The Policy
of Arctic Catering Services LLC (ACS LLC)
with regard to the Personal Data Processing
1. General
1.1. The policy of ACS LLC in relation to the personal data processing (hereinafter referred to as the Policy) has been developed in accordance with Article 18.1 of the Federal Law dated July 27, 2006 N 152-FZ “On Personal Data” (hereinafter referred to as the Federal Law) and contains information about the requirements for personal data processing and the protection.
1.2. The policy was developed taking into account the requirements of the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data of the Council of Europe, the Constitution of the Russian Federation, international treaties of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation in the field of personal data.
1.3. The purpose of this document is to inform personal data owners and persons involved in the processing of personal data about the observance of the fundamental principles of legality, fairness, non-redundancy, compliance of the content and volume of processed personal data with the stated processing purposes, by ACS LLC (hereinafter also the Company or the Operator).
1.4. Ensuring the protection of human rights and freedoms when processing their personal data, including the protection of the rights to privacy, personal and family secrets, is one of the priority tasks of the Company.
1.5. The Policy applies to all personal data processed by the Company and is a publicly available document.
2. Legal Basis for Personal Data Processing
2.1. The processing of personal data by the Operator, depending on the purposes of processing, is carried out:
2.1.1. With the consent of personal data owners to the processing of their personal data;
2.1.2. In order to comply with the laws of the Russian Federation, international treaties of the Russian Federation, decrees of the Government of the Russian Federation and other regulatory legal acts of the Russian Federation;
2.1.3. In order to execute or conclude an agreement, the party to which or the beneficiary or guarantor of which is a personal data owner, including if the Company exercise their right to assign rights (claims) under such an agreement.
3. Purposes and Applied Methods of Personal Data Processing
3.1. The personal data processing in the Company is carried out using automation tools, including in personal data information systems, and without the use of such tools (mixed personal data processing).
3.2. In case of the automated personal data processing, the transfer of personal data through the internal network of the Operator and using the information and telecommunication network “Internet” is used.
3.3. The personal data processing is carried out in order to:
3.3.1. Assist employees and candidates in employment, training and promotion, control the quantity and quality of work performed, comply with labor laws and other instruments containing labor statues;
3.3.2. Ensure social benefits and guarantees, personal safety or other vital interests of the Company’s employees and their family members;
3.3.3. Conclude and execute civil contracts, including service contracts;
3.3.4. Comply with the legislation of the Russian Federation on limited liability companies, on information disclosure;
3.3.5. Comply with antitrust laws;
3.3.6. Protect the rights and legitimate interests of the Company and their officials in courts, dispute resolution bodies, administrative bodies;
3.3.7. Form of reporting or prepare statements, notifications, etc. provided for in the legislation to the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, the Federal Tax Service and other state bodies and services;
3.3.8. Consolidate statistical data and indicators for ACS LLC;
3.3.9. Control and audit ACS LLC;
3.3.10. Carry out or participate in tender procedures of ACS LLC;
3.3.11. Prepare powers of attorney issued to employees of ACS LLC, other organizations and individuals;
3.3.12. Provide access and site security regime to the premises of the Company, ensuring the safety of property;
3.3.13. Maintain corporate telephone and other information directories, publish messages on internal corporate portals, boards of honor and in publicly available personal data information systems;
3.3.14. Fulfill other obligations within the framework of the legal grounds listed in clause 2.1 of the Policy.
4. Processed Personal Data and Sources of their Receipt
4.1. Personal data is received by the Operator directly from the personal data owner or their representative, unless another procedure for obtaining personal data is established by Federal Law.
4.2. Personal data may be received not from the personal data owner if there is the consent of the personal data owner to transfer their personal data to the Company for processing, unless another procedure for personal data receipt is provided for by the Federal Law.
4.3. The processing of special categories of personal data (concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life), biometric personal data (characterizing the physiological and biological characteristics of a person, on the basis of which it is possible to establish the identity of the owner) is not allowed in the Company, except for the cases stipulated by the Federal Law.
4.4. It is not allowed to use personal data for political campaigning, as well as for the promotion of goods, works, services, with the exception of cases provided for by the Federal Law.
4.5. The Company can process personal data belonging to:
4.5.1. Company employees and their family members;
4.5.2. Persons holding senior positions in ACS LLC and their family members;
4.5.3. Candidates considered for the conclusion of employment contracts;
4.5.4. Owners, the processing of personal data of which is associated with the fulfillment of the terms of the concluded contracts;
4.5.5. Owners who have entered into employment contracts or civil contracts with ACS LLC;
4.5.6. Persons who were previously in an employment relationship with the Company;
4.5.7. Potential counterparties (individuals);
4.5.8. Founders (individuals) of potential counterparties;
4.5.9. Lawyers, notaries interacting with the Company;
4.5.10. Authors of written appeals to ACS LLC;
4.5.11. Other personal data owners (to ensure the implementation of the purposes of personal data processing specified in clause 3.3 of the Policy).
4.6. The Operator also processes publicly available personal data of the Company’s employees, made as such with the consent of the personal data owner, namely: surname, first name, patronymic, image (photograph) of the person, occupied and combined position, name of the structural unit, business e-mail address, business telephone numbers, fax numbers, number and location of the work space.
5. Terms of Personal Data Processing and Storage
5.1. The personal data processing begins not earlier than the emergence of legal grounds for the personal data processing listed in clause 3 of the Policy.
5.2. The personal data processing stops when the processing goals are achieved, the legal basis for processing is lost, the storage periods for documents established by the legislation on archiving in the Russian Federation and local regulations of ACS LLC expire.
5.3. After the expiration of the processing period, personal data is destroyed or depersonalized for use for statistical or other research purposes.
6. Rights of the Personal Data Owners
6.1. The personal data owner has the right to receive information about the processing of their personal data in the manner and within the time frame provided for by the Federal Law.
6.2. The personal data owner may request the Operator to adjust, block or destroy his or her personal data if the personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the purpose for which they intended to be processed and take measures available under the Federal Law to protect their rights.
6.3. The rights of the Personal Data Owner to access their personal data may be limited in accordance with the Federal Law.
6.4. Decision-making on the basis of exclusively automated processing of personal data that generates legal consequences in relation to the personal data owner or otherwise affecting their rights and legitimate interests is allowed with the consent of the owner in writing.
6.5. The personal data owner has the right to appeal against the actions or inaction of the Operator by contacting the authorized body for the protection of the rights of personal data owners or in court.
6.6. The personal data owner has the right to protect their rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in the courts.
7. Cross-Border Transfer of Personal Data
7.1. The Company carries out cross-border transfer of personal data — the transfer of personal data to the territory of a foreign state, to the authority of a foreign state, to a foreign individual or foreign legal entity.
7.2. The cross-border transfer of personal data on the territory of foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automated Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of personal data owners (the list of such countries is approved by the authorized body for the protection of the rights of personal data owners), can be carried out without obtaining the written consent of the personal data owner for cross-border transfer, taking into account the purposes of processing personal data specified in clause 3.3 of the Policy.
7.3. The cross-border transfer of personal data to countries that do not provide adequate protection of the rights of personal data owners is carried out:
7.3.1. If there is a written consent of the personal data owner for the cross-border transfer of their personal data;
7.3.2. For the execution of an agreement to which the personal data owner is a party;
7.3.3. To protect the life, health, and other vital interests of the personal data owner or other persons if it is impossible to obtain the consent of the personal data owner in writing;
7.3.4. In cases stipulated by international treaties of the Russian Federation, federal laws (if necessary in order to protect the foundations of the constitutional system of the Russian Federation, ensure the country’s defense and state security, as well as ensure the stable and safe functioning of the transport complex, protect the interests of the individual, society and the state in the field of transport complex from acts of unlawful interference).
7.4. The cross-border transfer of personal data by the Operator, depending on the purposes and categories of personal data, is carried out, including to the following countries: Kazakhstan, France.
8. Information on Third Parties Involved in the Processing of Personal Data
8.1. The Operator has the right to entrust the personal data processing to another person with the consent of the personal data owner, unless otherwise provided by the Federal Law, on the basis of a contract concluded with this person.
8.2. The Operator’s order (contract) defines a list of actions (operations) with personal data that will be performed by the person processing personal data, the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the safety of personal data during their processing, and the requirements to the protection of processed personal data.
8.3. The person who processes personal data on behalf of the Operator is not obliged to obtain the consent of the personal data owner to the processing of their personal data.
8.4. In the event that the Operator entrusts the processing of personal data to another person, the Operator bears responsibility to the personal data owner for actions of this person. The person who processes personal data on behalf of the Operator is responsible to the Operator.
9. Information on the Implemented Requirements for the Personal Data Protection
9.1. When processing personal data, the Operator ensures that the necessary legal, organizational and technical measures are taken to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution and other illegal actions in relation to personal data.
9.2. The personal data security support is achieved, in particular:
9.2.1. By the appointment of persons responsible for organizing the processing of personal data and ensuring the security of personal data;
9.2.2. By the publication of local regulations on the processing and protection of personal data, aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
9.2.3. By determining the list of positions, upon replacement of which the processing of personal data is carried out;
9.2.4. By organizing training, conducting methodological assistance, familiarizing employees engaged in the processing of personal data with the fact of participation in the processing of personal data, as well as with the rules for processing and protecting personal data established by regulatory legal acts of executive authorities and local regulatory acts of ACS LLC;
9.2.5. By ensuring registration and accounting of actions performed with personal data;
9.2.6. By accounting for material carriers of personal data and control over their circulation in order to exclude loss, theft, substitution, unauthorized copying or destruction;
9.2.7. By keeping records of the execution of requests from personal data owners;
9.2.8. By the transfer of personal data within the Company only between persons holding positions included in the list of positions, upon replacement of which personal data processing is carried out;
9.2.9. By the placement of personal data processing within the boundaries of the protected area, as well as the organization of physical protection of personal data carriers, places and means of their processing;
9.2.10. By organizing the access to the premises used for personal data processing and/or storage of their material carriers;
9.2.11. By identifying threats to the security of personal data during their processing in personal data information systems, developing, if necessary, a personal data protection system during their processing in personal data information systems and establishing rules for access to personal data;
9.2.12. By detecting facts of unauthorized access to personal data and taking appropriate measures;
9.2.13. By drawing up standard forms for collecting personal data in such a way that each of the personal data owners had the opportunity to get acquainted with their personal data without violating the rights and legitimate interests of other personal data owners;
9.2.14. By entering in standard forms providing for the indication of personal data in them, fields in which the personal data owner would have the opportunity to put a mark on their consent to the processing of personal data, carried out without using automation tools (if it is necessary to obtain written consent to the processing of personal data);
9.2.15. By periodic control over the compliance of the measures taken to ensure the security of personal data with the legislation of the Russian Federation on personal data and local regulations adopted in its implementation.
10. Responsibility for Violation of the Rules for the Personal Data Processing and Requirements for the Personal Data Protection
10.1. Company employees involved in personal data processing bear disciplinary, civil, administrative or criminal liability in accordance with the current legislation of the Russian Federation for violation of the rules for the personal data processing and requirements for the personal data protection.
11. Contact Details
11.1. Arctic Catering Service Limited Liability Company INN [Taxpayer Identification Number]: 1106010917. 125040, Moscow, Skakovaya st. 36, floor 2, bld. XXV, office 253. Phone/fax: +7 (499) 673-05-50.
11.2. Person responsible for organizing the personal data processing at ACS LLC — IT manager, Sergey Veselov, Tel.: +7 499 673 05 50 ext: 7010, e-mail: sergey.veselov@acs-cis.ru
11.3. Person responsible for personal data protection at ACS LLC — IT manager, Sergey Veselov, Tel.: +7 499 673 05 50 ext: 7010, e-mail: sergey.veselov@acs-cis.ru
