Privacy and Confidentiality Policy
1. TERMS AND DEFINITIONS
1.1. Personal data means any information directly or indirectly concerning a natural person who is defined or is being defined (personal data Subject);
1.3. Processing of personal data is any action (operation) or a set of actions (operations) realised by means of automation facilities or without such facilities as involving personal data, including the gathering, recording, systematising, accumulating, storing, updating (renewing and altering), retrieving, using, transmitting (disseminating, providing and accessing), depersonalising, blocking, deleting and destroying personal data.
1.4. Automated personal data processing means processing of personal data by means of computers;
1.5. Dissemination of personal data means actions aimed at disclosing personal data to an unlimited group of persons.
1.6. Provision of personal data means actions aimed at disclosing personal data to a certain person or a certain group of persons.
1.7. Blocking personal data means temporary termination of personal data processing (except for cases when processing is needed for adjusting personal data).
1.8. Destruction of personal data means actions resulting in the impossibility of restoring the content of personal data in information systems dedicated to personal data and/or in the destruction of personal data material media.
1.9. Depersonalisation of personal data means actions resulting in the impossibility of identifying, without the use of additional information, the belonging of personal data to a specific personal data Subject.1
1.10. The Website administration (further referred to as the Website administration) means the officers in charge of the website who, acting on behalf of JSC Grasys, organise and/or process personal data and define the objectives of personal data processing, the scope of data subject to processing, and the actions (operations) to be further performed.
1.11. Personal data confidentiality means a requirement, binding for the Operator or another party having access to personal data, not to allow their disclosure without consent of the personal data Subject or where legally unpermitted.
1.12. The Website user (further referred to as the User) is a person who accesses and makes use of the Website through the Internet.
1.13. Cookies mean a small chunk of data submitted by Web server and stored on the User's computer that is sent to the Web server by Web client or Web browser as HTTP request each time when attempting to open up the page of the relevant Website.
1.14. The Operator’s information resource stands for a Website with the domain name www.grasys.com.
1.15. An IP address is a unique identifier for a node or host connection on an IP network.
1.16. The information resource Operator is JSC Grasys that owns and manages the information resource www.grasys.com performing such functions as personal data collection and processing.
1.17. The personal data Subject is the User who transfers his/her personal data to the Operator.
2. GENERAL PROVISIONS
2.1. Personal data is any information that directly or indirectly relates to identified or identifiable individual, the detailed list of which is established by JSC Grasys’ in-house policies and procedures.
2.2. All personal data processed by JSC Grasys are closely guarded and treated as confidential information.
2.3. The Operator handles personal data with a focus on executing labor relations, contractual arrangements, tax management, HR record-keeping, accountancy; aiming to complete the Operator’s obligations under the signed agreements, research practice, Operator’s products/operations/services promotion as well as Operator’s customers/partners using direct contacts through various communication means including but not limited to E-mail, phone, teletype, fax and for other purposes allowed by law.2
3. SPECIAL CONDITIONS FOR USING THE OPERATOR'S INFORMATION RESOURCE
3.4. The Website administration accepts no responsibility for accuracy of the personal data provided by the Website User.
- The User’s surname, first name, patronymic;
- The User’s phone number;
- The corporate name;
- The User feedback methods;
- Products the User takes interest in;
- The User training program;
- The required type of work;
- Type of equipment to render services;
- Communication channel.
3.6. The Operator’s information resource protects data automatically transferred when viewing commercial pods and visiting pages where the system’s statistical script is installed («pixel»):
- The IP address;
- The Cookies information;
- Information on browser (or another program providing access to the online advertising view);
- The access time;
- The commercial pod page address;
- The referrer (the previous page’s address).
Disabling cookies may lead to inability to access those parts of the Website that require authorization. The Website gathers statistics on the visitors’ IP addresses. This information is used to identify and solve technical problems.
3.8. The User agrees that the information resource Operator may deploy the User’s personal data with a view to:
- Granting the User access to the Website personalized resources;
- Establishing feedback with the User through sending notifications, requests for using the Website, rendering services, processing the User’s requests and applications;
- Locating the User to ensure security and to prevent a fraud;
- Providing the User with product updates, special offers, pricing information, newsletters and other information on behalf of the Website or the Website’s partners;
- Promotional activities;
- Granting the User access to the partners’ websites or services aiming to receive products, updates and services.
4. THE PROCEDURE FOR PERSONAL DATA COLLECTION, STORAGE, TRANSFER AND OTHER PROCESSING KINDS. PERSONAL DATA RETENTION PERIOD
4.1. Personal data processing with automation tools is subject to technical measures aimed at preventing unauthorized access to personal data and/or transferring them to parties excludable from such information access.
4.2. Special mechanisms for personal data protection are configured to timely detect unauthorized access to personal data; personal data automatic processing hardware shall be isolated with a view of preventing any impact that may result in malfunctioning.
4.3. The Operator performs backing up so that personal data either modified or destroyed due to unauthorized access could be immediately restored and keeps monitoring for the personal data protection level.
4.4. Personal data processing without automation tools is performed in such a way that storage location could be identified for each personal data category and material carriers.
4.5. The Operator makes a list of those who process personal data or can access them and ensures segregated storage for personal data and tangible media processable for various purposes.
4.6. The Operator ensures personal data safety and takes measures to prevent unauthorized access to personal data.
4.7. The User agrees that the Operator may transfer personal data to third parties in particular to delivery services, post offices, telecommunication operators for the limited purpose of completing the User’s order placed on the Operator’s information resource.
4.8. The User’s personal data may be transferred to competent public authorities of the Russian Federation solely in the manner and on the grounds established by the Russian legislation.
4.9. In case personal data are lost or disclosed, the Operator shall inform the User on such loss or disclosure accordingly.
4.10. The Operator together with the User shall take all required measures to prevent loss or other adverse effects caused by the User’s personal data loss or disclosure.
4.11. The Operator shall store personal data for 5 years from the receipt date. Upon expiry of the specified period personal data shall be destroyed except for cases when the Operator is liable for saving personal data in line with the Russian legislation.
5. MEASURES TAKEN TO PROTECT PERSONAL DATA
5.1. While processing personal data, the Operator:
- Defines threats to personal data security, on their basis forms threat models, develops personal data protection systems neutralizing alleged threats using personal data protection methods provided for information systems of the relevant class;
- Develops Inspection Plan for new data protection facilities ready for use and drawing up conclusions on their operation feasibility;
- Installs data protection facilities in line with operational and technical documentation;
- Provides training in work practices for those who use data protection facilities deployed in information systems;
- Performs record-keeping of the applied data protection facilities, their operational and technical documentation, personal data storage media;
- Performs record-keeping of officers authorized to work with personal data in information system;
- Holds proceedings on non-compliance with conditions for personal data media storage, using data protection facilities which may result in breach of personal data confidentiality or other violations causing decline in personal data protection level, development and adoption of measures to prevent potential hazardous consequences of such violations;
- Keeps available personal data protection system descriptions.
5.2. The Operator’s Information Technology Division is responsible for the development and implementation of specific measures to ensure personal data security while the Operator or another authorized party processes the said data in the information system. Parties that need access to personal data processed in the information system in order to perform official (work-related) duties are granted access to the relevant personal data according to the list approved by the Operator. The information system Users’ requests to receive personal data, as well as personal data submissions under such requests, are recorded in the electronic Communication History by the information system's automated facilities.
6. RIGHTS AND OBLIGATIONS OF THE OPERATOR AND PERSONAL DATA SUBJECT
6.1. Being personal data Operator, JSC Grasys may advocate its interests in court, provide third parties with personal data of the Subjects in case it is stipulated by current legislation (tax offices, law enforcement authorities, etc.), refuse to provide personal data in cases provided for by law, use personal data of the Subjects without their consent where statutorily provided.
6.3. The personal data Subject may demand rectification of his/her personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not required for the declared processing purpose as well as take measures prescribed by law to protect his/her rights; demand a list of his/her personal data processed by the Operator and the data origination; obtain information on the personal data processing time including retention period; demand that all the parties that have earlier been provided with incorrect or incomplete personal data be notified of all exceptions, amendments or supplements made to them; appeal to the authorized body for the protection of the rights of personal data Subjects or appeal to a court against inappropriate acts or omissions when processing his/her personal data, assert rights and legitimate interests including but not limited to compensation for losses and punitive damages through judicial procedures.
7. LIABILITY AND RESPONSIBILITY OF THE PARTIES
7.1. The Operator shall be liable for any damage caused to the personal data Subject due to the Operator’s abusive use of the personal data of the Subject under the Russian legislation.
7.2. In case personal data are lost or disclosed, the Operator shall not be held liable if the said personal data:
- Have become public domain prior to their loss or disclosure;
- Have been obtained from a third party before Operator’s receiving from the personal data Subject.
- Have been disclosed with the consent of the personal data Subject or upon public authorities’ request.
8. FINAL PROVISIONS
8.4. This Policy is a document developed by JSC Grasys and is subject to posting on the official information resource https://www.grasys.com/company.
8.5. Compliance with the requirements of this Policy is monitored by the officers in charge of personal data security at JSC Grasys.
Updated on January 20, 2020.
1 Terms 1.1−1.9 are brought in line with par.3 of the Federal Law No. 152-FZ On Personal Data of July 27, 2006.
2 Art. 22 of Federal Law No. 152-FZ, Art. 85−90 of the Russian Labor Code.