HADL — Documentation

English

Русский

English

Русский

Appearance

Personal Data Processing Policy

1. General provisions

1.1. This Personal Data Processing Policy (the “Policy”) is prepared in accordance with clause 2, part 1, article 18.1 of the Federal Law of the Russian Federation “On Personal Data” No. 152-FZ of July 27, 2006 (the “Law”) and defines the position of Ural Technok LLC (OGRN 1206600007536, INN/KPP 6678106502/663301001, address: 624865, Russia, Sverdlovsk Region, Kamyshlov, Severnaya St., 2, apt. 19) and its affiliates (the “Company”) regarding the processing and protection of personal data (the “Personal Data”), observance of the rights and freedoms of every individual, in particular the right to privacy and personal and family confidentiality.

2. Scope

2.1. This Policy applies to Personal Data obtained both before and after this Policy came into effect.

3. Definitions

Personal data — any information relating to a directly or indirectly identified or identifiable natural person (data subject).

Processing of Personal Data — any action (operation) or set of actions (operations) performed with or without the use of automation with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of Personal Data.

Dissemination of Personal Data — actions aimed at disclosure of personal data to an indefinite number of persons.

Blocking of Personal Data — temporary suspension of processing of personal data (except where processing is necessary for clarification of personal data);

Destruction of Personal Data — actions as a result of which it becomes impossible to restore the content of Personal Data in the personal data information system and/or which result in the destruction of material carriers of Personal Data.

Anonymization of Personal Data — actions as a result of which it becomes impossible to determine the belonging of personal data to a specific data subject without the use of additional information.

Security of Personal Data — the protection of Personal Data from unlawful and/or unauthorized access, destruction, modification, blocking, copying, provision, dissemination of Personal Data, as well as from other unlawful actions in relation to Personal Data.

Agreement with the User — any agreement(s) concluded with a natural person user of the Company’s Sites on the terms set out in the offers published on the Internet on one of the following sites: hadl.app or their subdomains, as well as all integral appendices thereto (including amendments agreed by the parties in electronic form or in the manner prescribed by the agreements with the User).

4. Legal grounds and purposes of processing of Personal Data

4.1. The processing and security of Personal Data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, by-laws, other federal laws of the Russian Federation defining the cases and specifics of processing of Personal Data, and guidance and methodological documents.

4.2. The data subjects whose Personal Data is processed by the Company are:

  • registered users of the sites: hadl.app, or their subdomains (the “Company Sites”);
  • employees of the Company, family members of employees of the Company, candidates for vacant positions in the Company;
  • individuals who have concluded civil law agreements with the Company;
  • representatives of legal entities that are counterparties of the Company.

4.3. The Company processes Personal Data of data subjects for the purposes of exercising the functions, powers and duties assigned to the Company by the legislation of the Russian Federation in accordance with federal laws, including but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law No. 27-FZ of April 1, 1996 “On individual (personified) accounting in the mandatory pension insurance system”, Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, Federal Law No. 53-FZ of March 28, 1998 “On military duty and military service”, Federal Law No. 31-FZ of February 26, 1997 “On mobilization preparation and mobilization in the Russian Federation”, Federal Law No. 14-FZ of February 8, 1998 “On limited liability companies”, Federal Law No. 2300-1 of February 7, 1992 “On consumer rights protection”, Federal Law No. 129-FZ of November 21, 1996 “On accounting”, Federal Law No. 326-FZ of November 29, 2010 “On mandatory health insurance in the Russian Federation”.

4.4 The Company processes Personal Data of registered users of the Company Sites for the purpose of performing the Agreements with Users in the manner set out in section 9 of this Policy.

4.5. The Company processes Personal Data of the Company’s employees, family members of employees, and job candidates for the purposes of assisting in employment, training and career advancement, sending employees on business trips, ensuring personal safety of employees, monitoring the quantity and quality of work performed and safeguarding property in accordance with the Labor Code of the Russian Federation (Article 86 of the Labor Code), performance of contractual obligations to counterparties (execution of powers of attorney, copies of documents containing personal data, and other documents necessary for interaction with banks), issuance of corporate bank cards.

The Company may process Personal Data of employees, family members of employees, and job candidates, including: last name, first name, patronymic, date of birth, place of birth, citizenship, address, photograph, contact phone number, INN, pension insurance certificate number, gender, voluntary health insurance policy number, education, profession, work experience, passport data, income information, bank details, bank (payment) card number, marital status and family composition, military registration data, employment data, transfer records, performance appraisal, training and professional development, awards, honorary titles, leave and social benefits.

The procedure for processing Personal Data of the Company’s employees is established by the Regulations on processing of personal data of the Company’s employees.

4.6. The Company processes Personal Data of individuals who are in contractual or other civil law relations with the Company solely for the purpose of performing the agreements concluded with them.

4.7. The Company processes Personal Data of representatives of legal entities that are counterparties of the Company for the purposes of conducting negotiations, concluding and performing agreements under which Personal Data of employees of such legal entity are provided for the purpose of performing the agreement in various areas of the Company’s business.

5. Principles and conditions of processing of Personal Data

5.1. When processing Personal Data, the Company adheres to the following principles:

  • processing of Personal Data is carried out on a lawful and fair basis;
  • Personal Data are not disclosed to third parties and are not disseminated without the consent of the data subject, except where disclosure of Personal Data is required by request of authorized state bodies or in legal proceedings;
  • specific lawful purposes are determined before the start of processing (including collection) of Personal Data;
  • only such Personal Data as are necessary and sufficient for the stated purpose of processing are collected;
  • merging of databases containing Personal Data processed for incompatible purposes is not permitted;
  • processing of Personal Data is limited to the achievement of specific, predetermined and lawful purposes;
  • processed Personal Data are to be destroyed or anonymized upon achievement of the processing purposes or when the need to achieve those purposes is lost, unless otherwise provided by federal law.

5.2. The Company may include data subjects’ Personal Data in publicly available sources of Personal Data, in which case the Company obtains the data subject’s written consent to the processing of their Personal Data, or consent expressed through a site form (checkbox) by which the data subject gives consent.

5.3. The Company does not process Personal Data relating to race, ethnic origin, political views, religious, philosophical or other beliefs, intimate life, membership in public associations, including trade unions.

5.4. Biometric Personal Data (information characterizing physiological and biological characteristics of a person that can be used to establish their identity and that are used by the operator to identify the data subject) are not processed by the Company.

5.5. The Company does not carry out cross-border transfer of Personal Data.

5.6. In cases established by the legislation of the Russian Federation, the Company may transfer Personal Data to third parties (the Federal Tax Service, the State Pension Fund and other state bodies) in cases provided for by the legislation of the Russian Federation.

5.7. The Company may entrust the processing of data subjects’ Personal Data to third parties with the consent of the data subject, on the basis of an agreement concluded with such persons, including when agreeing to the user agreement and personal data processing policy posted on the Company Sites.

5.8. Processing of Personal Data in the Company is carried out both with and without the use of automation. The set of processing operations includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), anonymization, blocking, deletion, destruction of Personal Data.

6. Rights and obligations of data subjects and of the Company in relation to processing of Personal Data

6.1. A data subject whose Personal Data are processed by the Company has the right to:

  • obtain from the Company:

    • confirmation of the fact of processing of Personal Data and information on the availability of Personal Data relating to the relevant data subject;
    • information on the legal grounds and purposes of processing of Personal Data;
    • information on the methods of processing of Personal Data used by the Company;
    • the name and location of the Company;
    • a list of processed Personal Data relating to the data subject and information on the source of their receipt, unless a different procedure for provision of such Personal Data is provided by federal law;
    • information on the periods of processing of Personal Data, including storage periods;
    • information on the procedure for exercise by the data subject of the rights provided by the Law;
    • other information provided by the Law or other regulatory legal acts of the Russian Federation;

  • require from the Company:

    • clarification of their Personal Data, their blocking or destruction if the Personal Data are incomplete, outdated, inaccurate, unlawfully obtained or are not necessary for the stated purpose of processing;
    • withdraw consent to the processing of Personal Data at any time; require the Company to remedy unlawful actions in relation to their Personal Data;
    • appeal the actions or inaction of the Company to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) or in court if the data subject believes that the Company processes their Personal Data in violation of the requirements of the Law or otherwise violates their rights and freedoms;
    • protection of their rights and legitimate interests.

6.2. In the course of processing Personal Data, the Company is obliged to:

  • provide the data subject with information relating to the processing of their Personal Data upon request, or provide a lawful refusal within thirty days of receipt of the request from the data subject or their representative;
  • explain to the data subject the legal consequences of refusal to provide Personal Data if provision of Personal Data is mandatory in accordance with federal law;
  • take the necessary legal, organizational and technical measures or ensure their adoption to protect Personal Data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of Personal Data, as well as from other unlawful actions in relation to Personal Data;
  • publish on the Internet and ensure unrestricted access via the Internet to the document defining the policy on the processing of personal data and to information on the requirements for the protection of Personal Data being implemented;
  • provide data subjects and/or their representatives with the opportunity to review Personal Data free of charge upon a corresponding request within 30 days of receipt of such request;
  • block unlawfully processed Personal Data relating to the data subject, or ensure their blocking (if processing is carried out by another person acting on behalf of the Company) from the time of application or receipt of the request for the verification period, if unlawful processing of Personal Data is identified upon application by the data subject or their representative or upon request of the data subject or their representative or the authorized body for the protection of the rights of data subjects;
  • clarify Personal Data or ensure their clarification (if processing is carried out by another person acting on behalf of the Company) within 7 business days of submission of the information and remove the blocking of Personal Data if the inaccuracy of the Personal Data is confirmed on the basis of information submitted by the data subject or their representative;
  • terminate unlawful processing of Personal Data or ensure its termination (if processing is carried out by another person acting on behalf of the Company) within no more than 3 business days of such identification if unlawful processing of Personal Data by the Company or a person acting under an agreement with the Company is identified;
  • terminate the processing of Personal Data or ensure its termination (if processing is carried out by another person under an agreement with the Company) and destroy the Personal Data or ensure their destruction (if processing is carried out by another person under an agreement with the Company) upon achievement of the purpose of processing of Personal Data, unless otherwise provided by an agreement to which the data subject is a party, beneficiary or guarantor, upon achievement of the purpose of processing of Personal Data;
  • terminate the processing of Personal Data or ensure its termination and destroy the Personal Data or ensure their destruction when the data subject withdraws consent to the processing of Personal Data, if the Company is not entitled to process Personal Data without the consent of the data subject.

7. Requirements for the protection of Personal Data

7.1. When processing Personal Data, the Company takes the necessary legal, organizational and technical measures to protect Personal Data from unlawful and/or unauthorized access, destruction, modification, blocking, copying, provision, dissemination of Personal Data, as well as from other unlawful actions in relation to Personal Data.

7.2. Such measures in accordance with the Law include in particular:

  • appointment of a person responsible for the organization of processing of Personal Data and a person responsible for ensuring the security of Personal Data;
  • development and approval of local acts on the processing and protection of Personal Data;
  • application of legal, organizational and technical measures to ensure the security of Personal Data:
    • identification of threats to the security of Personal Data during their processing in personal data information systems;
    • application of organizational and technical measures to ensure the security of Personal Data during their processing in personal data information systems necessary to meet the requirements for the protection of Personal Data, the fulfillment of which ensures the levels of protection of Personal Data established by the Government of the Russian Federation;
    • application of information security tools that have undergone the established conformity assessment procedure;
    • assessment of the effectiveness of measures taken to ensure the security of Personal Data before the commissioning of the personal data information system;
    • accounting of machine carriers of Personal Data if Personal Data are stored on machine carriers;
    • detection of facts of unauthorized access to Personal Data and taking measures to prevent such incidents in the future;
    • recovery of Personal Data modified or destroyed as a result of unauthorized access;
    • establishment of rules for access to Personal Data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with Personal Data in the personal data information system;
    • control over the measures taken to ensure the security of Personal Data and the level of protection of personal data information systems;
    • assessment of the harm that may be caused to data subjects in case of violation of the requirements of the Law, and the relationship between such harm and the measures taken by the Company aimed at ensuring the fulfillment of the obligations provided by the Law;
    • observance of conditions that exclude unauthorized access to material carriers of Personal Data and ensure the safety of Personal Data;
    • familiarization of the Company’s employees who directly process Personal Data with the provisions of the legislation of the Russian Federation on Personal Data, including the requirements for the protection of Personal Data, local acts on the processing and protection of Personal Data, and training of the Company’s employees.

8. Periods of processing (storage) of Personal Data

8.1. The periods of processing (storage) of Personal Data are determined based on the purposes of processing of Personal Data, in accordance with the term of the agreement with the data subject, the requirements of federal laws, the requirements of Personal Data operators on whose behalf the Company processes Personal Data, the main rules of operation of organization archives, and the limitation periods.

8.2. Personal Data whose processing (storage) period has expired shall be destroyed, unless otherwise provided by federal law. Storage of Personal Data after termination of their processing is permitted only after their anonymization.

9. Specifics of processing and protection of Personal Data collected by the Company via the Internet

9.1. The Company processes Personal Data received from natural person users of the Company Sites during the user registration procedure and stores them only in case of successful completion thereof for the purpose of concluding Agreements with the User.

9.2. This Policy takes effect for users from the moment the user accepts the terms of this Policy by completing the registration procedure by filling in the registration form posted on one of the following sites: hadl.app or their subdomains, which indicates acceptance of the terms of this Policy.

9.3. Pursuant to clause 5, part 1, article 6 of the Federal Law of the Russian Federation “On Personal Data”, the processing of users’ Personal Data is carried out on the basis of the concluded Agreement with the User.

9.4. User Personal Data are stored in electronic form.

9.5. The preparation and storage of documents and information, including in electronic form, containing user Personal Data, including agreements with the User and documents (in paper and/or electronic form) provided by the user containing user Personal Data, is permitted.

9.6. Upon expiration or termination of the Agreement with the User, the user’s Personal Data are blocked in accordance with the requirements of the legislation of the Russian Federation.

9.7. In accordance with the requirements of the legislation of the Russian Federation, destruction of user Personal Data is carried out upon the expiry of 10 years from the date of expiration or termination of the Agreement with the user. Destruction of User Personal Data before the expiry of this period may be carried out on the basis of a written application by the User.

9.8. User Personal Data are used for the performance of the Agreement with the User, in connection with the conclusion of which the user’s Personal Data were obtained.

9.9. In case of change of information constituting the user’s Personal Data, the user is obliged to provide the updated information as soon as possible.

9.10. User Personal Data are subject to protection from their unlawful use or loss.

9.11. Protection of User Personal Data is ensured by:

preventing unauthorized access to processed user Personal Data;

  • preventing unauthorized modification, distortion, dissemination, blocking, destruction of processed user Personal Data;
  • ensuring confidentiality of processed User Personal Data.

9.12. Automatically collected information

The Company may collect and process information that is not personal data:

  • IP address
  • information on user interests on the Company Sites based on search queries entered by users of the Company Sites about goods sold and offered for sale by the Company for the purpose of providing relevant information to the Company’s clients when using the Company Sites, as well as summarizing and analyzing information on which sections of the Company Sites and which goods are most in demand among the Company’s clients;
  • processing and storage of search queries of users of the Company Sites for the purpose of summarizing and creating client statistics on the use of sections of the Company Sites.

The Company automatically receives certain types of information obtained in the process of user interaction with the Company Sites, e-mail correspondence, etc. This concerns technologies and services such as web protocols, cookies, web beacons, as well as applications and tools of the indicated third party.

10. Use of Personal Data

10.1. The Company may use the provided Personal Data in accordance with the stated purposes of their collection with the consent of the data subject, if such consent is required in accordance with the requirements of the legislation of the Russian Federation in the field of Personal Data.

10.2. The Personal Data obtained in summarized and anonymized form may be used for a better understanding of the needs of users of the services provided by the Company and improvement of the quality of service, and for marketing purposes.

11. Transfer of Personal Data

11.1. The Company may entrust the processing of Personal Data to third parties only with the consent of the data subject.

11.2. Personal Data may also be transferred to third parties in the following cases:

  • In response to lawful requests from authorized state bodies, in accordance with laws, court decisions, etc.
  • Personal Data may not be transferred to third parties for marketing, commercial or similar purposes, except where the data subject has given prior consent.

12. Final provisions

12.1. This Policy is published on the Internet on one of the following sites: hadl.app or their subdomains.

12.2. Amendments to this Policy are made by posting the amended text of this Policy on the Internet on one of the following sites: hadl.app or their subdomains.