1. General terms
1.1. This policy (hereinafter the "Policy") is written in accordance with article 18.1 of the Federal law of the Russian Federation dated 27.07.2006 No. 152-ФЗ "About personal data" (hereinafter the "Law on PD") and is the local regulatory document of the company TGPO Consult, Ltd. (hereinafter the "Company"), determining the key aspects of the Company's work concerning processing and protection of personal data (hereinafter "PD"), whose operator is the Company.
1.2. The Policy was created with the goal of implementing legal requirements concerning processing and protection of PD as one of the legal measures taken for protecting the rights and freedom of people and citizens when using their PD in the Company.
1.3. The Policy document applies to all processing and protection of PD obtained by the Company before and after the confirmation of the Policy, excluding those situations when, for legal, organizational, or other reasons, the Policy cannot be applied to the processing and protection of PD obtained before the Policy's confirmation.
1.4. The Policy and other local regulatory documents of the Company concerning protection of PD apply to processing and protection of PD by legal successors and/or representatives of the subjects of PD, even if those bodies are not explicitly mentioned in the regulatory documents of the Company.
1.5. The Policy is published on the site of the Company https://tgpo.ru with the goal of allowing anyone to become acquainted with it.
2. Basis and goals of processing personal data in the Company
2.1. Processing PD in the Company is done in the process of Company operations, including for labour and other connected aspects, where the Company is the employer.
2.2. In connection with labour and other connected aspects in which the Company is the employer, the Company processes the PD of people who apply for employment in the Company, current employees of the Company (hereinafter "Employees"), and previous Employees, in compliance with labour law.
2.3. In connection with implementation of its rights and obligations as a legal entity in compliance with part 2 of article 22 of the Law on PD, the Company also processes PD:
- of individuals working as providers (potential providers) of the Company by civil-legal contracts, PD of managers, members of the managing bodies and representatives of legal entities, PD of other individuals representing participants of tenders, including PD obtained in open, publicly-available registers and IT systems, with the goal of signing contracts in compliance with the requirements of the law and fulfilling obligations of the Company;
- of citizens and representatives of organizations that have applied to the Company in written form on questions of the Company's activities (other than entities mentioned in point 2.2 of the Policy) and indicated in the applications (claims, etc.) their PD with the goal of providing them with answers and information.
2.4. PD is obtained and processed by the Company with the consent of the subject of the PD or on the basis of federal laws and other regulatory acts of the Russian Federation that do not require the consent of the subject.
2.5. Where written agreement of the subject of PD is obtained in the operations of the Company by the process of delegating the processing of PD to third parties.
2.6. The Company provides PD processed by it to government and municipal organs, to organs of other government foundations, and also to organizations having a right under federal law to receive the PD.
2.7. In the processing of PD, the Company ensures the accuracy, necessity, and sufficiency of the data and, when required, their currency with respect to the goals of processing. The Company takes needed measures for deleting or clarifying insufficient or inaccurate PD.
3. Principles of providing security for personal data
3.1. The basic task of providing security for PD during their processing in the Company is preventing unsanctioned access to the data by third parties, excessive software/technical and other processing of the data for the purposes of stealing PD, corrupting or distorting them during processing.
3.2. To provide security of PD the Company is guided by the following principles:
- legality: the protection of PD is based on the regulatory acts and methodical documents of the state organs empowered in the area of processing and protecting PD;
- completeness: the protection of PD is built using a set of legal and organizational measures and functional possibilities of the Company's IT systems;
- constancy: the protection of PD is performed at all steps of their access, collection, processing, up until their destruction;
- timeliness: measures for providing the needed level of security for PD are taken before beginning their processing;
- continuous process improvement: the Company fixes non-compliance with the law in the processing and protection of PD, modernizes and improves the resources for protecting PD, including on the basis of assessing new threats to the security of PD;
- personal responsibility: responsibility for providing the security of PD lies on specific Employees within the limits of their obligations connected with processing and protecting PD;
- minimal access: access to PD is provided to Employees only in the amount required for performing their job requirements;
- flexibility: protection of PD is provided regardless of variation in their volume and content;
- observation and transparency: measures for providing security of PD are planned such that the results of their application can be measured in a transparent way and may be assessed by those implementing control, as well as by the subject of PD, including the processes for receipt and answer to written applications;
- constancy of control and assessment: there are periodic processes of verifying the compliance of the protective measures, recorded in a journal.
4. Access to processed personal data
4.1. Access to PD processed in the Company is provided to Employees, whose authority is confirmed in written form, as well as to those to whom the Company has delegated the processing of PD on the basis of a signed contract.
4.2. Access of Employees to processed PD is done in compliance with their job requirements and the requirements of local regulatory documents of the Company.
4.3. The process for access of subjects of PD to their PD that has been processed by the Company is determined in compliance with the law and is performed in compliance with local regulatory documents of the Company.
4.4. Questions and applications of the subjects of PD for receiving information, concerning the processing of their PD, must be sent to the Company at the following address: 16k2 Letchika Babushkina street, Moscow 129344, Russian Federation.
5. Implemented measures for protecting personal data
5.1. The contents of legal, organizational, and technical measures are determined, and local regulatory documents about the processing and protection of PD are confirmed (published) by the Company, based on the requirements of the Law on PD, chapter 14 of the Labour Code of the Russian Federation, and also on other regulatory acts of the Russian Federation on the processing and protection of PD.
5.2. The Company requires all of its Employees involved directly in the processing of PD to be familiar with the laws on PD, including the requirements for protecting PD, the Policy, and other local regulatory documents concerning PD, and provides training to the Employees on processing and protecting PD when required.
Version dated 09.03.2020