of personal data processed shall correspond to the stated purposes of processing stipulated in Article 3 hereof. The personal data processed shall not be redundant with respect to the stated purposes of its processing.

   2.2. The Data Processor may process personal data of the following category of personal data subjects:

   2.2.1. Users:

   -Full name;

   -Email address;

   -Phone numbers;

   -User’s employer (legal name).

   2.2.2. Besides, the website accepts and processes anonymized data about visitors (including cookies) by means of online statistics services (Yandex.Metrica, Google Analytics and others), as well as through the Users’ clicks and queries.

   2.3. The aforementioned data are hereinafter generally classified as Personal Data.

   2.4. The Data Processor processes biometric personal data (data that describe human physiological and biological make-up, on the basis of which an identity can be established) in accordance with legislation of the Russian Federation

   2.5. The Data Processor does not process special categories of personal data related to race, nationality, political, religious, or philosophical views, and medical state, except for the cases contemplated by legislation of the Russian Federation.

3. Purposes of Processing

   3.1. Personal data processing shall be limited by fulfillment of specific, predetermined, and legitimate purposes. Personal data processing that is incompatible with purposes of personal data collection is not allowed.

   3.2. Only personal data meeting the purposes of its processing is subject to processing.

   3.3. The purpose of the User’s personal data processing is informing the User by sending emails; granting access to the User to services, information, and/or materials on the website.

   3.4. Besides, the Data Processor is entitled to send the User notifications of new products and services, special offers and various events. The User may always opt out of receiving information messages by clicking on ‘Unsubscribe’ at the bottom of the email.

   3.5. Users’ anonymized data collected via online statistics services are designed to collect data about the Users’ actions on the website and improve the website’s quality and content.

4. Legal Basis for Personal Data Processing

   4.1. The legal basis for personal data processing is a body of laws and regulations, in pursuance of and in accordance with which the Data Processor processes personal data.

   4.2. The Data Processor processes the User’s personal data only when it is filled in and/or submitted by the User on their own via special forms on the website https://teustat.ru. Filling in respective forms and/or sending their personal data to the Data Processor, the User expresses their consent herewith.

   4.3. The Data Processor processes anonymized data about the User when it is allowed in the User’s browser configuration (saving cookies and JavaScript use are on).

5. Procedure and Terms of Personal Data Processing

   5.1. Personal data shall be processed by the Data Processor in accordance with legislative requirements of the Russian Federation.

   5.2. Personal data shall be processed upon consent of personal data subjects to processing of their personal data, as well as without such where provided for by law of the Russian Federation.

   5.3. The Data Processor processes personal data for every purpose of its processing in the following ways:

   • non-automated personal data processing;
   • automated personal data processing, with or without communication of the information extracted via information and telecommunication networks;
   • mixed personal data processing.

   5.4. The access to personal data processing shall be granted to the Data Processor’s employees whose job duties include personal data processing.

   5.5. For every purpose of processing stated in Article 2 of the Policy, personal data shall be processed by means of:

   • acquisition of personal data in written form immediately from personal data subjects;
   • entering personal data into logs, registers, and information systems of the Data Processor;
   • other ways of personal data processing.

   5.6. It is not allowed to disclose to third parties and to distribute personal data without consent of the personal data subject unless otherwise stipulated by federal law. The consent to personal data processing allowed by the personal data subject for distribution shall be documented apart from other consents of the personal data subject to their personal data processing.

   5.7. Personal data shall be communicated to bodies of inquiry and investigation, to the Federal Tax Service, the Social Fund of Russia and other authorized executive authorities and organizations in accordance with legislative requirements of the Russian Federation.

   5.8. The Data Processor shall undertake necessary legal, managerial, and technical measures to protect personal data from unauthorized or accidental access thereto, destruction, change, blocking, distribution and other unauthorized actions, including the following ones:

   • determination of security threats to personal data during its processing;
   • enactment of local regulations and other documents regulating personal data processing and protection;
   • appointment of persons responsible for ensuring personal data security in the Data Processor’s business units and information systems;
   • creation of a favorable environment for personal data management;
   • arrangements for recording of documents containing personal data;
   • arrangements for dealing with information systems where personal data is processed;
   • storage of personal data in the conditions where its integrity is ensured and unauthorized access thereto is excluded;
   • arrangements for training of the Data Processor’s employees who process personal data.

   5.9. The Data Processor shall store personal data in a form allowing for identification of the personal data subject only as long as is needed for every purpose of personal data processing if the personal data retention period is not established by any federal law or contract.

   5.9.1. Personal data in paper form shall be stored in TEUSTAT LLC within the document retention periods, for which these periods are prescribed by legislation on archives in the Russian Federation (Federal Law No 125-FZ of October 22, 2004 “On Archives in the Russian Federation”, List of Standard Administrative Archive Documents Executed in the Course of Business of Public Authorities, Local Authorities and Organizations, with Indication of Their Terms of Retention (approved by Order N 236 of December 20, 2019 of the Federal Archival Agency of Russia)).

   5.9.2. The retention period for personal data processed in personal data information systems shall correspond to the retention period for personal data in paper form.

   5.10. The Data Processor shall discontinue personal data processing in the following instances:

   • a fact of its unauthorized processing has been elicited. The period shall be three business days since the date of elicitation;
   • a purpose of its processing has been accomplished;
   • the retention period has been expired or the consent of the personal data subject to processing of the data said has been withdrawn when the Law on Personal Data allows processing of this data only upon consent thereof.

   5.11. Upon fulfillment of purposes of personal data processing, as well as upon withdrawal of consent of the personal data subject to its processing, the Data Processor shall discontinue processing of this data in the following instances:

   • unless otherwise stipulated by a contract whereto or whereunder the personal data subject is a party, a beneficiary, or a guarantor;
   • when the Data Processor is not entitled to process data without the consent of the personal data subject on the grounds stipulated by the Law on Personal Data or other federal laws;
   • unless otherwise stipulated by another agreement between the Data Processor and the personal data subject.

   5.12. When the personal data subject applies to the Data Processor with a request to discontinue personal data processing within the period not exceeding ten business days since the date of receipt of the respective request by the Data Processor, personal data processing shall be discontinued except for the cases stipulated by the Law on Personal Data. The said period may be extended, but for no more than five business days. For this purpose, the Data Processor shall send the personal data subject a reasoned notice with indication of reasons to extend the period.

   5.13. When collecting personal data, including via the Internet, the Data Processor shall arrange recording, systemization, accumulation, storage, rectification (update, change), extraction of personal data of citizens of the Russian Federation with the use of databases in the territory of the Russian Federation, except as provided in the Law on Personal Data.

6. Update, Correction, Erasure, and Destruction of Personal Data. Replies to Subjects’ Requests for Access to Personal Data

   6.1. The proof of personal data processing by the Data Processor, legal ground and purposes of personal data processing, as well as other information specified in Part 7, Article 14 of the Law on Personal Data shall be provided by the Data Processor to the personal data subject or their representative within ten business days since the date of an address or a receipt of a request of the personal data subject or their representative. This period may be extended, but for no more than five business days. For this purpose, the Data Processor shall send the personal data subject a reasoned notice with indication of reasons to extend the period for provision of the information requested.

   The information provided shall not include personal data related to other personal data subjects except for the cases where there is a lawful basis for disclosure of such personal data. The request shall contain:

   • number of the primary ID document of the personal data subject or their representative, information about the date of issue of the said document and the issuing authority;
   • information confirming the involvement of the personal data subject into the relationship with the Data Processor (contract number, date of contract, verbal identification mark and (or) other information) or information otherwise proving the fact of personal data processing by the Data Processor;
   • signature of the personal data subject or their representative.

   The request may be submitted as an e-document and signed digitally in accordance with law of the Russian Federation.

   The Data Processor shall provide information specified in Part 7, Article 14 of the Law on Personal Data to the personal data subject or their representative in the same form as the respective address or request was submitted unless otherwise specified in the address or request.

   If the address (request) of the personal data subject does not present, in accordance with requirements of the Law on Personal Data, all necessary information or the subject does not have the rights of access to the information requested, a reasoned refusal shall be submitted thereto.

   The right of the personal data subject for access to their personal data may be abridged in accordance with Part 8, Article 14 of the Law on Personal Data, including the case when the access of the personal data subject to their personal data violates rights and legal interests of third parties.

   6.2. In the event of discovery of inaccurate personal data upon address of the personal data subject or their representative or upon their request or the request of Roskomnadzor, the Data Processor shall block personal data related to this personal data subject from the time of such address or receipt of the said request for the check-out period if personal data blocking does not violate rights and legal interests of the personal data subject or third parties.

   In the event that inaccuracy of the personal data is proven, the Data Processor, based on the information provided by the personal data subject or their representative or by Roskomnadzor or on other necessary documents, shall rectify personal data within seven business days since the date of provision of such information and unblock personal data.

   6.3. In the event of discovery of unauthorized personal data processing upon address (request) of the personal data subject or their representative or of Roskomnadzor, the Data Processor shall block wrongfully processed personal data related to this personal data subject from the time of such address or receipt of the request.

   6.4. If the Data Processor, Roskomnadzor or any other interested party discovers a fact of unauthorized or accidental communication (provision, distribution) of personal data (access to personal data) that has caused violation of rights of personal data subjects, the Data Processor shall:

   • within 24 hours, notify Roskomnadzor of the incident that has occurred, hypothetic causes of the violation of rights of personal data subjects, hypothetic damage done to the rights of personal data subjects, and measures undertaken to remedy consequences of the incident, as well as provide information about the person authorized by the Data Processor to interact with Roskomnadzor in the matter of the incident;
   • within 72 hours, notify Roskomnadzor of the results of an internal investigation of the incident discovered and provide information about persons whose actions have caused it (if any).

   6.5. Procedure for personal data destruction by the Data Processor.

   6.5.1. Terms and conditions of personal data destruction by the Data Processor:

   • fulfillment of a purpose of personal data processing or no further need to fulfill this purpose—within 30 days;
   • meeting deadlines for storage of documents containing personal data—within 30 days;
   • provision by the personal data subject (their representative) of evidence that personal data has been obtained illegally or is not necessary for the stated purpose of processing—within seven business days;
   • withdrawal, by the personal data subject, of consent to their personal data processing if its holding is no longer required for the purpose of its processing—within 30 days.

   6.5.2. Upon fulfillment of the purpose of personal data processing, as well as in the event of withdrawal, by the personal data subject, of consent to their personal data processing, personal data is subject to destruction in the following instances:

   • unless otherwise stipulated by a contract whereto or whereunder the personal data subject is a party, a beneficiary, or a guarantor;
   • when the Data Processor is not entitled to process data without the consent of the personal data subject on the grounds stipulated by the Law on Personal Data or other federal laws;
   • unless otherwise stipulated by another agreement between the Data Processor and the personal data subject.

   6.5.3. The ways to destroy personal data shall be established in local regulations of the Data Processor.

7. International Data Transfer

   7.1. Personal data shall be transferred cross-border in accordance with the Law on Personal Data and international treaties of the Russian Federation.

8. Final Provisions

   8.1. The User may call for any clarification of any points of interest with regard to processing of their personal data when addressing to the Data Processor at  info@teustat.ru.

   8.2. This document will represent any amendments of the Personal Data Processing Policy by the Data Processor. The Policy shall remain in force indefinitely until its substitution for a new version.

   8.3. The User shall monitor amendments to this Policy on their own.

   8.4. The most up-to-date version of the Policy is freely available online at https://teustat.ru/policy.