Personal Data Protection POLICY
in FM Logistic Vostok Joint-Stock Company
Company means FM Logistic Vostok Joint-Stock Company, FM Logistic Vostok JSC and all its affiliated companies. The term ‘affiliated companies’ is used herein in the meaning ascribed to it by the civil law.
Personal Data means any information relating to a directly or indirectly identified or identifiable individual (‘data subject’).
Personal Data Processing means any action (operation) or set of actions (operations) performed on personal data, whether by automated means or manually, such as collecting, recording, structuring, accumulating, storing, modifying (updating, amending), retrieving, using, transferring (distributing, making available), redacting, blocking, deleting or destroying.
Automated Personal Data Processing means processing personal data using computing equipment.
Personal Data Information System means a set of personal data in databases and a set of information technology and technical means which are used for personal data processing.
Personal Data Carrier means a material medium, including a physical field, on which personal data is stored in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.
Personal Data Subject means an individual whose personal data is subject to processing by the Company in accordance with the Federal Law.
Controller means a person responsible for the internal control of the compliance by the Company and its employees with the personal data legislation of the Russian Federation, including the requirements for personal data protection.
Security Supervisor means a person who is responsible for the safety of personal data, the implementation and a continuous compliance with the established protection rules and who facilitates the operation of information protection media used in the personal data information system of the Company.
Processor means an employee of the Company who may perform certain processing actions (operations) on personal data in the personal data information system or using the results of its operation.
Personal Data Safety means a state of personal data security ensuring its confidentiality, availability and integrity.
Personal Data Confidentiality means a requirement, which is mandatory for a person accessing personal data, prohibiting the transfer of the personal data to third parties without the consent of its owner.
Personal Data Accessibility means a state of personal data in which subjects having access rights may exercise such rights without any obstructions.
Personal Data Integrity means a state of personal data in which it may only be amended deliberately by subjects who have the right to do so.
Personal Data Disclosure means actions aimed at disclosing personal data to a certain person or a certain number of persons.
Blocking Personal Data means a temporary termination of personal data processing (unless processing is necessary to modify the personal data).
Unauthorized Access (unauthorized actions) means access to personal data or operations with personal data which violate the rules of access privileges using authorized equipment provided by personal data information systems.
Federal Law means Federal Law No. 152-FZ ‘On Personal Data’ (amended on July 02, 2021) issued on July 27, 2006.
Cookies. When a PD Subject goes to the Company’s website, the Company sends one or several cookies to the Subject’s computer or device. A cookie is a small file containing a line of symbols and serves as the unique identifier of the browser of the PD Subject. Cookies are used to improve the quality of the provided services: save the settings of the PD Subject; improve search results; target advertisements; track trends typical for users, for example, search requests.
2. GENERAL PROVISIONS
2.1. The personal data protection policy of the Company (‘the Policy’) was developed in accordance with cl. 2 part 1 of art. 18.1 of the Federal Law and provides the basic guidelines, objectives and conditions for personal data processing (‘PD’) and the strategy of their protection in the Company.
This Policy is the main regulating internal document of the Company, which establishes the requirements for PD processing and safety.
Any internal documents of the Company governing the matters considered in this Policy should be developed on the basis of the provisions of this Policy and must not contradict them.
This Policy was developed in order to apply the provisions of the legislation of the Russian Federation regarding PD processing, the requirements of regulatory and methodological documents on PD protection and the requirements of the official body authorized to protect the rights of Personal Data Subjects.
3. COMPANY’S PRINCIPLES OF PERSONAL DATA PROCESSING
PD is processed by the Company on the basis of the following principles:
- legal and justified purposes and methods of PD Processing;
- the compliance of the purposes of PD Processing with legitimate objectives which were predefined and declared when collecting the PD, as well as with the powers vested in the Company;
- the compliance of the volume and content of the processed PD, the methods of its processing with the purpose of PD Processing;
- the accuracy of PD, their sufficiency and correspondence to the purpose of PD Processing;
- the limitation of PD Processing to the volume necessary to achieve the purposes declared when collecting the PD;
- the separability of incompatible PD databases;
- the storage of PD in a form which allows the identification of the PD Subject for a period not exceeding the time required by the purpose of PD Processing, the Federal Law determining such storage period, a contract to which the PD Subject is a party, a beneficiary or a guarantor;
- the destruction of PD after the purpose of its processing has been achieved, such purpose no longer needs to be achieved or the storage period determined by the Federal Law or a contract to which the PD Subject is a party, a beneficiary or a guarantor has expired.
The Company’s PD are processed by collecting, recording, structuring, accumulating, storing, modifying (updating, amending), retrieving, using, transferring (distributing, making available), blocking, deleting or destroying the PD.
Running its business, the Company assumes that a PD Subject provides accurate and reliable information to cooperate with the Company and will notify the Company’s representatives about any changes in the provided PD.
4. PURPOSES AND LEGAL GROUNDS OF PERSONAL DATA PROCESSING
The Company collects and processes personal data for the following purposes:
- making decisions on employment;
- ensuring compliance with laws and other legal acts; assisting employees in their employment, education and promotion; ensuring personal security of employees, controlling the quantity and quality of the work performed by them and ensuring the safety of the property;
- fulfilling its duties by the Company while complying with laws and other regulatory legal statutes;
- organizing communication, business trips in FM Logistic group;
- making decisions on entering into contracts, concluding contracts, satisfying contractual obligations;
- ensuring the processing of orders and their delivery to individuals;
- arranging order logistics;
The legal grounds for the PD Processing by the Company are:
- Russian Federal Law No. 51-FZ “The Civil Code of the Russian Federation (part one)” issued on November 30, 1994;
- Russian Federal Law No. 14-FZ “The Civil Code of the Russian Federation (part two)” issued on January 26, 1996;
- Russian Federal Law No. 146-FZ “The Tax Code of the Russian Federation” issued on July 31, 1998;
- Russian Federal Law No. 197-FZ “The Labour Code of the Russian Federation” issued on December 30, 2001;
- Russian Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” issued on July 27, 2006;
- Russian Federal Law No. 152-FZ “On Personal Data” (the Federal Law “On Personal Data”) issued on July 27, 2006;
- Russian Federal Law No. 115-FZ “On Countering Legalization (Laundering) of Illegal Earnings and Financing of Terrorism” issued on August 7, 2001;
- Russian Federal Law No. 27-FZ “On Individual (Personalized) Accounting in the System of Compulsory Pension Insurance” issued on April 1, 1996;
- Article 13.2 of Russian Federal Law No. 115-FZ “On Legal Status of Foreign Citizens in the Russian Federation” issued on July 25, 2002;
- Russian Federal Law No. 255-FZ “On Compulsory Social Insurance for Temporary Disability and Cases Related to Maternity” issued on December 29, 2006;
- Russian Federal Law No. 402-FZ “On Accounting” issued on December 6, 2011;
- Russian Federal Law No. 87-FZ “On Transport and Forwarding Activities” issued on June 30, 2003;
- Decree No. 1 of the Russian State Statistics Committee (Goskomstat) “On approval of unified forms of primary accounting documents for labour accounting and payroll” issued on January 5, 2004;
- Decree No. 687 of the Russian State Statistics Committee (Goskomstat) “On approval of the Regulation on features of manual personal data processing” issued on September 15, 2008;
- Decree No. 1119 of the Government of the Russian Federation “On approval of requirements for personal data protection when processed in personal data information systems” (GD No. 1119) issued on November 1, 2012;
- a consent of personal data subjects to PD processing (cl. 1 part 1 of art. 6 of Federal Law No. 152-FZ “On Personal Data” issued on July 27, 2006);
- a contract with personal data operator which instructs the Company to process personal data;
- the Company’s Articles of Association.
The Company processes the PD which became known to the Company through the achievement of the objectives set in the Company’s incorporation documents and the purposes of the Company’s activities and, without limitation:
- the conclusion of civil law contracts;
- the conclusion of cooperation agreements;
- the issuance and / or obtaining powers of attorney (including on behalf of the Company);
- obtaining any other documents from clients, counterparties of the Company which are necessary to enter into contracts with such persons;
- the receipt by the Company of written appeals, requests, applications, complaints, petitions, including those in an electronic form;
- email correspondence;
- the receipt by the Company of visitors’ documents as they visit the Company’s premises;
- any other actions stipulated by the applicable legislation of the Russian Federation or internal policies of the Company.
5. PROCESSED PERSONAL DATA
The Company processes the PD of the following categories of PD Subjects:
- its prospective employees;
- its employees (including former ones);
- relatives of the employees;
- the employees of affiliated persons of FM Logistic group;
- the representatives of counterparties / clients, including potential ones;
- the recipients of orders;
- the drivers of transport companies of the Company’s clients;
- the drivers of the Company’s transport companies;
- the representatives of the Company’s service providers.
The Company processes personal data using automation tools and manually.
According to the provisions of GD No. 1119, the following categories of PD are processed by the Company:
- other categories of personal data – personal data which do not pertain to the categories of special, biometric and publicly available personal data;
- biometric categories of personal data – personal data characterizing the physiological and biological features of a person, on the basis of which it is possible to identify them and which are used by the Company to identify the personal data subject.
The following PD categories are processed in the Company manually:
- other categories of personal data – personal data which do not pertain to the categories of special, biometric and publicly available personal data.
The complete list of PD and the categories of PD Subjects is approved by the “List of Processed Personal Data”.
6. CONDITIONS OF PERSONAL DATA PROCESSING
The PD of the Company are processed in the following cases:
- with the consent of the PD Subject to such processing;
- on behalf of the Company’s counterparties;
- for the purposes of justice, enforcing a court ruling, a ruling of another body or an official which need to be enforced in accordance with the legislation of the Russian Federation;
- for the purpose of executing a contract to which the PD Subject is a party or a beneficiary or a guarantor, and entering into an agreement initiated by the PD Subject;
- for statistical or other research purposes provided that the PD are redacted;
- for the purpose of publishing or compulsory disclosure of the PD in accordance with the Federal Law.
The Company is entitled to assign PD Processing to another person with the consent of the PD Subject, unless otherwise provided by the Federal Law, based on a contract concluded with such person (or instructions for PD Processing). The PD Processor acting on behalf of the Company shall comply with the principles and rules for PD Processing established in the Federal Law “On Personal Data”.
The instructions to a third party shall contain the purpose of processing and a list of actions (operations) which may be performed with the PD, obligations of the third party to ensure the confidentiality and safety of the PD during their processing and the requirements for the protection of the processed PD in accordance with the Federal Law “On Personal Data”.
The Company may transfer the PD across the border (to the territory of a foreign state, a foreign physical individual or a foreign legal entity) to the French Republic guided by the provisions of the Federal Law and this Policy. A foreign legal entity provides adequate protection for the rights of personal data subjects.
The Company does not create public sources of the PD (directories, address books).
The Company does not make decisions which may have legal implications towards personal data subjects or in any other way affect their rights and legitimate interests, on the basis of exclusively automated processing of their personal data.
The Company will terminate the PD Processing in the following cases:
- should any illegal activity with the PD be detected in a period not exceeding three (3) business days from the date of such detection, the Company shall eliminate the violations. If it is impossible to eliminate the violations, the Company shall destroy the PD within three (3) business days after detecting the illegal activity. The Company shall notify the PD Subject or its authorized representative about the elimination of the violations or the destruction of the PD as well as the corresponding authority if an application or a request was sent to such;
- as soon as the purpose of PD Processing has been achieved, the Company shall immediately terminate the PD Processing and destroy the PD within thirty business days upon achieving the purpose of the PD Processing;
- if the PD Subject withdraws its consent to the PD Processing, the Company shall terminate the PD Processing and destroy the PD (with the exception of the PD which are stored in accordance with the applicable legislation) within thirty business days upon receiving such withdrawal application. The Company shall notify the PD Subject about the destruction of the PD.
7. CONSENT TO PERSONAL DATA PROCESSING
The PD are accepted and processed by the Company in cases stipulated by the Federal Law “On Personal Data” and with the consent of the PD Subject, including the one given in writing.
The written consent granted by the PD Subject should contain:
- the surname, the name, the patronymic name and the address of the PD Subject, the number of the main identification document, the information about the date when such document was issued and the issuing authority;
- the name and the address of the Company;
- the purpose of the PD Processing;
- the list of PD to the processing of which the PD Subject grants its consent;
- the name or the surname, the name, the patronymic name and the address of the Processor acting on behalf of the Company if the processing is assigned to a third party;
- the list of operations authorized to be performed with the PD and the general description of the processing methods used by the Company;
- the effective period of the consent and the way of its withdrawal;
- the signature of the PD Subject.
The PD Subject grants the Company its consent to the PD Processing freely, willingly and in its own interest. The consent to the PD Processing may be withdrawn by the PD Subject by sending a written statement in a free form to the Company. In this case, the Company shall terminate the processing and destroy all the PD held by the Company within the period of time established by the Federal Law “On Personal Data”.
The Company is entitled to process the PD without the consent of the PD Subject (or when the PD Subject withdraws its consent) on the grounds specified in cl. 2-11 part 1 of art. 6, part 2 of art. 10 and part 2 of art. 11 of the Federal Law “On Personal Data”.
The PD may be transferred to third parties by the Company with the consent of the PD Subject in accordance with the requirements of the applicable legislation.
8. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
With the purpose of observing the rights of PD Subjects, the Company developed and introduced the procedure for handling claims and requests of PD Subjects and the procedure for the provision by PD Subjects of information prescribed by the personal data legislation of the Russian Federation.
A PD Subject is entitled to receive information with respect to the PD Processing by the Company, including:
- the confirmation of the PD Processing by the Company;
- legal grounds and purposes of the PD Processing;
- the purposes and applicable methods of the PD Processing applied by the Company;
- the name and the location of the Company, the information about persons (with the exception of the Company’s employees) having access to the PD or to which the PD may be disclosed on the basis of a contract with the Company or subject to the Federal Law;
- the processed PD belonging to such Subject, the source of such PD unless otherwise provided by the Federal Law;
- the period of the PD Processing, including the storage period;
- the procedure for the PD Subject to exercise its rights stipulated by the Federal Law “On Personal Data”;
- the information on completed or planned transfer of the data across the border;
- the name or the surname, the name, the patronymic name and the address of the Processor acting on behalf of the Company if the processing was or will be assigned to such a person;
- other information stipulated by the Federal Law “On Personal Data” or other federal laws.
The Company shall provide such information upon the corresponding written request of the PD Subject, containing: the number of the identification document; the information on the date of issuance of the document and the issuing body; the information confirming the relations of the PD Subject with the Company (the contract number, the contract date, an arbitrary verbal description and (or) other information) and the signature of the PD Subject.
The Company undertakes to inform the PD Subject within thirty days upon receiving the Request of the PD Subject that the PD relating to the corresponding PD Subject are available.
The PD Subject is entitled to require a modification of its PD, blocking or destroying them if the PD are incomplete, outdated, inaccurate, illegally obtained or not necessary for the declared purpose of processing, as well as to take measures within the scope of the law to protect its rights.
To implement and protect its rights and legitimate interests, the PD Subject may contact the Operator. The Operator considers any claims and complaints from PD Subjects, carefully investigates the facts of violations and takes all the necessary measures to immediately eliminate them, punish the parties at fault and resolve controversial and conflict situations out of court.
The PD Subject is entitled to have its rights and legitimate interests protected and to a compensation for damages and / or moral damage in court.
If the PD Subject believes that the Company is handling its PD in violation of the requirements of the Federal Law “On Personal Data” or in any other way violates its rights and freedoms, the PD Subject is entitled to appeal against the actions of the Company or omission thereof by the Company to the authorized body in charge of protecting the rights of PD Subjects or go to court.
The right of the PD Subject to access its PD may be limited in accordance with the federal laws, including cases when the access of the PD Subject to its personal data violates the rights and legitimate interests of third parties.
9. COMPANY’S RIGHTS AND OBLIGATIONS
- Providing the Personal Data Subject upon its written request with any information relating to the processing of its personal data or a refusal to provide such information based on legal grounds within a period not exceeding thirty (30) days upon receiving the corresponding request by the Company;
- Upon written request of the PD Subject, modifying, blocking or deleting the processed personal data within thirty (30) days upon receiving such request, if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for achieving the declared purpose of their processing;
- If the purpose of Personal Data Processing is achieved, immediately terminating personal data processing and destroying them within thirty (30) days upon achieving the purpose of personal data processing, unless otherwise provided by the contract to which the PD Subject is a party, a beneficiary or a guarantor, or any other agreement between the PD Subject and the Company;
- if the PD Subject withdraws its consent to processing its personal data, terminating such processing and destroying the personal data within thirty (30) upon receiving the withdrawal unless otherwise provided by an agreement between the Company and the PD Subject;
- when processing personal data, the Company shall take all necessary legal, organizational and technical measures to protect the personal data from unauthorized or accidental access, their destruction, change, blockage, copying, disclosure, distribution and any other unlawful actions against the personal data.
10. PERSONAL DATA SAFETY
To ensure the safety of the PD, the Company uses necessary and sufficient organizational and technical measures to protect the PD of the Subjects from unauthorized or accidental access, their destruction, change, blockage, copying, distribution and any other unlawful actions. Such measures include:
- appointing a Controller and a Security Supervisor, defining their functions and powers;
- developing and regularly updating the set of internal regulatory documents regarding the PD Processing and protection;
- performing regular internal control measures and external audit of the compliance of the PD Processing with the requirements of the Federal Law “On Personal Data” and with the statutes adopted in accordance with this law;
- assessing harm, which can be caused to PD Subjects if the Federal Law “On Personal Data” is violated, and the equivalence of the PD protection measures to the amount of damage;
- familiarizing the employees of the Company directly processing the PD with the provisions of the legislation of the Russian Federation and the internal regulatory documents of the Company regarding the PD Processing and protection, regular training in the matters of PD Processing and protection;
- identifying safety threats while processing the PD in the PD Information System;
- applying information safety tools which passed the due assessment procedure;
- accounting for the employees having access to PD Processing;
- accounting for material PD carriers;
- detecting unauthorized access to PD and taking the appropriate measures;
- restoring the PD which were modified or destroyed due to an unauthorized access;
- establishing rules of accessing the PD processed in the PD Information System and ensuring registration and accounting of all operations performed with the PD in the Information System;
- controlling the measures taken to ensure the PD Safety and the level of PD Information System safety.
A set of activities and technical means to ensure the PD Safety in the Company is developed following the assessment of possible damage to the PD Subject which can be caused by the violation of PD Safety, the existence of threats to PD Safety and the level of PD protection.
11. PERSONAL DATA DESTRUCTION PROCEDURE
- The documents containing personal data processed in the Company’s functions shall be kept during the period established by the Federal Law;
- After the purpose of Personal Data Processing has been reached and any other legitimate grounds have occurred (for instance, the personal data no longer have a practical value or the storage period has expired), all the documents with personal data shall be destroyed in the manner prescribed by the legislation of the Russian Federation on archiving;
- If the consent to the PD Processing has been withdrawn, the Company shall terminate their processing and, if their storage is no longer required for processing, destroy them within thirty (30) days upon receiving the withdrawal and notify the PD Subject in writing on terminating the PD Processing;
- If the PD Subject withdraws its consent to the PD Processing, the Operator may continue the PD Processing without the consent of the PD Subject on the grounds specified in cl. 2-11 part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law;
- If any unlawful PD Processing is detected, the Operator shall destroy such personal data within ten (10) business days upon detecting the unlawful PD Processing;
- The PD Carriers to be destroyed are selected by the decision of the head of the corresponding subdivision of the Company holding such carrier due to its activity;
- Following the results of the selection, the Company creates a committee headed by the General Director of the Company or its substitute and a certificate for the destruction of documents and the inventory of destroyed documents are issued, the list of documents is verified. The certificate shall be signed by the chairman and the members of the committee;
- The material PD carriers are destroyed with the participation of the committee of authorized employees having access to the PD;
- The material PD carriers are destroyed by crushing, burning or a mechanical impact. An individual certificate is issued for each method of destruction;
- The removable machine information carriers (Flash, CD and DVD, etc.) are destroyed by deformation to a state in which they cannot be reused and afterwards they are burned. Before the destruction, all information on them shall be erased;
- After the material carriers are destroyed, the members of the committee shall sign a certificate for the destruction of personal data carriers.
12. CONTROL OF COMPLIANCE WITH RUSSIAN PERSONAL DATA LEGISLATION
The compliance with local regulatory documents of the Company related to PD is controlled in order to verify the conformity of the PD Processing and protection with the requirements of the Russian PD legislation and to identify possible leakage channels and unauthorized access to PD.
The compliance of the Company’s subdivisions with the requirements of the Russian PD legislation and local statutes of the Company related to PD is internally controlled by the Company’s authorized persons responsible for PD Processing and protecting.
The employees of the Company violating the rules regulating the PD Processing and protection which are established by the Company may be subject to disciplinary, material, civil-legal, administrative or criminal action in accordance with the legislation of the Russian Federation.
13. FINAL PROVISIONS
This Policy is public information and shall be made available on the official website of the Company.
This Policy may be amended due to changes in the legislation of the Russian Federation, the internal documents of the Company, the PD Information Systems, the PD protection system.
All amendments and additions made to this Policy shall be approved by the general director of the Company.
All employees of the Company shall read this Policy and be liable for the violation of its provisions according to the legislation of the Russian Federation.