C3D Labs Personal Data Processing Policy

1. Terms and Definitions

  • Automated personal data processing -- processing of personal data by computers
  • Blocking of personal data -- temporary suspension of personal data processing, except when the personal data shall be amended
  • Personal data processing system -- the databases containing personal data, the processing software, and hardware
  • De-identification of personal data -- the process of removing all identifiable information from the personal data that can lead to the identification of individuals
  • Personal data processing -- any operation(s) performed manually on the personal data, or automatically including acquisition, recording, systematization, accumulation, storage, correction (updating, changing), retrieval, application, disclosure (distribution, provision, access), de-identification, blocking, removal, and destruction
  • Personal data processor -- a state agency, municipal authority, or legal entity, or natural person who independently or together with other persons manages and/or processes personal data, or sets out the purpose of the personal data processing, the specific data to be processed, and the operations to be performed with the personal data
  • Personal data -- any information relating to an identified or identifiable natural person (the “data subject”)
  • Personal data disclosure -- providing personal data to certain persons
  • Personal data distribution -- disclosure of personal data to the general public
  • International data transfer -- sending personal data to another country’s authorities, a foreign individual, or a legal entity
  • Personal data destruction -- complete and irreversible removal of personal data from the IT system and/or physical destruction of the data medium

2. General

2.1. This C3D Labs Personal Data Processing Policy (hereinafter referred to as the Policy) is an official document that defines the general principles, objectives, and personal data processing procedures, and the personal data protection measures in place.

2.2. This Policy applies to every C3D Labs (hereinafter referred to as the Processor) employee, and to the employees of any third parties collaborating with the Processor under contracts, and regulatory, legal, and other documents.

2.3. This Policy becomes effective upon approval and stays in effect indefinitely until replaced by a revision.

3. Purposes of Personal Data Collection

3.1. The Processor processes Personal Data solely for the following purposes:

  • Compliance with the Russian labor code
  • Compliance with legislation and regulations
  • Assisting employees in their career building
  • Security of assets
  • Work safety
  • Record keeping
  • Calculation and payment of temporary disability benefits
  • Determining whether employees are physically able to perform their job functions
  • Corporate Web site management
  • Company Web site access control
  • Learning opportunities
  • Maintaining an in-house telephone directory
  • Issuing corporate SIM cards
  • Publishing publicly accessible personal data, such as on boards and Web sites
  • Welfare payments
  • Compensation benefits and extra days off
  • Holiday gifts for children of employees
  • Employment assistance in offering suitable positions
  • Recruiting
  • Communication with personal data subjects
  • Fulfillment of contractual obligations
  • Technical support for employees
  • Contractual technical support
  • Managing clients’ participation in corporate events
  • Web site signups
  • Registration for corporate events
  • Consulting on corporate products and services
  • Subscriptions to corporate news
  • Submitting applications for partner programs
  • Any activities listed in the corporate charter

4. Legal Framework for Processing Personal Data

4.1. The Processor processes personal data in accordance with the following laws and regulations:

  • Art. 86-90, Russian Labor Code
  • Art. 65, Russian Labor Code
  • Russian Tax Code
  • Basic Pension Security Federal Act No. 167-FZ dated December 15, 2001
  • Art. 13, Basic Temporary Disability and Maternity Benefits Federal Act No. 255-FZ dated December 29, 2006
  • Art. 8, National Defense Federal Act No. 61-FZ dated May 31, 1996
  • Accounting Federal Act No. 402-FZ dated December 6, 2011
  • Russian Statistics Service Directive No. 1 Introduction of Unified Primary Accounting Document Templates for Labor Accounting and Remuneration dated January 5, 2004
  • Consent for personal data processing
  • Agreements with personal data subjects
  • Contracts between the Company and third-parties
  • Contracts between the Company and customers, such as sole proprietors

5. Personal Data Subject Categories

5.1. The Processor processes the following personal data categories:

Personal data subject category Personal data category Personal data scope
Employees, former employees Other categories Fewer than 100,000 subjects
Employees, former employees Special categories Fewer than 100,000 subjects
Employees’ next of kin Other categories Fewer than 100,000 subjects
Applicants for job vacancies Other categories Fewer than 100,000 subjects
Independent contractors Other categories Fewer than 100,000 subjects
Customer agents Other categories Fewer than 100,000 subjects
Customers (e.g., sole proprietors) Other categories Fewer than 100,000 subjects
Suppliers Other categories Fewer than 100,000 subjects
Site visitors Other categories More than 100,000 subjects
Employees of other companies within the group Other categories Fewer than 100,000 subjects


6. Personal Data Processing Procedures and Conditions

6.1. Personal data shall be processed in a legitimate and fair manner.

6.2. Processing of personal data shall be limited to specific, clearly defined, and legitimate purposes. Personal data processing for purposes other than the objective of collecting personal data is not permitted.

6.3. Databases containing personal data for different and incompatible purposes may not be merged.

6.4. Only the personal data required for specific purposes shall be processed.

6.5. The content and scope of personal data shall match the purposes of personal data processing and shall not be excessive.

6.6. Personal data to be processed shall be sufficient and accurate, and up-to-date as required. Incomplete or inaccurate data shall be removed or corrected.

6.7. The Processor may create publicly accessible personal data sources, such as directories, digital databases, and pages on the Processor’s Web site. Publicly accessible sources of personal data may include only the personal data specified by personal data subjects in written consent to the publication of their personal data on such publicly accessible sources.

6.8. Personal data shall be stored in such a way that personal data subjects can be identified for a period of time no longer than required to process personal data, unless superseded by a term of personal data storage specified by a federal act, or an agreement to which personal data subjects are a party, beneficiary, or guarantor. Unless otherwise provided for by a federal act, personal data shall be destroyed or de-identified after processing, or when such processing is no longer required.

7. Personal Data Processing Termination Terms and Conditions

7.1. The Processor will stop processing personal data in the following cases, or following the specified period:

  • Either the purposes for personal data are achieved, or the maximum retention period expires, currently at 30 days
  • The purpose for processing personal data is no longer needed: in 30 days
  • The personal data subjects or their legal representatives notify the Processor that the personal data was obtained illegally, or is no long required for the stated purposes: in 7 days
  • Inability to process the personal data in a legitimate way: in 10 days
  • The personal data subjects cancel their consent to processing of personal data, unless the personal data is to be retained for a stated processing purpose: in 30 days
  • Expiration of the statute of limitations for the legal relations under which the personal data is being, or has been, processed.

7.2. Under Art. 21, part 5, Personal Data Protection Federal Act No. 152-FZ dated July 27, 2006, the Processor may continue processing the subject’s personal data, and in the following cases does not have to destroy it:

  • The processing of data is provided for in the contract to which the Subject is a party, beneficiary, or guarantor
  • The Processor may process personal data without the consent of the Subject to the extent permitted by federal acts
  • The deadlines for processing the Subject’s data, as established by federal acts and other regulations, have not expired.

8. Security of Personal Data

8.1. To secure the personal data being processed, the Processor shall implement legal, organizational, hardware, and software measures as required, and are sufficient to meet the legal requirements for personal data protection.

8.2. The Processor shall take the required organizational and technical measures for personal data security to avoid accidental or unauthorized access, destruction, modification, access blocking, and other unauthorized actions.

8.3. The Processor shall take the following measures:

  • Appoint officials responsible for secure personal data processing
  • Limit the number of the Processor’s employees who have access to personal data
  • Familiarize the Processor’s employees with the federal legislation and local regulations on personal data processing and protection
  • Account for and store personal data media to prevent theft, substitution, unauthorized copying, or destruction
  • Identify threats to personal data security while the data is processed by computer systems (hereinafter referred to as “personal data processing system“), as well as to build threat models
  • Build a data protection system to match the threat model identified, and reach the appropriate level of personal protection as data is automatically processed
  • Inspect the information protection tools for operability and efficiency
  • Restrict computer system user access to information resources, software, and hardware used for information processing and protection
  • Control user access through passwords
  • Use cryptographic tools as required to secure personal data transmission over public communication channels, and when stored on removable media
  • Protect corporate networks from computer viruses, malware, and implants
  • Install firewalls, where appropriate
  • Use corporate network intrusion detection tools to detect violations, or possible violations, of personal data security
  • Train the Processor’s employees in operating data protection tools
  • Track information protection tools and their manuals
  • Use, where appropriate, duly certified information protection tools
  • Log computer system user actions, and if necessary, investigate data security violations
  • Install personal data processing hardware in secured areas
  • Keep the burglar alarm system operational at all times

9. Rights of Personal Data Subjects

9.1. Personal data subjects are entitled to be aware of the processing of their data, such as in the following ways:

  • Confirmation from the Processor that it is processing their personal data
  • Provide the legal framework for personal data processing
  • Describe the personal data processing purposes and procedures used by the Processor
  • List the Processor’s name and location, the names of any persons (other than the Processor’s employees) who have access to the personal data, or to whom the personal data may be disclosed under a contract with the Processor, or as required by federal laws
  • Provide access to processed personal data of the respective subjects and their sources, unless federal law establishes a special procedure for such data collection
  • Give information on the data processing and storage periods of personal data
  • Describe the procedure for exercising rights entitled to personal data, subject to the Personal Data Protection Federal Act
  • Report any actual or suspected international sharing of personal data
  • List the full names and addresses of persons who process personal data on behalf of the Processor, if any
  • Provide other information as required by the Personal Data Protection Federal Act or other federal acts

9.2. Personal data subjects are entitled to require the Processor to correct, block, or destroy data if the personal data is incomplete, outdated, inaccurate, obtained illegally, or unnecessary for the stated purpose, and take any statutory measures to protect their rights.

9.3. If personal data subjects believe that the Processor violated the Personal Data Protection Federal Act or otherwise violates their rights and freedoms, the subjects may appeal the actions, or inaction, of the Processor to a personal data protection authority, such as the Federal Service for Supervision of Communications, Information Technology, and Mass Communication or in court.

9.4. Personal data subjects may protect their rights and legitimate interests in court, including material or moral damage.

10. Closing Provisions

10.1. The employees responsible for personal data processing monitor compliance with this Policy.

10.2. Other rights and obligations of the Processor are listed in the Personal Data Protection Federal Act and other personal data protection regulations.

10.3. Any employees who have violated the personal data processing and protection regulations shall bear material, disciplinary, administrative, civil, or criminal liability as established by federal laws.