PERSONAL DATA PROCESSING AND PRIVACY POLICY
1. INTRODUCTORY PROVISIONS
1.1. INTRODUCTION
The Personal Data Processing and Privacy Policy of AVA GROUP LLC (hereinafter – the Operator) has been developed in accordance with Federal Law No. 152-FZ of July 27, 2006 «On Personal Data».
1.2. PURPOSES
The purpose of this Policy is to ensure the protection of the rights and freedoms of personal data subjects during the processing of their personal data by AVA GROUP LLC (hereinafter – the Operator).
1.3. OBJECTIVES
The objectives of this Policy include:
- protecting the rights of data subjects and ensuring that personal data processing is conducted in accordance with lawful and ethical standards;
- defining clear legal grounds for personal data processing (e.g., consent, performance of a contract, legitimate interests, etc.);
- ensuring the process of obtaining and documenting data subjects' consent for the processing of their personal information where required;
- informing data subjects about which data is collected, for what purposes, how and by whom it is processed, and what rights they have regarding their data;
- establishing measures to protect personal data from unauthorized access, loss, disclosure, or destruction, including technical and organizational security measures;
- processing only the data necessary to achieve specific purposes and avoiding redundant information;
- defining retention periods for personal data and conditions for their deletion or anonymization upon expiration of these periods;
- creating mechanisms to enable data subjects to exercise their rights to access, correct, delete, transfer, or restrict the processing of their data;
- establishing clear procedures and roles for managing access to personal data within the Operator, so that only authorized personnel have access to such information;
- implementing regular training and awareness programs for employees regarding personal data processing and compliance with established standards and practices;
- conducting regular risk assessments related to personal data processing and developing measures to minimize such risks;
- creating and maintaining documentation demonstrating compliance with this Policy, including reports on assessments and incidents;
- establishing a process for collecting feedback and reviewing policies and procedures to ensure their continuous improvement and adaptation to changes in legislation and best practices.
1.4. SCOPE
This Policy applies to all employees of the Operator who process personal data or have access to it, as well as to all relations associated with the processing of personal data carried out by the Operator:
- using automated means, including information and telecommunication networks, or without such means, provided that non-automated processing corresponds to the nature of operations performed with personal data using automated means, i.e., it allows the search of personal data recorded on a physical medium and contained in card files or other structured collections of personal data, and/or access to such personal data in accordance with a defined algorithm;
- without using automated means.
Employees of the Operator must be familiarized with this Policy through the «1C: Document Management» system (hereinafter – 1C: DM).
Violation of applicable legislation as a result of non-compliance with this Policy by employees of the Operator entails liability in accordance with the laws of the Russian Federation.
1.5. TERM AND PROCEDURE FOR AMENDMENTS
This Policy is a permanent internal regulatory document.
The Policy is approved, amended, revoked, and enters into force by order of the General Director (CEO) of the Operator.
The Information Security Department of the Operator's Security Division is responsible for maintaining the Policy up to date.
The Policy is reviewed in the event of amendments to applicable Russian Federation legislation regarding personal data processing, or due to changes in the structure, operations, or scope of the Operator's activities. Any structural unit of the Operator may initiate amendments to the Policy.
If, as a result of amendments to applicable legislation, certain provisions of the Policy are inconsistent with the newly enacted requirements, such provisions shall cease to have effect.
2. TERMS AND DEFINITIONS
AUTOMATED PERSONAL DATA PROCESSING – processing of personal data using computing equipment.
BLOCKING OF PERSONAL DATA – temporary suspension of personal data processing (except where processing is necessary to clarify personal data).
DEPERSONALIZATION OF PERSONAL DATA – the process of deleting or masking personal data on a physical medium, making it impossible to further restore or process such data. This is a form of personal data processing used to ensure confidentiality and protect information.
PERSONAL DATA INFORMATION SYSTEM – a set of personal data contained in databases, together with information technologies and technical means ensuring their processing.
CONFIDENTIALITY OF INFORMATION – an obligation of a person who has gained access to certain information not to disclose it to third parties without the consent of the information owner.
OPERATOR – a state body, municipal authority, legal entity, or individual who independently or jointly with other persons organizes and/or carries out the processing of personal data, and determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data.
PERSONAL DATA PROCESSING – any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, updating, modification, extraction, use, transfer (distribution, provision, access), blocking, deletion, and destruction of personal data.
PERSONAL DATA – any information relating to an identified or identifiable individual (personal data subject).
PERSONAL DATA PERMITTED BY THE DATA SUBJECT FOR DISSEMINATION – personal data that the data subject has consented to be disseminated in accordance with Federal Law No. 152-FZ of July 27, 2006 «On Personal Data».
PROVISION OF PERSONAL DATA – actions aimed at disclosing personal data to a specific person or a specific group of persons.
DISSEMINATION OF PERSONAL DATA – actions aimed at disclosing personal data to an unspecified group of persons.
PERSONAL DATA SUBJECT – an individual who is identified or can be identified, directly or indirectly, using personal data.
DESTRUCTION OF PERSONAL DATA – actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of physical carriers of personal data.
CROSS-BORDER TRANSFER OF PERSONAL DATA – transfer of personal data to the territory of a foreign state, to a foreign government authority, foreign individual, or foreign legal entity.
THREATS TO PERSONAL DATA SECURITY – a set of conditions and factors creating a risk of unauthorized, including accidental, access to personal data, which may result in destruction, modification, blocking, copying, provision, dissemination of personal data, or other unlawful actions during their processing in a personal data information system.
LEVEL OF PERSONAL DATA PROTECTION – a comprehensive indicator characterizing the requirements, compliance with which ensures neutralization of specific threats to the security of personal data during processing in personal data information systems.
WEBSITE – the Operator's website available at the domain name https://avagroup.ru.
COOKIES – small text files sent by the website's web server and stored on the visitor's device.
3. GENERAL PROVISIONS
3.1. PURPOSES OF PERSONAL DATA PROCESSING
The Operator processes personal data for the following purposes:
- compliance with the labor legislation of the Russian Federation; maintenance of accounting, human resources, and military records; execution of contractual relations in accordance with the legislation of the Russian Federation (performance of civil-law relations); calculation of salaries and other payments;
- provision of benefits; implementation of social payments and other types of social assistance and guarantees; provision of compensations, allowances, additional days off, and leave;
- fulfillment of contractual obligations;
- providing website visitors with information about the organization and the services offered;
- recruitment of personnel (candidates) for vacant positions within the Operator;
- handling citizen inquiries and preparing responses to such inquiries.
3.2. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
The legal grounds for personal data processing by the Operator include:
- The Charter of the Operator, approved by the minutes of November 8, 2024, No. 1;
- Federal Law No. 152-FZ of July 27, 2006 «On Personal Data».
In cases not explicitly provided for by the legislation of the Russian Federation, but falling within the Operator's authority, personal data processing is carried out based on the data subject's consent to the processing of their personal data.
Personal data processing shall cease upon the liquidation of the Operator or the termination of its activities due to reorganization.
3.3. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS
Information regarding the categories of data subjects whose personal data is processed by the Operator, the categories and list of personal data processed, as well as the methods, retention periods, and storage conditions, is provided in the Appendix to this Policy.
4. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING
4.1. PRINCIPLES OF PERSONAL DATA PROCESSING
Personal data processing by the Operator is carried out in accordance with the following principles:
- personal data shall be processed on a lawful and fair basis;
- personal data processing shall be limited to achieving specific, pre-defined, and lawful purposes; processing of personal data incompatible with the purposes for which it was collected is not permitted;
- databases containing personal data processed for purposes that are mutually incompatible shall not be combined;
- only personal data relevant to the purposes of processing shall be processed;
- the content and scope of processed personal data shall correspond to the stated purposes of processing; processed personal data shall not be excessive in relation to the stated purposes;
- accuracy, sufficiency, and, where necessary, relevance of personal data in relation to the purposes of processing shall be ensured; the Operator shall take, or ensure the taking of, necessary measures to update or correct incomplete or inaccurate personal data;
- personal data shall be stored in a form that allows identification of the data subject for no longer than is required to achieve the purposes of processing; if the retention period for personal data is not established by federal law, contract (of which the data subject is a party, beneficiary, or guarantor), or other legal basis, processed personal data shall be destroyed upon achieving the purposes of processing or if there is no longer a need to achieve such purposes, unless otherwise provided by federal law.
4.2. CONDITIONS FOR PERSONAL DATA PROCESSING
Processing of special categories of personal data. The Operator does not process special categories of personal data, including data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or sexual life.
Processing of biometric personal data. The Operator does not process biometric personal data.
Processing of other categories of personal data. Processing of other categories of personal data by the Operator is carried out under the following conditions:
- personal data processing is conducted with the consent of the data subject to the processing of their personal data;
- personal data processing is necessary to achieve the purposes provided by an international treaty of the Russian Federation or by law, and for the exercise and fulfillment of functions, powers, and obligations assigned to the Operator under the legislation of the Russian Federation;
- personal data processing is carried out with the consent of the data subject for the processing of personal data permitted by the data subject for dissemination.
4.3. PERSONAL DATA PROCESSING WITHOUT THE USE OF AUTOMATION TOOLS
General Provisions. Personal data contained in a personal data information system or extracted from such a system shall be considered processed without the use of automation tools (non-automated processing) if actions such as use, clarification, dissemination, or destruction of personal data in respect of each data subject are carried out with the direct involvement of a human being.
4.4. PROCESSING OF METRICS DATA
The Operator's website uses the following web analytics tools: Yandex.Metrica, Smartis, Comagic. Web analytics tools are used for analyzing the usage of the Operator's websites and improving their performance.
Cookie processing is carried out in aggregated form and is never linked to Users' personal data.
The website https://avagroup.ru displays a notice informing users about the processing of metrics data.
By visiting https://avagroup.ru, the user provides consent to the Operator for the processing of the specified data using metrics services for the purposes of analyzing usage, measuring, and improving the performance of the Company's website. Consent is effective from the moment it is given and throughout the period of the User's interaction with the website.
Across the Operator's various web projects (during website visits), the following anonymized statistical data about visitors is automatically collected (from cookies):
- IP address;
- information about the user's device and browser;
- information about interaction with the website and the Operator's services (referral source, viewed pages, interaction with website elements and pages, session parameters, time of visits, etc.);
- cookies.
Website visitors can manage cookies independently by changing their browser settings. Changes to user settings that result in cookies being blocked may lead to the unavailability of certain website components.
If a user refuses cookie processing, they must stop using the Operator's website or disable cookies in the browser settings; in this case, some website functions may become unavailable.
5. UPDATING, CORRECTING, DELETING, AND DESTROYING PERSONAL DATA; RESPONDING TO DATA SUBJECT REQUESTS; RIGHTS OF PERSONAL DATA SUBJECTS; OBLIGATIONS OF THE OPERATOR
5.1. RIGHTS OF PERSONAL DATA SUBJECTS
A personal data subject has the right to obtain information (hereinafter – information requested by the data subject) regarding the processing of their personal data, including the following:
- confirmation of the fact that the Operator processes their personal data;
- legal grounds and purposes of personal data processing;
- purposes and methods of personal data processing applied by the Operator;
- name and location of the Operator, and information about persons (except employees of the Operator) who have access to personal data or to whom personal data may be disclosed under a contract with the Operator or pursuant to federal law;
- personal data processed concerning the respective data subject, the source of such data, unless otherwise provided by federal law;
- personal data processing periods, including retention periods;
- procedure for exercising the rights of the personal data subject as established by Federal Law No. 152-FZ of July 27, 2006 «On Personal Data»;
- information regarding any completed or intended cross-border transfer of personal data;
- name, surname, patronymic (if applicable), and address of the person processing personal data on behalf of the Operator, if processing has been or will be entrusted to such person;
- information on the methods by which the Operator fulfills the obligations set forth in Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 «On Personal Data»;
- other information provided for by Federal Law No. 152-FZ of July 27, 2006 «On Personal Data» or other federal laws.
A personal data subject has the right to request that the Operator update their personal data, block it, or destroy it if such personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, and to take measures provided by law to protect their rights.
Information requested by the data subject must be provided by the Operator in an accessible form and must not contain personal data relating to other data subjects, except where there are legal grounds for disclosing such personal data.
The requested information shall be provided to the personal data subject or their representative by the Operator within ten (10) business days from the date of receipt of the request. This period may be extended, but by no more than five (5) business days, in the event that the Operator sends the data subject a reasoned notice specifying the reasons for extending the provision period.
6. OBLIGATIONS OF THE OPERATOR
Obligations of the Operator when collecting personal data. When collecting personal data, the Operator provides the personal data subject, upon their request, with the information regarding the processing of their personal data in accordance with Part 7 of Article 14 of Federal Law No. 152-FZ of July 27, 2006 «On Personal Data».
If provision of personal data and/or obtaining the Operator's consent for personal data processing is mandatory under federal law, the Operator explains to the personal data subject the legal consequences of refusing to provide their personal data and/or give consent for its processing.
If personal data is obtained from a source other than the data subject, the Operator shall, prior to the commencement of such processing, provide the data subject with the following information:
- name, or surname, first name, patronymic (if applicable), and address of the Operator or the Operator's representative;
- purpose of personal data processing and its legal grounds;
- list of personal data;
- intended recipients of the personal data;
- rights of the personal data subject established by Federal Law No. 152-FZ of July 27, 2006 «On Personal Data»;
- source of the personal data.
7. AREAS OF RESPONSIBILITY
Persons responsible for organizing personal data processing. The Operator appoints a person responsible for organizing personal data processing.
The person responsible for organizing personal data processing reports directly to the executive body of the organization acting as the Operator and is accountable to it.
The Operator provides the person responsible for organizing personal data processing with all necessary information.
The person responsible for organizing personal data processing, in particular, performs the following functions:
- exercises internal control over compliance by the Operator and its employees with the legislation of the Russian Federation on personal data, including requirements for personal data protection;
- informs employees of the Operator about the provisions of the Russian Federation legislation on personal data, internal regulations regarding personal data processing, and personal data protection requirements;
- organizes the receipt and processing of requests and inquiries from data subjects or their representatives and/or monitors the receipt and processing of such requests and inquiries.
Liability. Persons who violate the requirements of Federal Law No. 152-FZ of July 27, 2006 «On Personal Data» shall bear liability as provided for by the legislation of the Russian Federation.
Moral harm caused to a data subject as a result of violation of their rights, violation of personal data processing rules established by Federal Law No. 152-FZ of July 27, 2006 «On Personal Data», and personal data protection requirements established under Federal Law No. 152-FZ shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral harm is provided independently of compensation for material damage and losses incurred by the data subject.
8. KEY OUTCOMES
Upon achieving the purposes of personal data processing, the following outcomes are expected:
- ensuring the protection of the rights and freedoms of personal data subjects during processing of their personal data by the Operator;
- improving the overall level of information security of the Operator;
- minimizing the Operator's legal risks.
9. APPENDIX TO THE POLICY
INFORMATION ON PERSONAL DATA PROCESSED BY THE COMPANY
List of Processed Personal Data | Methods of Personal Data Processing | Period of Personal Data Processing | Retention Period of Personal Data |
---|---|---|---|
Purpose of Personal Data Processing: compliance with the labor legislation of the Russian Federation; maintenance of accounting, human resources, and military records; execution of contractual relations in accordance with the legislation of the Russian Federation (performance of civil-law relations); calculation of salaries and other payments. | | | |
Employees and former employees: Other categories of personal data: - last name, first name, patronymic; - year, month, date, and place of birth; - gender; - marital status; - income; - email address; - residential address; - registration address; - phone number; - SNILS (Individual Insurance Account Number); - INN (Taxpayer Identification Number); - citizenship; - identity document details; - driver's license details; - identity document details issued outside the Russian Federation; - details from the birth certificate; - bank card details; - current account number; - personal account number; - occupation; - job position; - information about education; - information about employment (including length of service, data on current employment with the name and account number of the employing organization); - military service status, information on military registration; - photo and video image of the individual. | Mixed (automated and non-automated) | For the duration of the employment contract | In accordance with regulatory legal acts governing the procedure for storing personal data |
Purpose of Personal Data Processing: provision of benefits; administration of social payments and other types of social assistance and guarantees; provision of compensations, allowances, additional days off, and leave | | | |
Close relatives of employees: Other categories of personal data: - last name, first name, patronymic of spouse; - last name, first name, patronymic of children; - year of birth of spouse; - year of birth of children; - month of birth of spouse; - month of birth of children; - date of birth of spouse; - date of birth of children; - place of work of spouse and children; - place of study of spouse and children; - details from children's birth certificates; - details from the marriage certificate. | Mixed (automated and non-automated) | For the duration of the employment contract with the employee and/or until the purposes of processing are achieved | In accordance with regulatory legal acts governing the procedure for storing personal data |
Purpose of Personal Data Processing: fulfillment of contractual obligations | | | |
Counterparties; Individuals with Civil-Law Contracts: Other categories of personal data: - last name, first name, patronymic; - year, month, and date of birth; - email address; - residential address; - registration address; - phone number; - INN (Taxpayer Identification Number); - citizenship; - identity document details; - driver's license details; - identity document details issued outside the Russian Federation; - bank card details; - current account number; - personal account number; - occupation; - job position; - photo and video image of the individual. | Mixed (automated and non-automated) | For the duration of the contract with the counterparty and/or until the purposes of processing are achieved | In accordance with regulatory legal acts governing the procedure for storing personal data |
Purpose of Personal Data Processing: providing website visitors with information about the organization and the services offered | | | |
Website visitors; counterparties: Other categories of personal data: - last name, first name, patronymic; - phone number; - email address | Automated | Until the purposes of processing are achieved | In accordance with regulatory legal acts governing the procedure for storing personal data |
Purpose of Personal Data Processing: recruitment of personnel (candidates) for vacant positions within the Operator. | | | |
Job Applicants: Other Categories of Personal Data: - last name, first name, patronymic; - year, month, date, and place of birth; - gender; - marital status; - email address; - residential address; - registration address; - phone number; - citizenship; - identity document details; - driver's license details; - birth certificate details; - occupation; - job position; - education information; - employment history (including work experience and current employment with employer name and account number); - military service status and records; - photo and video image of the individual | Mixed (automated and non-automated) | Until the purposes of processing are achieved | In accordance with regulatory legal acts governing the procedure for storing personal data |
Purpose of Personal Data Processing: handling citizen inquiries and preparing responses to such inquiries. | | | |
Counterparties; website visitors; individuals with civil-law contracts: Other categories of personal data: - last name, first name, patronymic; - phone number; - email address; - residential address; - registration address | Mixed (automated and non-automated) | Until the purposes of processing are achieved | In accordance with regulatory legal acts governing the procedure for storing personal data |