Personal Data Processing Policy
LLC “SIMPLOY”



General Provisions


This Personal Data Processing Policy (hereinafter referred to as the “Policy”) defines the principles, purposes, and procedures for processing personal data at Limited Liability Company “SIMPLOY” (Primary State Registration Number (OGRN) 1257800042940, Taxpayer Identification Number (INN) 7805823031, registered address: Office 736, Premises 10-N, Lit. A, Building 3, 10 Dvinskaya Street, Saint Petersburg 198035, Russian Federation) (hereinafter referred to as the “Operator”, the “Company”), and establishes measures to ensure their security.

This Policy has been developed in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.

The Company ensures the protection of human and civil rights and freedoms when processing personal data, including the protection of the right to privacy, personal and family confidentiality, and undertakes to provide unrestricted access to this Policy.

For the purposes of this Policy, the following key terms shall apply:

• Automated processing of personal data – processing of personal data using computer equipment.
• Blocking of personal data – temporary suspension of personal data processing (except where processing is necessary to clarify personal data).
• Personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
• Depersonalization (anonymization) of personal data – actions resulting in the impossibility of identifying personal data as belonging to a specific data subject without additional information.
• Processing of personal data – any action (operation) or set of actions (operations) performed with or without automation tools in relation to personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
• Operator – a state authority, municipal authority, legal entity, or individual who independently or jointly with others organizes and/or carries out personal data processing and determines the purposes of processing, the scope of personal data to be processed, and the actions performed with personal data.
• Personal data – any information relating to an identified or identifiable individual (data subject).
• Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.
• Distribution of personal data – actions aimed at disclosing personal data to an indefinite group of persons or making personal data accessible to an unlimited number of persons, including publication in the media, posting in information and telecommunication networks, or granting access by any other means.
• Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign public authority, foreign individual, or foreign legal entity.
• Destruction of personal data – actions resulting in the impossibility of restoring the content of personal data in a personal data information system and/or resulting in the destruction of material carriers of personal data.

Principles and Conditions of Personal Data Processing



1. Principles of Personal Data Processing

Personal data processing in the Company is based on the following principles:

• legality and fairness;
• limitation of processing to specific, predetermined, and lawful purposes;
• prevention of processing incompatible with the purposes of data collection;
• prevention of merging databases processed for incompatible purposes;
• processing only personal data relevant to the stated purposes;
• ensuring that the content and scope of processed personal data correspond to the stated purposes;
• preventing excessive personal data processing in relation to the stated purposes;
• ensuring accuracy, sufficiency, and relevance of personal data;
• destruction or anonymization of personal data upon achievement of processing purposes or loss of necessity, unless otherwise provided by federal law.

2. Conditions of Personal Data Processing

The Company processes personal data if at least one of the following conditions applies:

• processing is carried out with the consent of the data subject;
• processing is necessary to achieve objectives provided for by an international treaty of the Russian Federation or by law, or to perform functions and obligations imposed on the Operator by Russian legislation;
• processing is necessary for the performance of a contract to which the data subject is a party, beneficiary, or guarantor, or for entering into a contract at the initiative of the data subject;
• processing is necessary for the exercise of the rights and legitimate interests of the Operator or third parties, or for achieving socially significant goals, provided that the rights and freedoms of the data subject are not violated;
• processing relates to personal data made publicly available by the data subject;
• processing relates to personal data subject to publication or mandatory disclosure under federal law.

3. Confidentiality of Personal Data

The Company and other persons who have obtained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the data subject, unless otherwise provided by federal law.


4. Publicly Available Sources of Personal Data

For informational purposes, the Company may create publicly available sources of personal data (including directories and address books). With written consent of the data subject, such sources may include full name, date of birth, position, contact phone numbers, email address, photograph, and other personal data provided by the subject.

Information about a data subject must be removed from publicly available sources upon the request of the subject or by court decision or decision of other authorized state bodies.


5. Special Categories of Personal Data

The Company may process special categories of personal data (racial or ethnic origin, political views, religious or philosophical beliefs, health status, private life) only if:

• the data subject has given written consent;
• the data has been made publicly available by the subject;
• processing is carried out in accordance with legislation on state social assistance, labor law, pension legislation, or insurance legislation.

Processing of special categories must be terminated immediately once the reasons for such processing cease to exist, unless otherwise provided by federal law.

Processing of data related to criminal convictions is carried out exclusively in cases and in the manner provided by federal law.


6. Biometric Personal Data

Biometric personal data used to identify a data subject may be processed only with the written consent of the subject.


7. Processing on Behalf of Another Person

The Company may process personal data on behalf of another person based on an agreement and with the consent of the data subject, unless otherwise provided by federal law. In such cases, the Company shall comply with all principles and requirements of Federal Law No. 152-FZ.


8. Cross-Border Transfer of Personal Data

Cross-border transfer may be carried out to states that are parties to the Council of Europe Convention, as well as to other foreign states that ensure adequate protection of the rights of personal data subjects.

Transfer to countries that do not ensure adequate protection may be carried out only if:

• the data subject has provided written consent;
• the transfer is necessary for the performance of a contract to which the data subject is a party.

Before initiating such transfer, the Company shall ensure that the foreign state provides adequate protection of personal data subjects’ rights.



Rights of the Personal Data Subject



1. Consent

The data subject independently decides to provide personal data and gives consent freely, of their own will and in their own interest. The Company bears the burden of proving that consent has been obtained or that other legal grounds for processing exist.


2. Rights of the Data Subject

The data subject has the right to:

• receive information from the Company regarding the processing of their personal data, unless restricted by law;
• require clarification, blocking, or destruction of inaccurate, outdated, unlawfully obtained, or unnecessary personal data;
• demand termination of processing for direct marketing purposes;
• challenge actions or omissions of the Company before the authorized supervisory authority or in court;
• seek protection of rights and legitimate interests, including compensation for damages and moral harm in court.

Decisions producing legal consequences for a data subject based solely on automated processing are prohibited, except where provided by federal law or with the written consent of the subject.



Personal Data Security


The Company implements legal, organizational, and technical measures necessary to comply with federal legislation on personal data protection.

Measures include:

• appointment of responsible persons;
• restriction of access to personal data;
• staff awareness of legal and internal requirements;
• accounting and secure storage of information carriers;
• threat identification and risk modeling;
• implementation and maintenance of protection systems;
• differentiation of user access rights;
• use of appropriate information security and cryptographic tools;
• restoration of data destroyed or altered due to unauthorized access;
• monitoring of security measures and protection levels;
• access control to Company premises and protection of facilities containing technical means of data processing.

Final Provisions


Other rights and obligations of the Company as a personal data operator are determined by the legislation of the Russian Federation.

Company officials responsible for violations of personal data processing and protection requirements shall bear disciplinary, administrative, civil, or criminal liability in accordance with applicable federal law.