Data Confidentiality Protection Policy

Personal Data
Privacy and Confidentiality Policy
JSC Grasys

This Personal Data Confidentiality and Privacy Policy (further referred to as the Privacy Policy) is applicable to all potential information JSC Grasys (further referred to as the Operator) may receive about Users particularly but not exclusively through the Operator’s data resource visited by Users at key provision for Privacy Policy implementation is to ensure the desired and sufficient security level of information and specifically of personal data.

This Privacy Policy establishes general terms and conditions for personal information collection, storage, transfer and other processing kinds at JSC Grasys as well as applicable and implemented personal data protection requirements. All such Privacy Policy requirements have been developed in line with the current legislation of the Russian Federation striving to improve safety level of confidential information and specifically of personal data and aiming to enhance monitoring strategies and tactics for personal data protection.


1. This Privacy Policy contains terms as follows:

1.1. Personal data means any information directly or indirectly concerning a natural person who is defined or is being defined (personal data Subject);

1.2. Operator means a governmental body, a municipal body, a legal entity or a natural person that on its/his/her own or jointly with other persons organises and/or realises the processing of personal data, and also defines the purposes of personal data procession, the composition of the personal data which are subject to processing and the actions (operations) involving personal data. In this Privacy Policy context the Operator shall mean including but not limited to JSC Grasys.

1.3. Processing of personal data is any action (operation) or a set of actions (operations) realised by means of automation facilities or without such facilities as involving personal data, including the gathering, recording, systematising, accumulating, storing, updating (renewing and altering), retrieving, using, transmitting (disseminating, providing and accessing), depersonalising, blocking, deleting and destroying personal data.

1.4. Automated personal data processing means processing of personal data by means of computers;

1.5. Dissemination of personal data means actions aimed at disclosing personal data to an unlimited group of persons.

1.6. Provision of personal data means actions aimed at disclosing personal data to a certain person or a certain group of persons.

1.7. Blocking personal data means temporary termination of personal data processing (except for cases when processing is needed for adjusting personal data).

1.8. Destruction of personal data means actions resulting in the impossibility of restoring the content of personal data in information systems dedicated to personal data and/or in the destruction of personal data material media.

1.9. Depersonalisation of personal data means actions resulting in the impossibility of identifying -- without the use of additional information - the belonging of personal data to a specific personal data Subject.1

1.10. The Website administration (further referred to as the Website administration) - acting on behalf of JSC Grasys officers in charge for the website who organise and/or process personal data and define objectives of personal data processing, the data scope subject to processing, actions (operations) to be further performed.

1.11. Personal data confidentiality manes a binding for the Operator or another party having access to personal data requirement not to allow their disclosure without consent of the personal data Subject or where legally unpermitted.

1.12. The Website user (further referred to as the User) is a person who accesses and makes use of the Website through the Internet.

1.13. Cookies mean a small chunk of data submitted by Web server and stored on the User's computer that is sent to the Web server by Web client or Web browser as HTTP request each time when attempting to open up the page of the relevant Website.

1.14. The Operator’s information resource stands for a Website with the domain name

1.15. An IP address is a unique identifier for a node or host connection on an IP network.

1.16. The information resource Operator is JSC Grasys that owns and manages the information resource performing such functions as personal data collection and processing.

1.17. The personal data Subject is the User who transfers his/her personal data to the Operator.


2.1. Personal data is any information that directly or indirectly relates to identified or identifiable individual, the detailed list of which is established by JSC Grasys’ in-house policies and procedures.

2.2. All personal data processed by JSC Grasys are closely guarded and treated as confidential information.

2.3. The Operator handles personal data with a focus on executing labor relations, contractual arrangements, tax management, HR record-keeping, accountancy; aiming to complete the Operator’s obligations under the signed agreements, research practice, Operator’s products/operations/services promotion as well as Operator’s customers/partners using direct contacts through various communication means including but not limited to E-mail, phone, teletype, fax and for other purposes allowed by law.2


3.1. By deploying the Operator’s information resource, the User consents to this Privacy Policy and to the User’s personal data processing environment.

3.2. If disagreed with any term of this Privacy Policy, the User shall stop using of the Website.

3.3. This Privacy Policy applies only to the Operator’s information resource – The Operator neither checks the third party’s Websites nor bears any responsibility in case the User is found to follow a link available on the Website.

3.4. The Website administration accepts no responsibility for accuracy of the personal data provided by the Website User.

3.5. The User provides personal data processable under this Privacy Policy by completing the Registration Form at in sections: Request for Equipment, Request for Services, Request for Training, Request for Service Department Callback. Personal data comprise information as follows:

  • The User’s surname, first name, patronymic;
  • The User’s phone number;
  • E-mail;
  • The corporate name;
  • The User feedback methods;
  • Products the User takes interest in;
  • The User training program;
  • The required type of work;
  • Type of equipment to render services;
  • Сommunication channel.

3.6. The Operator’s information resource protects data automatically transferred when viewing commercial pods and visiting pages where the system’s statistical script is installed («pixel»):

  • The IP address;
  • The Cookies information;
  • Information on browser (or another program providing access to the online advertising view);
  • The access time;
  • The commercial pod page address;
  • The referrer (the previous page’s address).

Disabling cookies may lead to inability to access those parts of the Website that require authorization. The Website gathers statistics on the visitors’ IP addresses. This information is used to identify and solve technical problems.

3.7. Any other non-specific personal information (such as contact history, the used browsers, etc.) is subject to reliable storage and non-disclosure except for the cases stipulated in subparagraphs 5.2. and 5.3. of this Privacy Policy.

3.8. The User agrees that the information resource Operator may deploy the User’s personal data with a view to:

  • Granting the User access to the Website personalized resources;
  • Establishing feedback with the User through sending notifications, requests for using the Website, rendering services, processing the User’s requests and applications;
  • Locating the User to ensure security and to prevent a fraud;
  • Providing the User with product updates, special offers, pricing information, newsletters and other information on behalf of the Website or the Website’s partners;
  • Promotional activities;
  • Granting the User access to the partners’ websites or services aiming to receive products, updates and services.


4.1. Personal data processing with automation tools is subject to technical measures aimed at preventing unauthorized access to personal data and/or transferring them to parties excludable from such information access.

4.2. Special mechanisms for personal data protection are configured to timely detect unauthorized access to personal data; personal data automatic processing hardware shall be isolated with a view of preventing any impact that may result in malfunctioning.

4.3. The Operator performs backing up so that personal data either modified or destroyed due to unauthorized access could be immediately restored and keeps monitoring for the personal data protection level.

4.4. Personal data processing without automation tools is performed in such a way that storage location could be identified for each personal data category and material carriers.

4.5. The Operator makes a list of those who process personal data or can access them and ensures segregated storage for personal data and tangible media processable for various purposes.

4.6. The Operator ensures personal data safety and takes measures to prevent unauthorized access to personal data.

4.7. The User agrees that the Operator may transfer personal data to third parties in particular to delivery services, post offices, telecommunication operators for the limited purpose of completing the User’s order placed on the Operator’s information resource.

4.8. The User’s personal data may be transferred to competent public authorities of the Russian Federation solely in the manner and on the grounds established by the Russian legislation.

4.9. In case personal data are lost or disclosed, the Operator shall inform the User on such loss or disclosure accordingly.

4.10. The Operator together with the User shall take all required measures to prevent loss or other adverse effects caused by the User’s personal data loss or disclosure.

4.11. The Operator shall store personal data for 5 years from the receipt date. Upon expiry of the specified period personal data shall be destroyed except for cases when the Operator is liable for saving personal data in line with the Russian legislation.


5.1. While processing personal data, the Operator:

  • Defines threats to personal data security, on their basis forms threat models, develops personal data protection systems neutralizing alleged threats using personal data protection methods provided for information systems of the relevant class;
  • Develops Inspection Plan for new data protection facilities ready for use and drawing up conclusions on their operation feasibility;
  • Installs data protection facilities in line with operational and technical documentation;
  • Provides training in work practices for those who use data protection facilities deployed in information systems;
  • Performs record-keeping of the applied data protection facilities, their operational and technical documentation, personal data storage media;
  • Performs record-keeping of officers authorized to work with personal data in information system;
  • Monitors for compliance with the terms of use for data protection facilities stipulated in operational and technical documentation;
  • Holds proceedings on non-compliance with conditions for personal data media storage, using data protection facilities which may result in breach of personal data confidentiality or other violations causing decline in personal data protection level, development and adoption of measures to prevent potential hazardous consequences of such violations;
  • Keeps available personal data protection system descriptions.

5.2. Operator’s Information Technology Division is held responsible for development and implementation of specific measures to ensure personal data security while the Operator or another authorized party processes the said data in information system. Parties that are required to be granted with access to personal data processed in the information system aiming to perform official (work-related) duties are allowed to the relevant personal data according to the list approved by the Operator. The information system Users’ requests to receive personal data as well as personal data submission under such requests are recorded in electronic Communication History by information system automated facilities.


6.1. Being personal data Operator, JSC Grasys may advocate its interests in court, provide third parties with personal data of the Subjects in case it is stipulated by current legislation (tax offices, law enforcement authorities, etc.), refuse to provide personal data in cases provided for by law, use personal data of the Subjects without their consent where statutorily provided.

6.2. The Operator shall be bound to use the received information solely for the purposes specified in this Privacy Policy, to ensure keeping confidential information secret, not to disclose any data without the User’s prior written approval and not to sell, exchange, publish or disclose otherwise the submitted User’s personal data unless expressly permitted by law, take precautions to protect the User’s personal data privacy in line with the usual and customary business practice for such information protection, to block the particular User-related personal data upon call or request of the User or his/her legal representative or authorized body for rights protection of the personal data Subjects for verification period in case inaccurate personal data or illegal actions have been revealed.

6.3. The personal data Subject may demand rectification of his/her personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not required for the declared processing purpose as well as take measures prescribed by law to protect his/her rights; demand a list of his/her personal data processed by Operator and the data origination; obtain information on the personal data processing time including retention period; demand to notify all the parties that have earlier been provided with incorrect or incomplete personal data on all exceptions, amendments or supplements made to them; appeal to authorized body on the rights protection of personal data Subjects or appeal to a court inappropriate acts or omissions when processing his/her personal data, assert rights and legitimate interests including but not limited to compensation for losses and punitive damages through judicial procedures.


7.1. The Operator shall be liable for any damage caused to the personal data Subject due to the Operator’s abusive use of the personal data of the Subject under the Russian legislation.

7.2. In case personal data are lost or disclosed, the Operator shall not be held liable if the said personal data:

  • Have become public domain prior to their loss or disclosure;
  • Have been obtained from a third party before Operator’s receiving from the personal data Subject.
  • Have been disclosed with the consent of the personal data Subject or upon public authorities’ request.


8.1. This Privacy Policy is subject to alteration and amendments in case Personal Data Processing and Protection laws and regulations are modified.

8.2. The Operator is entitled to make changes to this Privacy Policy without the User’s consent.

8.3. The new Privacy Policy becomes effective on the date when it is posted on the Operator’s information resource unless otherwise provided by the updated Privacy Policy version.

8.4. This Policy is a JSC Grasys’ developed document and subject to posting on the official information resource

8.5. This Policy requirements compliance is monitored by officers in charge for personal data security in JSC Grasys.

Updated on January 20, 2020.

1 Terms 1.1−1.9 are brought in line with par.3 of the Federal Law No. 152-FZ On Personal Data of July 27, 2006.

2 Art. 22 of Federal Law No. 152-FZ, Art. 85−90 of the Russian Labor Code.

Ceci n’est pas une offre publique