Privacy policy
1. General Provisions
Goals and purposes of the Privacy Policy
The purpose of the Privacy Policy (hereinafter, Privacy Policy/Regulations) shall be to determine the procedure for processing and protecting individual personal data by Joint Stock Company Infotech Group (Personal Data Operator). The processing of employees’ personal data shall also be governed by the Regulations on the processing and protection of employees’ personal data. In the event of a conflict between this Privacy Policy and the Regulations on the processing and protection of employees’ personal data, the Privacy Policy shall be applicable.
The purpose of this Privacy Policy shall be to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of privacy and protection of personal and family secrets.
This Privacy Policy shall be applicable only to the website of JSC Infotech Group. JSC Infotech Group does not control the websites of third parties, which a User can open by clicking on the links available on the website of JSC Infotech Group.
Main terms and definitions
Personal Data Operator (hereinafter referred to as the operator, the Company) shall refer to JSC Infotech Group, located at: 39 Novocheremushkinskaya St., building 2, office 1, Russian Federation, Moscow, 117218, which processes personal data, and determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) to be performed involving personal data.
The Website (hereinafter referred to as the Website or Site) shall refer to the website https://infotech.group/, in which any Visitor can find information about the Company’s services and products.
Website User shall refer to a person who has access to the Website via the Internet and uses the Website.
Personal data (hereinafter referred to as Personal Data or Data) shall refer to any information relating directly or indirectly to a specific or an identifiable private individual (personal data subject).
Personal data processing shall refer to any activity (operation) or set of activities (operations) performed with personal data using automation tools or without using such tools. Personal data processing shall include:
- collecting
- recording
- systematization
- accumulation
- storage
- revision (updating, modification)
- extraction
- use
- transmission (distribution, provision, access)
- depersonalization
- blocking
- deletion
- destruction
Automated processing of personal data shall refer to the processing of personal data using computer facilities.
Dissemination of personal data shall refer to actions aimed at disclosing personal data to an indefinite group of persons.
Provision of personal data shall refer to actions aimed at disclosing personal data to a specific person or a certain group of persons.
Blocking personal data shall refer to the temporary termination of the processing of personal data (unless the processing is required to update personal data).
Destruction of personal data shall refer to actions which make it impossible to restore the contents of personal data in the personal data information system and (or) as a result of which the storage media for personal data are destroyed.
Depersonalization of personal data shall refer to actions that make it impossible to determine the ownership of personal data by a specific personal data subject without using additional information.
Information system of personal data shall refer to the entirety of personal data contained in the databases and the information technologies, and technical facilities that provide their processing.
Cross-border transfer of personal data shall refer to the transfer of personal data to the territory of a foreign state, to an authority of a foreign state, to a foreign individual or to a foreign legal entity.
Personal data privacy shall refer to the requirement to prevent the dissemination of data without the consent of the personal data subject or other legal grounds which are mandatory for the Operator or other persons who have access to personal data.
Cookies shall refer to a small fragment of data sent by a web server and stored on a User’s computer, that is sent to the web server by the web client or web browser each time an HTTP request appears when a User attempts to open a page of this website.
IP address is a unique network address of a node in a computer network built on the IP protocol.
The Operator’s main rights and obligations
In the course of data processing, the Company shall:
- provide the data subject, at his/her request, with information regarding the processing of his/her Personal Data, or provide a legal basis for refusal within thirty days from the date of receipt of such request from the data subject or his/her representative;
- explain the legal consequences of the data subject’s refusal to provide the Data if the provision of data is mandatory pursuant to a federal law;
- take the necessary legal, organizational and technical measures or ensure that these measures are taken to protect the Data from unauthorized or accidental access to them, destruction, revision, blocking, copying, provision, dissemination of Data, as well as from other illegal actions with respect to Data;
- post on the Internet and provide unrestricted Internet access to a document that defines its policy regarding data processing, and to the information on the current data protection requirements;
- to provide data subjects and/or their representatives, free of charge, with the opportunity to familiarize themselves with the Data in case they require it in the relevant form, within 30 days from the date when such request is received;
- block, for a verification period, unlawfully processed Data related to the Data Subject, or ensure that said Data are blocked (if data processing is performed by another person acting on behalf of the Company) from the time when an application or a request is received the unlawful processing of Data, and sent by the Data subject or his/her representative, or an authorized body protecting the rights of personal data subjects;
- update the Data or ensure the updating of said Data (if data processing is performed by another person acting on behalf of the Company) within seven working days from the date of the submission of information, and cancel the blocking of data in case the inaccuracy of data is confirmed on the basis of information submitted by the data subject or his/her representative;
- stop illegal processing of Data or ensure stoppage of the illegal processing of Data by a person acting on behalf of the Company, in the event of disclosure that that unlawful data processing is performed by the Company or a person acting on the basis of an agreement with the Company, within a period not exceeding three business days from the date of such disclosure;
- stop the processing of the Data or ensure its stoppage (if Data processing is performed by another person acting under a contract stipulated with the Company) and destroy the Data or ensure their destruction (if Data processing is performed by another person acting under a contract stipulated with the Company) upon the achievement of the purpose for which the Data was processed if the contract to which the data subject is a party, a beneficiary or a guarantor, does not stipulate otherwise, in the event of the achievement of the purpose for which the Data was processed;
- stop the processing of the Data or ensure its stoppage and destroy the Data or ensure their destruction in the event that the Data subject withdraws his/her consent to process the Data, if the Company is not entitled to process the Data without the consent of the data subject;
- keep a log recording the requests of Personal Data subjects, in which the requests of Data subjects for receiving Data are recorded, as well as instances involving the provision of Data pursuant to these requests;
- perform other duties stipulated by law.
When processing the data, the Company shall be entitled to:
- process personal data in accordance with these Regulations and the laws of the Russian Federation.
Main rights and duties of the subject(s) of personal data
The subject whose data is processed by the Company shall have the following rights:
-
to receive from the Company:
- confirmation concerning the instance of data processing and information about the presence of data relating to a relevant data subject;
- information concerning the legal grounds and purposes for which the Data is to be processed;
- information about the data processing methods used by the Company;
- information on the name and location of the Company;
- information about the persons (with the exception of the Company’s employees) who have access to the Data or who may obtain access to the Data on the basis of an agreement with the Company or on the basis of a federal law;
- a list of the data to be processed, relating to the data subject, and information on the source of these data, unless another procedure for providing such Data is specified by federal law;
- information on the processing terms for Data, including the terms of their storage;
- information on the procedure for exercising the rights provided for in the Law, by the subject of the Data;
- name (name and surname) and address of the person processing the data on behalf of the Company;
- other information envisaged by law or other regulatory legal acts of the Russian Federation.
- to require the Company to update his/her Data, block or destroy it in case the Data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- to withdraw consent for processing the Data at any time;
- to demand that any illegal actions committed by the Company be halted with respect to his/her Data;
- to appeal any actions or inaction of the Company to the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) or in court, if the data subject believes that the Company is processing his/her Data in violation of the requirements of the Law or otherwise violates his/her rights and freedoms;
- to protect their rights and legitimate interests, including compensation for damages and/or compensation for non-pecuniary damage in court.
A subject whose data is processed by the Company shall:
- provide only reliable information;
- never provide the personal data of third parties without the consent of these parties.
2. Purposes of collecting personal data
The processing of personal data shall be permitted only in order to achieve specific, pre-determined and legitimate purposes.
The Employees’ personal data shall be processed for the following purposes:
- to assist employees in employment, training and promotion;
- to calculate and pay salary;
- to arrange the employees’ business trips (missions);
- to register powers of attorney (including powers of attorney to represent the Company’s interests with regard to third parties);
- to comply with the access control rules and regulations on the premises of the Company;
- to record hours worked;
- the use of various types of benefits in accordance with the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws, as well as the Charter and regulations of the Company.
- providing employees with access to voluntary health insurance;
- providing third parties with information on the members of the Company’s governing bodies;
- providing third parties with information about the Company’s leading specialists;
- establishing communications with the Employee.
The personal data of Company employees’ relatives are processed for:
- compliance with the requirements of the legislation of the Russian Federation.
The personal data of candidates for vacant positions are processed in order to:
- make decisions about signing an employment contract with persons applying for vacancies.
The personal data of the members of the Company’s management bodies, who are not employees, shall be processed in order to:
- comply with the requirements stipulated by the legislation, including mandatory disclosure of information, audit, verification of the possibility of transactions, including related-party transactions and/or major transactions, meetings of the Board of Directors and the Board of Management of the Company, etc.
The personal data of the representatives of legal entities entering into contract with the Company shall be processed for the purpose of:
- negotiations, signing and execution of contracts for which personal data of employees of such legal entities are provided pursuant to the execution of contracts in various areas of the Company’s economic activities.
Personal data of the individual contract parties, including individual entrepreneurs, shall be processed in order to:
- sign and execute a contract with the individual or a self-employed enterpreneur as one of its parties;
- the company’s participation in the procurement of goods and services provided in accordance with Federal Law No.
44-FZ dated April 5, 2013 “On the Contract System Related to the Procurement of Goods, Works, and Services for Ensuring State and Municipal Needs” and Federal Law No.223-FZ dated July 18, 2011 “On the Procurement of Goods, Works, and Services by Certain Types of Legal Entities”; - consider opportunities for further cooperation.
Personal data of website users shall be processed for the purpose of:
- obtaining feedback from a website user;
- processing User requests;
- the Company’s in-house matters, such as: understanding the needs of website users, improving website operations, improving the Company’s range of available services and products.
3. Legal basis for processing personal data
The processing of personal data by the Operator shall be carried out in accordance with the requirements of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law No. 27-FZ dated January 4, 1996 “On individual (personal) records in the mandatory pension insurance system,” Federal Law No. 53-FZ dated March 28, 1998, “On Military Duty and Military Service,” Federal Law No. 31-FZ dated February 26, 1997 “On Mobilization Preparation and Mobilization in the Russian Federation,” Federal Law No. 208-FZ dated December 26, 1995 “On Joint Stock Companies,” Federal Law No. 402-FZ dated June 12, 2011 “On Accounting,” Federal Law No. 326-FZ dated November 29, 2010 “On Compulsory Medical Insurance in the Russian Federation,” other federal laws and bylaws of the Russian Federation, and also in accordance with contracts signed between the Operator and personal data subjects and consents to the processing of personal data (in cases not directly envisaged in the laws of the Russian Federation, but which fall within the scope of powers of the operator).
4. Scope and categories of personal data to be processed, categories of personal data subjects
The operator shall process the following personal data:
-
Regarding Employees:
- Last name;
- First name;
- Patronymic (if any);
- Date, month, year of birth;
- Information on citizenship (nationality);
- Taxpayer identification number;
- Employment data;
- Information on position held;
- Data of a citizen’s passport, including the passport data of a foreign citizen;
- Data on education documents;
- Data on individual (personal) records in the mandatory pension insurance system;
- Data on military duty and military service;
- Bank account details;
- Information on salaries and bank account details for the transfer of salaries and social benefits;
- Data on marital status and family structure, processed in accordance with the laws of the Russian Federation;
- A photograph;
- Numbers of home and/or mobile phones or information about other ways of communicating with the Employee;
- Information on the place of residence.
-
Regarding the relatives of the Company’s employees:
- Last name;
- First name;
- Patronymic (if any);
- Data of a citizen’s passport, including the passport data of a foreign citizen;
- Details of the bank account for the transfer of payments in accordance with the laws of the Russian Federation;
- Data on marital status.
-
Regarding candidates for vacant positions:
- Last name;
- First name;
- Patronymic (if any);
- Data on education documents.
- Numbers of home and/or cell phones or information about other ways of communication;
- A photograph (if available).
-
Regarding persons who are members of the Company’s management bodies but not employees:
- Last name;
- First name;
- Patronymic (if any);
- Data of a citizen’s passport, including the passport data of a foreign citizen;
- Details of the bank account for the transfer of payments in accordance with the laws of the Russian Federation;
- Numbers of home and/or cell phones or information about other ways of communication;
- A photograph (if available).
-
Regarding the representatives of legal entities being the Company’s business partners:
- Last name;
- First name;
- Patronymic (if any);
- Data of a citizen’s passport, including the passport data of a foreign citizen;
- Numbers of home and/or cell phones or information about other ways of communication.
-
Regarding individuals, including individual entrepreneurs who are the Company’s business partners
- Last name;
- First name;
- Patronymic (if any);
- Information on citizenship (nationality);
- Data of a citizen’s passport, including the passport data of a foreign citizen;
- Data on state registration as an individual entrepreneur (if available);
- Data on education documents;
- Data on individual (personal) records in the mandatory pension insurance system;
- details of the bank account to transfer the compensation;
- Taxpayer identification number;
- Numbers of home and/or mobile phones and information on other ways of communication;
- Information on the place of residence.
-
regarding Website users:
- Name;
- Phone number;
- Email address;
- Cookies;
Cookies are small data files that are stored on the data subject’s computer or device when visiting the Company’s website. Creating a cookie file is possible only if this is allowed by the web browser settings. In any browser, cookie files are only available to the Company’s website. Other websites will not have access to these files. Personal data subject may disable cookies in web browser or mobile device settings. Note that some functions of the website may become unavailable once cookies are disabled. - Anonymous data on website users obtained with software for tracking and web analytics: Yandex.Metrics and Google Analytics.
5. Procedure and conditions for processing personal data
The list of activities performed by the Company with the personal data of subjects:
- collection;
- recording;
- classification;
- accumulation;
- storage;
- clarification (update, revision);
- extraction;
- use;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- removal;
- destruction.
The Biometric Data (information that characterizes the physiological and biological characteristics of a person, making it possible to establish his/her identity, which is used by the operator to identify the data subject) shall not be processed by the Company.
The company shall not perform cross-border data transfer.
The Company shall be entitled to transfer personal data to intelligence and investigative authorities or to other authorized bodies for reasons specified in the applicable legislation of the Russian Federation.
The operator and other persons who have access to personal data must not disclose or disseminate personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
Methods of processing personal data
The company shall use a mixed method of processing personal data (manual processing of personal data and automated processing of personal data with transmission over the operator’s internal network of the operator). Information about personal data shall be available only to the employees who are expressly qualified to deal with such data.
Data Processing Time
The timing of data processing shall be determined on the basis of data processing purposes, in accordance with the terms and conditions stipulated in the contract signed with the data subject, the requirements of federal laws, the main rules of archives of organizations, and the relevant statute of limitation.
Data whose processing time has expired must be destroyed, unless otherwise provided by federal law. The storage of data after the termination of the processing shall be permitted only after the depersonalization of data.
Data Protection Measures
When processing Data, the Company shall take the necessary legal, organizational and technical measures to protect the Data from illegal and/or unauthorized access to, data destruction, revision, blocking, copying, transfer, dissemination, and other unlawful actions with respect to Data.
Such measures shall include, in particular, in accordance with the Law:
- designating the person responsible for organizing the processing of the Data and the person responsible for ensuring the security of the Data;
- drafting and approving local acts on data processing and protection;
-
taking legal, organizational and technical measures to ensure the security of Data:
- identifying threats to data security when processing the Data in personal data information systems;
- taking organizational and technical measures to ensure the security of Data when said Data are processed in personal data information systems in order to to meet data protection requirements, the implementation of which is ensured by the data security levels established by the Government of the Russian Federation;
- implementing legally established procedures for assessing the compliance of information protection systems;
- evaluating the effectiveness of measures taken to ensure the security of data prior to the commissioning of personal data information system;
- accounting for computer data carriers, if the Data are stored on machine storage devices;
- detecting unauthorized access to the Data and taking measures to prevent similar incidents in the future;
- recovering the Data that are revised or destroyed as a result of unauthorized access;
- establishing rules for accessing Data processed in the personal data information system, as well as ensuring registration and recording all actions performed with the Data in the personal data information system.
- monitoring the measures taken to ensure Data security, and the level of security of personal data information systems;
- assessing any and all damaged that may be caused to data subjects in the event of violation of the requirements of the law, the extent of such harm and the measures taken by the Company to ensure the fulfillment of the obligations stipulated by the Law;
- complying with the conditions that prevent unauthorized access to the data storage devices and ensure data integrity;
- familiarizing the Company’s employees who directly process the Data with the provisions of the Russian legislation on Data, including data protection requirements, local acts on data processing and protection, and training of the Company’s employees.
Termination of the processing of personal data:
- achieving the purposes for which personal data are processed;
- expiration of the term of consent or withdrawal of the consent of the personal data subject to the processing of his/her personal data;
- identification of improper processing of personal data.
Personal data storage
The periods of Data storage shall be determined pursuant to the Data processing purposes, in accordance with the terms of the contract with the data subject, the requirements of federal laws, the main rules of the archives of organizations, and the statutes of limitation. When storing personal data, the Company undertakes to use databases located in the territory of the Russian Federation, in accordance with Part 5 of Article 18 of the Federal Law “On Personal Data”.
6. Updating, correction, removal and destruction of personal data, responses to the requests of subjects for access to personal data
If the inaccuracy of personal data or the illegality of their processing are confirmed, such personal data shall be updated by the Company. In this case, the processing of personal data shall be halted until any and all inaccuracies are eliminated.
When personal data processing purposes are achieved, or if the personal data subject withdraws his/her consent to their processing, personal data shall be destroyed unless:
- otherwise provided for under the contract to which the subject of personal data is a party, beneficiary or guarantor;
- the operator is entitled to process the personal data without the consent of the subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws;
- otherwise provided by other agreement between the operator and the personal data subject.
The operator shall notify the personal data subject or his/her representative about the processing of personal data of such a subject at the request of the latter.