This Personal Data Privacy Policy of JSC Grasys (further referred to as JSC Grasys, the Operator) in terms of personal data processing (further referred to as the Privacy Policy) has been developed in line with the requirements of Para. 2, Part 1 of Art. 18.1 of the Federal Law of July 27, 2006, No. 152-FZ On Personal Data (further referred to as the Federal Law) with a view to ensuring protection of the civil and political rights and freedoms in personal data processing, including protection of the rights to right to personal and family privacy.
The Privacy Policy is applicable to all personal data that Operator may receive about Users particularly but not exclusively through the Operator’s data resource visited by Users which located in the data telecommunications network Internet at www.grasys.com.
The Privacy Policy is applicable to personal data processing relationships that the Operator both has established before approval of this Privacy Policy and those appearing thereafter.
In implementation of the provisions of Part 2, Article 18.1 of the Federal Law The Privacy Policy is subject to being free to access in the data telecommunications network Internet, in particular in the Operator’s official website at www.grasys.com.
This Privacy Policy establishes general terms and conditions for personal data collection, storage, transfer and other processing kinds at JSC Grasys as well as information about the applicable and implemented personal data protection requirements. The Privacy Policy has been developed in line with the effective laws of the Russian Federation striving to improve safety level of confidential information and specifically of personal data and aiming to enhance monitoring strategies and tactics for personal data protection.
1. TERMS AND DEFINITIONS
This Privacy Policy describes terms as follows:
1.1. Personal data shall mean any information directly or indirectly concerning a natural person who is definitively stated or defined (Personal Data Subject).
1.2. Personal data permitted by Personal Data Subject for distribution shall mean personal data that are accessible to everyone by Personal Data Subject the subject of personal data by means of giving consent to the processing of personal data permitted by Personal Data Subject for distribution as prescribed by law.
1.3. Operator shall mean a governmental body, a municipal body, a legal entity or a natural person that on their own or jointly with other persons organises and/or implements personal data processing, and also defines the purposes of personal data processing, scope of personal data that are subject to processing and actions (operations) involving personal data. In this Privacy Policy context, the Operator shall mean including but not limited to JSC Grasys.
1.4. Personal data processing shall mean any action (operation) or a set of such actions (operations) implemented by means of automation facilities or without such facilities as involving personal data, including the gathering, recording, systematization, accumulation, storage, updating (renewing and altering), retrieving, using, transmitting (distribution, submission and access), anonymization, interlocking, deleting and destroying personal data.
1.5. Automated personal data processing shall mean processing of personal data by means of computer engineering means.
1.6. Personal data distribution shall mean actions aimed at disclosing personal data to any number of unspecified persons.
1.7. Personal data submission shall mean actions aimed at disclosing personal data to a certain person or a certain group of persons.
1.8. Personal data interlocking shall mean temporary termination of personal data processing (except for cases when processing is needed for rectification of personal data).
1.9. Destruction of personal data shall mean actions resulting in the impossibility of restoring the content of personal data in information system of personal data and/or resulting in the destruction of material media bearing the personal data.
1.10. Depersonalization of personal data shall mean actions resulting in the impossibility of identifying - without the use of additional information - the belonging of personal data to a specific Personal Data Subject.
1.11. Personal data information system shall mean the total of personal data contained in databases as well as information technologies, hardware and software that ensure their processing1.
1.12. The Website administration shall mean acting on behalf of JSC Grasys officers in charge for the website management that make arrangement and/or perform personal data processing as well as define objectives of personal data processing, the data scope subject to processing, actions (operations) with regard to the personal data to be further performed.
1.13. Personal data confidentiality shall mean a binding for the Operator or another party having access to personal data requirement not to allow their disclosure without consent of the Personal Data Subject or where there are other legitimate grounds.
1.14. The Website user (further referred to as the User) shall mean a person who has access and makes use of the Website through the Internet.
1.15. Cookies shall mean a small chunk of data submitted by Web server and stored on the User's computer that is sent to the Web server by Web client or Web browser as HTTP request each time when attempting to open up the page of the relevant Website.
1.16. The Operator’s information resource shall mean website with the domain name www.grasys.com.
1.17. Ip address shall mean a unique network level address of a node in a computer network built using the IP protocol.
1.18. The information resource Operator shall mean JSC Grasys that owns information resource www.grasys.com, exercises control over such resource, collects and processes personal data.
2. GENERAL PROVISIONS
2.1. Purposes of the personal data collection
2.1.1. Personal data processing shall be limited to the achievement of specific, predetermined and legitimate purposes. Personal data that are incompatible with the purposes of personal data collection may not be processed.
2.1.2. Only personal data that meet their processing purposes are subject to processing.
2.1.3. Personal data processing shall be carried out by the Operator to the following effect:
-
ensuring compliance with the Constitution of the Russian Federation, federal laws and other statutory instruments of the Russian Federation;
-
ensuring protection of the civil and political rights and freedoms in personal data processing, including protection of the rights to right to personal and family privacy;
-
promoting the Operator’s goods, works, services on the market by direct approaches with prospective consumers by making use of communication facilities;
-
implementing the corporate activities in line with the Articles of Association;
-
being involved in HR records-keeping activities;
-
rendering assistance to work force in employment, education and career progression, ensuring personal safety of employees, monitoring the quantity of work performed as well as performance standards, safekeeping of property;
-
reporting and transferring financial statements completed in the prescribed form to competent authorities and other agencies;
-
implementing civil-law relations;
-
accounting record-keeping;
-
establishing feedback with the Personal Data Subject, including sending notifications, requests related to the use of the Operator's information resource, services accomplishments, handling queries and applications;
-
localizing the User to provide safety precautions and prevent fraud;
-
providing users with efficient client and technical support should there be any issue involving the use of the Operator's website.
2.1.4. Personal data processing shall be carried out by the Operator with the sole purpose of ensuring compliance with the laws of the Russian Federation.
2.1.5. This Privacy Policy shall exclusively be applicable to the Operator’s information resources which include website www.grasys.com. The Operator shall neither exercise control nor bears responsibility for any third-party website which the Personal Data Subject may visit by following the links available on the Operator's website.
3. LEGAL FRAMEWORK FOR PERSONAL DATA PROCESSING
3.1. The legal framework for personal data processing shall be a set of statutory instruments in pursuance of which and in accordance with which the Operator processes personal data, including:
- The Constitution of the Russian Federation;
- Civil Code of the Russian Federation;
- Labor Code of the Russian Federation;
- Federal Law No. 208-FZ of December 26, 1995, On Joint Stock Companies;
- Federal Law No. 402- FZ of December 06, 2011, On Accounting;
- Federal Law No. 167-FZ of December 15, 2001, On Compulsory Pension Insurance in the Russian Federation;
- Other statutory instruments regulating relations related to the Operator’s activities.
3.2. In addition to the above-mentioned statutory instruments the legal ground for the personal data processing by the Operator shall be based on:
- JSC Grasys’ Articles of Association;
- Agreements concluded between the Operator and counterparties subsequently acting as Personal Data Subjects;
- Employment contracts concluded with work forces;
- Consent of Personal Data Subjects to their personal data processing provided inter alia by completing the forms Request for Equipment, Request for Services, Request for Training, Request a Callback from Service Provider, Order for Equipment, Feedback posted on the Operator's official website at www.grasys.com.
4. RIGHTS AND OBLIGATIONS OF THE PARTIES
4.1. Rights and obligations of the Operator.
4.1.1. The Operator shall be entitled:
- to have own control over the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Federal Law and the statutory instruments adopted under therewith unless otherwise stipulated by the Federal Law or other federal acts;
- to entrust personal data processing to another person with the consent of the Personal Data Subject unless otherwise stipulated by the Federal Law on the basis of agreement concluded with such person. The person engaged in personal data processing on behalf of the Operator shall be under duty of complying with the policies and guidelines for personal data processing of provided for by the Federal Law;
- should the Personal Data Subject withdraw consent to personal data processing, the Operator shall have the right to continue personal data processing without the consent of the Personal Data Subject if the grounds specified in the Federal Law are applicable.
The Operator shall have the right to perform personal data processing without notifying the authorized body for the protection of the rights of the Personal Data Subjects that are:
- processed in line with Labor Legislation;
- received by the Operator in connection with conclusion of an agreement to which the Personal Data Subject is a party if personal data are neither distributed nor provided to third parties without the consent of the Personal Data Subject but are used by the Operator solely for the execution of the such agreement and conclusion of contracts with the Personal Data Subject;
- permitted by the Personal Data Subject for distribution provided that the prohibited activities and provisions stipulated by Article 10.1 of the Federal Law are met by Operator;
- only last names, first names and patronymics of the Personal Data Subjects;
- necessary with the aim of a single pass of the Personal Data Subject to the territory where the Operator is located, or for other similar aims;
- included in personal data information systems and that in line with federal laws have the status of the state automated systems, as well as included in state personal data information systems established in order to protect state security and public peace;
- processed without the use of automation facilities in line with federal laws or other statutory instruments of the Russian Federation that establish requirements ensuring personal data security during their processing as well as requirements applied to respect for the Personal Data Subject rights;
- processed in cases provided for by the laws of the Russian Federation on transport security with a view to ensuring sustainable and accident-free performance of the transportation industry, protecting interests of the individuals, society and the state applicable to the transportation industry from acts of unlawful interference.
4.1.2. The Operator shall be under the duty of:
- making arrangements for personal data processing in line with the requirements of the Law;
- responding to requests and submissions from the Personal Data Subjects and their legal representatives as required by law;
- reporting to the authorized body for the protection of the Personal Data Subject rights (the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor)) at their request the necessary information within 30 days from the date of receipt of such a request.
4.2. Rights of Personal Data Subjects:
4.2.1. Personal Data Subjects shall be entitled:
- to receive information related to their personal data processing except where the federal laws contemplate otherwise. The Operator shall provide information to the Personal Data Subject in an accessible form, and such information shall be free from personal data related to other Personal Data Subjects except in cases where there are legal grounds for such personal data disclosure. The information list and sourcing procedure are established by the Federal Law.
- to require of the Operator to update their personal data, interlock or destroy thereof in case personal data turns out to be incomplete, outdated, inaccurate, illegally obtained or fail to appear necessary for the stated processing purpose, as well as to take legal measures to protect their rights;
4.2.2. Personal Data Subjects shall be under duty of providing information on personal data named in Clause 5.2. of this Privacy Policy, as well as of updating and supplementing the provided personal data subject to alteration thereof.
5. PROCESSED PERSONAL DATA SCOPE AND CATEGORIES, PERSONAL DATA SUBJECTS CATEGORIES
5.1. The content and scope of the processed personal data shall comply with the stated processing purposes. The processed personal data shall not be redundant in relation to the stated purposes of their processing.
5.2. The Operator may process personal data of the following categories of the Personal Data Subjects:
- the Operator’s employees, former employees, candidates to fill the vacancies, as well as the employees’ extended families;
- the Operator’s customers and counterparties (individuals);
- representatives / employees of the Operator's customers and counterparties (legal entities).
5.2.1. Employment applicants to be hired by the Operator:
- Surname, first name and patronymic;
- Sex;
- Citizenship;
- Date and place of birth;
- Passport data;
- Military service record book;
- Contact details;
- Educational background, statement of work experience, credentials;
- Other personal data provided by applicants in CVs and covering letters.
5.2.2. The Operator’s employees (former employees):
- Surname, first name and patronymic;
- Sex;
- Citizenship;
- Date and place of birth;
- Picture (photo);
- Passport data;
- Military service record book;
- Registration address at the place of residence;
- Actual residence address;
- Contact details;
- Individual taxpayer number;
- Individual insurance account number;
- Educational and qualification background, professional development and enrichment details;
- Marital status;
- Employment history;
- Marriage record details;
- Military service details;
- Details on permanent disability;
- Maintenance deduction details;
- Income records of previous employer;
- Other personal data provided by employees as required by labor legislation.
- Surname, first name and patronymic;
- Familial relationship;
- Date of birth;
- Other personal data provided by employees as required by labor legislation.
- Surname, first name and patronymic;
- Date and place of birth;
- Passport data;
- Registration address at the place of residence;
- Contact details;
- Position held;
- Individual taxpayer number;
- Current account number;
- ther personal data provided by customers and counterparties (individuals) necessary for execution and performance of the agreements.
- Surname, first name and patronymic;
- Passport data;
- Contact details;
- Position held;
- Other personal data provided by representatives / employees of the customers and counterparties necessary for execution and performance of the agreements.
6. PROCEDURE AND PROVISIONS FOR PERSONAL DATA PROCESSING
6.1. Personal data processing shall be carried out by the Operator as required by laws of the Russian Federation.
6.2. Personal data processing shall be carried out with the consent of the Personal Data Subjects, as well as without it in cases provided for by laws of the Russian Federation.
6.3. The Operator shall carry out both automated and non-automated processing of personal data.
6.4. The Operator’s employees whose duties include personal data processing are allowed to process personal data.
6.5. Personal data processing shall be performed by means of:
- receiving personal data in both verbal and written form directly from the Personal Data Subjects;
- obtaining personal data from publicly available sources;
- entering personal data into the Operator’s logs, registers and information systems;
- using other procedures of personal data processing.
6.6. At no time shall personal data be either disclosed to third parties or distributed without the consent of the Personal Data Subject with the exception of cases except as otherwise provided by the Federal Law. Consent to personal data processing with respect of their distribution shall be issued separately from other consents of the Personal Data Subject given to the personal data processing.
With regard to the submitted data of the subjects the confidentiality of such shall be maintained except for cases of voluntary reporting by the subject of the specified information for public access to an unlimited range of persons.
6.7. The transfer of personal data to the bodies of inquiry and preliminary investigation, the Federal Taxation Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other competent executive authorities and agencies shall be carried out as required by law of the Russian Federation.
6.8. The Operator shall take the necessary legal, managerial and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, interlocking, distribution and other unauthorized actions, including without limitation:
- Identification of the threats to the personal data security during their processing;
- Adoption of local regulations and other instruments governing the relations applicable to personal data processing and protection;
- Appointment of persons responsible for personal data security in the Operator’s business units and information systems;
- Creation of conditions conducive to personal data management;
- Arrangements made for accounting of documents containing personal data;
- Personal data storage in conditions that ensure their safety and exclude unauthorized access;
- Arrangements made for training of the Operator's employees engaged in personal data processing.
6.9. The Operator shall store personal data in such a form that allows to determine the Personal Data Subject within a shorter period of time than that required by the personal data processing purposes unless the period for retaining personal data is established by the Federal Law or in the contract.
6.10. When collecting personal data including those obtained through the information and telecommunications network Internet, the Operator shall ensure recording, systematization, accumulation, storage, improvement (updating, alteration), retrieval of personal data of the Russian Federation citizens using databases located within the Russian Federation save as provided in the Federal Law.
7. PERSONAL DATA UPDATING, CORRECTION, DELETION AND DESTRUCTION. CONSIDERATION OF THE SUBJECT ACCESS REQUESTS
7.1. Proof of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information referred to in Part 7 of Article 14 of the Federal Law are provided by the Operator to the Personal Data Subject or their representative when applying or upon receiving a request from such persons
Personal data related to other Personal Data Subjects shall be excluded from the provided information unless there are legal grounds for such data disclosure.
7.2. Requirements to data access request.
The above request shall include:
- number of the base document proving identity of the Personal Data Subject or their representative, details on the issue date and the document issuer;
- information proving engagement of the Personal Data Subject in relations with the Operator (contract details, conditional verbal label and/or other details), or information otherwise proving personal data processing by the Operator;
- signature of the Personal Data Subject or their representative.
The request can be sent as electronic document and signed with electronic signature as required by laws of the Russian Federation.
7.3. In the event that the submission (request) of the Personal Data Subject fails to present all the necessary information as required by the Federal Law or such Subject enjoys no right to the requested information access, the Operator shall send a substantiated refusal.
The right of the Personal Data Subject to access their personal data may be limited in line with Part 8 of Article 14 of the Federal Law, and specifically where the Data Subject access to personal data violates the rights and legally protected interests of third parties.
7.4. In the event that inaccurate personal data are identified when the Personal Data Subject or their representative is applying or upon their request or as and when required by Roskomnadzor, the Operator shall block personal data related to such Personal Data Subject immediately after the submission is made or the specified request is received for the check-out period provided that such personal data blocking is performed without prejudice to the rights and legally protected interests of the Personal Data Subject or third parties.
In the event that inaccuracy of personal data is proved, the Operator relying on information provided by the Personal Data Subject or their representative or Roskomnadzor, or other necessary documents shall update personal data within seven working days as from the date of such information submission and remove the personal data blocking.
7.5. In the event that unlawful personal data processing is identified when a submission (request) is made by Personal Data Subject or their representative or Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to such Personal Data Subject immediately after such a submission or request.
7.6. Upon reaching the aims of processing personal data, as well as in the event that the Personal Data Subject withdraws consent to their processing, personal data shall be destroyed:
- unless otherwise is provided by the agreement to which the Personal Data Subject is a party, beneficiary or guarantor;
- the Operator is not entitled to process personal data without the consent of the Personal Data Subject on the grounds provided for by the Federal Law or other federal acts;
- unless otherwise is provided by another agreement between the Operator and the Personal Data Subject.
8. LIABILITY AND RESPONSIBILITY OF THE PARTIES
8.1. Failing to fulfill obligations the Operator shall be liable for losses incurred by the User on account of unlawful use of personal data in accordance with the laws of the Russian Federation.
8.2. In the event that any confidential information has been lost or disclosed, the Site Administration shall not bear responsibility if such confidential information:
- has become public domain before its loss or disclosure;
- has been received from any third party prior to submission to the Site Administration;
- has been disclosed with the consent of the User.
9. DISPUTE SETTLEMENT
9.1. Prior to producing before the court statement of the dispute arising out of or relating to the relationship between the Operator and the Personal Data Subject submission of a claim (a written proposal for voluntary dispute settlement) by the Personal Data Subject shall be mandatory.
9.2. Within 30 calendar days as from the claim receipt the Claimee shall notify the claimant in writing of the results of its consideration.
9.3. If the parties fail to reach an agreement, the dispute shall be referred to the court under the applicable laws of the Russian Federation.
10. FINAL PROVISIONS
10.1. This Privacy Policy shall be subject to alteration and amendments in case Personal Data Processing and Protection laws and regulations are modified.
10.2. The new Privacy Policy becomes effective on the date when it is posted on the Website unless otherwise provided by the updated Privacy Policy version.
10.3. Any suggestions and questions related to this Privacy Policy should be reported by e-mail info@grasys.com.
10.4. The effective Privacy Policy is posted on the Operator’s official website to be found at www.grasys.com.
10.5. The website www.grasys.com serves for informational purposes only, and under no circumstances constitutes a public offer as defined by the provisions of Article 437(2) of the Civil Code of the Russian Federation.
In the event that any third-party users have registered or started using the website www.grasys.com, this implies complete and unconditional consent with these Guidelines for Using the Site. Should the Site User fail to agree with the said Guidelines, he/she must leave the Site.
By continuing to use our website, you consent to the processing of cookies (including the Yandex. Metrica service) and user data (details on location, OS type and version, browser type and version, device type and screen version, the source where from the user has entered the site, following which site or through which advertisement, OS and browser language, what webpages the user opens and what buttons the user clicks, IP address) with a focus on the website running, retargeting, statistical research and reviews.
The Guidelines for Using the Site www.grasys.com shall remain in full force and effect for an indefinite period or until the next website revision appears.
The website administrator shall have the right to make adjustments to these Guidelines, for this purpose, should the User continue to use the site, this implies that he/she automatically agrees with the amendments made.
1Article 3 of the Federal Law No. 152-FZ of July 27, 2006, On Personal Data.
Telegram-bot