1.2. This Policy is developed in accordance with the requirements of theFederal Law of 27.07.2006 #152-FZ "On Personal Data" (hereinafter -Federal Law #152), as well as other regulations of the Russian Federation inthe field of Personal Data.
1.3. The Companyshall process Personal Data in accordance with this Policy, other localregulations and laws of the Russian Federation.
2.1. One of the conditions of Company's activities realization is to ensure necessary and sufficient level of information security of Company's assets, which includes PD and processes, within which they are processed.
2.2. Ensuring lawful processing of PD and security of processed PD is one of the Company's top priorities.
2.3. The Policy defines the principles and conditions for collecting, processing, storing and protecting the Personal Data of website visitors, current and potential clients and consumers of products, as well as other subjects of Personal Data that may come into contact with the Company, and is designed to protect the human and citizen rights and freedoms when processing their Personal Data, including protection of the rights to privacy, personal and family secrets.
2.4. This Policy shall be binding on all employees of the Company.
2.5. Employees of the Company whose job duties involve access to Personal Data processed by the Company shall be familiarized with this Policy when hired and/or transferred to the relevant position/role, against their signature.
3.1. The Company considers it of primary importance to ensure lawful and fair processing of Personal Data, respect for the confidentiality and security of Personal Data processing.
3.2. Processing of Personal Data in the Company is based on the following principles:
4.1. Personal Data may be processed in the Company solely for the purposes for which it was obtained. Subject of Personal Data may be informed about Processing of Personal Data in the Policy, in the text of his/her consent to Processing of Personal Data, or in any other way.
In particular, the Company may process the following Personal Data for the specified purposes:
The Company does not process information related to race, ethnicity, political views, religious or philosophical beliefs, intimate life, as well as biometric Personal Data. The Company prohibits making decisions based solely on the automated processing of Personal Data that produce legal consequences with respect to the subjects or otherwise affect their rights and legitimate interests. The Company does not distribute PDs and does not put them in publicly available sources without PD subjects' consent.
Cookies are small files generated and stored by your browser when you visit the Company's websites. Cookies are stored on your device for a maximum of 6 months and allow us to track the quality and usage characteristics of websites and to optimize online marketing activities.
Visiting and using the websites by default involves the generation and storage of cookies. However, the user may delete cookies from the device at any time through the settings of the browser used. The user can also refuse to accept cookies, but this does not guarantee that all functions of the websites will work (e.g. remembering the visitor's language preferences).
The following types of web analytics tools are used on the Company's websites:
6.1. Processing of Personal Data in the Company shall be carried out in the following cases:
7.1. Processing of Personal Data by the Company is carried out both with and without the use ofautomated means. The Company also processes Personal Data in mixed ways.
7.2. Should the Company receive a subject's Personal Data from a third party, the Company shall notify the subject of Personal Data and advise them of the source of their Personal Data, their rights as regards the Personal Data being processed, the purposes and legal basis for processing such Personal Data, and their intended users, unless otherwise provided for by the law.
7.3. The Company may entrust the processing of Personal Data to a third party, unless otherwise provided for by the laws of the Russian Federation. In this case:
Such third parties may include, in particular, the Company's counterparties (in particular, those that provide support services for the information systems used), as well as public authorities in cases provided by law. Companies are also entitled to receive Personal Data from such third parties.
Data collected by web analytics systems used may also be received and processed by third party providers of such systems (in particular, Yandex LLC, Google LLC),including those located in other countries. In this case, the processing of Personal Data is carried out within the framework of providing web sites to users for the performance of the User Agreement.
7.4. The Company may transfer Personal Data across borders in cases stipulated by the laws of the Russian Federation, agreements with foreign companies and this User Agreement, including to the countries, which do not provide adequate protection of the rights of Personal Data subjects. At the same time, contracts with third parties shall include provisions to ensure adequate protection of the rights of Personal Data subjects (including provisions to ensure confidentiality and security of Personal Data).
7.5. The Company shall process employees' Personal Data, posted on the Company's web-sites, based on employees' consent to process Personal Data, authorized for distribution solely for the purposes of establishing business contacts related to the Company's activities, and promoting the Company's services. Subsequent distribution of Personal Data of the Company's employees for other purposes is not allowed.
7.6. The Company shall work to promptly identify and make changes to the processed Personal Data in order to ensure their accuracy, reliability and relevance, including with respect to the purposes of processing Personal Data.
7.7. Changes to Personal Data shall be made by an authorized employee of the Company only on the basis of duly submitted original documents or certified copies thereof. If the subject of Personal Data provides/changes his/her Personal Data when subscribing to information and advertising communications on the Company's websites, the subject of Personal Data shall be directly responsible for the accuracy of the data.
7.8. In case of identifying inaccurate Personal Data by the subject of Personal Data and upon the application of the subject of Personal Data or his/her legal representative, or at their request or at the request of the authorized body for the protection of the rights of Personal Data subjects, the Company shall ensure their blocking from the moment of such application or receipt of the said request for the period of inspection, if blocking of Personal Data does not violate the rights and legitimate interests of the subject of Personal Data or third parties.
7.9. If it is confirmed that the PD is inaccurate based on the information provided by the subject of PD or his/her representative, or by an authorized body for the protection of PD subjects' rights, or other necessary documents, the Company shall provide PD clarification within the period specified in FL#152 from the date of such information and unblock them.
7.10. If the fact of inaccuracy of PD is not confirmed on the basis of information provided by the subject of PD or his/her representative or by an authorized body for the protection of the rights of PD subjects, or other necessary documents, the Company shall remove their blocking.
7.11. When collecting Personal Data, recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of Personal Data of PD subjects, including citizens of the Russian Federation, shall be performed using databases located in the Russian Federation.
8.1. The Company has adopted a set of legal, organizational and technical measures to ensure the security of Personal Data aimed at preventing unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as other unlawful actions with them, including by third parties, in accordance with the requirements of FL#152 and its bylaws.
8.2. The Company's Personal Data security measures include, but are not limited to, the following:
8.3. The Company has appointed persons responsible for organizing PDprocessing and ensuring PD security.
9.1. Processing timeframes shall be determined in accordance with the requirements of the Russian Federation legislation, Company's internal regulations, terms of agreements, concluded with PD subjects, and terms of consent to PD processing.
9.2. Consents to process Personal Data provided by a subject of Personal Data when filling out forms on the Company's web-sites shall be valid for 3 years from the last time the subject of Personal Data used the relevant form. If consent to the processing of Personal Data is withdrawn in accordance with the procedure set out in Clause 10 of this Policy, it shall automatically expire.
10.1. The Company will help to execute legal rights of Personal Data subjects and respond to requests and applications from such subjects, including providing them with information related to processing their Personal Data, in accordance with the Russian Federal legislation.
10.2. Subject of PD shall be entitled to:
10.3. Subjects of Personal Data may send all inquiries concerning the processing of their Personal Data:
10.4. If there are subscriptions to receive information and advertising communications, in addition to the above methods, the subject of PD may request to unsubscribe from such communications by activating the automatic function "Unsubscribe" at the link present in the email containing the communication. In this case, the sending of communications to the e-mail address from which the function was activated will cease.
10.5. The Company shall respond to requests from Data Subjects within the time limits set forth in FL# 152. If circumstances arise which require additional information, in cases stipulated by FL#152, the Company has the right to extend the term of response to subject of PD by up to 5 working days subject to sending to subject of PD motivated notification of reasons for such extension.
10.6. Personal Data subject's representative (including a lawyer) shall be submitted to the PD subject in accordance with the procedure provided by the current legislation of the Russian Federation and to the extent prescribed by the order of the subject of the PD, provided one of the following duly executed documents is available:
10.7. If a person, who applied to the Company with a request to provide PD, is not authorized to receive information related to PD, the Company shall refuse to provide such information to the person with the relevant notice to that person of the refusal.
11.1. This Policy shall be approved by order of the CEO of the Company and shall be posted on the Company's public web sites at: https://www.ufgwm.com/ru/politika-po-obrabotke-personalnyh-dannyh. This is the English translation of the approved Policy.
11.2. The responsibility for monitoring compliance with this Policy shall be vested in the person responsible for organizing the processing of Personal Data in the Company.
11.3. The Policy shall be reviewed and updated if the laws of the Russian Federation regarding the processing and security of Personal Data change, as well as if the Company's Personal Data processing processes change, but at least once every three (3) years.
11.4. Any amendments and/or additions to this Policy shall become effective on the date of publication of the new version of the document approved by the Company’s CEO.
11.5. Matters not regulated by this Policy shall be resolved in accordance with the laws of the Russian Federation.
Version of the Policy dated October 4, 2022
Previous versions of the Policy may be provided upon the request.