3. Categories of personal data subjects

3.1. The operator processes personal data of the following categories of personal data subjects:

3.1.1. Operator's employees, dismissed employees, candidates for vacant positions, similar categories, the processing of which is provided for by labor legislation (hereinafter referred to as Operator's Employees).

3.1.2. Users.

3.1.3. Partners.

3.1.4. Representatives of the Operator's Counterparties.

4. Purposes and grounds for processing personal data

4.1. Personal data of the Operator's Employees is processed on the basis of subparagraph 2, 7 of paragraph 1 of Article 6 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data", in order to comply with the provisions of the Labor Code of the Russian Federation, in order to fulfill the provisions of the employment contract, as well as related with the Labor Code of the Russian Federation and regulatory legal acts.

4.2. Personal data of Users and Partners is processed in accordance with subparagraph 1 and 5 of paragraph 1 of Article 6 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” in order to become familiar with the operator’s services, the intention to conclude a contract, and the execution of the contract.

4.3. Personal data of the Counterparty's representatives are processed in accordance with subparagraph 5, 7 of clause 1 of Article 6 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" for the purpose of concluding and executing an agreement concluded with the Counterparty.

4.4. Personal data may be used for other purposes if this is mandatory in accordance with the provisions of the legislation of the Russian Federation.

4.5. The processing of personal data is limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.

5. Composition of information about subjects of personal data

5.1. The Operator processes the following categories of personal data of Employees: last name, first name, patronymic, year of birth, gender, age, profession, income, social status, availability of work, passport data; data on military ID (for those liable for military service), certificate of assignment of TIN, insurance pension certificate, files containing materials on advanced training and retraining, certification, and official investigations; other data, the processing of which is provided for by labor legislation and the contract concluded with the employee.

5.2. The Operator processes the following categories of personal data of Users: last name, first name and patronymic, month, date and place of birth, passport data, gender, signal account (in the operator’s system), trading account (in the operator’s system), training account (in the operator’s system), email address, registration address.

5.3. The Operator processes the following categories of personal data of Partners: last name, first name and patronymic, partner status, partner account information.

5.4. The Operator processes personal data of representatives of counterparties: last name, first name, patronymic (if any), position, other information provided for in the agreement with the Counterparty.

5.5. When subjects of personal data use the Site and Mobile applications of the Operator, the Operator processes data provided for by international data exchange protocols via the Internet including (but not limited to): IP address, MAC address, device ID, IMEI, MEID, Cookies data, browser information , operating system, access time.

5.6. The storage period for personal data is determined by the contract or the essence of another basis for processing.

5.6.1. The processing time for Employees' PD is no more than 30 days from the date of loss of the grounds for processing.

5.6.2. The processing time for Users' PD is until termination of the contract, in case of debt - 3 years, while processing for the purpose of debt collection is carried out only on tangible media in the prescribed manner.

5.6.3. The period for processing personal data of Applicants is until the service is performed.

5.6.4. The period for processing personal data of counterparties is until the termination of the contract, storage of tangible media containing personal data of representatives of counterparties is until the expiration of the limitation period.

5.6.5. To ensure the storage of personal data on tangible media, premises equipped with security means are determined in accordance with the order on
to the enterprise. The storage of completed documents containing personal data is carried out in an archive or in a separate room (cabinet).

5.6.6. Storage of tangible media of personal data is carried out separately for each category of personal data subjects.

6. Using ISPD

6.1. The operator processes personal data in personal data information systems.

6.2. In the case of transfer of personal data for processing to a third party where the processing of personal data is expected, the concluded agreement provides for the obligation to protect personal data in accordance with current legislation.

7. User rights

The subject of personal data has the right:
7.1. Apply for changes to the provided personal data or deletion.

7.2. Require notification of all persons to whom incorrect or incomplete personal data was previously provided.

7.3. Send requests to the Operator regarding the processing of his personal data within the limits of the Operator’s concerns.

7.4. Exercise other rights provided for by current legislation.

8. Information about the implemented requirements for the protection of personal data

8.1. When processing personal data, the Operator takes the necessary legal, organizational and technical measures and ensures their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in in relation to personal data, which include in particular (but not limited to):

8.1.1. Appointment of the person responsible for the processing of personal data.

8.1.2. Limiting the number of employees who have access to personal data.

8.1.3. Software identification of Users, Operator employees and recording of their actions.

8.1.4. Implementation of anti-virus control and other measures against malicious software and mathematical influences.

8.1.5. Application of backup and recovery tools.

8.1.6. Software updates when security patches from manufacturers are available.


8.1.7. Implementation of encryption when transmitting personal data on the Internet.

8.1.8. Taking measures related to the admission of only appropriate persons to places where technical equipment is installed.

8.1.9. The use of technical means of protecting premises in which technical means of information systems of personal data are located, and places of storage of material media of personal data.

8.2. The operator ensures the security of personal data, in particular:

8.2.1. taking into account possible harm to the subject of personal data, the volume and content of personal data processed, the type of activity during which personal data is processed, the relevance of threats to the security of personal data

8.2.2. application of technical measures in accordance with threats to the security of personal data during their processing in personal data information systems.

8.2.3. application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;

8.2.4. the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;

8.2.5. assessment of the effectiveness of measures taken to ensure the security of personal data before starting work in the personal data information system carried out by the Company;

8.2.6. taking into account computer storage media of personal data, if used;

8.2.7. procedures related to detecting facts of unauthorized access to personal data and taking measures;

8.2.8. restoration of personal data modified or destroyed due to unauthorized access to it;

8.2.9. establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;

8.2.10. control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

9. Using anti-virus protection tools

9.1. Only licensed anti-virus products purchased from suppliers of these products are allowed for use.

9.2. Installation and configuration of parameters of anti-virus control tools on KBC workstations and servers is carried out by the information security administrator or persons under an agreement containing the appropriate conditions.

9.3. Antivirus software should be updated automatically. It is allowed to operate the antivirus with updates no older than 72 hours.

9.4. Anti-virus monitoring of all workstation disks and files should be carried out weekly.

9.5. An anti-virus monitor must be running on each workstation and server in resident mode.

9.6. Any information received via telecommunication channels and on removable media is subject to mandatory anti-virus control.

9.7. The installed software must first be scanned for viruses.

10. Working with password protection

10.1. Personal passwords must be generated by special administrative service software.

10.2. The password must be at least 8 characters long.

10.3. The password must contain upper and lower case letters, numbers and special characters.

10.4. The password must not include:
− easily calculated combinations of symbols;
− keyboard sequences of symbols and signs;
− generally accepted abbreviations;
− abbreviations;
− telephone numbers, car numbers;
− other combinations of letters and characters associated with the user;
− when changing the password, the new combination of characters must differ from the previous one by at least 2 characters.

10.5. It is allowed to use a single password for the subject of access to various information resources.

10.6. A complete scheduled change of user passwords should be carried out regularly, at least once a month.

10.7. A complete unscheduled change of passwords for all users should be carried out in the event of termination of the powers of security administrators or other employees who, due to the nature of their service, were granted the authority to manage password protection.

10.8. A complete unscheduled change of passwords should be carried out in the event of a compromise of the personal password of one of the ISPD administrators.

10.9. If a user's personal password is compromised, access to information from this account must be immediately restricted until the new user account or password takes effect.

10.10. When working with password protection, users are prohibited from:

− disclose your personal password and other identifying information to anyone;

− provide access from your account to information stored in the ISPD to unauthorized persons;

− write down passwords on paper, files, electronic and other media, including on objects.

10.11. The user may store his or her password on paper only in a personal safe, sealed by the owner of the password.

10.12. When using a password, the user is obliged to exclude the possibility of its interception by third parties and technical means.

10.13. By compromise we mean:

− physical loss of the media with information;

−transfer of identification information via open communication channels;

− penetration of an unauthorized person into the premises of physical storage of a password information carrier or algorithm or suspicion of it (alarm activation, damage to NSD control devices (seal impressions), damage to locks, etc.);

− visual inspection of the identification information carrier by an unauthorized person;

−password interception when distributing identifiers;

− deliberate transfer of information to a third party.

10.14. Actions to take if a password is compromised:

− a compromised password is immediately removed from action, and a spare or new password is entered in its place;

− all participants in the exchange of information are immediately notified of compromise. The password is included in special lists containing compromised passwords and accounts.

11. Manual processing of personal data

11.1. To ensure the security of personal data during manual processing, the following measures are taken:

11.1.1. all actions related to the processing of personal data are carried out only by the Operator’s employees who are authorized by order of the sole executive body to work with personal data, and only to the extent necessary for these persons to perform their job function;

11.1.2. An agreement is concluded with a third party carrying out non-automated processing of personal data on behalf of the operator, which includes conditions for taking appropriate measures to protect personal data.

11.1.3. the processing of personal data is carried out in compliance with the procedure provided for by Government Decree No. 687 of September 15, 2008 “On approval of the Regulations on the specifics of processing personal data carried out without the use of automation tools.”

12. Privacy

12.1. The operator and other persons who have access to personal data are obliged not to disclose to third parties or distribute personal data without observing the principle based on the consent of the subject of personal data, except in cases provided for by current legislation.

13. Destruction (depersonalization) of personal data

13.1. Destruction (depersonalization) of the Subject’s personal data is carried out in the following cases:

13.1.1. upon achievement of the purposes of their processing or in case of loss of the need to achieve them within a period not exceeding thirty days from the moment of achieving the purpose of processing personal data, unless otherwise provided for by the contract to which the subject of personal data is a party, or another agreement between the Operator and the subject of personal data ( his representative, employer);

13.1.2. in case of detection of unlawful processing of personal data or lawful revocation of personal data within a period not exceeding ten working days from the date of detection of such a case;

13.1.3. in case of expiration of the storage period for personal data, determined in accordance with the legislation of the Russian Federation and the organizational and administrative documents of the Operator;

13.1.4. in the event of an order from the authorized body for the protection of the rights of personal data subjects, the prosecutor's office of Russia or a court decision.

14. Transfer to third parties

14.1. The operator does not carry out cross-border processing of personal data. When storing personal data using contractors' ISPD, the Operator uses databases located on the territory of the Russian Federation.

14.2. The Operator may transfer personal data to other persons, hosting providers, analytics services, and other persons in order to fulfill the contract concluded with the User.

14.3. The operator has the right to transfer personal data to the authorities of inquiry and investigation,
other authorized bodies on the grounds provided for by the current legislation of the Russian Federation.

15. Exceptions from processing

15.1. The operator does not process special categories of personal data, including
including biometric.

15.2. The Operator does not have processes associated with making decisions solely on the basis of automated processing of personal data.

15.3. The operator does not provide unlimited access to personal data to third parties.

15.4. The operator does not make proactive contacts for information and advertising purposes.

16. Final provisions

16.1. The period for processing personal data processed by the Operator may be determined (redetermined) by the organizational and administrative documents of the Operator in accordance with the provisions of the Federal Law “On Personal Data”.

16.2. This Policy is subject to change and addition in the event of the emergence of new legislative acts and special regulations on the processing and protection of personal data, as well as by the decision of the Operator.

16.3. Control of compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data.

16.4. Issues not regulated by this Policy are regulated by the current legislation of the Russian Federation.

16.5. The operator may issue other local acts that clarify certain principles
processing of personal data.