1. TERMS AND DEFINITIONS
1.1. Personal data operator – Limited Liability Company “Mosgo & Partners" Law Firm, OGRN [Primary State Registration Number] 5137746234720, INN [Individual Taxpayer Number] 7714924339, registered at 16/12 M.Dmitrovka, Moscow, 127006, Russia (the "Company").
1.2. Personal data – any information related to an identified or identifiable individual (personal data subject).
1.3. Personal data processing – any action (operation) or a series of actions (operations) carried out with or without the use of means of automation with personal data including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, destruction of personal data.
1.4. Automated personal data processing – personal data processing with the use of computer equipment.
1.5. Dissemination of personal data – actions aimed at disclosing personal data to an indefinite group of persons (transfer of personal data) or at making an unlimited group of persons familiar with personal data, including publication of personal data in mass media, information and telecommunications networks, or otherwise granting access to personal data.
1.6. Provision of personal data – actions aimed at disclosing personal data to a certain person or group of persons.
1.7. Blocking of personal data – temporary cessation of personal data processing (except where processing is necessary to specify personal data).
1.8. Destruction of personal data – actions resulting in the impossibility to restore the contents of personal data in the personal data information system and (or) in the destruction of personal data storage media.
1.9. Depersonalization of personal data – actions resulting in the impossibility to determine, without additional information, whether personal data belongs to a specific personal data subject.
1.10. Personal data information system – the entirety of personal data contained in databases and the information technologies and technical means ensuring their processing.
1.11. Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign state, a foreign individual or a foreign legal entity.
1.12. Special categories of personal data – personal data related to race, ethnical identity, political opinions, religious or philosophical convictions, state of health, or intimate life.
1.13. Biometric personal data – data, which characterize the physiological and biological features of a person allowing to identify that person.
1.14. Employees – the Company’s employees with access to personal data and / or directly involved in the processing of personal data on the basis of an order of the General Director of the Company.
2. GENERAL PROVISIONS
2.1. This Personal Data Processing Policy of (hereinafter – the "Policy") defines the procedure for the processing of personal data and measures to ensure the security of personal data in the Limited Liability Company “Mosgo & Partners" Law Firm, OGRN [Primary State Registration Number] 5137746234720, INN [Individual Taxpayer Number] 7714924339, registered at: 119180, Moscow, Bolshaya Yakimanka St., 1, office 524 (the "Company").
2.2. This Policy was developed in accordance with the Constitution of the Russian Federation, Federal Law No. 152-FZ dated 27 July 2006 "On Personal Data" (hereinafter – "FZ-152") and other applicable laws on personal data collected with the use of the Company’s Internet sites. The Policy for the processing of personal data of employees is regulated by a separate internal document.
2.3. The Company is a Personal data operator processing personal data using automation tools. The Policy applies to all personal data of subjects processed by the Company with the use of automation tools. Collection of personal data is carried out using the Internet site of the Company. The scope of the personal data is specified in clause 3.1 hereof.
2.4. This Policy is mandatory for the Company and the Company’s Employees. The Policy is a local normative act of the Company that determines the responsibilities of the Employees with respect to personal data processing.
2.5. This Policy is open for the public and is published on the www.mosgolaw.com Internet site at http://mosgolaw.com/en/politic/.
2.6. The objectives of this Policy are as follows:
- protection of human and civil rights and freedoms during the processing of personal data, including protection of the rights to inviolability of private life, personal and family privacy;
- ensuring the protection of personal data from unauthorized access, loss, unauthorized use or dissemination;
- ensuring compliance with the legislation of the Russian Federation of the actions of Employees placed in charge of the processing of personal data.
3. PERSONAL DATA COMPOSITION AND SUBJECTS
3.1. The Company processes the following personal data: surname, name, patronymic, address, place of birth, date of birth, marital status, education, profession, financial situation, social status, income, email address, telephone number. The Company does not process special categories of personal data and biometric personal data.
3.2. Personal data subjects are persons in contractual relations with the Company, persons using the services of the Company, as well as users of various services and members of various projects on the Company’s Internet site, including persons submitting requests through the feedback form at www.mosgolaw.com, and the representatives of all of the above persons. A personal data subject may not provide the personal data of other persons.
4. PROCESSING OF PERSONAL DATA
4.1. PURPOSES OF PROCESSING
4.1.1. Personal data are processed for the purpose of providing services, including (but not limited to) legal advice, accounting services and other consulting services, distribution of marketing materials, including (but not limited to) in the form of newsletters on changes in the legislation and other similar letters (including by e-mail, telephone or other means of communication), for statistical purposes, in order to gather client opinions of the Company, to compile (including where done by third parties) rankings of law firms and lawyers (and in particular, as a Right.ru 300, Chambers & Partners, The Legal 500) and for other related purposes.
4.1.2. Employees are not entitled to process personal data unrelated to the processing purposes.
4.1.3. The scope of personal data processed must correspond to the processing purposes. Processing of excessive personal data is not allowed.
4.2. CONDITIONS OF PERSONAL DATA PROCESSING
4.2.1. The Company may process personal data only where at least one of the following conditions is met:
- personal data shall be processed with the consent of the personal data subject to the processing of his/her personal data;
- processing of personal data is necessary to achieve the purposes stipulated by the law, to exercise and perform the functions, powers and duties vested in the Company by the law;
- processing of personal data is necessary to perform a contract, where the subject of personal data is a party or a beneficiary, as well as to execute a contract on the initiative or for the benefit of the personal data subject;
- processing of personal data is necessary to implement the rights and legitimate interests of the Company or third parties or to achieve important public purposes, provided that doing so does not violate the rights and freedoms of the data subject;
- processing of personal data is carried out for statistical or other research purposes, subject to mandatory depersonalization of the data (except where processed to promote services in the market).
4.2.2. The Company shall ensure the recording, systematization, accumulation, storage, clarification (updating, changing), extraction of personal data of Russian citizens using databases in the territory of the Russian Federation.
4.3. THE TERM OF PROCESSING OF PERSONAL DATA
4.3.1. Personal data shall be processed until the Company is liquidated / reorganized or until the personal data subject revokes his/her consent to the processing.
4.3.2. The processing of personal data shall also be terminated upon reaching the purposes of processing; if it is impossible to reach the purposes of processing; and in case of impossibility of elimination of violations of personal data processing.
4.3.3. Personal data shall be destroyed or depersonalized upon the termination of processing.
4.4. ACCESS TO PERSONAL DATA
4.4.1. The Company shall determine which Employees will have access to personal data and will be directly involved in the processing of personal data. The feasibility of granting access to personal data shall be determined on the basis of the Company’s local acts and based on whether granting the required access rights is reasonable.
4.4.2. Employees shall process personal data only in their workplaces.
4.4.3. Employees are required to respect the confidentiality of personal data and the rules for their processing.
4.4.4. The Company and the Employees must not disclose to third parties or disseminate personal data without the consent of the personal data subject, unless as otherwise provided by the federal law.
4.5. PERSONAL DATA TRANSFER
4.5.1. The Company may entrust the processing of personal data to another person, including the Company’s partners and postal services, with the consent of the personal data subject, unless as otherwise provided by the federal law. The person or entity processing personal data on behalf of the Company shall be obliged to observe the principles and rules of processing of personal data, stipulated by FZ-152 and other applicable normative legal acts.
4.5.2. Any transfer of data occurs when using the appropriate actual state of the art encryption via HTTPS protocols.
4.5.3. It is prohibited to transfer personal data to a third party without the consent of the personal data subject, except where necessary to prevent threats to life and health, and in cases stipulated in the legislation of the Russian Federation.
4.5.4. Cross-border transfer of personal data in the territory of foreign states that ensure an adequate level of protection of personal data, including in the territory of the states parties to the Convention of the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, is allowed. Cross-border transfer of personal data in the territory of other states may be carried out by the Company only with the consent of the personal data subject to the specific cross-border transfer of personal data.
4.5.5. The Employees shall provide personal data to the relatives, family members and representatives of the subject of personal data only with the consent of the personal data subject, except where disclosure of personal data without the consent of the personal data subject is permitted by the effective legislation.
4.5.6. Documents containing personal data may, upon a personal request of the personal data subject, be sent by mail or e-mail. The letter (e-mail) shall contain a mark on the confidentiality of the information contained therein and the responsibility for its illegal disclosure. It is possible to use other secure means of communication.
4.5.7. The persons receiving personal data must be warned that such data may be used only for the purposes for which they are communicated.
4.5.8. All instances of transfer of personal data to third parties should be recorded in the Company’s documents.
4.6. TECHNOLOGIES AND SERVICES OF AUTOMATIC DATA COLLECTION
4.6.1. The Company may use computer equipment and services for automated collection and processing of information when the personal data subject visits the Company’s Internet site: web protocols, cookies, web grades, plugins and so on, as well as similar applications and tools of third parties.
4.6.2. Information on the Company’s use of technologies and services for the automated collection and processing of information shall be communicated to the personal data subject by posting the relevant information on the website, including by way of publication of this Policy. Likewise, personal data subjects shall be informed of their right to deny the use of such technologies and services, the way to exercise this right and the consequences of exercising the same.
5. RIGHTS OF A PERSONAL DATA SUBJECT
5.1. A personal data subject shall make the decision on the provision of his/her personal data and shall grant his/her consent to their processing freely, of his/her own volition and in his/her interest. Consent can be granted by placing a corresponding mark (ticking) in a special box at www.mosgolaw.com when filling out the feedback form for contacting the Company.
5.2. A personal data subject may at any time withdraw the consent to the processing of his/her personal data. Withdrawal of consent indicating the name, surname and patronymic should be sent to the following email address: email@example.com. In this case, the Company shall, within ten days of receipt of the withdrawal, stop processing the personal data of the relevant personal data subject, informing the personal data subject of the fact by sending a notification to the e-mail address provided during the registration on the Company’s website.
5.3. A personal data subject is entitled to receive information regarding the processing of his/her personal data. The personal data subject is entitled to demand that the Company clarify his/her personal data, block or destroy them where the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the declared purpose of processing, as well as take legal measures to protect his/her rights. The respective request indicating the surname, name and patronymic of the personal data subject should be sent to the following email address: firstname.lastname@example.org. The Company must respond to the request within 10 days from the date of its receipt.
5.4. The processing of personal data for the purpose of promotion of services in the market through direct contacts with potential consumers using communication means is permitted only with the prior consent of the personal data subject. The Company shall immediately cease the processing of personal data for the above purposes upon the request of the personal data subject.
5.5. The Company may not make decisions solely on the basis of automated processing of personal data that would entail legal consequences with respect to the personal data subject or otherwise affect his/her rights and legitimate interests, except in cases stipulated in the law or with the written consent of the personal data subject.
5.6. A personal data subject is entitled to protect his/her rights and legitimate interests, including to the indemnification and (or) compensation of moral harm in court.
6. DUTIES OF EMPLOYEES
6.1. Employees must:
- know and comply with the requirements of this Policy;
- carry out the processing of personal data for the purposes defined in this Policy;
- process only the personal data to which they were granted access;
- keep confidential all personal data they became aware of;
- inform their immediate supervisor of the facts of violation of the procedure for the processing of personal data and unauthorized access thereto;
- warn the persons receiving personal data that such data can be used only for the purposes for which they are communicated;
- fulfill the requirements for the protection of personal data.
7. PERSONAL DATA SECURITY
7.1. The security of personal data shall be ensured by the implementation of legal, organizational, technical and software measures necessary and sufficient to meet the requirements of the federal legislation in the field of personal data protection.
7.2. In order to create unfavorable conditions and obstacles for perpetrators attempting to access personal data without authorization in the Company, the Company shall implement, among others, the following organizational and technical measures:
- appointment of an employee responsible for organizing the processing and protection of personal data;
- limitation of the number of employees with access to personal data;
- making the employees familiar, against their signature, with the requirements of the legislation and the Company’s internal documents on the processing and protection of personal data;
- ensuring that data storage media are kept and treated in a way that precludes their theft, spoofing, unauthorized copying and destruction;
- password protection of access to the personal data information system;
- application of control tools for the access to communication ports, input-output, machine removable media, and external storage media;
- implementation of anti-virus control, prevention of exposure of the corporate network to malware and software bugs;
- back-up copying of information;
- ensuring the recovery of personal data, modified or destroyed due to unauthorized access thereto;
- making the employees familiar with the rules of working with personal data;
- investigation of violations of the security of personal data;
- placement of technical means of personal data processing within a secured area;
- organization of the regime of access to the Company's premises.
7.3. If the Company’s website contains links to the websites of third parties, except for the Internet sites owned by the Company, this Policy shall not apply to the content of such websites. The Company has no information as to what information the administrators of such websites may collect and does not control the process of collection of such data. The relevant information may be found in data protection guidelines on the corresponding page.
8. FINAL PROVISIONS
8.1. Other rights and obligations of the Company as a personal data operator shall be determined by the legislation of the Russian Federation on personal data.
8.2. Control of performance of the requirements of this Policy shall be carried out by the Employee in charge of ensuring the security of personal data.
8.3. The Employees guilty of violating the norms regulating the processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure prescribed by the law.
8.4. The personal data subjects shall be informed of any changes to this Policy in advance.