POLICY
FOR THE PROTECTION AND PROCESSING OF USER PERSONAL DATA
ON THE WEBSITE OF LIMITED LIABILITY COMPANY «NWC CARBON RUS»
Order of General Director
of «NWC CARBON RUS» Ltd.
No. ЭК-13 dated September 10, 2020
1. General Provisions
1.1. This Policy regarding the personal data processing (hereinafter referred to as the Policy) has been drawn up in accordance with Federal Law of 27 July 2006 No. 152-FZ On Personal Data (hereinafter referred to as the Law on Personal Data), Article 18.1, Paragraph 2, and in accordance with other regulatory acts in the field of protection and processing of personal data. The Policy covers all personal data (hereinafter, the Data) that the Entity (hereinafter, the Operator, the Company) may receive from a personal data subject, i.e. a user of the Company’s official website located at http://www.carbon-nwc.ru/, in the Internet information and telecommunications network, while using the Website.
The Policy is both an internal regulatory document of «NWC CARBON RUS» Ltd. and its public document which establishes general provisions in the field of legality of processing and ensuring the security of processed personal data.
1.2. The Operator shall protect the processed personal data from unauthorized access and disclosure, misuse, or loss in accordance with the requirements of the Law on Personal Data.
1.3. In pursuance of the requirements set forth in the Law on Personal Data, Article 18.1, Part 2, the Policy is published in free access on the Operator's website on the Internet information and telecommunications network.
1.4. Use of the Website constitutes the User's voluntary consent, given of the User's own will and in the User's own interest, to this Policy and to the conditions of processing of User personal information specified herein; in case of disagreement with these conditions, the User should not use the Website.
1.5. Modifications of the Policy
1.5.1. The Operator shall be entitled to modify the Policy without any prior consent of the User. When modifications are made, the Policy heading shall indicate the date of its latest update. The new version of the Policy shall become effective on the date of its publication on the Website, unless otherwise provided by the new version of the Policy.
2. Terms and Abbreviations
Personal Data (PD) shall mean any information relating to a directly or indirectly identified or identifiable individual (Personal Data Subject).
Website shall mean a set of software, visual and informational content the access to which is provided via a domain name through the Internet.
User shall mean an individual who has access to the Website via the Internet and who uses the Website.
Cookies shall mean a small chunk of data stored on the User's PC or mobile device in order to save the settings for viewing the Website pages.
IP address shall mean a unique identifier (address) of a device (PC or mobile device) connected to a local network or the Internet.
Personal Data Operator (the Operator) shall mean «NWC CARBON RUS» Ltd., TIN 7811197223, PSRN 1157847160976, registered at: 271 Obukhovskoy oborony pr., bldg. A, office 1004, Saint Petersburg, 192012, that processes personal data and identifies the purposes of personal data processing, composition of personal data to be processed and actions (operations) performed in respect of personal data.
Processing of Personal Data shall mean any single action (operation) or a set of actions (operations) performed with personal data in either an automated or non-automated mode, including collection, recording, systematization, accumulation, storage, clarification (update, change), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion and destruction of personal data.
Automated Processing of Personal Data shall mean computer-assisted processing of personal data.
Personal Data Protection shall mean a set of technical, organizational and combined measures aimed at protecting information related to an identified or identifiable personal data subject on the basis of such information.
Dissemination of Personal Data shall mean actions aimed at disclosing personal data to an indefinite number of persons.
Provision of Personal Data shall mean actions aimed at disclosing personal data to a certain person or a certain number of persons.
Personal Data Blocking shall mean temporary suspension of personal data processing (except for where processing is required to clarify personal data).
Destruction of Personal Data shall mean actions resulting in the impossibility to restore the contents of personal data in the Personal Data Information System and/or in the destruction of hard copies of personal data.
Personal Data Anonymization shall mean actions resulting in the impossibility to attribute personal data to a specific personal data subject without additional information.
Personal Data Information System (PDIS) shall mean an aggregation of personal data contained in the personal data databases and the IT technologies and technical means ensuring personal data processing.
Cross-Border Transfer of Personal Data shall mean transfer of personal data to a foreign jurisdiction to an authority therein, to a foreign individual or to a foreign legal entity.
3. Personal Data Processing Principles
3.1. The Processing of personal data shall have a legal and fair basis.
3.2. The processing of personal data shall be limited to the achievement of specific, predetermined and legitimate purposes.
3.3. No processing of personal data incompatible with the purposes of collecting personal data shall be allowed.
3.4. Combining databases containing personal data that may be processed for purposes incompatible between them shall be forbidden.
3.5. When processing personal data, the accuracy of personal data, their sufficiency and, if required, relevance in relation to the purposes of processing personal data must be ensured. Incomplete or inaccurate data shall be deleted or revised.
3.6. Personal data shall be kept in a form allowing identification of a Personal Data Subject for no longer than allowed in accordance with personal data processing purposes, unless the storage period for personal data is established by a federal law or an agreement to which a Personal Data Subject is a party, beneficiary or guarantor.
3.7. When the processing purposes are achieved, or when they are no longer required to be achieved, or when a personal data subject or authorized judicial and executive bodies send a valid request, personal data shall be destroyed or anonymized, unless otherwise provided by a federal law.
4. Procedure and Conditions for Processing and Storing of Personal Data
4.1. Personal data shall be processed by the Operator in accordance with the requirements of the Russian legislation.
4.2. Personal data shall be processed with consent of personal data subjects regarding the processing of their personal data, or without such consent in cases provided for by the Russian legislation.
4.3. The Operator shall process personal data in both automated and non-automated modes.
4.4. The Operator's employees shall be allowed to process personal data if their job descriptions include such an activity.
4.5. The processing of personal data shall be carried out as follows:
- obtaining data orally and in writing directly with consent of a personal data subject for such personal data processing;
- obtaining personal data from publicly available sources;
- entering personal data into the logs, registers and information systems of the Operator;
- using other methods of processing personal data.
4.6. No personal data shall be disclosed to third parties and disseminated without consent of a personal data subject (unless otherwise provided by a federal law).
4.7. The Operator shall take all necessary legal, organizational and technical measures to protect personal data from misuse or accidental access, destruction, modification, blocking, dissemination and other unauthorized actions. The measures include the following:
- determining threats to the security of personal data during data processing;
- adopting local regulations and other documents regulating relations in the field of processing and protection of personal data;
- appointing persons responsible for ensuring the security of personal data in Operator’s business units and information systems;
- creating the required conditions for working with personal data;
- arranging the accounting of documents containing personal data;
- arranging work with information systems where personal data is processed;
- storing personal data in conditions under which its safety is ensured and unlawful access to it is excluded;
- arranging training for the Operator's employees who are involved in processing personal data.
4.8. The Operator shall keep personal data in a form allowing identification of a personal data subject for no longer than allowed in accordance with personal data processing purposes, unless the storage period for the personal data is established by a federal law or an agreement.
4.9. Purposes of Personal Data Processing: The Operator shall process and collect personal data for the following purposes: processing of requests and applications sent by the User; establishing feedback channel with the User, including sending notifications or inquiries regarding processing of requests and applications; confirming the accuracy and completeness of Personal Data entered; notifying the User about the status of a User’s application or request; sending out information about updating the product line and services, special offers, prices, information regarding the use of the Website; implementing an advertising campaign.
4.10. Processing of personal data using cookies:
4.10.3. Cookies, which the Website transmits to the User's computer or mobile device, are used to provide the User with personalized functions of the Website, for personalized advertising that is shown to the User, for statistical and research purposes, as well as to improve the Website's performance.
4.10.4. The User understands that the equipment and software which he/she uses to visit the Website may prohibit any operation with cookies or delete previously received cookies.
4.10.5. The Operator shall be entitled to set a requirement for Users to allow acceptance and receipt of cookies to use certain functions of the Website.
4.10.6. The Operator shall determine the structure of a cookie file, its content and technical parameters and may modify it without any prior notice sent to the User.
4.10.7. You can also refuse to accept all cookies by disabling them in your browser. For more information about cookies and other tracking technologies, including instructions on how to block them, see, for example, http://help.yandex.ru/common/?id=1111120
4.11. Categories of Personal Data Subjects
PD of the following PD subjects are processed: visitors to the Website located at http://www.carbon-nwc.ru/, on the Internet information and telecommunications network, during their visit to the Website, if the subjects have agreed to PD processing.
4.12. The Operator shall process the following PD:
Personal Data provided by the User to the Operator, the processing of which has been allowed by the User hereunder, namely: User's name, User's contact phone number, User's e-mail address as well as other data entered in the Message text field of the feedback form related to the personal data of the User.
4.13. PD Storage.
4.13.1. PD of subjects can be obtained, undergo further processing and be transferred to storage as a soft/hard copy.
4.13.2. PD of subjects processed using automation tools for different purposes shall be stored in different folders as a soft/hard copy.
4.13.3. No documents containing PD shall be stored or published in open electronic catalogs (file sharing tools).
4.13.4. PD in a form allowing identification of a PD subject shall be stored for no longer than allowed in accordance with personal data processing purposes; PD shall be destroyed when the processing purposes are achieved, or when they are no longer required to be achieved.
4.14. PD Destruction.
4.14.1. Soft copies of PD shall be destroyed by erasing or formatting the corresponding media. No shredder shall be used to destroy hard copies of PD.
4.14.2. The actual destruction of PD shall be confirmed with a destruction certificate regarding such copies.
5. Personal Data Protection
5.1. In accordance with the regulatory requirements, the Operator created a personal data protection system (PDPS), which consists of legal, organizational and technical protection subsystems.
5.2. The legal protection subsystem is a complex of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the PDPS.
5.3. The organizational protection subsystem includes the arrangement of the PDPS management structure, the authorization system and information protection when working with employees, partners and third parties.
5.4. The technical protection subsystem includes a set of technical and software/hardware tools that ensure PD protection.
5.5. The Operator shall apply the following main PD protection measures:
5.5.1. Appointing a person responsible for PD processing in order to arrange PD processing, training and instructing sessions, internal control over the compliance of the company and its employees with the requirements for PD protection.
5.5.2. Identifying actual threats to PD security during data processing within the PDIS and developing measures and actions to protect PD.
5.5.3. Developing the personal data processing policy.
5.5.4. Establishing rules for accessing PD processed within the PDIS as well as ensuring the registration and accounting of all actions performed with PD within the PDIS.
5.5.5. Setting individual passwords for employees' access to the information system depending on their business responsibilities.
5.5.6. Applying information protection means that have passed the conformity assessment procedure in the established manner.
5.5.7. Applying certified antivirus software with regularly updated databases.
5.5.8. Compliance with the conditions that ensure the safety of PD and exclude any unauthorized access to them.
5.5.9. Detecting facts of unauthorized access to personal data and taking measures.
5.5.10. Restoring PD modified or destroyed as a result of an unauthorized access.
5.5.11. Arranging training for the Operator's employees who are directly involved in the processing of personal data on the provisions of the Russian legislation on personal data, including the requirements on personal data protection, documents defining the Operator's policy regarding personal data processing and local acts on personal data processing.
5.5.12. Internal control and audit.
5.6. At the same time, the Operator shall protect data that is automatically transmitted by the User while viewing the information blocks of the Website, when visiting the pages of the Website, namely: IP address; information from cookies; information about the browser or other software used to display and demonstrate advertising information; access time; address of a page where the information block is located; address of a previous page (referrer).
6. PD Subject’s Basic Rights and Operator’s Obligations
6.1. PD Subject’s Basic Rights.
The subject shall be entitled to access its personal data and the following information:
- confirmation that PD is actually processed by the Operator;
- legal grounds and purposes of PD processing;
- the purposes and methods of PD processing used by the Operator;
- Operator’s name and location, information about persons (except for Operator’s employees) who may access PD or to whom PD may be disclosed on the basis of an agreement with the Operator or on the basis of a federal law;
- terms of personal data processing, including terms of their storage;
- the procedure for a PD subject to exercise its rights provided for by this Federal Law;
- name or surname, first name, patronymic and address of a person who processes PD on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;
- contacting the Operator and sending requests to the Operator;
- appeal against the actions or inaction of the Operator.
6.2. Operator’s Obligations.
The Operator shall:
- while collecting PD, provide information on PD processing;
- in case PD has been received not from the PD subject, notify the subject of that fact;
- in case of refusal to provide PD, explain the consequences of such a refusal to the subject;
- publish or otherwise provide unrestricted access to the document defining its policy in relation to PD processing as well as to information about the implemented requirements for PD protection;
- take all necessary legal, organizational and technical measures or ensure their implementation in order to protect PD from unlawful or accidental access thereto, destruction, change, blocking, copying, displaying and dissemination of PD and from other unlawful actions regarding PD;
- give answers to requests and inquiries of PD subjects, their representatives and an authorized body in charge of PD subjects' rights protection.
7. Liability of the Operator
7.1. In case of failure to fulfill its obligations regulated by this Policy, the Operator shall be liable for harm caused to the User in connection with the unlawful use of Personal Data in accordance with the current Russian legislation.
7.2. The Operator shall not be liable for the loss or disclosure of Personal Data if this information: became public domain before its loss or disclosure; had been received from a third party before it was received by the Operator; was disclosed with User’s consent.
8. Dispute Resolution
8.1. Prior to filing a lawsuit before the court regarding a dispute arising from disagreements between the Parties, the User shall submit a written claim to the Operator.
8.2. Within thirty (30) calendar days from the date when the claim was received, the Operator shall notify the User in writing of the results of its consideration.
8.3. If no agreement is reached on the disputed issue, the dispute shall be considered by the court in accordance with the current Russian legislation.
8.4. The current Russian legislation shall be applied to all provisions hereof.
9. Final Provisions
9.1. This Policy and all modifications hereto shall be approved by the General Director of «NWC CARBON RUS» Ltd. and shall come into force from the date of their publication on the website http://www.carbon-nwc.ru/
9.2. From the moment this version of the Policy comes into force, its previous version shall be considered invalid.
9.3. The current version of the Policy shall be stored at the location of Company’s executive body.