DATA PROTECTION AND PERSONAL DATA PROCESSING POLICY
LLC "FORWARD-TRANS"
1. GENERAL PROVISIONS
1.1. This Policy on personal data processing (hereinafter - the Policy) is compiled in accordance with clause 2 of Article 18.1 of the Federal Law "On Personal Data" No. 152-FZ dated July 27, 2006, as well as other normative legal acts of the Russian Federation on the protection and processing of personal data. It applies to all personal data (hereinafter - Data) which the Organization (hereinafter - the Operator, the Company) may receive from a personal data subject who is a party to a civil law contract, as well as from a personal data subject who is an employee under labor relations with the Operator (hereinafter - Employee).
1.2. The Operator ensures protection of processed personal data from unauthorized access, disclosure, unlawful use, or loss in accordance with the requirements of the Federal Law No. 152-FZ.
1.3. Amendments to the Policy
1.3.1. The Operator has the right to amend this Policy. The date of the latest revision is indicated in the header. The new version comes into effect upon posting on the website unless otherwise specified.
2. TERMS AND DEFINITIONS
- Personal data (PD) – any information relating directly or indirectly to an identified or identifiable individual (data subject).
- Personal data processing – any action (operation) or set of actions performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data.
- Automated personal data processing – personal data processing carried out using computing equipment.
- Personal data information system (PDIS) – a set of databases containing personal data and the information technologies and technical means ensuring their processing.
- Public personal data – PD which the data subject has made publicly available or agreed to make accessible.
- Blocking personal data – temporary suspension of personal data processing (except when processing is necessary for clarifying personal data).
- Destruction of personal data – actions that make it impossible to restore the content of personal data in the information system and/or destroy physical media containing the data.
- Operator – an organization independently or jointly with others organizing personal data processing, determining the purposes and methods of personal data processing. The Operator is LLC "Forward-Trans", located at: 125284, Moscow, Begovaya Street, 3, building.
3. PERSONAL DATA PROCESSING
3.1. Collection of Personal Data
3.1.1. All personal data (PD) should be obtained directly from the data subject. If the PD can only be obtained from a third party, the data subject must be notified of this or their consent must be obtained.
3.1.2. The Operator must inform the data subject about the purposes, intended sources and methods of obtaining the PD, the nature of the PD to be obtained, the list of actions with the PD, the duration of the consent, the procedure for its withdrawal, as well as the consequences of the data subject’s refusal to give written consent for their collection.
3.1.3. Documents containing PD are created by:
– copying original documents (passport, education certificate, taxpayer identification number certificate, pension certificate, etc.);
– entering data into accounting forms;
– obtaining originals of necessary documents (employment record book, medical certificate, reference, etc.).
3.2. Processing of Personal Data
3.2.1. Personal data processing is carried out:
– with the consent of the data subject to process their personal data;
– in cases where processing is necessary for the implementation and fulfillment of functions, powers, and duties imposed by the legislation of the Russian Federation;
– in cases where the personal data being processed are publicly available or have been made accessible by the data subject or at their request (hereinafter – personal data made publicly available by the data subject).
3.2.2. Purposes of personal data processing:
– execution of labor relations;
– execution of civil law relations.
3.2.3. Categories of data subjects.
Personal data of the following categories of data subjects are processed:
– individuals employed by the Company;
– individuals who have been dismissed from the Company;
– individuals who are candidates for employment;
– individuals who have civil law relations with the Company.
3.2.4. Personal data processed by the Operator:
– data obtained in the course of labor relations;
– data obtained for recruitment of candidates;
– data obtained in the course of civil law relations.
3.2.5. Personal data processing is performed:
– using automation tools;
– without the use of automation tools.
3.3. Storage of Personal Data
3.3.1. Personal data may be collected, further processed, and stored both on paper media and electronically.
3.3.2. Personal data recorded on paper media are stored in locked cabinets or locked rooms with restricted access.
3.3.3. Personal data processed using automation tools for different purposes are stored in separate folders.
3.3.4. It is prohibited to store and place documents containing personal data in open electronic catalogs (file sharing services) in the personal data information system.
3.3.5. Personal data stored in a form that allows identification of the data subject are kept no longer than required by the purposes of their processing and must be destroyed upon achievement of processing goals or loss of necessity.
3.4. Destruction of Personal Data
3.4.1. Destruction of documents (media) containing personal data is carried out by burning, shredding, chemical decomposition, or transformation into a shapeless mass or powder. Paper documents can be destroyed by shredders.
3.4.2. Personal data on electronic media are destroyed by erasing or formatting the media.
3.4.3. The fact of destruction of personal data is confirmed by an official act of destruction of the media.
3.5. Transfer of Personal Data
3.5.1. The Operator transfers personal data to third parties in the following cases:
– the data subject has given consent to such actions;
– transfer is provided for by Russian or other applicable legislation according to the established procedure.
3.5.2. List of persons to whom personal data may be transferred:
Third parties to whom personal data are transferred:
– Pension Fund of the Russian Federation (on a legal basis);
– Tax authorities of the Russian Federation (on a legal basis);
– Social Insurance Fund of the Russian Federation (on a legal basis);
– Territorial Mandatory Health Insurance Fund (on a legal basis);
– Insurance medical organizations for mandatory and voluntary health insurance (on a legal basis);
– Banks for payroll purposes (based on contracts);
– Ministry of Internal Affairs of Russia in cases established by law.
4. PERSONAL DATA PROTECTION
4.1. In accordance with regulatory requirements, the Operator has established a Personal Data Protection System (PDPS), consisting of legal, organizational, and technical protection subsystems.
4.2. The legal protection subsystem is a set of legal, organizational, administrative, and normative documents that ensure the creation, operation, and improvement of the PDPS.
4.3. The organizational protection subsystem includes the organization of the management structure of the PDPS, the authorization system, and information protection when working with employees, partners, and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and hardware-software tools that ensure the protection of personal data.
4.5. The main personal data protection measures used by the Operator are:
4.5.1. Appointment of a person responsible for personal data processing, who organizes the processing, training, instruction, and internal control over compliance with personal data protection requirements by the institution and its employees.
4.5.2. Identification of current security threats to personal data during their processing in the personal data information system (PDIS) and development of measures to protect personal data.
4.5.3. Development of a personal data processing policy.
4.5.4. Establishment of access rules to personal data processed in the PDIS, as well as ensuring registration and accounting of all actions performed with personal data in the PDIS.
4.5.5. Setting individual access passwords for employees to the information system according to their job responsibilities.
4.5.6. Use of information protection tools that have passed the established conformity assessment procedure.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with conditions ensuring the safety of personal data and preventing unauthorized access.
4.5.9. Detection of unauthorized access to personal data and taking appropriate measures.
4.5.10. Restoration of personal data that have been modified or destroyed as a result of unauthorized access.
4.5.11. Training of the Operator’s employees who directly process personal data in the provisions of the Russian Federation legislation on personal data, including requirements for personal data protection, documents defining the Operator’s personal data processing policy, and internal acts concerning personal data processing.
4.5.12. Implementation of internal control and audits.
5. MAIN RIGHTS OF THE PERSONAL DATA SUBJECT AND OBLIGATIONS OF THE OPERATOR
5.1. Main rights of the personal data subject.
The data subject has the right to access their personal data and the following information:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds and purposes of personal data processing;
– purposes and methods of personal data processing used by the Operator;
– name and location of the Operator, information about persons (except employees of the Operator) who have access to personal data or to whom personal data may be disclosed based on an agreement with the Operator or pursuant to federal law;
– periods of personal data processing, including storage periods;
– procedure for exercising the rights of the personal data subject as provided by this Federal Law;
– name or full name and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such a person;
– addressing the Operator and submitting requests to the Operator;
– appealing against actions or inaction of the Operator.
5.2. Obligations of the Operator.
The Operator is obliged to:
– provide information about the processing of personal data when collecting personal data;
– notify the data subject if personal data were obtained from sources other than the data subject;
– explain to the data subject the consequences of refusal to provide personal data;
– publish or otherwise ensure unlimited access to the document defining its personal data processing policy and to information about implemented personal data protection requirements;
– take necessary legal, organizational, and technical measures or ensure their implementation to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data;
– respond to requests and appeals of personal data subjects, their representatives, and the authorized body for the protection of personal data subjects’ rights.