1. Policy's Purpose
1.1. This document defines the policy of Altus Capital LLC for processing personal data and ensuring its security (the “Policy”), and is public (publicly available).
1.2. The Policy has been developed to comply with the requirements of the Federal Law dated 27.07.2006, No. 152-FZ "On Personal Data", and other personal data regulations of the Russian
Federation, and applies to all personal data processed by Altus Capital LLC (the “Company”).
2. Terms and Definitions
For the purposes of this Policy, the following terms and definitions apply:
- Company means Altus Capital LLC.
- Information Security ("IS") means the state of security in the face of threats in the information sphere.
- Personal Data Information System ("PDIS") means a set of personal data contained in databases and information technologies and facilities ensuring its processing.
- Personal Data Processing means any personal data activity (operation) or a set of personal data activities (operations) performed with or without use of automation facilities, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transmission (dissemination, provision, access), depersonalization, blocking, deletion, destruction of personal data.
- Operator means a government authority, municipal authority, legal entity or individual who independently or in cooperation with other entities arranges and (or) performs personal data processing, and establishes the purposes of personal data processing, the composition of personal data to be processed, activities (operations) involving personal data.
- Personal Data ("PD") means any information related directly or indirectly to a particular or identifiable individual (personal data subject), as defined in section No. 5 of the Policy.
- Policy means this document.
- Personal Data Subject ("PDS") means an individual who owns personal data.
- FL No. 152 means the Federal Law dated 27.07.2006, No. 152-FZ “On Personal Data”.
- Cookies are small pieces of data that are stored in the browser of a computer, mobile phone or other device after visiting websites. Cookies are widely used to keep websites running and collect statistics.
3. General
3.1. One of the conditions for achieving the purposes of the Company's activities is to ensure the
required and sufficient level of information security of the Company's assets, which, among
other things, include personal data (PD) and the processes within the scope of which it is processed.
3.2. Ensuring the lawful PD processing and the security of the processed PD is one of the priority
objectives of the Company.
3.3. The Policy defines the principles, conditions and general procedure for the processing and
protection of PD of various categories of subjects whose PD is processed by the Company, and is
developed to ensure the protection of the individual's and citizen's civil rights and freedoms
when his/her personal data is being processed, including the protection of the rights for privacy,
personal and family secret.
3.4. PD falls into the definition of confidential information of the Company and it is subject to all
requirements for information security (IS), which apply in the Company with the aim of
protecting the confidential information, unless PD falls into the category of publicly available
and/or anonymized data.
3.5. The Policy is binding on all employees of the Company.
3.6. Employees of the Company, whose official duties involve access to PD processed in the
Company, shall be made familiar with this Policy against signature when being hiring and (or)
when being transferred to the relevant position/role.
4. Personal Data Processing Principles
4.1. The Company considers the most important objective is to ensure the lawfulness and
fairness of PD processing, to maintain its confidentiality and security of its processing.
4.2. The following principles underlie PD processing in the Company:
- processing personal data on a lawful and fair basis;
- limiting PD processing to achievement of particular, predetermined and lawful purposes;
- consistency of the content and scope of processed PD with the stated purposes of their processing, non-redundancy of processed PD in terms of the purposes of its processing;
- inadmissibility of combining databases that contain PD to be processed for incompatible purposes;
- ensuring the accuracy of PD, its sufficiency, and, where necessary, the relevance in terms of the purposes of PD processing;
- storing PD in a form that allows identifying the PD subject for no longer than the purpose of PD processing requires, unless a storage period for such personal data is set by the laws of the Russian Federation, an agreement to which the PD subject is a party, or under which the PD subject is a beneficiary or surety.
5. Categories of Processed Personal Data
5.1. The composition of PD processed in the Company is formed in accordance with FL No. 152,
regulations of the Russian Federation, and the Articles of Association of the Company,
agreements and business processes of the Company.
5.2. The Company shall not process special categories of PD related to race, ethnic origin,
political views, religious or philosophical views and intimate life, and shall not process biometric
PD.
6. Grounds for Processing Personal Data in the Company
6.1. PD shall be processed in the Company in the following cases:
- PD is processed with the PD subject's consent to the processing of his/her PD;
- PD processing is necessary to achieve the purposes stipulated by an international treaty of the Russian Federation or law, for the fulfilment and performance of the functions, powers and obligations vested in and imposed on the Company by the laws of the Russian Federation;
- PD processing is necessary to perform an agreement to which the PD subject is a party or under which the PD subject is a beneficiary or surety, or to enter into an agreement on the initiative of the PD subject or an agreement under which the PD subject will be a beneficiary or surety;
- PD processing is necessary to protect the life, health or other vital interests of the PD subject, where obtaining the consent of the PD subject is impossible;
- PD processing is necessary to exercise the rights and observe the lawful interests of the Company or third parties, or to achieve socially significant goals, unless the PD subject's rights or freedoms are infringed;
- processing of PD, access to which is granted by the PD subject or at his/her request to an unlimited number of persons (the “publicly available personal data”);
- processing of PD that is subject to publication or mandatory disclosure in accordance with the federal law.
7. Purposes of Processing Personal Data in the Company
7.1. The Company shall process PD for the particular, predetermined and lawful purposes and on
lawful grounds;
7.2. The information that the Company collects using cookies shall be used for the purpose of
analyzing the use of the Company's website and its subsequent improvement.
8. General Personal Data Processing Procedure
8.1. The Company shall process PD with or without use of automation facilities.
8.2. If subject’s PD is received from a third party, the Company shall notify the PD subject of
this and inform him/her of the source of the PD, his/her rights with regard to the processed PD,
the name and address of the Company, the purposes and legal ground for the processing of the
PD, expected users of the PD. The exceptions are cases where:
- the PD subject has been notified of the processing of his/her PD by the relevant operator;
- the PD has been provided to the Company pursuant to the requirements of federal law or in connection with the performance of an agreement to which the PD subject is a party or under which the PD subject is a beneficiary or surety;
- the PD is publicly available;
- the Company processes the PD on behalf of a third party operator under an agreement made between the Company and such third party;
- the provision of the PD subject with the information listed in this paragraph infringes on the rights or lawful interests of third parties.
8.3. The Company shall make available PD to government authorities and authorized persons
subject to the scope of their powers and competence in accordance with the laws of the Russian
Federation.
8.4. The PD shall be made available to a representative of the PD subject (including a lawyer) in
the manner regulated by the applicable laws of the Russian Federation and to the extent set out in
the order of the PD subject; provided that one of the following duly executed documents is presented:
- an original notarized power of attorney issued to such representative of the PD subject;
- an application from the PD to be written in the presence of an employee of the Company and certified by such employee of the Company who has accepted the application (or certified by a notary, if it has not been drawn up in the presence of an employee of the Company).
8.5. If the person who has applied to the Company with a request to provide PD is not authorized
to receive information falling into the definition of PD, the Company shall refuse to provide such
information and shall appropriately notify the said person of such refusal.
8.6. The Company may entrust PD processing to a third party, except as otherwise provided by
the laws of the Russian Federation. If this is the case:
- the PD provided to the Company by the PD subject (his/her legal representative) can be processed only with the consent of the PD subject (his legal representative), if such consent must be obtained in compliance with the requirements of FL No. 152;
- PD can be processed by a third party only by virtue of an agreement that defines a list of PD activities (operations) and the purposes of processing, and the PD security regulations, including the requirement not to disclose or distribute PD without consent of the PD subject, except as otherwise provided by the laws of the Russian Federation, and the requirements pursuant to article 19 of FL No. 152.
8.7. The Company may carry out cross-border transmission of PD in the cases stipulated by the
laws of the Russian Federation, contracts and agreements with international organizations or
companies. In this connection, provisions ensuring adequate protection of the PD subjects’ rights
(including provisions ensuring PD security) must be included in the said contracts and agreements.
8.8. The Company shall make arrangements to timely identify and modify the processed PD in
order to ensure its accuracy, reliability and relevance, in particular, in terms of the purposes of
PD processing.
8.9. Modifications to the PD shall be made by an authorized employee of the Company only by
virtue of duly executed original documents or their certified copies. If the subject
provides/modifies his/her PD when subscribing to the mailings of analytical materials on the
Company's website, the PD subject shall be directly responsible for the data accuracy.
8.10. If the PD subject detects inaccurate PD and when the PD subject or his/her legal
representative applies, or at their request or at the request of a competent authority that protects
PD subjects' rights, the Company shall ensure its blocking from the time of such appeal or
request for the check period, unless such blocking of the PD infringes on the rights and lawful
interests of the PD subject or third parties.
8.11. If the inaccuracy of the PD is ascertained on the basis of information provided by the PD
subject or his/her representative or the competent authority that protects PD subjects’ rights, or
other relevant documents, the Company shall ensure its updating within the period prescribed by
FL No. 152 from the day of provision of such information and shall unblock it.
8.12. If the inaccuracy of the PD is not ascertained on the basis of information provided by the
PD subject or his/her representative or the competent authority that protects PD subjects’ rights,
or other relevant documents, the Company shall unblock it.
8.13. Storage of PD in a form that allows identifying the PD subject shall last no longer than the
purposes of PD processing require, except as otherwise set out in the laws of the Russian
Federation or an agreement to which the PD subject is a party, or under which the PD subject is a
beneficiary or surety.
8.14. When collecting PD, recording, systematization, accumulation, storage, clarification
(updating, modification), extraction of PDo PD subjects, including citizens of the Russian
Federation, shall be carried out using databases located in the Russian Federation.
8.15. If the PD subject wants the Company to refuse to process cookies, then he/she must stop
using the Company's website or disable cookies in the browser settings.
9. Ensuring Personal Data Security
9.1. The Company has adopted a set of legal, organizational and technical measures to ensure PD
security, which are aimed at preventing unauthorized or accidental access to it, destruction,
modification, blocking, copying, dissemination, or other unlawful activities involving it, in
particular, by third parties, in compliance with the requirements of FL No. 152 and its by-laws.
9.2. The measures aimed at ensuring PD security in the Company include, among other things,
the following actions:
- appointing a person responsible for organizing PD processing in the Company;
- providing unlimited access to this Policy;
- keeping records of PD processed in the Company, categories of subjects whose PD is processed;
- keeping records of the Company's information systems in which PD is processed;
- appointing a Commission to determine the required level of protection of personal data processed in the Company's personal data information systems, and the destruction of personal data;
- formalizing and monitoring the implementation of the PD processing procedure in the Company;
- formalizing and monitoring the compliance with the PD and PD medium destruction requirements;
- keeping records of positions of the Company's employees who need access to personal data processed with and without the use of automation facilities in order to perform their job (employment) duties;
- ensuring that the employees of the Company who are directly involved in PD processing are made familiar with the PD processing and protection provisions of the laws of the Russian Federation, including the PD protection requirements, this Policy and other local PD processing and protection acts of the Company;
- controlling and delimiting access of the Company's employees and other persons to PD processed in the Company;
- restoring PD modified or destroyed as a result of unauthorized access to it;
- including the PD security ensuring provisions in contracts with third parties to whom the PD is provided, including the requirements to maintain the confidentiality of the provided PD;
- arranging procedures for ensuring the security of premises where PDIS are located, which will prevent an eventual uncontrolled entry by persons, who do not have the right to access such premises, into these premises, or their stay in these premises;
- carrying out regular internal monitoring/audit of the conformity of PD processing and security to the PD processing and security laws of the Russian Federation currently in force.
10. Personal Data Processing Timeframes
10.1. PD processing timeframes shall be determined in compliance with the requirements of the
laws of the Russian Federation currently in force, including the Order of the Federal Archival
Agency (Rosarkhiv) dated 20.12.2019, No. 236 "On Approval of the List of Standard
Administrative Archival Documents Generated in the Course of the Activities of Government
Authorities, Local Self-Government Authorities and Organizations, With Indication of Their
Storage Periods”, the internal documents of the Company, the terms of contracts made with the
PD subjects, and other requirements of the laws of the Russian Federation.
11. Termination of Personal Data Processing
11.1. PD processing shall be terminated, and the collected PD shall be destroyed or the
termination of PD processing and its destruction shall be ensured (if processing is carried out by
another person acting on behalf of the Company) in the following cases and within the
timeframes prescribed by FL No. 152, except as otherwise provided by the laws of the Russian
Federation:
- on expiration of the set PD processing period;
- on achievement of the purposes of PD processing or if there is no need to achieve them;
- on revocation by the PD subject of the consent to the processing of his/her PD, if such consent is required in accordance with the laws of the Russian Federation;
- at the request of the PD subject or the Competent Authority That Protects Rights of PD subjects, if the personal data is incomplete, outdated, unreliable, unlawfully obtained or is not necessary for the stated processing purpose;
- in case of detection of unlawful processing of PD by the Company or by a person acting on its behalf, if it is impossible to ensure the lawfulness of PD processing.
12. Interactions with Federal Executive Authorities
12.1. Interactions with federal executive authorities, in particular, with the competent authority
that protects PD subjects’ rights, on the issues related to processing and security of PD processed
by the Company, shall be based on the laws of the Russian Federation.
13. Interactions with Personal Data Subjects
13.1. The Company shall facilitate the exercising of the lawful rights of PD subjects and respond
to requests and appeals from PD subjects, including their provision with information related to
the processing of their PD, in compliance with the requirements of the laws of the Russian Federation.
13.2. A description of the PD subjects’ rights enshrined in the laws of the Russian Federation is
given in section 14 of this Policy.
14. Rights and Obligations
14.1. The PD subject has the right:
- to make a decision whether or not to provide his/her PD or give consent to its processing freely, of his/her own free will and for his/her own benefit;
- to require updating of his/her PD, its blocking or destruction if the PD is incomplete, outdated, unreliable, unlawfully obtained or not necessary for the stated processing purpose, and to take measures stipulated by law to protect his/her rights;
- to obtain information related to processing of his/her personal data by submitting a request and in the manner prescribed by FL No. 152;
- to revoke the consent to the processing of his/her PD, if such consent is required in accordance with the laws of the Russian Federation;
- to require notification of all persons processing PD on behalf of the Company, who were previously provided with incorrect or incomplete PD, of all exceptions, corrections or additions to it;
- to appeal to the competent authority that protects PD subjects' rights or in a judicial proceeding against unlawful actions or omissions committed when processing his/her PD;
- to the protection of his/her rights and lawful interests, including the right to the compensation for losses and (or) compensation for non-pecuniary damage by judicial means;
- to exercise other rights contemplated by laws of the Russian Federation.
14.2. The PD subject is obliged:
- to provide reliable PD and affirm its accuracy by presenting original documents or their duly certified copies;
- to timely inform the Company about changes in his/her PD.
14.3. The Company, as a PD operator, has the right:
- to defend its interests in court;
- to provide subjects’ PD to government and other competent authorities, if this is contemplated by the laws of the Russian Federation currently in force (tax, law enforcement agencies, the Bank of Russia, etc.);
- to refuse to provide PD in the cases stipulated by the laws of the Russian Federation, including the laws on the countering of legalization (laundering) of criminally obtained incomes and the financing of terrorism;
- to process the subject's PD without his/her consent, in the cases contemplated by the laws of the Russian Federation;
- to exercise other rights contemplated by the laws of the Russian Federation.
14.4. The Company, as a PD operator, is obliged:
- to process and protect PD in compliance with the requirements of the PD processing and security regulations of the Russian Federation;
- to notify the subject of the processing of his/her PD, if such PD is received from third parties, except as otherwise provided by the laws of the Russian Federation.
- to provide the PD subject with information regarding the processing of his/her PD, at the request of the subject, except as otherwise provided by the laws of the Russian Federation.
- check the accuracy of the data provided by the PD subject or his/her legal representative by verifying it against the information contained in the original documents or their duly certified copies presented by the PD subject or his/her legal representative;
- to explain to the PD subject the legal implications of refusal to provide his/her PD, if such provision of PD is mandatory in accordance with the laws of the Russian Federation;
- to organize the reception and processing of appeals and requests from PD subjects or their representatives;
- to organize the reception and processing of requests from competent authorities.
15. Final Provisions
15.1. This Policy is subject to approval by the order of the General Director of the Company and
shall be posted on the Company's website in the public domain.
15.2. Responsibility for monitoring compliance with this Policy is imposed on the person
appointed by an Officer Responsible for Organizing PD Processing in the Company.
15.3. The Policy shall be reviewed and updated upon a change in the PD processing and security
ensuring legislation of the Russian Federation, or upon a change in the PD processing processes
in the Company, but no less than once every three (3) years.
15.4. Any amendments and/or additions to this Policy will come into force from the date of
approval of a new version of the document by the General Director of the Company.
15.5. Any issues that are not settled by this Policy shall be resolved in accordance with the laws
of the Russian Federation.
16. Contact Information
16.1. PD subjects can send questions about PD processing by the Company to the e-mail address:
contact.ufgwmru@yandex.ru or to the postal address of the Company: 2, Tsvetnoy Boulevard,
floor 3, premises II, room 1, Moscow, 127051 (if the address changes, the relevant information
will be posted on Altus Capital LLC's website www.ufgwm.ru, English version of the website at
ufgwm.com).