Personal Data Processing Policy at INNOTEC LLC

Last updated: January 23, 2024

The Personal Data Processing Policy (hereinafter referred to as the Policy) has been developed in accordance with Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006 (hereinafter referred to as FZ-152).

This Policy defines the procedure for processing personal data and measures to ensure the security of personal data in INNOTEC LLC (located at: 115280, Russia, Moscow, Leninskaya Sloboda St., 26, Omega-2 Business Center, Office 261, OGRN 1027700028696, INN 7719038373) (hereinafter referred to as the Operator) in order to protect the rights and freedoms of individuals during the processing of their personal data, including the protection of the right to privacy, personal and family secrets.

The following basic terms are used in the Policy:

• automated processing of personal data: processing of personal data using computing technology;
• blocking of personal data: temporary cessation of the processing of personal data (except when processing is necessary to clarify personal data);
• personal data information system: a set of personal data contained in databases and the information technologies and technical means that process them;
• depersonalization of personal data: actions that result in the impossibility of determining the ownership of personal data without using additional information;
• processing of personal data: any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, usage, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal dataх;
• operator: a state body, municipal body, legal or physical person that independently or jointly with others organizes and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
• personal data: any information related directly or indirectly to an identified or identifiable individual (personal data subject);
• provision of personal data: actions aimed at disclosing personal data to a specific person or a specific group of persons;
• distribution of personal data: actions aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or familiarizing an unlimited number of persons with personal data, including public disclosure of personal data in the media, placement in information and telecommunication networks, or providing access to personal data in any other way;
• cross-border transfer of personal data: transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity;
• destruction of personal data: actions resulting in the inability to restore personal data content in the personal data information system and (or) resulting in the destruction of physical media containing personal data.

2.1. Principles of Personal Data Processing

The processing of personal data by the Operator is based on the following principles:

• legality and fairness;
• limitation of processing of personal data to the achievement of specific, predetermined, and lawful purposes;
• prevention of processing of personal data incompatible with the purposes of collecting personal data;
• prohibition of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
• processing only those personal data that meet the purposes of their processing;
• compliance of the content and volume of processed personal data with the stated purposes of processing;
• prohibition of processing of personal data redundant in relation to the stated purposes of their processing;
• ensuring the accuracy, sufficiency, and relevance of personal data to the purposes of their processing;
• Destruction or anonymization of personal data upon achieving the purposes of their processing or in case of loss of the need to achieve these purposes, if the Operator cannot eliminate the violations of personal data, unless otherwise provided by federal law.

2.2. Conditions of Personal Data Processing

The Operator processes personal data if at least one of the following conditions is met:

• processing of personal data is carried out with the consent of the personal data subject to the processing of their personal data;
• processing of personal data is necessary for the fulfillment of the purposes provided for by an international treaty of the Russian Federation or by law, for the exercise and performance of functions, powers, and duties assigned by the legislation of the Russian Federation to the Company;
• processing of personal data is necessary for the administration of justice, the execution of a court decision, a decision of another authority or official, subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings;
• processing of personal data is necessary for the performance of a contract, where the data subject is a party to the contract, a beneficiary, or a guarantor under which the personal data subject is, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
• processing of personal data is necessary to exercise the rights and legitimate interests of the Company or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;
• processing of personal data for which the personal data subject has provided unrestricted access or at their request (hereinafter referred to as publicly available personal data);
• processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

2.3. Confidentiality of Personal Data

The Operator and other individuals who have access to personal data are obligated not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by federal law.

2.4. Public Sources of Personal Data

For informational purposes, the Operator may create public sources of personal data of data subjects, including directories and address books. With the written consent of the data subject, their surname, first name, patronymic, date and place of birth, position, contact phone numbers, email address, and other personal data provided by the data subject may be included in public sources of personal data.

Information about the data subject must be excluded from public sources of personal data at any time upon the request of the data subject, the authorized body for the protection of the rights of data subjects, or by court decision.

2.5. Assignment of Personal Data Processing to Another Party

The Operator has the right to assign the processing of personal data to another party with the consent of the data subject, unless otherwise provided by federal law, based on a contract concluded with this party. The party processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing provided for by Federal Law No. 152 and this Policy.

2.6. Processing of Personal Data of Russian Citizens

In accordance with Article 2 of Federal Law No. 242-FZ of July 21, 2014, "On Amending Certain Legislative Acts of the Russian Federation Regarding Clarification of the Procedure for Processing Personal Data in Information and Telecommunication Networks," when collecting personal data, including through the Internet, the Operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), extraction of personal data of Russian citizens using databases located on the territory of the Russian Federation, except in cases:

• to achieve the goals provided for by international treaties of the Russian Federation or by law, for the exercise and performance of functions, powers, and duties imposed by the legislation of the Russian Federation on the Company;
• for the administration of justice, the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
• for the execution of the powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, bodies of local self-government, and functions of organizations participating in the provision of respective state and municipal services, as provided by Federal Law No. 210-FZ of July 27, 2010, "On the Organization of the Provision of State and Municipal Services," including the registration of personal data subjects on the unified portal of state and municipal services and/or regional portals of state and municipal services;
• for the performance of professional activities of a journalist and / or legitimate activities of a mass media outlet or scientific, literary, or other creative activities, provided that the rights and legitimate interests of the personal data subject are not violated.

2.7. Purpose of Personal Data Processing

2.7.1. The Operator processes personal data for the following purposes:

• recruiting candidates for employment vacancies at the Operator;
• selecting candidates to form the Operator's "personnel reserve.";
• managing personnel records, including employee recruitment, organizing business trips, processing leave requests, sick leave certificates, updating employee profile data, staff transfers, issuing certificates and statements, and employee terminations;
• compiling and submitting reports to state and supervisory authorities and funds;
• fulfilling obligations under local regulations and employment contracts;
• entering into, managing, and terminating civil contracts, calculating and disbursing remuneration, payment for work and services to contractors under civil contracts;
• executing contracts with counterparties;
• hosting various events.

2.7.2. To achieve the purposes of personal data processing, the Operator performs the following operations with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transmission (provision, access), anonymization, blocking, deletion, and destruction of personal data.

2.8. Obtaining Personal Data

2.8.1.  The Operator obtains personal data:

• directly from the data subject;
• from a person who is not the data subject;
• from publicly available sources.

2.8.2. The Operator obtains the consent of the data subject:

• on the website innotec.ru, by checking a box next to the text "I confirm that I have read the policy and consent to the processing of my personal data.";
• in writing, by sending a consent form for personal data processing to the email address 7376377@innotec.ru or to the Operator's location;
• in any other form that confirms the receipt of consent.

2.8.3. Obtaining personal data from a person who is not the data subject is carried out under certain grounds, including the initiation of a contract at the data subject's initiative and others:

• for entering into a contract at the initiative of the data subject, as well as for the performance of a contract where the data subject is a party or a beneficiary or guarantor thereof;
• for achieving purposes stipulated by the legislation of the Russian Federation or for the implementation and fulfillment of functions, powers, and duties assigned to the Operator by the legislation of the Russian Federation;
• for protecting the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the data subject are not violated;
• when processing personal data made publicly available by the data subject themselves or at their request (personal data made public by the data subject);
• when processing personal data that are subject to publication or mandatory disclosure in accordance with federal legislation;
• when processing personal data on behalf of another legal entity, provided that the consent of such entity to the processing of personal data by the Operator is obtained.

2.8.4. The Operator processes personal data both with and without the use of automation tools.

2.8.5. The Operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, or intimate life.

2.8.6. The Operator does not process biometric personal data.

2.9. Storage of Personal Data

2.9.1. Personal data processing by the Operator is carried out no longer than necessary to achieve the purposes of processing personal data.

2.9.2. The Operator organizes the storage of personal data for the period specified by the requirements of Federal Law No. 125-FZ "On Archival Affairs in the Russian Federation" and the "List of Standard Management Archival Documents Generated in the Activities of State Bodies, Local Self-Government Bodies, and Organizations, with Indication of Storage Periods" (Appendix to the Order of the Ministry of Culture of the Russian Federation No. 558 of August 25, 2010), as well as, in some cases, for the period specified in the contract, the other party of which, the beneficiary or the guarantor of which is the data subject.

2.9.3. Upon achieving the purposes of processing personal data or upon the expiry of the storage periods for personal data, the processed personal data are destroyed.

3.1. Consent of the personal data subject to the processing of their personal data

The personal data subject makes a decision to provide their personal data and gives consent to their processing freely, by their own will, and in their own interests. Consent for the processing of personal data may be given by the personal data subject or their representative in any form that allows confirming the fact of its receipt, unless otherwise provided by federal law.

3.2. Rights of the Personal Data Subject

The personal data subject has the right to obtain information from the Company regarding the processing of their personal data, unless such right is restricted in accordance with federal laws. The personal data subject is entitled to request the Company to clarify their personal data, block or delete it if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated processing purposes, as well as to take measures provided by law to protect their rights.

Processing of personal data for the purpose of promoting services on the market by making direct contacts with the personal data subject (potential consumer) using communication means, as well as for political campaigning, is permitted only with the prior consent of the personal data subject.

The Operator must immediately cease processing the personal data of the data subject for the above purposes upon the data subject's request.

It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences for the personal data subject or otherwise affect their rights and legitimate interests, except in cases provided by federal laws or with the written consent of the personal data subject.

If the personal data subject believes that the Operator is processing their personal data in violation of the requirements of Federal Law No. 152 or otherwise infringing their rights and freedoms, the personal data subject has the right to appeal the actions or inaction of the Company to the Authorized Body for Personal Data Protection or in court.

The personal data subject has the right to protect their rights and legitimate interests, including compensation for damages and/or compensation for moral harm.

The security of personal data processed by the Operator is ensured by implementing legal, organizational, and technical measures necessary to comply with the requirements of federal legislation in the field of personal data protection.

To prevent unauthorized access to personal data, the following organizational and technical measures are applied by the Operator:

• appointment of responsible personnel in charge of organizing the processing and protection of personal data;
• limitation of the circle of persons authorized to access personal data processing;
• familiarization of data subjects with the requirements of federal legislation and the Company's regulatory documents on the processing and protection of personal data;
• organization of accounting, storage, and handling of media containing information with personal data;
• identification of threats to the security of personal data during their processing and development of threat models based on them;
• development of a personal data protection system based on threat models;
• verification of the readiness and effectiveness of using information security measures;
• differentiation of user access to information resources and hardware and software tools for processing information;
• registration and accounting of user actions in personal data information systems;
• use of antivirus tools and recovery tools for personal data protection systems;
• application of network segmentation, intrusion detection, security analysis, and cryptographic information protection tools where necessary;
• organization of access control on the Company's premises and protection of premises with technical means of personal data processing.

Other rights and obligations of the Operator in connection with the processing of personal data are determined by the legislation of the Russian Federation in the field of personal data.

Employees of the Operator who are guilty of violating the norms regulating the processing and protection of personal data bear material, disciplinary, administrative, civil, or criminal liability in accordance with the procedure established by federal laws.

We reserve the right to periodically make changes or additions to this Policy.

When such changes occur, we will update the document's revision date at the top of this page. Changes or additions to this Policy will come into effect as of the date of the last update.