BDO Unicon AO Policy on personal data processing
1. GENERAL TERMS AND CONDITIONS
1.1. The policy of BDO Unicon AO on personal data processing (“the Policy”) defines the main objectives and legal grounds for personal data processing, lists of subjects and personal data processed by BDO Unicon AO (“the Company”), the procedure, conditions, methods and principles of personal data processing, the rights of personal data subjects, obligations of BDO Unicon AO while processing personal data, as well as the requirements for personal data protection followed in the Company.
1.2. The Policy has been developed based on the requirements of legislative and other regulations of the Russian Federation in the field of personal data.
1.3. The provisions of the Policy serve as a basis for the development of local regulations governing personal data processing at BDO Unicon AO.
1.4. This Policy uses the following terms and definitions:
Automated personal data processing – processing of personal data (“PD”) by means of computers.
Personal data blocking – temporary termination of personal data processing (except when processing is necessary to clarify personal data).
Personal data information system (“PDIS”) – a set of PD contained in databases, together with the information technologies and technical means ensuring their processing.
Personal data confidentiality – the requirement to prevent PD distribution without the PD subject’s consent or other legal grounds, mandatory for the operator or any other person gaining access to PD.
Non-automated personal data processing – processing of PD contained in the PDIS or extracted from such a system is considered to be carried out without the use of automated aids (manually) if such actions with PD as the use, clarification, distribution and destruction of PD in respect of each PD subject are carried out with the direct participation of an individual.
Personal data depersonalisation – actions that make it impossible, without the use of additional information, to determine which specific PD subject the PD belong to.
Personal data processing – any action (operation) or set of actions (operations) performed with PD, using automation facilities or without using such facilities, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, removal, deletion, destruction of PD.
Operator (of personal data) – BDO Unicon AO, OGRN 1037739271701, TIN 7716021332, registered office: Suite 50, Office 1, 3rd floor, Section 11, Block 1, Bldg. 125, Warshavskoye Shosse, Moscow, 117587.
Personal data – any information that directly or indirectly relates to an identified or identifiable individual (personal data subject).
Personal data provision – any operation intended to disclose PD to a certain party or a group of parties.
Personal data distribution – actions aimed at disclosing PD to an undefined group of persons.
Cross-border transfer of personal data – PD transfer to the territory of a foreign state, to an authority of a foreign state, to a foreign individual or to a foreign legal entity.
Personal data destruction – actions that make it impossible to recover the PD content in the PD information system and (or) as a result of which the PD media are destroyed.
The Policy is determined in accordance with the following statutory legal regulations and documents of the authorised state power agencies:
- Labour Code of the Russian Federation;
- Federal Law No. 149-FZ “On Information, Information Technology and Information Protection” of 27 July 2006;
- Federal Law No. 152-FZ “On Personal Data” of 27 July 2006;
- Resolution of the Government of the Russian Federation No. 687 “On Approval of the Regulations on the Peculiarities of Personal Data Processing not Assisted by Automated Facilities” of 15 September 2008;
- Resolution of the Government of the Russian Federation No. 1119 “On Approval of Requirements for Personal Data Protection during their Processing in Personal Data Information Systems” of 1 November 2012;
- Order of FSTEC of the Russian Federation No. 21 “On Approval of Structure and Content of Organisational and Technical Measures for Personal Data Safety during their Processing in Personal Data Information Systems” of 18 February 2013;
- Recommendations of the Federal Service for Supervision of Communications, Information Technology and Mass Communications on preparation of a document defining the operator's policy regarding personal data processing in accordance with the procedure established by Federal Law No. 152-FZ “On Personal Data” of 27 July 2006;
- Other statutory legal regulations of the Russian Federation and regulatory documents of authorised state power bodies.
2. PURPOSE OF PROCESSING PERSONAL DATA
2.1. BDO Unicon AO carries out the processing of personal data for the following purposes:
- consideration of candidates’ resumes and selection of personnel for vacant positions for further employment with the Company;
- polling a candidate in respect of whom a positive decision on employment with the Company was taken and verification of the accuracy of the information specified in the questionnaire;
- organisation of internships for university students, polling of university students;
- maintaining a database of candidates for vacant positions;
- verification of authorised persons’ powers to sign the contract;
- checking the reliability of a counterparty;
- concluding a confidentiality agreement;
- provision of services by the Company under the contract;
- project management;
- ensuring compliance with laws and other legal regulations;
- assistance in employment, training and promotion, ensuring personal security, monitoring the quantity and quality of work performed, ensuring the safekeeping of property;
- preparation of reference materials for the internal information support of the activities of BDO Unicon AO and its branches;
- posting data in information materials on the Company's official website;
- preparation of commercial proposals, participation in tenders, coordination and negotiation, signing, execution and termination of contracts with counterparties;
- issuance of an electronic signature;
- provision of access control and internal security regimes at BDO Unicon AO;
- implementation of functions, powers and duties assigned to BDO Unicon AO by the legislation of the Russian Federation;
- gathering of information through feedback forms, collection of statistical information, administration of the Company's website;
- assessing the quality of work performed.
3. LEGAL BASIS OF PERSONAL DATA PROCESSING
3.1. Legal grounds for PD processing are:
- federal laws and legal regulations adopted on the basis thereof, which govern relations connected with the Company’s activities;
- Charter of BDO Unicon AO;
- contracts concluded between the Company and a personal data subject;
- contracts concluded between the Company and legal entities in the interests of PD subjects;
- consent to personal data processing (in cases stipulated by the legislation of the Russian Federation).
4. LIST OF SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY BDO UNICON AO
4.1. BDO Unicon AO processes personal data of the following categories of subjects:
- candidates for vacant positions;
- employees of BDO Unicon AO;
- representatives of counterparties (legal entities);
- counterparties (individuals);
- persons making requests to BDO Unicon AO;
- visitors to the Company's website;
- shareholders of BDO Unicon AO, persons exercising the rights in respect of ordinary shares of BDO Unicon AO;
- representatives of potential counterparties of the Company.
5. LIST OF PERSONAL DATA PROCESSED BY BDO UNICON AO
5.1. The list of personal data processed by BDO Unicon AO is determined in accordance with the legislation of the Russian Federation and local regulations of BDO Unicon AO, taking into account the personal data processing purposes specified in Section 2 of this Policy.
5.2. For each category of personal data subjects at the Company, an exhaustive list of PD processed by BDO Unicon AO is determined and approved by the Company's General Director.
5.3. The following personal data of PD subjects are processed by BDO Unicon AO: full name, date of birth, data of an identity document, TIN, SNILS (individual insurance account number), photo, citizenship, place of employment, position, grade, information on income, contact information (phone number, e-mail address, actual residence address), information about education, place of education, faculty, speciality, year and month of graduation, degree of proficiency in foreign languages, information contained in CV, employment history, biographical information, family and immediate family information, military status, SRO membership information, SRO certificate number, information on issued share ownership, issuer relation, information contained in a power of attorney, bank details (settlement account, BIC), electronic signature, information contained in the request, IP address, cookies.
5.4. Special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, and intimate life are not processed by BDO Unicon AO.
6. PROCEDURE AND TERMS OF PERSONAL DATA PROCESSING
6.1. The processing of personal data by BDO Unicon AO is carried out with the PD subjects’ consent to the processing of their personal data, unless otherwise provided by the Russian legislation in the field of personal data.
6.2. The Company collects, records, organises, accumulates, stores, adjusts (updates, alters), extracts, uses, transfers (distributes, provides, grants access to), depersonalises, blocks, deletes and destroys personal data.
6.3. The processing of personal data is carried out both with and without the use of automated aids.
6.4. BDO Unicon AO does not disclose to third parties and does not distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.
6.5. The Company has the right to entrust personal data processing to another person with the consent of the personal data subject, unless otherwise established by federal law, on the basis of a contract signed with that person. The contract should contain a list of actions (operations) in respect of personal data, which will be performed by the person that processes personal data, the processing purposes, the obligation of such a person to maintain the confidentiality of personal data and ensure security of personal data during their processing, as well as the requirements for the protection of the processed personal data in accordance with Article 19 of Federal Law No. 152-FZ “On Personal Data” of 27 July 2006.
6.6. For the purpose of internal information support, BDO Unicon AO may create internal reference materials which, with the written consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation, may include the subject’s full name, place of work, position, subscriber number, e-mail address, photo and other personal data provided by the PD subject.
6.7. Access to PD is restricted in accordance with federal laws and local regulations of the Company.
6.8. PD can be processed by:
- the Company employees occupying positions included in the List of subdivisions and officials admitted to personal data processing at BDO Unicon AO;
- third parties engaged in PD processing on behalf of the Company.
6.9. The Company’s employees, who have obtained access to personal data, undertake obligations to ensure the confidentiality and safety of the processed personal data, which are determined by the employment agreement, job descriptions and local regulations of the Company for the processing of personal data.
6.10. PD processing by third parties can only be carried out on the basis of a relevant agreement with the Company in compliance with the requirements of clause 6.5. of this Policy.
6.11. Access of representatives of government bodies to personal data is regulated by the current legislation of the Russian Federation.
6.12. Personal data of the Company's employees may be provided to third parties only with the written consent of the employees, except for cases stipulated by the current legislation of the Russian Federation.
6.13. Cross-border transfer of personal data is allowed:
6.13.1. To the territory of a foreign state being a party to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as of a state included by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications in the List of foreign states not being parties to the said Convention and ensuring adequate protection of the rights of personal data subjects.
6.13.2. To the territory of a foreign state that does not provide an adequate level of protection in the following cases:
- if there is a written consent of the PD subject to the cross-border transfer of his (her) personal data;
- in cases stipulated by international treaties of the Russian Federation;
- in cases provided for by federal laws, if it is necessary in order to protect the foundations of the constitutional system of the Russian Federation, to ensure the defence of the country and the security of the state, as well as to ensure the safety of the sustainable and safe operation of the transport system, to protect the interests of individuals, society and the state in the field of the transport system from acts of unlawful interference;
- for the execution of the contract to which the subject of personal data is a party;
- to protect the life, health, other vital interests of the personal data subject or other persons when it is impossible to obtain written consent of the PD subject.
6.13.3. In the absence of grounds provided for by clauses 6.13.1, 6.13.2 of this Policy, the cross-border transfer of PD is prohibited.
6.13.4. The person authorised by BDO Unicon AO to process PD is obliged to ensure compliance with the conditions specified in clauses 6.13.1, 6.13.2 of this Policy.
7. TIMING OF PERSONAL DATA PROCESSING, INCLUDING STORAGE
7.1. The processing time, including storage, of personal data of the Company’s employees and other personal data subjects in hard copy and in other tangible form, as well as in personal data information systems, is determined by the Company in accordance with the legislation of the Russian Federation.
7.2. If the processing time of personal data is not established by federal law, they are processed and stored no longer than required by the purpose of personal data processing, including storage.
7.3. The Company stops processing PD if:
- the goal of PD processing, including storage, has been achieved, or there is no longer any necessity to achieve the goal, unless otherwise provided by the contract to which the personal data subject is a party, beneficiary or guarantor;
- the term of the consent of the subject has expired or the subject has withdrawn the consent to the PD processing and the Company has no other grounds provided by the legislation of the Russian Federation for the PD processing;
- unlawful processing of personal data has been detected;
- the activities of the Company have been discontinued.
8. PRINCIPLES OF PD PROCESSING
8.1. The processing of personal data by BDO Unicon AO is carried out taking into account the need to protect the rights and freedoms of employees of BDO Unicon AO and other personal data subjects, including protection of the right to privacy, personal and family secrets, based on the following principles:
- the processing of personal data is carried out in a lawful and fair manner;
- the processing of personal data is limited to the achievement of the specific, predetermined and legitimate goals;
- personal data processing that is incompatible with the purposes of collecting personal data is not allowed;
- it is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other;
- only personal data meeting the purposes of processing shall be processed;
- the content and scope of processed personal data meets the stated processing objectives. The redundancy of the processed personal data is not allowed in relation to the stated purposes of processing;
- personal data processing ensures the accuracy of personal data, their sufficiency, and, if necessary, relevance with respect to the purposes of personal data processing. BDO Unicon AO takes necessary measures or ensures their adoption to remove or clarify incomplete or inaccurate personal data;
- personal data are stored in a form that allows determining the PD subject not longer than required by purposes of personal data processing, if the period for storing personal data is not established by federal law or a contract to which the personal data subject is a party or beneficiary;
- the processed personal data are destroyed upon the achievement of the processing goals or in the case there is no further need to achieve those goals, unless otherwise provided by federal law.
9. OBSERVANCE OF THE RIGHTS OF PERSONAL DATA SUBJECTS
9.1. A personal data subject whose PD are processed by the Company is entitled to receive information concerning the processing of his/her PD, including:
- confirmation of the processing of his/her personal data by the Company;
- the legal basis and purposes of PD processing;
- PD processing methods applied by the Company;
- name and location of the Company, information about persons (except for employees of the Company) who have access to personal data or who can disclose personal data on the basis of an agreement with the Company or on the basis of federal law;
- the processed personal data relating to the respective PD subject, the source of their receipt, unless a different procedure for providing such data is stipulated by federal law;
- the personal data processing time, including storage time;
- the procedure for the implementation by a PD subject of the rights provided for by Federal Law No. 152-FZ “On Personal Data” of 27 July 2006;
- information on the completed or intended cross-border data transfer;
- full name and address of the person processing personal data on behalf of the Company, if processing is assigned or will be assigned to such person;
- other information stipulated by Federal Law No. 152-FZ “On Personal Data” of 27 July 2006 or other federal laws.
9.2. A personal data subject has the right to require the Company to clarify his/her PD, block or destroy them if the PD are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing, as well as take measures provided by law to protect their rights.
9.3. In the case of receiving the request of the PD subject, the Company shall:
- provide the PD subject with the opportunity to familiarise himself/herself with the full information about his/her PD processed by the Company;
- make alterations to the PD of the subject where there is information confirming that the PD processed are incomplete, outdated, unreliable;
- stop processing PD and destroy the subject’s PD upon his/her written application in cases where the PD are illegally obtained or not necessary for the stated processing purpose, and also if the subject revokes consent to the processing of his/her PD, if the Company does not have legal grounds for continuing PD processing;
- notify the PD subject of the results of the actions requested by the subject in the manner and within the timeframe stipulated by the legislation of the Russian Federation.
9.4. To respond to requests from a PD subject, the Company may ask for additional information confirming the participation of the PD subject in relations with the Company (contract number, date of conclusion, other information), or information otherwise confirming that the Company has processed the subject’s PD.
9.5. The procedure for processing requests of PD subjects at the Company is determined by the relevant regulations.
10. COMPANY RESPONSIBILITIES IN PROCESSING PERSONAL DATA
10.1. When processing PD, the Company is obliged to:
10.1.1. Take measures necessary and sufficient to ensure that the Company fulfils the obligations stipulated by Federal Law No. 152-FZ “On Personal Data” of 27 July 2006 and statutory legal regulations adopted in accordance therewith, in particular:
- appoint a person responsible for organising personal data processing at BDO Unicon AO;
- publish documents defining the Company’s policy in relation to personal data processing, local regulations on personal data processing, as well as local regulations establishing procedures aimed at preventing and detecting violations of the Russian legislation, eliminating the consequences of such violations;
- apply legal, organisational and technical measures to ensure the safety of personal data;
- carry out internal control and (or) audit of the compliance of personal data processing with Federal Law No. 152-FZ “On Personal Data” of 27 July 2006 and statutory legal regulations adopted in accordance therewith, the requirements for the protection of personal data, this Policy and local regulations of the Company;
- assess the damage that may be caused to personal data subjects in case of violation of Federal Law No. 152-FZ “On Personal Data” of 27 July 2006, the ratio of the said damage and the measures taken by the operator to ensure the fulfilment of duties provided for by the legislation of the Russian Federation;
- familiarise employees of the Company and its branches directly involved in personal data processing with the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, this Policy, local regulations on personal data processing, and (or) train these employees.
10.1.2. Obtain the consent of personal data subjects to the processing of their personal data, except as required by the legislation of the Russian Federation.
10.1.3. Ensure separation of personal data processed without the use of automation equipment from other information, in particular, by fixing them in PD media in special sections.
10.1.4. Provide separate storage of personal data and their material media, which are processed for different purposes and which contain different categories of personal data.
10.1.5. Prohibit the transfer of personal data through open communication channels, computer networks outside the controlled area, to the Internet without applying measures established by BDO Unicon AO to ensure the security of personal data (except for public and (or) depersonalised data).
10.1.6. Store PD media in compliance with conditions that ensure the security of personal data and prevent unauthorised access thereto.
10.1.7. On an ongoing basis, exercise internal control over the compliance of personal data processing with Federal Law No. 152-FZ “On Personal Data” of 27 July 2006 and statutory legal regulations adopted in accordance therewith, requirements for the protection of personal data, this Policy, local regulations of BDO Unicon AO.
10.1.8. When collecting personal data, including through the Internet information and telecommunications network, ensure the recording, systematisation, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation.
10.1.9. Take other measures stipulated by the legislation of the Russian Federation in the field of personal data.
10.2. Measures to ensure the security of personal data when they are processed in the personal data information systems are established in accordance with the Company's local regulations on ensuring the security of personal data when they are processed in the personal data information systems.
11. PERSONAL DATA PROCESSING USING THE COMPANY'S WEBSITE
11.1. The Company can process PD of the Company's website visitors in order to collect information through feedback forms, collection of statistical information and administration of the website.
12. PROTECTION OF PERSONAL DATA
12.1. The Company ensures the security of personal data in the manner established by the current legislation of the Russian Federation in the field of personal data.
12.2. PD security is ensured through the adoption of legal, organisational and technical measures to protect PD from unlawful or accidental access thereto, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions in relation to PD.
13. INTERNAL CONTROL
13.1. In order to verify the compliance of personal data processing in structural units of BDO Unicon AO and its branches with the legislation of the Russian Federation and local regulations of BDO Unicon AO in the field of personal data, including requirements for the protection of personal data, as well as measures taken to prevent and detect violations of the legislation of the Russian Federation in the field of personal data, to identify possible channels of leakage and unauthorised access to personal data, to eliminate consequences of such violations, the Company carries out internal control of the compliance of the PD processing and protection processes with the requirements of laws and regulations of the Russian Federation in accordance with the internal control annual plan.
13.2. The internal control over compliance of the structural units of BDO Unicon AO and its branches with the legislation of the Russian Federation and local regulations of BDO Unicon AO in the field of personal data, including requirements for personal data protection, is carried out by a person responsible for organising personal data processing at BDO Unicon AO.
14. LIABILITY FOR VIOLATION OF REGULATIONS GOVERNING THE PROCESSING AND PROTECTION OF PERSONAL DATA OF THE PD SUBJECTS
14.1. Persons guilty of violating the provisions of the laws of the Russian Federation and local regulations of the Company in the field of PD are subject to disciplinary, administrative, civil and criminal liability in accordance with the laws of the Russian Federation.
14.2. Personal responsibility for compliance with the requirements of the legislation of the Russian Federation and local regulations of BDO Unicon AO in the field of personal data in structural units of BDO Unicon AO and its branches, as well as for ensuring the confidentiality and security of personal data in the said units of BDO Unicon AO is assigned to their management.
14.3. The moral damage caused to the PD subject due to the violation of his/her rights, violation of the PD processing rules established by the laws of the Russian Federation and local regulations of the Company in the field of PD and the requirements for PD protection shall be compensated in accordance with the laws of the Russian Federation. Moral damage is indemnified regardless of the compensation of property damage and personal losses incurred by the subject.
15. FINAL PROVISIONS
15.1. This Policy is publicly available. Unlimited access to this Policy is provided by its publication on the official website of the Company: www.bdo.ru.
15.2. Persons whose personal data are processed by the Company can obtain explanations on the processing of their personal data by sending a corresponding written request to the mailing address: 14th floor, PREO-8 Business Centre, 8 Preobrazhenskaya Square, Moscow, or e-mail address: email@example.com