1. General Provisions

1.1. This Personal Data Processing Policy (the Policy) sets out the procedure and requirements for personal data processing by BPMSoft (IIN 7724744134, OGRN 1107746293049) as a Personal Data Operator (the Operator).
1.2. This Policy was designed and is applied subject to paragraph 2 of Part 1 of Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 On Personal Data (the Federal Law on Personal Data) and shall be made available at the Operator’s website.
1.3. In the meaning of paragraph 1 of Article 3 of the Federal Law on Personal Data, personal data includes any information relating, directly or indirectly, to an identified or identifiable individual, a personal data subject. A personal data subject may be represented by a representative, duly authorized, and the Operator will verify such authority for each case or query.
1.4. The Operator shall process personal data by way of: collection, recording, systematization, accumulation, storage, clarification (updating, modification), access, provision, use, blocking, deletion, destruction.
1.5. The Operator shall process personal data using databases located in the Russian Federation, unless the Federal Law on Personal Data otherwise specifies.

2. Purposes of Personal Data Processing

2.1. Recruitment of personnel (job seekers) for the Operator’s vacancies.
2.2. Compliance with Russian labor law.
2.3. Preparation, execution and fulfillment of civil law contracts.
2.4. Promotion of products, works, services in the market.

3. Procedure and Terms of Personal Data Processing

3.1. The Operator shall process the following personal data of the personal data subjects as follows:
3.1.1. for the purpose specified in section 2.1 of this Policy:
· Subject: Job Seekers;
· Class and list of personal data: last name, first name, patronymic (if any), year of birth, month of birth, day of birth, place of birth, marital status, gender, email address, residential address, registration address, telephone number, SNILS, INN, identity document details, bank card details, current account number, personal account number, occupation, education details, photo.
3.1.2. for the purpose specified in section 2.2 of this Policy:
· Subjects: Employees, Job Seekers, Dismissed Employees;
· Class and list of personal data: last name, first name, patronymic (if any), year of birth, month of birth, day of birth, place of birth, marital status, gender, email address, residential address, registration address, telephone number, SNILS, INN, nationality, identity document details, bank card details, current account number, personal account number, position, military duty, registration for military service, health information, photo.
3.1.3. for the purpose specified in section 2.3 of this Policy:
· Subjects: Counterparty representatives, Beneficiaries under contracts;
· Class and list of personal data: last name, first name, patronymic (if any), year of birth, month of birth, day of birth, place of birth, email address, telephone number, nationality, identity document details, position.
3.1.4. for the purpose specified in section 2.4 of this Policy:
· Subjects: Counterparty representatives, Website visitors;
· Class and list of personal data: last name, first name, patronymic (if any), email address, telephone number, position, photo.
3.2. For the purposes of data processing, the Operator may provide personal data to:
· the Operator’s employees;
· third parties who sign an agreement to keep confidential and secure any information received on behalf of the Operator, which agreement should list the actions (operations) with personal data that will be performed by the person who processes personal data and the purposes of processing; the agreement shall include an obligation of such person to keep personal data confidential and secure during processing, and the requirements for the processed personal data protection in accordance with Article 19 of Federal Law No. 152-FZ On Personal Data;
· at a request of an inquiry and investigation agency or court in connection with an investigation or trial, at a request of a penal enforcement agency in connection with enforcement of a criminal sentence or supervision of a probationer, person on conditional discharge, or parolee.
3.3. The Operator shall process personal data based on the following principles:
3.3.1. legal purposes and methods of personal data processing, integrity and good faith of the Operator’s activities;
3.3.2. personal data processing matches the purposes of processing;
3.3.3. the content and scope of personal data matches the stated purpose of processing, no redundancy;
3.3.4. non-combining databases containing personal data processed for purposes which are incompatible;
3.3.5. accuracy and sufficiency of personal data and, where necessary, relevance for the purposes of personal data processing. The Operator shall take the required measures to remove or update incomplete or inaccurate data;
3.3.6. personal data shall be stored in a form that enables identification of the personal data subject for no longer than required by the purposes of personal data processing.
3.4. Personal data may be processed in the events set out in the Federal Law on Personal Data, specifically:
3.4.1. subject to the personal data subject’s consent to his/her personal data processing;
3.4.2. processing is required for the purposes specified in an international treaty of the Russian Federation or by law to implement and perform the functions, powers and obligations imposed on the Operator by the law of the Russian Federation;
3.4.3. participation of the person in constitutional, civil, administrative, criminal or arbitration proceedings;
3.4.4. processing is required for the execution of an order of court, another agency or official in accordance with the law of the Russian Federation on enforcement proceedings;
3.4.5. processing is required to perform an agreement to which the personal data subject is a party, beneficiary or surety, or to conclude an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will act as a beneficiary or surety, in compliance with the requirements for the content of such agreement as set out in subparagraph 5, Part 1, Article 6 of the Federal Law on Personal Data;
3.4.6. processing is required to protect the life, health or other vital interests of the personal data subject, when the consent of the personal data subject cannot be obtained;
3.4.7. processing is required to exercise the rights and legitimate interests of the Operator or a third party or to achieve a publicly important goal, provided that the rights and freedoms of the personal data subject are not violated;
3.4.8. for statistical or other research purposes, subject always to the personal data subject’s prior consent and mandatory depersonalization of personal data;
3.4.9. otherwise as required by the law of the Russian Federation.
3.5. Personal data may be obtained from a person who is not the personal data subject, if the Operator is provided with evidence of the existence of the grounds set out in sections 3.4.2.-3.4.9. of this Policy or paragraph 3, Article 86 of the Labor Code of the Russian Federation.
3.6. The Operator may authorize another corporate entity to process personal data subject to the personal data subject’s consent issued in writing on the basis of an agreement with such other corporate entity, who shall comply with Part 3 of Article 6 of the Federal Law on Personal Data.
3.7. Consent to personal data processing
3.7.1. The personal data subject consents to personal data processing acting freely, of his/her own free will and in his/her interest. The consent shall be expressed, specific, informed, conscious, unambiguous and given in any form that allows confirmation of its receipt by the Operator. If such consent is issued by a representative of the personal data subject, the Operator shall verify the authority of such representative.
3.7.2. The personal data subject may revoke the consent to personal data processing at any time, and the Operator may continue to process personal data without the personal data subject’s consent only if there are grounds provided for in sections 3.4.2-3.4.9. of this Policy or other grounds specified in the law of the Russian Federation. In other events, the Operator shall discontinue such personal data processing.
3.7.3. If the personal data subject is legally incapable, the consent to his/her personal data processing shall be given by his/her legal representative.
3.7.4. If the personal data subject dies, the consent to his/her personal data processing shall be given by his/her heirs, unless obtained earlier during his/her lifetime.
3.8. The Operator shall process special personal data on employee health that relate to the employee’s ability to perform his/her job (job suitability, disability, temporary incapacity) to the extent set out in the labor law of the Russian Federation for the specified purpose.
3.9. The Operator shall not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life or biometric personal data.
3.10. Processing of photos for the purposes of sections 2.1., 2.2. and 2.4. of this Policy shall not constitute biometric personal data processing in the meaning of Part 1 of Article 11 of the Federal Law on Personal Data.
3.11. The Operator may transfer personal data across borders. Before any cross-border transfer of personal data, the Operator shall make sure that the destination country has an appropriate level of protection of rights of personal data subjects, and comply with other requirements of current law.
3.12. The Operator may process personal data in a mixed, non-automated or automated way.
3.13. Period of personal data processing by the Operator and conditions for discontinuation:
· the purposes of processing have been achieved or no longer need to be achieved;
· the personal data subject revokes his/her consent to personal data processing;
· the personal data subject or his/her legal representative provides evidence that the personal data were obtained illegally or are not required for the stated purpose of processing;
· upon request of the personal data subject or his/her legal representative, personal data processing is found to be unlawful and lawful personal data processing cannot be ensured;
· request of the personal data subject, if his/her personal data are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose;
· expiry of the personal data storage period as set out in the federal law or the agreement to which the personal data subject is a party, beneficiary or surety;
· the Operator discontinues its activities.
3.14. The Operator shall record cookies on the device that the Website Visitor uses to implement his/her needs on the Website. Cookies are small pieces of data sent by a web server and stored on the Website Visitor’s electronic device. Cookies are used to simplify the user experience on the website and collect analytics by the Operator to improve the quality of products/services offered on the website. The Website Visitor hereby consents to collection, analysis and use of cookies, including by third parties, for the purposes of generating statistics and optimizing the Operator’s website. The Visitor may refuse the use of cookies in the settings of his/her browser (more information is available in the “Help” section of the respective browser). In such event, the website will use only those cookies strictly necessary for its functioning and the services it offers, but such refusal may lead to incorrect operation of the website.
3.15. The Operator may collect technical information when the Visitor visits the Website. List of technical information: IP address, device operating system and browser type, unique device identifier, address of referring websites, the path the Visitor takes through the website, access time, and other information. The Operator shall use the information to ensure functionality of its website, improve the quality of promotion of its products/services, correct errors and generally improve the user experience. At the same time, the Company does not seek to identify a specific user of the Operator’s website.
3.16. The Operator’s website implements Yandex.Metrika, a web analytics service which uses cookies. Information about the website use by the Visitor collected using cookies is transferred to Yandex LLC (OGRN: 1027700229193, located at Lva Tolstogo St. 16, Moscow, 119021, Russia) and stored on Yandex servers located in the Russian Federation. Yandex processes the information received to assess the website use by the Visitor and generate reports on the website activities.

4. Security of personal data

4.1. For personal data processing, the Operator shall apply legal, corporate and technical measures to ensure personal data security in accordance with Articles 18.1. and 19 of the Federal Law on Personal Data No. 152-FZ of July 27, 2006.
4.2. Personal data security is ensured, specifically, by:
· identifying threats to the security of personal data when processed in personal data information systems and potential violators of the security of personal data processed in personal data information systems;
· identifying the required protection levels of personal data processed in the personal data information system and compliance with personal data protection requirements, the implementation of which ensures the personal data protection levels established by the Government of the Russian Federation;
· using information security tools that have passed the established compliance assessment procedure;
· assessing the efficiency of measures taken to secure personal data before launching the personal data information system;
· dividing employee access rights to the personal data database of the personal data information system;
· guarding the Operator’s facilities, and limiting access to the facilities where personal data bases are located;
· revealing unauthorized access to personal data and taking measures to prevent such access in the future;
· restoring personal data modified or destroyed by unauthorized access;
· establishing the right of access to personal data processed in the personal data information system, and recording and accounting for actions performed with personal data in the personal data information system;
· monitoring the measures taken to ensure personal data security and the protection level of the personal data system;
· appointing a person responsible for managing personal data processing by the Operator.
4.3. Interaction with federal executive authorities in respect of processing and protecting personal data of subjects whose personal data are processed by the Operator shall be in accordance with the law of the Russian Federation.
4.4. The Company may amend this Policy at its own discretion, including, but not limited to, when such amendments result from legal developments or changes in the operation of the Company’s website. The new version of this Policy shall become effective when posted on the relevant pages of the Company’s website, unless such new version otherwise specifies.

5. Rights of Personal Data Subjects

5.1. Personal data subjects shall have the rights set out in the Federal Law on Personal Data and other personal data processing rules and regulations, and the Operator shall ensure the rights of personal data subjects as set out in Chapters 3 and 4 of the Federal Law on Personal Data.
5.2. The personal data subject may:
5.2.1. Access his/her personal data, including:
· receive information about his/her personal data processing to the extent of Part 7 of Article 14 of the Federal Law on Personal Data;
· update personal data;
· request blocking or destruction of data processed in violation of the principles or grounds for processing specified in section 2.3. or 2.4. of this Policy, respectively;
· revoke the consent to his/her personal data processing.
The personal data subject’s right of access to his/her personal data shall be granted by the Operator on the basis of a query or request sent as prescribed by Article 14 of the Federal Law on Personal Data to the Operator’s registered address or e-mail infosec@bpmsoft.ru.
5.2.2. Appeal an act or omission of the Operator to the competent personal data protection authority or court if the personal data subject believes that the Operator processes his/her personal data in violation of the requirements of the Federal Law on Personal Data or otherwise violates his/her rights and freedoms;
5.2.3. Protect his/her rights and legitimate interests, including claim compensation for damages and/or moral damages, in court.
5.3. The Operator shall ensure the right of access of the personal data subject by:
5.3.1. providing the subject with the required information upon his/her request or query. The grounds for refusal to provide information include: receipt of a repeated request not meeting Parts 4 and 5 of Article 14 of the Federal Law on Personal Data, or existence of the circumstances set out in Part 8 of the said Article. The Operator’s refusal shall be motivated;
5.3.2. updating incomplete, outdated, or irrelevant data, blocking it for the verification period, unless it violates the rights and legitimate interests of the subject;
5.3.3. if personal data are found to be processed illegally, by blocking it for the period of verification, and further, if the data cannot be legally processed, by destroying it;
5.3.4. destroying personal data illegally obtained or not matching the stated processing purposes;
5.3.5. discontinuing personal data processing upon achieving the stated processing purposes and destroying the data;
5.3.6. providing information upon a request, query or claim of the personal data subject and, if they comply with the law of the Russian Federation, fulfilling the demands therein specified. The Operator shall notify the personal data subject on the fulfillment of its obligations. The deadlines for the Operator to fulfill the obligations specified in section 4.3. of this Policy shall be set out in the Federal Law on Personal Data or the agreement with the personal data subject.
5.4. The Operator shall:
5.4.1. If the personal data subject refuses to provide personal data, explain to him/her the legal consequences of such refusal, where such personal data provision is required by the Federal Law on Personal Data;
5.4.2. Appoint an officer responsible for management of the personal data processing, who shall:
· implement internal control over the compliance by the Operator and its employees with the personal data law of the Russian Federation, including the personal data protection requirements;
· make the Operator’s employees aware of the provisions of the personal data law of the Russian Federation, local personal data processing regulations, and personal data protection requirements;
· manage reception and processing of requests and queries from personal data subjects or their representatives and/or oversee the reception and processing of such requests and queries. Such responsible officer shall be directly instructed by and accountable to the Director General.
5.4.3. Adopt local regulations to set out, in relation to each purpose of personal data processing, individual classes of personal data subjects, classes and list of processed personal data, methods, terms of processing and storage, procedure for personal data destruction after achieving the purpose of processing or occurrence of other legal grounds, and local regulations to set out the procedures to prevent and identify violations of the law of the Russian Federation and remedy the consequences of such violations.
5.4.4. Implement internal control and/or audit of compliance of personal data processing with the law of the Russian Federation, the Operator’s Personal Data Processing Policy, and the Operator’s local regulations.
5.5. Assess the harm that may be caused to personal data subjects by a violation of the Federal Law, the balance of such harm and measures taken by the Operator to fulfil the obligations set out in the law of the Russian Federation.
5.6. Make the Operator’s employees directly involved in personal data processing aware of the provisions of the personal data law of the Russian Federation, including personal data protection requirements, documents outlining the Operator’s personal data processing policy, local personal data processing regulations, or train the employees.
5.7. Ensure relevance of the information in the notice sent to the competent personal data protection authority, where Article 22 of the Federal Law on Personal Data so requires.

6. Liability for violation of personal data processing and protection rules

6.1. Persons found guilty of violating the procedures for personal data processing shall be charged with disciplinary, administrative, civil or criminal liability under the law of the Russian Federation.
Heads of the Operator’s business units shall be personally liable for the performance of duties by their subordinates.