Approved by the Order of
Mybill LLC
No. 231117-1 dated 23/11/17
1. Purpose and scope of the Policy
This Personal Data Policy (hereinafter referred to as the Policy) of Mybill LLC (hereinafter referred to as the Company) defines the Company's position and intentions in the field of personal data processing and protection, observance of the rights and fundamental freedoms of each individual and, in particular, the right to privacy, personal and family secrets, and protection of his or her honour and good name.
The Policy is intended for study and strict implementation by the manager and all employees of the Company and must be brought to the attention of persons who are in contractual, civil or other relations with the Company, partners and other interested parties.
2. Terms of the Policy
Personal data refers to any information relating to a directly or indirectly defined or identifiable individual (citizen).
Such information includes, but is not limited to: full name, year, month, date and place of birth, address, information about family, social, property status, information about education, profession, income, as well as other information related to the citizen.
The processing of personal data means any action (operation) or a set of actions (operations) with personal data performed with or without the use of automation. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
Security of personal data means protection of personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as other unlawful actions in relation to personal data.
A personal data information system refers to the set of personal data contained in databases and the information technology and technical means that support their processing.
3. Purposes of personal data processing
The Company processes personal data for the purposes of:
- Concluding contracts and agreements with the Company's clients, partners and users of the Company's website by accepting the relevant public offers posted on the Company's website at: mybill.ru;
- Informing the Company's clients about the Company's activities and services, its counterparties, as well as sending information and advertising materials related to the Company's and its counterparties' activities to clients;
- Individual registration of clients, their appeals to the Company for services, for execution of contracts with clients;
- Registration of the Company's employees in accordance with the requirements¹ of the legislation of the Russian Federation or conclusion of other civil contracts with individuals providing services to the Company or performing work for the Company's needs;
- Making a decision on the possibility to conclude an employment contract with persons applying for the Company's open positions.
4. Provisions of the Policy
Understanding the importance and value of information about the individual and taking care to respect the constitutional rights of citizens of the Russian Federation, the Company provides reliable protection of personal data.
Processing and security of personal data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Labour Code of the Russian Federation, the Federal Law № 152-FZ “On Personal Data”, regulations, other federal laws that define the cases and features of personal data processing, guidelines and methodological documents of FSTEC of Russia and the FSB of Russia.
When processing personal data, the Company adheres to the following principles:
- The Company only processes personal data on a lawful and fair basis;
- The Company does not disclose or distribute personal data to third parties without the consent of the citizen (unless otherwise required by applicable laws of the Russian Federation);
- The Company determines the specific lawful purpose before processing (including the collection) of personal data;
- The Company only collects personal data that are necessary and sufficient for the stated purpose of processing;
- The processing of personal data in the Company is limited to achieving specific, predetermined and legitimate objectives²;
- The Company shall destroy or depersonalise personal data once the purposes of processing have been achieved or when it is no longer necessary to achieve the purposes.
In cases established by the legislation of the Russian Federation, the Company has the right to transfer citizens' personal data.
The Company has the right to assign the processing of personal data (with the consent of the citizen³) to third parties, based on an agreement (commission) concluded with these parties, including through the exchange of electronic documents.
Persons engaged in the processing of personal data on behalf of the Company shall be obliged to comply with the principles and rules of processing and protection of personal data provided by the Federal Law № 152-FZ “On Personal Data”. For each third party, the agreement (commission) determines the list of actions (operations) with personal data to be performed by the person processing the personal data and the purposes of processing, establishes that person's obligation to ensure the confidentiality and security of personal data during processing, and contains requirements for the protection of the processed personal data.
If the Company transfers personal data of citizens across borders to a foreign country, the cross-border transfer must be carried out in compliance with the applicable laws of the Russian Federation, as well as with international legal acts. Only countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and that provide adequate protection of the rights of personal data subjects can be recipients. The recipient of personal data from the Company shall be obliged to protect the rights of subjects of personal data under the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981 (Strasbourg).
The transfer of personal data is carried out in accordance with the requirements of the legislation of the Russian Federation regarding the processing and protection of personal data.
5. Rights of citizens with regard to personal data processing
A citizen whose personal data is processed by the Company has the right to:
- Receive from the Company:
  - Confirmation of the fact of processing of personal data by the Company;
  - Information about the legal basis and purpose of the processing of personal data;
  - Information about the methods of personal data processing used by the Company;
  - Information about the name and location of the Company;
  - Information about persons (excluding employees and representatives of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Company or under federal law;
  - A list of the personal data being processed that pertain to the citizen from whom the request was received, and information on the sources of such data, unless another procedure for providing such data is prescribed by federal law;
  - Information about the period of processing of personal data, including the period of their storage;
  - Information about ongoing or suspected trans-border transfer of personal data;
  - Name (full name) and address of the person processing the personal data on behalf of the Company;
  - Information about how the citizen may exercise his or her rights under the Federal Law No. 152-FZ “On Personal Data”;
  - Other information as provided by the Federal Law No. 152-FZ “On Personal Data” or other federal laws;
- Demand that his/her personal data should be clarified, blocked or destroyed if the personal data is incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated purpose of processing;
- Withdraw his/her consent to the processing of personal data;
- Demand elimination of unlawful actions of the Company in relation to his/her personal data;
- Complain against the Company's acts or omissions to the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) or in court, if a citizen believes that the Company is processing his/her personal data in violation of the requirements of the Federal Law № 152-FZ "On Personal Data" or otherwise violates their rights and freedoms;
- Protect their rights and legitimate interests, including compensation for losses and/or compensation for moral damage in court.
6. Information on the implemented requirements for the protection of personal data
6.1 When processing personal data, the Company shall take necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data.
6.2 The measures referred to in para. 6.1 of the Policy, in accordance with Articles 18.1 and 19 of Federal Law No. 152-FZ “On Personal Data”, in particular include:
6.2.1. Appointment of a person responsible for organisation of personal data processing and persons responsible for ensuring security of personal data, or performance of these functions by the Head of the Company;
6.2.2. Development and approval of local acts on processing and protection of personal data, including such processing through the Company's Website, and/or posting of the relevant user agreement (offer) stipulating such terms on the Company's Website;
6.2.3. Application of legal, organisational and technical measures to ensure security of personal data:
- Identification of threats to the security of personal data during its processing in personal data information systems;
- Application of organisational and technical measures to ensure security of personal data during its processing in personal data information systems, necessary to meet the requirements for protection of personal data, implementation of which ensures the established levels of protection of personal data;
- Application of information security tools that have duly passed the conformity assessment procedure (if any);
- Evaluation of efficiency of measures taken to ensure security of personal data prior to commissioning of personal data information systems;
- Detection of facts of unauthorized access to personal data and taking measures;
- Restoration of personal data modified or destroyed as a result of unauthorized access to such data;
- Establishing the rules for access to personal data, processed in personal data information systems, and ensuring registration and accounting of all actions, performed with personal data in personal data information systems;
- Execution of internal control and/or audit of compliance of personal data processing with Federal Law No. 152-FZ “On Personal Data”, bylaws and local acts of the Company;
- Assessment of damage which may be caused to citizens in case of violation of Federal Law No. 152-FZ “On Personal Data”, correlation of such damage and measures taken by the Company to ensure fulfillment of obligations under Federal Law No. 152-FZ “On Personal Data”;
- Compliance with conditions preventing unauthorized access to tangible personal data carriers and ensuring safety of personal data;
- Familiarization of the Company's employees directly engaged in processing of personal data with the provisions of the personal data legislation of the Russian Federation, including requirements for protection of personal data, local acts on processing and protection of personal data, and training of the Company's employees.
7. Final Provisions
7.1 This Policy shall be reviewed by the Company from time to time, as necessary, and in the following cases:
- In case of changes in the legislation of the Russian Federation in the field of processing and protection of personal data;
- In case of changes in the purposes for processing of personal data, in the structure of information and/or telecommunication systems (or introduction of new ones);
- In case of application of new technologies for processing of personal data (including transfer, storage);
- In case of necessity to change the process of personal data processing related to the Company's activities;
- Upon results of control over compliance with requirements for processing and protection of personal data;
- Upon the decision of the Head of the Company.
7.2 After the revision of the provisions of this Policy, its updated version may be published on the Company's website and/or posted in the public domain at the Company's address, as well as made available for inspection on request of the subject of personal data.
In case of non-compliance with the provisions of this Policy, the Company shall be liable in accordance with the applicable laws of the Russian Federation.
7.3 Citizens whose personal data is processed by the Company can obtain clarification on the processing of their personal data by sending an official request by e-mail to the Company's email address listed on the Company's website, or by mail to the Russian postal address of the Company.
If an official request is sent to the Company, the request must include:
- Surname, first name, patronymic of the citizen or his/her representative;
- Number of the main identity document of the citizen (or his/her representative), information on the date of issue of the document and the authority that issued it;
- Information confirming participation in a relationship with the Company (e.g. contract number) or information otherwise confirming the processing of personal data by the Company;
- Signature of the citizen (or his/her representative). If the request is sent electronically, it must be in the form of an electronic document and signed by electronic signature in accordance with Russian law.
¹ Including exercising the functions, powers and duties imposed on the Company by the legislation of the Russian Federation in accordance with the Tax Code of the Russian Federation, federal laws, in particular: “On individual (personalised) accounting in the mandatory pension insurance system”, “On personal data”, as well as local acts of the Company; assistance in employment, training, ensuring personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property, and voluntary insurance of employees.
² Unless otherwise stipulated by the contract between the Company and the citizen, other agreement between the Company and the citizen or unless the Company has the right to process personal data without the consent of the citizen on the grounds provided by the Federal Law № 152-FZ “On Personal Data” or other federal laws.
³ Unless otherwise stipulated by federal law.