Privacy

1. General Provisions
1.1. This Policy regarding the processing of personal data (hereinafter referred to as the "Policy") of Limited Liability Company "Raduga" (LLC "Raduga") is developed in fulfillment of the requirements of Clause 2, Part 1, Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" (as amended and supplemented) (introduced by the Federal Law of July 25, 2011 No. 261-FZ) (hereinafter referred to as the "Personal Data Law") to ensure the protection of human and civil rights and freedoms during the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by LLC "Raduga" (hereinafter referred to as the "Operator").
1.3. The Policy applies to relations in the field of personal data processing that arose for the Operator both before and after the approval of this Policy.
1.4. In fulfillment of the requirements of Part 2, Article 18.1 of the Personal Data Law, this Policy is published in free access on the Internet on the Operator's website.
2. Terms and Abbreviations
Personal Data - any information relating to a directly or indirectly identified or identifiable individual (personal data subject).
Personal Data Authorized by the Personal Data Subject for Dissemination - personal data, access to which by an unlimited number of persons is provided by the personal data subject by giving consent to the processing of personal data permitted by the personal data subject for dissemination.
Personal Data Operator (operator) - a state body, municipal body, legal entity or individual, independently or jointly with other persons, organizing and/or carrying out the processing of personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.
Processing of Personal Data - any action (operation) or a set of actions (operations) performed with personal data, with or without the use of automation means. Processing of personal data includes, but is not limited to:

collection;
recording;
systematization;
accumulation;
storage;
clarification (updating, modification);
extraction;
use;
transfer (provision, access);
distribution;
depersonalization;
blocking;
deletion;
destruction.

Automated Processing of Personal Data - processing of personal data using computer technology.
Provision of Personal Data - actions aimed at disclosing personal data to a specific person or a specific circle of persons.
Blocking of Personal Data - temporary cessation of personal data processing (except for cases where processing is necessary to clarify personal data).
Destruction of Personal Data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material carriers of personal data are destroyed.
Depersonalization of Personal Data - actions as a result of which it becomes impossible, without the use of additional information, to determine the belonging of personal data to a specific personal data subject.
Personal Data Information System - a set of personal data contained in databases and ensuring their processing, information technologies and technical means.
Cross-Border Transfer of Personal Data - transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual, or foreign legal entity.
3. Procedure and Conditions for Processing and Storing Personal Data
3.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. The processing of personal data is carried out with the consent of the personal data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
3.3. Consent to the processing of personal data authorized by the personal data subject for dissemination is formalized separately from other consents of the personal data subject to the processing of his/her personal data.
3.4. Consent to the processing of personal data authorized by the personal data subject for dissemination may be provided to the operator directly or using the information system of the authorized body for the protection of the rights of personal data subjects.
3.5. The Operator carries out both automated and non-automated processing of personal data.
3.6. Employees of the Operator whose job responsibilities include the processing of personal data are allowed to process personal data.
3.7. The processing of personal data is carried out by:

receiving personal data orally and in writing directly with the consent of the personal data subject for the processing or dissemination of his/her personal data;
entering personal data into journals, registers, and information systems of the Operator;
using other methods of personal data processing.

3.8. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is not allowed, unless otherwise provided by federal law.
3.9. The transfer of personal data to the bodies of the Ministry of Internal Affairs, the FSB, the FSSP, customs, inquiry and investigation, to the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
3.10. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:

identifying threats to the security of personal data during their processing;
adopting local regulations and other documents regulating relations in the field of processing and protection of personal data;
appointing persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
creating the necessary conditions for working with personal data;
organizing the accounting of documents containing personal data;
organizing work with systems in which personal data are processed;
storing personal data under conditions that ensure their safety and prevent unauthorized access to them;
organizing training for the Operator's employees who process personal data.

3.11. The Operator stores personal data in a form that allows the identification of the personal data subject, for no longer than required by the purposes of personal data processing.
3.12. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in the Personal Data Law.
3.13. The purposes of personal data processing include:
3.13.1. Personal data that correspond to the purposes of their processing.
3.13.2. Personal data, the collection and storage of which are carried out for the following purposes:

ensuring compliance with the Constitution, federal laws, and other regulatory legal acts of the Russian Federation;
carrying out its activities in accordance with the charter of LLC "Raduga";
maintaining personnel records;
assisting employees in employment, education, and career advancement, providing benefits (insurance, corporate communications, etc.), ensuring personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;
attracting and selecting candidates for employment with the Operator;
organizing registration for individual (personalized) accounting of employees in the mandatory pension insurance system;
filling out and submitting required reporting forms to executive authorities and other authorized organizations;
carrying out civil law relations;
maintaining accounting records;
implementing access control;
providing access to services, information, and materials posted on the Operator's websites;
conducting advertising and marketing events, tours, and other events aimed at drawing attention to the Operator's activities and its products.

3.14. The processing of personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts. The Operator does not process personal data concerning race, nationality, political views, religious and philosophical beliefs, or intimate life.
3.15. Categories of personal data subjects.
Personal data of the following subjects are processed:

individuals who have employment relations with the Company;
individuals who have resigned from the Company;
individuals who are job candidates;
individuals who have civil law relations with the Company or are employees of a legal entity with which the Company has civil law relations;
individuals who are users of services, information and/or materials contained on the Operator's websites;
individuals, participants in advertising and marketing events, tours conducted by the Operator to attract attention to the Operator's activities and its products.

3.16. Personal data processed by the Operator:

data obtained during employment relations;
data obtained for the selection of job candidates;
data obtained during civil law relations;
data obtained when providing users with access to services, information and/or materials contained on the Operator's websites;
data obtained when allowing individuals to participate in advertising and marketing events, tours conducted by the Operator to attract attention to the Operator's activities and its products.

3.17. Storage of personal data.
3.17.1. Personal data of subjects can be obtained, further processed, and stored both on paper and in electronic form.
3.17.2. Personal data recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.
3.17.3. Personal data of subjects, processed using automation tools for different purposes, are stored in different folders.
3.17.4. It is prohibited to store and place personal data in open electronic catalogs (file sharing systems) in the personal data information system.
3.17.5. Storage of personal data in a form that allows the identification of the personal data subject is carried out for no longer than required by the purposes of their processing and shall be destroyed upon achieving the processing purposes.
3.18. Destruction of personal data.
3.18.1. Destruction of documents (media) containing personal data is carried out by burning, shredding (grinding), chemical decomposition, turning into a shapeless mass or powder. For the destruction of paper documents, the use of a shredder is allowed.
3.18.2. Personal data on electronic media are destroyed by erasing or formatting the media.
3.18.3. The fact of destruction of personal data is documented by an act of destruction of media.

Privacy and Personal Data Processing Policy of Ltd"Raduga"

4. Protection of Personal Data
4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system, consisting of legal, organizational, and technical protection.
4.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents that ensure the creation, functioning, and improvement of the personal data protection system.
4.3. The organizational protection subsystem includes the organization of the management structure of the personal data protection system, an access control system, information protection when working with employees, partners, and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and software-hardware tools that ensure the protection of personal data.
4.5. The main measures for the protection of personal data used by the Operator are:
4.5.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
4.5.2. Identification of current threats to the security of personal data during their processing in the personal data information system and development of measures and activities for the protection of personal data.
4.5.3. Development of a policy regarding the processing of personal data.
4.5.4. Establishment of rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system.
4.5.5. Establishment of individual passwords for employees' access to the information system in accordance with their job responsibilities.
4.5.6. Application of information protection means that have passed the conformity assessment procedure in the prescribed manner.
4.5.7. Certified antivirus software with regularly updated databases.
4.5.8. Compliance with conditions ensuring the safety of personal data and preventing unauthorized access to them.
4.5.9. Detection of facts of unauthorized access to personal data and taking measures.
4.5.10. Restoration of personal data modified or destroyed due to unauthorized access to them.
4.5.11. Training of the Operator's employees who directly process personal data on the provisions of the Russian Federation legislation on personal data, including requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, local acts on the processing of personal data.
4.5.12. Carrying out internal control and audit.
5. Basic Rights of the Personal Data Subject and Obligations of the Operator
5.1. Basic rights of the personal data subject.
5.1.1. The personal data subject has the right to access his/her personal data and the following information:

confirmation of the fact of personal data processing by the Operator;
legal grounds and purposes of personal data processing;
the purposes and methods of personal data processing used by the Operator;
the name and location of the Operator, information about persons (except for the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
the terms of personal data processing, including the terms of their storage;
the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator;
receipt of other information related to the processing of his/her personal data, except for cases provided for by federal laws of the Russian Federation.
The information is provided to the personal data subject in an accessible form, and it must not contain personal data relating to other personal data subjects, except in cases where personal data is disclosed in accordance with the legislation of the Russian Federation.

5.1.2. The personal data subject has the right to demand from the Operator the clarification of his/her personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained, or are not necessary for the stated purpose of processing.
5.1.3. The personal data subject has the right to withdraw consent to the processing of personal data at any time.
5.1.4. The personal data subject has the right to appeal unlawful actions of the Operator when processing his/her personal data to the authorized body for the protection of personal data or in court in accordance with the procedure established by the legislation of the Russian Federation.
5.1.5. The personal data subject has the right to exercise other rights and take measures to protect his/her personal data in accordance with the legislation of the Russian Federation.
5.2. Obligations of the Personal Data Subject:
5.2.1. The personal data subject is obliged to provide the Operator with reliable information about himself/herself or another personal data subject in cases provided for by the legislation of the Russian Federation. In case of providing the Operator with inaccurate data, the personal data subject bears responsibility in accordance with the legislation of the Russian Federation;
5.2.2. The personal data subject is obliged to promptly inform the Operator about the clarification (change, update) of his/her personal data.
5.3. The Operator has the right to receive from the personal data subject reliable information and documents containing personal data and to process personal data without the consent of the personal data subject, including in case of withdrawal of consent to the processing of personal data by the personal data subject, if there are grounds provided for by the legislation of the Russian Federation.
5.4. Obligations of the Operator.
The Operator is obliged to:

provide the personal data subject, upon his/her request, with information concerning the processing of his/her personal data;
in cases where personal data were not obtained from the personal data subject, notify the personal data subject in the manner prescribed by the legislation of the Russian Federation;
in case of refusal of the personal data subject to provide personal data in violation of the requirements of the legislation of the Russian Federation, explain to the personal data subject the consequences of such refusal;
publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information on the implemented requirements for the protection of personal data;
take the necessary legal, organizational, and technical measures or ensure their adoption to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
respond to requests and appeals of personal data subjects, their representatives, and the authorized body for the protection of the rights of personal data subjects;
terminate the transfer (distribution, provision, access), processing of personal data and destroy personal data in the cases and manner provided for by the legislation of the Russian Federation.

6. Updating, Correction, Deletion and Destruction of Personal Data, Responses to Subjects' Requests for Access to Personal Data
6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in the Personal Data Law, is provided by the Operator to the personal data subject or his/her representative upon application or upon receipt of a request from the personal data subject or his/her representative.
The provided information does not include personal data relating to other personal data subjects, except in cases where there are legal grounds for the disclosure of such personal data.
The request must contain and can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation:

the number of the main identity document of the personal data subject or his/her representative, information on the date of issue of the said document and the issuing authority;
information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator;
the signature of the personal data subject or his/her representative.
If the application (request) of the personal data subject does not contain all the necessary information in accordance with the requirements of the Personal Data Law or the subject does not have the right to access the requested information, a reasoned refusal is sent to him/her.
The right of the personal data subject to access his/her personal data may be restricted in accordance with Part 8, Article 14 of the Personal Data Law, including if the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

6.2. In case of identification of inaccurate personal data upon application of the personal data subject or his/her representative or upon their request or upon request of Roskomnadzor, the Operator blocks the personal data relating to this personal data subject from the moment of such application or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
In case of confirmation of the fact of inaccuracy of personal data, the Operator, on the basis of information provided by the personal data subject or his/her representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of personal data.
6.3. In case of identification of unlawful processing of personal data upon application (request) of the personal data subject or his/her representative, or Roskomnadzor, the Operator blocks the unlawfully processed personal data relating to this personal data subject from the moment of such application or receipt of the request.
6.4. Upon achieving the purposes of personal data processing, as well as in case of withdrawal of consent to their processing by the personal data subject, the personal data shall be destroyed if:

otherwise is not provided by the agreement, to which the personal data subject is a party, beneficiary, or guarantor;
the operator is not entitled to process without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;
otherwise is not provided by another agreement between the Operator and the personal data subject.