1.General Provisions1.1.This document defines the policy of Arno Legal LLC (the “
Operator”) in relation to personal data processing (the “
Policy”), developed taking into account the requirements of the Federal Law No. 152-FZ “On Financial Data” of 27 July 2006 and in accordance with the recommendations of Roskomnadzor for drafting a document defining the policy of the operator when processing personal data.
2.Legal basis for personal data processing2.1. The legal basis for personal data processing is the set of regulatory and legal acts, pursuant to which and in accordance with which the Operator processes personal data, including:
2.2. Constitution of the Russian Federation;
2.3. Labor Code of the Russian Federation;
2.4. Civil Code of the Russian Federation;
2.5. Tax Code of the Russian Federation;
2.6. Federal Law No. 402-FZ “On Accounting” of 6 December 2011;
2.7. Federal Law No. 114-FZ “On the procedure for leaving the Russian Federation and entering the Russian Federation” of 15 August 1996;
2.8. other regulatory acts in accordance with the legislation of the Russian Federation;
2.9. Operator's charter.
3.Main definitionsThe following terms are used in this document:
3.1. personal data – any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data);
3.2. operator – a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons, organizing and (or) carrying out personal data processing, as well as determining the purposes of personal data processing, the composition of personal data subject to processing, actions (operations) performed with personal data;
3.3. personal data processing – any action (operation) or set of actions (operations) performed with using automation tools or without using such tools with personal data, including input, systematization, storage (in electronic form and on paper), clarification, updating, change, modification, depersonalization, blocking, deletion, destruction, transfer of personal data to regulatory authorities: the Federal Tax Service, the Pension Fund, the Social Insurance Fund, Federal State Statistics Service in accordance with the legislation of the Russian Federation; banking organizations for the purpose of calculating wages, vacation pay and other payments to employees, as well as payments under contracts; to the landlord for the purpose of issuing passes to the building; consulates and embassies for the purpose of issuing visa documents for foreign business trips of employees, visa documents and job invitations for the Operator's clients;
3.4. automated personal data processing – processing of personal data using computer technology;
3.5. distribution of personal data – actions aimed at disclosing personal data to an indefinite number of persons;
3.6. provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;
3.7. blocking of personal data – temporary interruption of personal data processing (except in cases where processing is necessary to clarify personal data);
3.8. destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destructed;
3.9. depersonalization of personal data – actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information;
3.10.personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
4.Basic rights and obligations of personal data subjects4.1. Any subject whose personal data is processed by the Operator has the right to receive information regarding the processing of his or her personal data, including:
4.1.1. confirmation of the fact of personal data processing by the Operator;
4.1.2. legal grounds and purposes of personal data processing;
4.1.3. purposes and methods of personal data processing used by the Operator;
4.1.4. the name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
4.1.5. processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
4.1.6. terms of personal data processing, including the terms of their storage;
4.1.7. the procedure for the exercise by the subject of personal data of the rights provided for by this Federal Law;
4.1.8. the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is or will be entrusted to such person;
4.1.9. other information provided for by the legislation of the Russian Federation.
4.2. The personal data subject has the right to protect his or her rights and legitimate interests, including compensation for damages and/or moral harm, in court.
4.3. The personal data subject has the right to request the correction of incorrect or incomplete personal data, as well as data processed in violation of the requirements of the legislation of the Russian Federation.
4.4. The personal data subject has the right to revoke consent to the processing of their personal data; to appeal the actions or inactions of the Operator when processing their personal data in accordance with the legislation of the Russian Federation.
4.5. The personal data subject has the right to exercise other rights provided for by the legislation of the Russian Federation.
5. Provision of information5.1. The information specified in paragraph 4.1 shall be provided to the personal data subject by the Operator in an accessible form, and shall not contain personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosure of such personal data.
5.2. To obtain the information specified in paragraph 4.1, the personal data subject or their representative must submit a corresponding request to the Operator. The request must contain the number of the identity document of the personal data subject or their representative, information on the date of issue of the said document and the issuing authority, information confirming the personal data subject's participation in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator, and the signature of the personal data subject or their representative. The request may be sent in the following forms:
5.2.1.in the form of a document on paper to the Operator's postal address: Russian Federation, 127030, Moscow, Novoslobodskaya St., 23.
5.2.2. in the form of an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation to the email address:
vyacheslav.khayryuzov@arnolegal.com.
5.3. The operator has the right to refuse the personal data subject's request for access to his or her personal data, in accordance with federal laws, including if the personal data subject's access to his or her personal data violates the rights and legitimate interests of third parties.
5.4. If a personal data subject believes that the Operator is processing his or her personal data in violation of the requirements of the law or otherwise violates his or her rights and freedoms, the personal data subject has the right to appeal the actions or inaction of the Operator to the authorized body for the protection of the rights of personal data subjects or in court.
6.Main responsibilities of the Operator6.1. The Operator is obliged to take the necessary measures to fulfill the Operator's obligations stipulated by the legislation of the Russian Federation in the field of processing and protecting personal data.
6.2. The Operator is obliged to terminate the processing of personal data in accordance with the legislation of the Russian Federation.
6.3. When collecting personal data, the Operator is obliged to provide the personal data subject, at his or her request, with the information specified in paragraph 4.1 of this Policy.
6.4. If the personal data subject is required to provide his or her personal data to the Operator in accordance with legal requirements, the Operator is obliged to explain to the personal data subject the legal consequences of refusing to provide his or her personal data.
6.5. If personal data is received by the Operator not from the personal data subject, the Operator is obliged to provide the personal data subject with the following information before commencing the processing of such personal data:
6.5.1. name or surname, first name, patronymic and address of the operator or his or her representative;
6.5.2. the purpose of personal data processing and its legal basis;
6.5.3. intended users of personal data;
6.5.4. the rights of the subject of personal data established by this Federal Law;
6.5.5. source of personal data.
7.Purposes of collecting personal data7.1. The Operator's processing of personal data is limited to achieving specific, predetermined, and legitimate purposes. Processing of personal data incompatible with the purposes for which it was collected is prohibited.
7.2. The Operator processes personal data for the following purposes.
7.2.1. implementation of personnel selection;
7.2.2. conclusion and execution of employment contracts;
7.2.3. conclusion and execution of civil law contracts;
7.2.4. informing clients;
7.2.5. processing of work visas and work invitations.
8.Volume and categories of personal data processed, categories of personal data subjects8.1. The content and volume of personal data processed by the Operator are determined based on the purposes of processing.
8.2. The Operator processes personal data belonging to the following categories of subjects:
8.2.1. employees who are in employment relationships with the Operator;
8.2.2. relatives of employees;
8.2.3. representatives of the Operator’s counterparties;
8.2.4. individuals – parties to contracts for the provision of services for a fee;
8.2.5. applicants for a vacant position;
9. Procedure and conditions for personal data processing9.1. List of actions and methods of personal data processing
9.1.1. When processing personal data, the Operator carries out the following list of actions: input, systematization, storage (in electronic form and on paper), clarification, updating, change, modification, depersonalization, blocking, deletion, destruction, transfer of personal data to regulatory authorities: the Federal Tax Service, the Pension Fund, the Social Insurance Fund, Federal State Statistics Service in accordance with the legislation of the Russian Federation; banking organizations for the purpose of calculating salaries, vacation pay and other payments to employees, as well as payments under contracts; to the landlord for the purpose of issuing passes to the building; consulates and embassies for the purpose of issuing visa documents for foreign business trips of employees, visa documents and job invitations for the Operator's clients.
9.2. Methods of personal data processing used by the Operator:
9.2.1. using automation tools (automated processing);
9.2.2. without using automation tools (non-automated processing).
9.3. Personal data processing is carried out by the Operator through mixed processing with the transfer of information via the internal network (information is available only to strictly defined employees of the Operator), as well as with the transfer of information via public Internet.
9.4. The conditions for termination of personal data processing may be:
9.4.1. expiration of the document storage periods established by the legislation of the Russian Federation;
9.4.2. achievement of the purposes of personal data processing;
9.4.3. termination of the Operator’s activities;
9.4.4. revocation of consent of the personal data subject;
9.4.5. detection of unlawful personal data processing;
9.4.6. other cases provided for by law.
9.5. The Operator shall store personal data in a form that allows the identification of the subject of personal data for no longer than is required by the purposes of personal data processing, except in cases where the storage period of personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary, or guarantor.
9.6. Arno Legal LLC, as the personal data Operator, has servers physically located within the Russian Federation for storing personal data of Russian citizens.
10.Interaction with third parties10.1. In order to achieve the purposes of personal data processing specified in clause 7.2 of this Policy, the Operator interacts with third parties.
10.2.The Operator has the right to transfer personal data to inquiry and investigative bodies and other authorized bodies on the grounds stipulated by the current legislation of the Russian Federation.
10.3.Operators and other persons who have gained access to personal data are obliged not to disclose to third parties or distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.
11.Updating, correcting, deleting and destruction of personal data, responding to requests from subjects for personal data accessUpdating, correcting, deleting, and destruction of personal data, and responding to requests from subjects for personal data access, are regulated by a separate internal document of the Operator called “Procedure for responding to requests from personal data subjects and the authorized body for the protection of the rights of personal data subjects”.