ICLC-Consultant Personal Data Processing POLICY
1. General
1.1. The Personal Data Processing Policy of ICLC-Consultant OOO (hereinafter the ‘Policy’) has been developed in accordance with Federal Law No. 152–ФЗ dated July 27, 2006 “On Personal Data” and other federal laws and regulations of the Russian Federation that set out the instances and specific features of personal data processing and ensure safety and confidentiality of such information (hereinafter the ‘personal data laws’).
1.2. The Policy has been developed to meet legal requirements
for personal data and is aimed to ensure the protection of human and civil rights and freedoms in personal data processing by ICLC-Consultant (hereinafter the ‘Company’).
1.3. The Policy sets out:
· the purposes of personal data processing;
· classification of personal data and data subjects;
· a list of personal data processing activities;
· general principles governing the processing of personal data;
· key approaches to the personal data processing management system.
1.4. The provisions of the Policy provide a basis for organization of personal data processing activities in the Company, including development of internal local regulations (rules of procedure, methods, instructions, etc.) governing personal data processing in the Company.
1.5. The provisions of the Policy are binding on all Company employees who have access to personal data.
1.6. The Policy is publicly available and can be found on the official website of the Company. You can review the Policy by visiting the above-mentioned website at: https://nalogov.net /.
2. Purposes of personal data processing
The Company shall process personal data for the following purposes:
2.1. conduct business in accordance with the Company’s articles of association;
2.2. ensure compliance with the laws and other regulations of the Russian Federation;
2.3. enter into and perform contracts and agreements within the framework of employment, independent contracting and other relations;
2.4. ensure personal safety of employees, control quantity and quality of work and safeguard property.
3. Classification of personal data and data subjects
3.1. Personal data means any information relating to a directly or indirectly identified or identifiable natural person (personal data subject) that is processed by the Company to fulfill predetermined purposes.
3.2. The Company shall not process special categories of personal data revealing racial or ethnic origin, political views, religious and philosophical beliefs, intimate life, criminal records of individuals, unless otherwise required by the laws of the Russian Federation.
Biometric personal data shall be processed by the Company with the data subject’s written consent, unless otherwise required by law.
3.3. The Company shall process personal data of the following data subject categories:
· job applicants, i.e. individuals who have filled out a job application form for further cooperation with the Company based on an employment contract, or individuals who have provided their personal data to enter into an independent contractor contract;
· employees, i.e. individuals who have entered into an employment relationship with the Company;
· the Company’s counterparties, i.e. individuals who make transactions directly with the Company other than through employment contracts, or representatives (employees) of legal entities (organizations) with which the Company has legal relationships;
· visitors to the Company’s official website at: https://nalogov.net /.
3.4. Personal data of job applicants is processed for the purpose of finding suitable candidates to fill vacancies, enter into independent contractor contracts.
The contents of job applicants’ personal data are determined by the contents of their application forms and necessary documents they provide to enter into and secure the contracts, including:
- last name, first name, patronymic;
- gender, age;
- phone number (home, mobile);
- email address;
- details of documents confirming education, qualification, vocational training, information on advanced training, details of documents proving special knowledge, academic degree, academic title, information on awards and titles;
- marital status;
- employment records, work experience.
3.5. Personal data of an employee means information that is required by the employer
in connection with the employment relationship and concerns a particular employee.
Personal data of Company employees is processed for the following purposes:
▪ ensure compliance with the laws and regulations;
▪ enter into and govern employment relationships and other relations directly associated with employment;
▪ record information in HR documents;
▪ run payroll;
▪ calculate and pay taxes, fees and contributions for compulsory social and pension insurance required by the laws of the Russian Federation;
▪ submit employer reports concerning natural persons as required by law;
▪ provide information to credit institutions for issuing bank cards and/or transferring salaries and wages;
▪ provide information to third parties for issuing a voluntary health insurance policy;
▪ provide tax deductions;
▪ keep military service records;
▪ provide information to customers, public procurement authorities, local government customers, and specialized organizations to enable the Company to participate in procurement of goods, works, services to meet state and municipal needs;
▪ provide security;
▪ control the quantity and the quality of work;
▪ safeguard the Company’s property;
▪ publish articles, comments, etc. (including electronic ones) written by the employees for mass media as part of their employment duties;
▪ enable employees to represent the Company as a speaker at various seminars, webinars, conferences and other public events;
▪ implement the provisions of the Company’s articles of association, including informing clients and potential clients about the Company’s services, legal education.
The contents of employee personal data:
- last name, first name, patronymic;
- image (photo and video);
- gender, age;
- date and place of birth;
- passport details;
- permanent registration address and actual residence address;
- phone number (home, mobile);
- email address;
- details of the documents confirming education, qualification, vocational training, information on advanced training, details of the documents proving special knowledge, academic degree, academic title, information on awards and titles;
- marital status, information on family members that the employer might need to secure benefits provided by the employment and tax laws;
- military service obligation;
- employment records, work experience, previous salary information;
- SNILS (Individual Insurance Account Number);
- INN (Taxpayer Identification Number);
- information on admission, transfer, dismissal and other events relating to employment with the Company, employee earnings in the Company;
- job title;
- information on professional and personal qualities as evaluative judgment;
- bank account details.
3.6. Personal data of the counterparties of the Company is processed under the contracts for the provision of paid services in order to perform contractual obligations.
The contents of personal data of the Company’s counterparties are determined by the details they provide to enter into the contract, including:
- last name, first name, patronymic;
- gender, age;
- date and place of birth;
- passport details;
- permanent registration address and actual residence address;
- phone number (home, mobile);
- email address;
- SNILS (Individual Insurance Account Number);
- INN (Taxpayer Identification Number);
- details of the documents confirming education, qualification, vocational training, information on advanced training, details of the documents proving special knowledge;
- information on professional and personal qualities as evaluative judgment;
- bank account details.
3.7. Personal data of the visitors to the Company’s official website is processed to identify visitors, familiarize them with the list of services provided by the Company and legal documents of the Company, establish feedback, including sending notifications and requests concerning the provision of services, processing requests and orders received from the website visitors.
The contents of personal data of the visitors to the Company’s official website are determined by the contents of their application forms required to enter into and secure the contracts, including:
- last name, first name, patronymic;
- email address;
- mobile phone number;
- user data (location, OS type and version, browser type and version, device type and screen resolution, source of the request to the website, activities performed on the website, IP address, cookies).
4. List of personal data processing activities
4.1. The Company collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (provides, accesses), depersonalizes, blocks, deletes and destroys personal data.
4.2. Personal data of citizens of the Russian Federation is recorded, systematized, accumulated, stored, clarified (updated, modified), extracted, including through the information and telecommunications network Internet,
using databases located in the territory of the Russian Federation.
4.3. Personal data processed by the Company shall be destroyed or depersonalized once the processing purpose is fulfilled or it is no longer necessary
to fulfill these purposes, unless otherwise required by federal law.
5. General principles governing the processing of personal data
5.1. The Company shall process personal data based on the following general principles:
· purposes and methods of personal data processing are predetermined, specific and lawful;
· proper protection of personal data is ensured;
· the actual purposes of personal data processing correspond to the predetermined purposes specified when the data was collected;
· the scope, nature and methods of personal data processing correspond to the personal data processing purposes;
· personal data is accurate and sufficient for the processing purposes; it is not allowed to hold more personal data than you need to fulfill the purposes specified when the data was collected;
· it is not allowed to combine databases containing personal data processed for incompatible purposes;
· personal data in a form that allows to identify the data subject should not be retained longer than required by the processing purposes;
· personal data should be destroyed or depersonalized once the processing purpose is fulfilled, unless the laws of the Russian Federation or an agreement to which the data subject is a party, beneficiary or guarantor set forth a specific retention period for such personal data;
· confidentiality and security of processed personal data is ensured.
6. Rights of the data subject and the Company
6.1. The data subject has the right to:
· obtain information regarding the processing of his or her personal data in the manner, form and within the time set forth in the personal data laws;
· demand to clarify, block or destruct his or her personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, no longer needed for the specified purpose or used for any purpose other than specified when the data subject agreed to the processing;
· take actions permitted by the law to protect his or her rights;
· withdraw his or her consent to the processing of personal data.
6.2. The Company has the right to:
· process the data subject’s personal data for the specified purpose;
· demand that the data subject provides accurate personal data required to perform the contract, provide the services, identify the data subject and in other cases provided by the personal data laws;
· process publicly available personal data of individuals;
· process personal data that is subject to publication or mandatory disclosure in accordance with the laws of the Russian Federation;
· engage third parties to process personal data with the data subject’s consent.
7. Organization of a personal data processing management system
7.1. Personal data shall be processed both with and without the use of automated means.
7.2. Time limits for personal data processing shall be determined by the Company
in accordance with regulations of the Russian Federation, local regulations of the Company, terms and conditions of contracts and other agreements made with data subjects.
7.3. Personal data of a data subject shall be processed with his or her consent, or without such consent if the processing of personal data is necessary to perform the agreement to which the data subject is a party or beneficiary or guarantor, to enter into an agreement on the initiative of the data subject or an agreement under which the data subject will be the beneficiary or guarantor, or in other cases provided by the personal data laws.
7.4. The Company may engage third parties to process personal data
with the data subject’s consent, unless otherwise provided by federal law. Such personal data processing may be performed only based on an agreement entered into between the Company and the third party, which sets out:
· a list of activities (operations) with personal data that will be performed by the third-party processor;
· the purposes of personal data processing;
· obligations of the third-party processor to maintain confidentiality of personal data, ensure its safety during processing, and meet requirements for the protection of processed personal data.
7.5. The Company shall disclose personal data to government authorities acting within their power in accordance with the laws of the Russian Federation.
7.6. The Company shall be responsible to the data subject for the actions of third parties engaged by the Company to process the data subject’s personal data.
7.7. Access to processed personal data shall be provided only to Company employees who need it in connection with the performance of their job duties and in compliance with the principles of personal responsibility.
7.8. The Company shall stop processing personal data once the specified purpose is fulfilled, or upon expiration of the period set forth in the laws, contract or data subject’s consent to the processing of his or her personal data. If the data subject withdraws the consent to the processing of his or her personal data, the Company has the right to continue processing the personal data without the data subject’s consent, if such processing is required by the agreement to which the data subject is a party, beneficiary or guarantor, another agreement between the Company and the data subject, or if the Company is entitled to process personal data without the data subject’s consent on the grounds set forth in the laws and regulations.
7.9. Personal data shall be processed in a confidential manner, which implies the obligation not to disclose personal data to third parties and not to disseminate it without the data subject’s consent, unless otherwise required by the laws of the Russian Federation.
7.10. The Company shall maintain confidentiality of the data subject’s personal data and ensure that Company employees who have access to the personal data of individuals keep it confidential and use it solely for the purposes permitted by the law, contract or other agreement entered into with the data subject.
7.11. The Company shall ensure safety of personal data undergoing processing within the framework of a single integrated system of organizational, technical and legal measures to protect information constituting a trade secret, subject to the requirements set forth in the personal data laws and regulations adopted in accordance with these laws. The Company continuously develops and improves its information security system based on the requirements of international and national information security standards and international best practices.
7.12. When processing personal data, the Company shall take required legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, dissemination and other unlawful activities with personal data.
7.13. The Company shall independently determine the contents and list of measures necessary and sufficient to ensure the performance of obligations set forth in Federal Law No. 152-ФЗ dated July 27, 2006 on Personal Data and regulations adopted in accordance with this law, unless otherwise provided by federal laws.
8. Final provisions
The Company, its officials and employees shall have civil, administrative and other liability for failure to comply with the principles and conditions of processing personal data of individuals, as well as for disclosure or unlawful use of personal data in accordance with the legislation of the Russian Federation.
1.1. The Personal Data Processing Policy of ICLC-Consultant OOO (hereinafter the ‘Policy’) has been developed in accordance with Federal Law No. 152–ФЗ dated July 27, 2006 “On Personal Data” and other federal laws and regulations of the Russian Federation that set out the instances and specific features of personal data processing and ensure safety and confidentiality of such information (hereinafter the ‘personal data laws’).
1.2. The Policy has been developed to meet legal requirements
for personal data and is aimed to ensure the protection of human and civil rights and freedoms in personal data processing by ICLC-Consultant (hereinafter the ‘Company’).
1.3. The Policy sets out:
· the purposes of personal data processing;
· classification of personal data and data subjects;
· a list of personal data processing activities;
· general principles governing the processing of personal data;
· key approaches to the personal data processing management system.
1.4. The provisions of the Policy provide a basis for organization of personal data processing activities in the Company, including development of internal local regulations (rules of procedure, methods, instructions, etc.) governing personal data processing in the Company.
1.5. The provisions of the Policy are binding on all Company employees who have access to personal data.
1.6. The Policy is publicly available and can be found on the official website of the Company. You can review the Policy by visiting the above-mentioned website at: https://nalogov.net /.
2. Purposes of personal data processing
The Company shall process personal data for the following purposes:
2.1. conduct business in accordance with the Company’s articles of association;
2.2. ensure compliance with the laws and other regulations of the Russian Federation;
2.3. enter into and perform contracts and agreements within the framework of employment, independent contracting and other relations;
2.4. ensure personal safety of employees, control quantity and quality of work and safeguard property.
3. Classification of personal data and data subjects
3.1. Personal data means any information relating to a directly or indirectly identified or identifiable natural person (personal data subject) that is processed by the Company to fulfill predetermined purposes.
3.2. The Company shall not process special categories of personal data revealing racial or ethnic origin, political views, religious and philosophical beliefs, intimate life, criminal records of individuals, unless otherwise required by the laws of the Russian Federation.
Biometric personal data shall be processed by the Company with the data subject’s written consent, unless otherwise required by law.
3.3. The Company shall process personal data of the following data subject categories:
· job applicants, i.e. individuals who have filled out a job application form for further cooperation with the Company based on an employment contract, or individuals who have provided their personal data to enter into an independent contractor contract;
· employees, i.e. individuals who have entered into an employment relationship with the Company;
· the Company’s counterparties, i.e. individuals who make transactions directly with the Company other than through employment contracts, or representatives (employees) of legal entities (organizations) with which the Company has legal relationships;
· visitors to the Company’s official website at: https://nalogov.net /.
3.4. Personal data of job applicants is processed for the purpose of finding suitable candidates to fill vacancies, enter into independent contractor contracts.
The contents of job applicants’ personal data are determined by the contents of their application forms and necessary documents they provide to enter into and secure the contracts, including:
- last name, first name, patronymic;
- gender, age;
- phone number (home, mobile);
- email address;
- details of documents confirming education, qualification, vocational training, information on advanced training, details of documents proving special knowledge, academic degree, academic title, information on awards and titles;
- marital status;
- employment records, work experience.
3.5. Personal data of an employee means information that is required by the employer
in connection with the employment relationship and concerns a particular employee.
Personal data of Company employees is processed for the following purposes:
▪ ensure compliance with the laws and regulations;
▪ enter into and govern employment relationships and other relations directly associated with employment;
▪ record information in HR documents;
▪ run payroll;
▪ calculate and pay taxes, fees and contributions for compulsory social and pension insurance required by the laws of the Russian Federation;
▪ submit employer reports concerning natural persons as required by law;
▪ provide information to credit institutions for issuing bank cards and/or transferring salaries and wages;
▪ provide information to third parties for issuing a voluntary health insurance policy;
▪ provide tax deductions;
▪ keep military service records;
▪ provide information to customers, public procurement authorities, local government customers, and specialized organizations to enable the Company to participate in procurement of goods, works, services to meet state and municipal needs;
▪ provide security;
▪ control the quantity and the quality of work;
▪ safeguard the Company’s property;
▪ publish articles, comments, etc. (including electronic ones) written by the employees for mass media as part of their employment duties;
▪ enable employees to represent the Company as a speaker at various seminars, webinars, conferences and other public events;
▪ implement the provisions of the Company’s articles of association, including informing clients and potential clients about the Company’s services, legal education.
The contents of employee personal data:
- last name, first name, patronymic;
- image (photo and video);
- gender, age;
- date and place of birth;
- passport details;
- permanent registration address and actual residence address;
- phone number (home, mobile);
- email address;
- details of the documents confirming education, qualification, vocational training, information on advanced training, details of the documents proving special knowledge, academic degree, academic title, information on awards and titles;
- marital status, information on family members that the employer might need to secure benefits provided by the employment and tax laws;
- military service obligation;
- employment records, work experience, previous salary information;
- SNILS (Individual Insurance Account Number);
- INN (Taxpayer Identification Number);
- information on admission, transfer, dismissal and other events relating to employment with the Company, employee earnings in the Company;
- job title;
- information on professional and personal qualities as evaluative judgment;
- bank account details.
3.6. Personal data of the counterparties of the Company is processed under the contracts for the provision of paid services in order to perform contractual obligations.
The contents of personal data of the Company’s counterparties are determined by the details they provide to enter into the contract, including:
- last name, first name, patronymic;
- gender, age;
- date and place of birth;
- passport details;
- permanent registration address and actual residence address;
- phone number (home, mobile);
- email address;
- SNILS (Individual Insurance Account Number);
- INN (Taxpayer Identification Number);
- details of the documents confirming education, qualification, vocational training, information on advanced training, details of the documents proving special knowledge;
- information on professional and personal qualities as evaluative judgment;
- bank account details.
3.7. Personal data of the visitors to the Company’s official website is processed to identify visitors, familiarize them with the list of services provided by the Company and legal documents of the Company, establish feedback, including sending notifications and requests concerning the provision of services, processing requests and orders received from the website visitors.
The contents of personal data of the visitors to the Company’s official website are determined by the contents of their application forms required to enter into and secure the contracts, including:
- last name, first name, patronymic;
- email address;
- mobile phone number;
- user data (location, OS type and version, browser type and version, device type and screen resolution, source of the request to the website, activities performed on the website, IP address, cookies).
4. List of personal data processing activities
4.1. The Company collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (provides, accesses), depersonalizes, blocks, deletes and destroys personal data.
4.2. Personal data of citizens of the Russian Federation is recorded, systematized, accumulated, stored, clarified (updated, modified), extracted, including through the information and telecommunications network Internet,
using databases located in the territory of the Russian Federation.
4.3. Personal data processed by the Company shall be destroyed or depersonalized once the processing purpose is fulfilled or it is no longer necessary
to fulfill these purposes, unless otherwise required by federal law.
5. General principles governing the processing of personal data
5.1. The Company shall process personal data based on the following general principles:
· purposes and methods of personal data processing are predetermined, specific and lawful;
· proper protection of personal data is ensured;
· the actual purposes of personal data processing correspond to the predetermined purposes specified when the data was collected;
· the scope, nature and methods of personal data processing correspond to the personal data processing purposes;
· personal data is accurate and sufficient for the processing purposes; it is not allowed to hold more personal data than you need to fulfill the purposes specified when the data was collected;
· it is not allowed to combine databases containing personal data processed for incompatible purposes;
· personal data in a form that allows to identify the data subject should not be retained longer than required by the processing purposes;
· personal data should be destroyed or depersonalized once the processing purpose is fulfilled, unless the laws of the Russian Federation or an agreement to which the data subject is a party, beneficiary or guarantor set forth a specific retention period for such personal data;
· confidentiality and security of processed personal data is ensured.
6. Rights of the data subject and the Company
6.1. The data subject has the right to:
· obtain information regarding the processing of his or her personal data in the manner, form and within the time set forth in the personal data laws;
· demand to clarify, block or destruct his or her personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, no longer needed for the specified purpose or used for any purpose other than specified when the data subject agreed to the processing;
· take actions permitted by the law to protect his or her rights;
· withdraw his or her consent to the processing of personal data.
6.2. The Company has the right to:
· process the data subject’s personal data for the specified purpose;
· demand that the data subject provides accurate personal data required to perform the contract, provide the services, identify the data subject and in other cases provided by the personal data laws;
· process publicly available personal data of individuals;
· process personal data that is subject to publication or mandatory disclosure in accordance with the laws of the Russian Federation;
· engage third parties to process personal data with the data subject’s consent.
7. Organization of a personal data processing management system
7.1. Personal data shall be processed both with and without the use of automated means.
7.2. Time limits for personal data processing shall be determined by the Company
in accordance with regulations of the Russian Federation, local regulations of the Company, terms and conditions of contracts and other agreements made with data subjects.
7.3. Personal data of a data subject shall be processed with his or her consent, or without such consent if the processing of personal data is necessary to perform the agreement to which the data subject is a party or beneficiary or guarantor, to enter into an agreement on the initiative of the data subject or an agreement under which the data subject will be the beneficiary or guarantor, or in other cases provided by the personal data laws.
7.4. The Company may engage third parties to process personal data
with the data subject’s consent, unless otherwise provided by federal law. Such personal data processing may be performed only based on an agreement entered into between the Company and the third party, which sets out:
· a list of activities (operations) with personal data that will be performed by the third-party processor;
· the purposes of personal data processing;
· obligations of the third-party processor to maintain confidentiality of personal data, ensure its safety during processing, and meet requirements for the protection of processed personal data.
7.5. The Company shall disclose personal data to government authorities acting within their power in accordance with the laws of the Russian Federation.
7.6. The Company shall be responsible to the data subject for the actions of third parties engaged by the Company to process the data subject’s personal data.
7.7. Access to processed personal data shall be provided only to Company employees who need it in connection with the performance of their job duties and in compliance with the principles of personal responsibility.
7.8. The Company shall stop processing personal data once the specified purpose is fulfilled, or upon expiration of the period set forth in the laws, contract or data subject’s consent to the processing of his or her personal data. If the data subject withdraws the consent to the processing of his or her personal data, the Company has the right to continue processing the personal data without the data subject’s consent, if such processing is required by the agreement to which the data subject is a party, beneficiary or guarantor, another agreement between the Company and the data subject, or if the Company is entitled to process personal data without the data subject’s consent on the grounds set forth in the laws and regulations.
7.9. Personal data shall be processed in a confidential manner, which implies the obligation not to disclose personal data to third parties and not to disseminate it without the data subject’s consent, unless otherwise required by the laws of the Russian Federation.
7.10. The Company shall maintain confidentiality of the data subject’s personal data and ensure that Company employees who have access to the personal data of individuals keep it confidential and use it solely for the purposes permitted by the law, contract or other agreement entered into with the data subject.
7.11. The Company shall ensure safety of personal data undergoing processing within the framework of a single integrated system of organizational, technical and legal measures to protect information constituting a trade secret, subject to the requirements set forth in the personal data laws and regulations adopted in accordance with these laws. The Company continuously develops and improves its information security system based on the requirements of international and national information security standards and international best practices.
7.12. When processing personal data, the Company shall take required legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, dissemination and other unlawful activities with personal data.
7.13. The Company shall independently determine the contents and list of measures necessary and sufficient to ensure the performance of obligations set forth in Federal Law No. 152-ФЗ dated July 27, 2006 on Personal Data and regulations adopted in accordance with this law, unless otherwise provided by federal laws.
8. Final provisions
The Company, its officials and employees shall have civil, administrative and other liability for failure to comply with the principles and conditions of processing personal data of individuals, as well as for disclosure or unlawful use of personal data in accordance with the legislation of the Russian Federation.