1. SCOPE
1.1.1 The purposes of the personal data processing and protection policy (hereinafter referred to as the “Policy”) are as follows:
− determine the procedure for processing and protection of the personal data of ARDM JSC personnel (hereinafter referred to as “ARDM”, “company”, “Operator”) and other personal data subjects whose personal data are subject to processing by ARDM;
− ensure protection of human and civil rights and freedoms;
− protect the right to privacy and personal and family privacy, as well as impose liability on officers having access to personal data for non-compliance with the personal data processing and protection regulations.
The Policy applies to all personal data processed by ARDM.
1.1.2 Personal data subjects whose personal data are processed by ARDM shall familiarize themselves with the Policy individually.
1.1.3 The Policy comes into force on the date of its approval by a designated person and shall remain in force until its abolition.
1.2 The Policy covers all personnel of the company and other organizations having access to the company’s resources containing personal data in accordance with their professional duties and contractual arrangements.
1.2.1 A designated person responsible for managing personal data processing at ARDM ensures general control over ARDM compliance with legal requirements, the Policy, and local regulations. Designated persons responsible for managing personal data processing and ensuring personal data protection and their duties are specified by orders and local regulations.
1.2.2 Upon violation of legal requirements for personal data protection, perpetrators may be subject to criminal, administrative, public, material, or disciplinary liability.
2. TERMS AND DEFINITIONS
Beneficial owner, founder/stockholder, contractor’s governing body - individual persons related to legal entities that are potential, current, or past contractors or subcontractors of ARDM.
Designated beneficiary - an individual person designated as a beneficiary under a corresponding agreement, such as an insurance policy of a current or past ARDM employee, or an individual person (family member, other relative, dependent, heir) that receives compensations, benefits, material aid or other payments in connection with the death of an ARDM employee.
Personal data information system - a collection of personal data contained in databases and information technology and technical means ensuring their processing.
Contractor - individual persons, individual entrepreneurs, or self-employed persons who are potential, current, or past clients, suppliers, contractors, agents, partners, etc.
Operator - a government or municipal body, a legal entity, or an individual person, who, individually or alongside other legal entities or individual persons, manages and/or performs personal data processing and defines the purpose for personal data processing, the composition of personal data subject to processing, and actions (operations) performed with personal data.
Personal data (PD) - any information directly or indirectly related to an identified or identifiable individual person (personal data subject).
Website Visitor - an individual person who uses websites on the Internet that function for the benefit of ARDM.
Employee - an individual person who has signed a labor contract with ARDM (employer, Operator).
Employee’s relative - an adult or minor family member, other relative, care recipient, or dependent of a current and/or past ARDM employee.
Jobseeker (candidate) - an individual person seeking to fill a vacant position at ARDM (this person may also receive, accept/decline an offer from ARDM to fill a vacant position).
Student - an individual person undergoing (or having previously undergone) professional training at ARDM in the form of an apprenticeship or training (practical, academic, pre-graduation, or introductory).
Personal data subject - an individual person whose personal data are processed by the Operator.
Past employee - an individual person who previously had an employment relationship with ARDM.
Cookie - small fragments of data containing service information about website use that are sent by the server to a Website Visitor’s device.
3. SYMBOLS AND ABBREVIATIONS
ARDM - ARDM JSC;
PDIS - Personal data information system;
UAA - Unauthorized access;
PD - Personal data;
RIA - Results of intellectual activity.
4. PRINCIPLES OF PERSONAL DATA PROCESSING AND PROTECTION
4.1 PD are processed at ARDM based on the following principles:
PD processing is performed on a legal and equitable basis;
PD processing is limited to the achievement of specific, predetermined, and legal purposes;
PD processing not compatible with the purpose of PD collection is prohibited;
merging of databases containing PD with incompatible processing purposes is prohibited;
only PD meeting their processing purposes are subject to processing;
the contents and volume of PD subject to processing shall meet the declared processing purposes. PD subject to processing may not be redundant;
during PD processing, accuracy, sufficiency and relevancy of PD in relation to the processing purposes shall be ensured and measures shall be taken to remove or specify incomplete or inaccurate PD;
PD shall be stored in a form allowing identification of the PD subject for no longer than required by the processing purposes, provided that no period for PD storage has been specified by legal requirements, consent to PD processing, or agreement in which such PD subject constitutes a party, beneficiary, or guarantor;
PD subject to processing are destroyed if the consent to processing is withdrawn, once the processing purposes are achieved, or if there is no longer a need to achieve such purposes, unless otherwise provided for by the law;
PD processing is not carried out to cause property and/or emotional damage to PD subjects or to impair their rights and freedoms.
5. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
5.1 The following constitutes legal grounds for PD processing by ARDM:
PD subject’s consent to processing of their PD;
ARDM charter;
agreements;
legal acts regulating relationships related to ARDM activities and management of the PD processing and protection process.
6. VOLUME AND CATEGORIES OF PERSONAL DATA SUBJECT TO PROCESSING, CATEGORIES OF PERSONAL DATA SUBJECTS
6.1 The contents and volume of PD subject to processing shall meet the declared processing purposes set forth in Section 8 herein.
6.2 ARDM may process PD only for reasons for which they are collected and received.
6.3 PD subject to processing shall not be redundant in relation to the declared goals. Should redundant data be provided by the PD subject themselves, ARDM has the right to:
decline them;
destroy them in front of the PD subject.
Standard forms may be used to exclude collection of redundant PD.
6.4 ARDM may process PD from the following categories of PD subjects:
corporate employees;
relatives of corporate employees;
representatives of corporate employees;
past corporate employees;
jobseekers;
students;
contractors;
representatives of contractors;
contractor’s beneficial owner;
contractor’s founder/stockholder;
contractor’s governing body;
designated beneficiaries;
website visitors.
6.5 ARDM does not process biometric PD.
6.6 ARDM processes special categories of PD related to the health of PD subjects in accordance with the law.
7. PERSONAL DATA PROCESSING PURPOSES
7.1 PD are processed by the Operator to meet the following purposes:
personnel record keeping;
compliance with labor legislation;
compliance with legal requirements pertaining to military registration;
transfer of information to the Social Fund of Russia;
insurance;
implementation of social programs;
qualification upgrade, training, participation in contests and exhibitions, procurement of authentication documents, certificates, documents upon completion of training, and employee development;
marketing of goods, work, and services;
preparation, conclusion, performance and termination of agreements with contractors;
registration of electronic signatures;
compliance with legislation on combating legalization of financing of terrorism;
booking of tickets, accommodation, transfers;
recruitment of personnel (jobseekers) to vacant positions of the Operator;
ensured performance of introductory, practical, or pre-graduation training;
accounting;
preparation of analytical reports;
compliance with tax legislation;
execution of court rulings;
compliance with legislation concerning enforcement proceedings;
participation in constitutional, civil, administrative, criminal proceedings and legal proceedings in arbitration courts;
preparation of powers of attorney;
publication of information on corporate portals and websites, and in corporate handbooks;
registration and use of rights to RIA, including preparation, submission of an application for a patent on RIA and acquisition of a patent to RIA.
7.2 PD processing is limited to the achievement of the PD processing purposes only. PD processing for the purposes not included in Paragraph 7.1 is prohibited.
7.3 A list of PD subject to processing for each of the purposes in Paragraph 7.1 is given in the PD operators registry.
8. PERSONAL DATA PROCESSING PROCEDURE AND TERMS AND CONDITIONS
8.1 The following methods are used for PD processing at ARDM:
manual PD processing;
automated PD processing;
mixed PD processing (PD processing with automation tools and without them).
8.2 PD processing includes the following actions: collection, recording, classification, accumulation, storage, specification (update, modification), retrieval, use, transfer (provision, access, propagation), blocking, removal, destruction, backup of PD.
8.3 Should a PD subject consent to processing of PD approved for propagation, such consent is finalized separately from other consent given by the PD subject.
8.4 The storage period for PD processed in the PDIS corresponds to the storage period of PD in paper form.
8.5 ARDM ceases PD processing in the following cases:
detection of unlawful processing;
achievement of their processing purpose and loss of need to achieve such purpose;
expiration of validity or withdrawal of consent by the PD subject to processing of specified data when processing of such data is possible only with consent.
8.6 Once the PD processing purposes are achieved or if there is no need anymore to achieve such purposes, and upon withdrawal of consent to data processing by the PD subject, ARDM stops processing these data provided that:
there are no cases set forth in the legislation that permit PD processing without consent from the PD subject;
the agreement in which such PD subject constitutes a party, beneficiary, or guarantor, does not state otherwise;
another agreement between ARDM and the PD subject does not state otherwise.
8.7 Access to PD subject to processing is given only to those employees who require it to perform their professional duties and in compliance with the personal liability principles.
8.8 Persons with access to PD may not transfer them to third parties or propagate them without the PD subject’s consent, unless otherwise provided for by the law.
8.9 The ARDM employee who collects (receives) PD directly from PD subjects shall explain to them the legal consequences of refusal to provide PD and/or consent to their processing.
8.10 In addition to acting as a PD operator, ARDM may act as an entity engaged in PD processing at the instruction of other PD operators under contracts or other agreements.
8.11 ARDM has the right to involve third parties in PD processing as well as receive PD from them for the purposes set forth in Paragraph 7.1 herein. When receiving PD from third parties, ARDM does not require consent to PD processing from a PD subject provided that PD processing principles are observed and there is a corresponding contract or agreement between ARDM and the third party.
8.12 ARDM shall take all the necessary legal, organizational, and technical measures or ensure their adoption to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, transmission, propagation, and other unlawful actions in relation to PD.
ARDM shall implement measures to manage PD processing and ensure PD protection as provided for by law.
8.13 ARDM does not transmit PD across borders.
8.14 ARDM may create publicly accessible PD sources (including catalogs and directories).
9. UPDATING, CORRECTION, REMOVAL, DESTRUCTION AND BLOCKING OF PERSONAL DATA, RESPONSES TO REQUESTS FROM PD SUBJECTS FOR ACCESS TO PERSONAL DATA
9.1 ARDM shall provide confirmation of PD processing by ARDM, legal grounds and purposes of PD processing, as well as other information to the PD subject or their representative within 10 business days from the day of request or reception of the request from the PD subject or their representative. This period may be extended by no more than 5 business days.
This information does not include PD that refer to other PD subjects, excluding cases when there are legal grounds for disclosure of such PD.
ARDM shall provide information to the PD subject or their representative in the same form as the one used for the corresponding submission or request, unless otherwise stated in the submission or request.
If the PD subject’s submission (request) does not reflect all the necessary information, or the subject has no right to access the requested information, they shall receive a reasonable denial.
The PD subject’s right to access their PD may be restricted in accordance with the law.
9.2 Should any inaccuracies be detected in the PD upon reception of a submission or request from the PD subject or their representative, ARDM shall block the PD related to that PD subject or ensure that they are blocked the moment such submission or request is received for an inspection period if such PD blocking does not violate the rights and legal interest of the PD subject or third parties.
Should ARDM confirm PD inaccuracies based on information provided by the PD subject or their representative or other necessary documents, ARDM shall specify PD or ensure they are specified within 7 business days from the day such information is provided and unblock the PD.
9.3 Should ARDM detect unlawful processing of PD, ARDM shall cease such unlawful processing or ensure cessation of it by a person authorized by ARDM within 3 business days from the day it is detected. If it is impossible to ensure lawful PD processing, ARDM shall destroy such PD or ensure their destruction within no more than 10 days from the day the unlawful PD processing is detected.
9.4 If destroying PD within the period established by the law is impossible, ARDM shall block such PD or ensure they are blocked and destroy them within no more than 6 months, unless other terms are specified by law.
9.5 Should the PD subject request ARDM to stop processing PD, ARDM shall cease PD processing or ensure its cessation within no more than 10 business days from the day of reception of such request, except for cases set forth by law. This term may be extended by no more than 5 business days.
9.6 Conditions and terms for PD destruction:
achievement of the PD processing purpose or loss of the need to achieve such purpose - within 30 days from the day of achievement of the PD processing purpose or loss of the need to achieve such purpose;
provision of a confirmation by the PD subject (or their representative) that PD have been obtained illegally and are not necessary for the declared processing purpose - within 7 business days from the day of receiving such information;
withdrawal of consent to PD processing by the PD subject if they no longer need to be stored for processing - within 30 days from the day of receiving such withdrawal.
9.7 Once the PD processing purposes are achieved and in case of withdrawal of consent to data processing by the PD subject, PD are subject to destruction provided that:
the contract/agreement in which such PD subject constitutes a party, beneficiary, or guarantor does not state otherwise;
ARDM has no right to process data without consent from the PD subject in accordance with the law.
9.8 Personal data may be destroyed:
in information systems - by removal using tools in the information system or the operating system, removal on a forensic data destruction device, etc.;
in paper form - by cutting or grinding the paper in a paper shredder, burning, mechanical destruction, redaction, etc.
9.9 A PD processing and protection commission created under a corresponding order carries out PD destruction.
9.10 The methods and procedure for destroying PD are set forth in local ARDM regulations.
10. PROCESSING OF ELECTRONIC USER DATA, INCLUDING COOKIES
10.1 For the processing purposes set forth herein, ARDM may automatically collect electronic user data, including cookies, on its websites without the need for website visitors to be involved or perform any actions to send their data. Such data need to be processed in order to market ARDM goods and services, including website adjustment.
10.2 The validity of electronic data collected this way is not checked; the data are processed in the same form in which they are collected.
10.3 Processing (including transmission) of electronic user data, including cookies, is performed based on consent to PD processing granted by website visitors by performing the following implied actions:
pressing a button, e.g., “I Accept”;
closing a notification about collection and processing of such data;
continuing to use the websites.
10.4 Upon non-acceptance of the use of electronic user data, including cookies, website visitors may limit their utilization in browser settings (in this case, correct operation of all of the website’s functions cannot be guaranteed), or leave or refuse to use the ARDM websites.
10.5 Information about web usage and actions of visitors on the website may be recorded and provided to designated analytical services for the purposes set forth herein. Such services may include Yandex.Metrica, Yandex SmartCaptcha, Tilda statistics tools, etc. Data collected by such services may be accessed and processed by third parties such as OOO Yandex (privacy policy: https://yandex.ru/legal/confidential/), OOO Tilda Publishing (privacy policy: https://tilda.cc/ru/privacy/).
11. RIGHTS OF PERSONAL DATA SUBJECTS
11.1 PD subjects have the right to:
receive information related to the processing of their PD, except for cases set forth by the legislation;
request ARDM to specify their PD, or block or destroy them in cases when the PD are incomplete, outdated, inaccurate, obtained illegally, or are not necessary for the declared processing purposes, and take measures to protect their rights as provided for by the legislation;
legally challenge ARDM’s unlawful actions or failure to act when processing their PD;
protect their rights and legal interest, including reimbursement of damages and/or compensation for emotional damage by judicial process;
other rights provided for by the legislation.
12. RIGHTS AND OBLIGATIONS OF ARDM WHEN COLLECTING AND PROCESSING PERSONAL DATA
12.1 ARDM has the right to:
independently determine the composition and list of measures necessary and sufficient to ensure the performance of its obligations;
delegate PD processing to another entity without consent from the PD subject, unless otherwise provided for by law, in accordance with a contract made with such entity;
continue PD processing without the PD subject’s consent in case of withdrawal of consent to PD processing by the PD subject, if there are legal reasons to do so;
other rights provided for by the legislation.
12.2 ARDM shall:
ensure PD processing in accordance with legal requirements;
respond to submissions and requests from PD subjects and their legal representatives in accordance with legal requirements;
perform other obligations as provided by the law.