Basic Provisions

This Policy of the OPEN group of companies in relation to the processing of personal data (hereinafter - the Policy) Establishment in fulfillment of the requirements of clause 2, part 1 of Art. 18.1 of the Federal Law of the Russian Federation of July 27, 2006 N 152-FZ "On Personal Data" (hereinafter - the Law on Personal Data) in order to ensure the rights and freedoms of a person and citizen when processing his data, including protecting the rights to privacy, personal and family secret.

1.2. The policy applies to all personal data processed by OPEN group (hereinafter referred to as the Operator).

1.3. The Policy applies to relations in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.

1.4. In pursuance of the requirements of Part 2 of Art. 18.1 of the Law on Personal Data, this Policy is published in the public domain on the information and telecommunications network Internet on the OPEN group website.

1.5. Basic concepts used in the Policy:

personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);

personal data operator (operator) - a state, municipal body, legal or jointly with other persons organizing and (or) providing data processing services, composite data, electronic processing functions (operations) performed with personal data;

processing of personal data - any action (operation) or a set of actions with personal data. Data processing includes, but is not limited to:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • using;
  • transmission (distribution, provision, access);
  • depersonalization;
  • blocking;
  • removal;
  • destruction;
  • automated data processing - processing of personal data using computer technology;
  • distribution of personal data - actions, use to disclose data to an indefinite circle of persons;
  • provision of personal data - action, use to disclose data to a specific person or a specific group of persons;
  • blocking of personal data - temporary termination of data processing (except for cases when data processing is necessary to clarify data);
  • destruction of data - actions as a result of which it becomes impossible to restore data in a digital data system and (or) as a result of which tangible data carriers are destroyed;
  • anonymization of data through a specific data subject.

information system of information data - a set of information systems of data and ensuring their processing of information technologies and technical means;

cross-border data transfer - transfer of data to the territory of a foreign state to the authority of a foreign person or a foreign legal entity.

1.6. Basic rights and obligations of the Operator.

1.6.1. The operator has the right:

independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data provided for by the Law on Personal Data;

in the event that the subject of personal data revokes consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data.

1.6.2. The operator is obliged:

organize the processing of personal data in accordance with the requirements of the Law on Personal Data;

respond to requests and inquiries from subjects of personal data and their legal representatives in accordance with the requirements of the Law on Personal Data;

report to the authorized body for the protection of the rights of subjects of personal data (Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) at the request of this body, the necessary information within 30 days from the date of receipt of such a request.

1.7. Basic rights of the subject of personal data. The personal data subject has the right:

receive information regarding the processing of his personal data, with the exception of cases provided for by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;

require the operator to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights;

put forward a condition of prior consent when processing personal data in order to promote goods, works and services on the market;

to appeal to Roskomnadzor or in court the illegal actions or inaction of the Operator when processing his personal data.

1.8. Control over the implementation of the requirements of this Policy is carried out by an authorized person responsible for organizing the processing of personal data at the Operator.

1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and the regulations of the Operator in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

Purpose of collecting personal data

2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

2.2. Only personal data that meet the purposes of their processing is subject to processing.

2.3. The processing of personal data by the Operator is carried out for the following purposes:

  • ensuring compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
  • carrying out its activities in accordance with the charter of the Operator;
  • HR administration;
  • assistance to employees in employment, education and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;
  • attraction and selection of candidates for work with the Operator;
  • organization of individual (personified) registration of employees in the compulsory pension insurance system;
  • filling out and submitting the required reporting forms to the executive authorities and other authorized organizations;
  • implementation of civil law relations;
  • accounting;
  • implementation of access control.

2.4. The processing of personal data of employees can be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

Legal basis for the processing of personal data

3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including:

  • The Constitution of the Russian Federation;
  • Civil Code of the Russian Federation;
  • Labor Code of the Russian Federation;
  • Tax Code of the Russian Federation;
  • Federal Law of 08.02.1998 N 14-FZ "On Limited Liability Companies";
  • Federal Law of 06.12.2011 N 402-FZ "On Accounting";
  • Federal Law of December 15, 2001 N 167-FZ "On Compulsory Pension Insurance in the Russian Federation"; other regulatory legal acts regulating relations related to the activities of the Operator.

3.2. The legal basis for the processing of personal data is also:

  • Operator's charter;
  • contracts concluded between the Operator and personal data subjects;
  • consent of personal data subjects to the processing of their personal data.

Scope and categories of personal data

4.1. The content and volume of processed personal data must comply with the stated processing objectives provided for in section 2 of this Policy. The processed personal data should not be redundant in relation to the stated purposes of their processing.

4.2. The operator can process personal data of the following categories of personal data subjects.

4.2.1. Applicants for employment with the Operator:

  • Full Name;
  • gender;
  • citizenship;
  • Date and place of birth;
  • Contact details;
  • information about education, work experience, qualifications;
  • other personal data provided by candidates in the resume and cover letters.

4.2.2. Employees and former employees of the Operator:

  • Full Name;
  • gender;
  • citizenship;
  • Date and place of birth;
  • image (photograph);
  • passport data;
  • registration address at the place of residence;
  • address of the actual residence;
  • Contact details;
  • individual taxpayer number;
  • insurance number of an individual personal account (SNILS);
  • information about education, qualifications, professional training and advanced training;
  • marital status, having children, family ties;
  • information about work activities, including the availability of incentives, awards and (or) disciplinary sanctions;
  • marriage registration data;
  • information about military registration;
  • information about disability;
  • information about withholding alimony;
  • information about income from a previous job;
  • other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.3. Family members of the Operator's employees:

  • Full Name;
  • relation degree;
  • year of birth;
  • other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.4. Operator's clients and counterparties (individuals):

  • Full Name;
  • Date and place of birth;
  • passport data;
  • registration address at the place of residence;
  • Contact details;
  • the position to be replaced;
  • individual taxpayer number;
  • current account number;
  • other personal data provided by customers and counterparties (individuals) required for the conclusion and execution of contracts.

4.2.5. Representatives (employees) of the Operator's clients and counterparties (legal entities):

  • Full Name;
  • passport data;
  • Contact details;
  • the position to be replaced;
  • other personal data provided by representatives (employees) of clients and counterparties, necessary for the conclusion and execution of contracts.

4.3. The processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity) is carried out in accordance with the legislation of the Russian Federation.

4.4. The operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Russian Federation.

The procedure and conditions for the processing of personal data


5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without such consent in the cases provided for by the legislation of the Russian Federation.

5.3. The operator carries out both automated and non-automated processing of personal data.

5.4. The employees of the Operator are allowed to process personal data, whose job responsibilities include the processing of personal data.

5.5. The processing of personal data is carried out by:

  • receiving personal data orally and in writing directly from the subjects of personal data;
  • obtaining personal data from publicly available sources;
  • entering personal data into the logs, registers and information systems of the Operator;
  • using other methods of processing personal data, not excluding cookies.

5.6. Disclosure to third parties and dissemination of personal data without the consent of the subject of personal data is not allowed, unless otherwise provided by federal law.

5.7. The transfer of personal data to the bodies of inquiry and investigation, to the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, distribution and other unauthorized actions, including:

  • identifies threats to the security of personal data during their processing;
  • adopts local regulations and other documents regulating relations in the field of processing and protection of personal data;
  • appoints persons responsible for ensuring the security of personal data in structural divisions and information systems of the Operator;
  • creates the necessary conditions for working with personal data;
  • organizes the accounting of documents containing personal data;
  • organizes work with information systems in which personal data is processed;
  • stores personal data in conditions under which their safety is ensured and unlawful access to them is excluded;
  • organizes training for the Operator's employees who process personal data.

5.9. The operator stores personal data in a form that makes it possible to determine the subject of personal data, no longer than the purpose of processing personal data requires, if the storage period for personal data is not established by federal law, by an agreement.

5.10. When collecting personal data, including through the information and telecommunications network Internet, the Operator provides recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, for except for the cases specified in the Law on Personal Data.

Updating, correcting, deleting and destroying personal data, responding to requests from subjects for access to personal data

6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing, as well as other information specified in part 7 of Art. 14 of the Law on Personal Data are provided by the Operator to the subject of personal data or his representative upon contact or upon receipt of a request from the subject of personal data or his representative.

The information provided does not include personal data relating to other subjects of personal data, except for cases where there are legal grounds for disclosing such personal data.

The request must contain:

  • number of the main document proving the identity of the subject of personal data or his representative, information on the date of issue of the specified document and the issuing authority;
  • information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;
  • the signature of the personal data subject or his representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the request (request) of the subject of personal data does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him.

The right of the subject of personal data to access his personal data may be limited in accordance with Part 8 of Art. 14 of the Law on Personal Data, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.

6.2. In case of revealing inaccurate personal data when the subject of personal data or his representative applies, or at their request or at the request of Roskomnadzor, the Operator blocks personal data related to this personal data subject from the moment of such a request or receipt of the specified request for the verification period, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the subject of personal data or his representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of personal data.

6.3. In the event that illegal processing of personal data is revealed when the subject of personal data or his representative or Roskomnadzor applies (request), the Operator blocks the unlawfully processed personal data related to this subject of personal data from the moment of such a request or receipt of the request.

6.4. Upon reaching the goals of processing personal data, as well as in the event that the subject of personal data withdraws consent to their processing, personal data are subject to destruction if:

  • otherwise is not provided for by the contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data;
  • the operator is not entitled to carry out processing without the consent of the subject of personal data on the grounds provided for by the Law on Personal Data or other federal laws;
  • otherwise is not provided for by another agreement between the Operator and the subject of personal data.