Personal data processing policy

Approved by order by General Director of LLC Trey Legal

Moscow 2020

1. General provisions

List of terms and definitions:

Administrative and economic activities are internal processes aimed at ensuring the ongoing provision of LLC Trey Legal’s activities with goods and material values (procurement of stationery, office equipment, consumables, household goods, communications services, etc.); to organize paperwork (maintaining archives, libraries, databases); to organize the operation of buildings, premises, territories (maintenance, cleaning, decoration and repair of premises); to organization of the workflow; to organization of financial and accounting services.

LLC Trey Legal LLC (hereinafter — Trey Legal) is a law firm that processes personal data and that determines the aims of the processing of personal data, the contents of personal data to be processed, and actions committed with personal data.

Close relatives — are relatives in a straight ascending and downward line (parents and children, grandparents and grandchildren), full-born and incomplete (having common father or mother) brothers and sisters.

A candidate is an individual applying for a vacant position at Trey Legal, whose personal data were accepted by Trey Legal.

A client is a Russian or international legal entity, an individual entrepreneur, as well as an individual having a private practice, who has concluded or intends to enter into a service contract with Trey Legal.

Processing personal data is any action (operation) or a set of actions (operations) committed by using or without the use of means of automatization with personal data, including the collection, recording, systemization, accumulation, storage, refinement (update, modification), extraction, use, transmission (dissimilation, providing access), depersonalization, blocking, deletion and destruction of personal data.

Within the framework of the Federal Law as of 27.07.2006 No. 152-Fz "On Personal Data" the following definitions are established:

Blocking personal data is a temporary halt to the processing of personal data (except if processing is necessary to clarify personal data).

The depersonalization of personal data is an action that makes it impossible to determine the identity of personal data to a particular subject without the use of additional information.

Providing personal data are actions aimed at disclosing personal data to a particular person or a certain number of persons.

Destruction of personal data are actions that make it impossible to recover the content of personal data in the information system of personal data and/or as a result of which the material media of personal data are destroyed.

The client’s representative is an individual whose personal data has been transferred to Trey Legal, who is a member of the Client’s management authorities; who owns or is a shareholder or member of the Client; acting on behalf of the Client on the basis of a proxy or specified in the card with samples of signatures and print of the client’s seal.

An employee is an individual who has entered into an employment contract with Trey Legal.

The dissemination of personal data is an action aimed at disclosing personal data to an unspecified number of persons.

The subject of personal data is an individual who is directly or indirectly defined by personal data.

1.1. The policy of processing personal data at Trey Legal (hereinafter — Policy) is developed in accordance with the Constitution of the Russian Federation, the Convention on the Protection of Individuals in relation to the automated processing of personal data (ETS No. 108, concluded in Strasbourg on 28.01.1981), the Labor Code of the Russian Federation of 30.12.2001 No. 197-Fz, with the changes and additions, the Federal Law of 27.07.2006 No. 152-Fz "On Personal Data" with changes and additions, Regulation 2016/679 of the European Parliament and the Council of the European Union "On the protection of individuals in the processing of personal data and on the free circulation of such data, as well as the abolition of Directive 95/ 46/EU (General Data Protection Regulations) " (adopted in Brussels on 27.04.2016), as well as in accordance with other federal laws and by-laws of the Russian Federation, defining the cases and features of the processing of personal data and ensuring the security and confidentiality of such information (hereinafter — Personal Data Legislation).

1.2. The Policy has been developed to comply with the requirements of the legislation in the field of processing and protection of personal data and is aimed at ensuring the protection of the rights and freedoms of the person and the citizen in the processing of his personal data at Trey Legal.

1.3. The Policy establishes:

1.3.1. personal data processing goals;

1.3.2. classification of personal data and subjects of personal data;

1.3.3. general principles for processing personal data;

1.3.4. key participants in the personal data processing management system;

1.3.5. basic approaches to personal data management.

1.4. Policy regulations are the basis for the organization of personal data processing at Trey Legal, including the development of internal regulatory documents of the 2nd and 3rd tier (regulations, methods, technology schemes, etc.) regulating the processing of personal data at Trey Legal.

1.5. The Policy regulations are binding on all Trey Legal’s employees having access to personal data.

1.6. The policy is an internal document of Trey Legal, it is publicly available and accessible on the official website of Trey Legal.

1.7. The Employees of Trey Legal are introduced to the Policy by mailing the policy via electronic document turnover system used at Trey Legal or by providing a paper carrier to the Employee.

2. Personal data processing goals

2.1. Trey Legal processes personal data for the purpose of:

2.1.1. concluding with the subject of personal data of any contracts and their further implementation;

2.1.2. conducting by Trey Legal actions, surveys, research;

2.1.3 providing the Subject of personal data with information about the services provided by Trey Legal, on the development of new products and services by Trey Legal; informing the Customer about the offers on products and services of Trey Legal;

2.1.4. personnel and employee accounting organization at Trey Legal;

2.1.5. attracting and selecting candidates for job at Trey Legal;

2.1.6. implementation of Trey Legal’s administrative and economic activities;

2.1.7. regulation of labor and relationships directly related with them.

3. Classification of Personal Data and Personal Data Subjects

3.1. Personal data includes any information relating to directly or indirectly defined or identified individual (Personal Data Subject) processed by Trey Legal to achieve predetermined goals.

3.2. Trey Legal does not process special categories of personal data relating to race and nationality, political views, religious and philosophical beliefs, intimate life, criminal records of individuals, unless otherwise established by the legislation of the Russian Federation.

3.3. Trey Legal has the right to process biometric personal data in order to identify customers and employees of Trey Legal while providing services and identification of employees and visitors entering the territory of Trey Legal.

3.4. Trey Legal processes the personal data of the following categories of Personal Data Subjects:

3.4.1. individuals who are Candidates;

3.4.2. individuals who are Employees and their close relatives;

3.4.3. individuals carrying out service work and having entered into a civil contract with Trey Legal;

3.4.4. individuals belonging to Trey Legal’s administration;

3.4.5. individuals representing the client’s interests (Customer Representatives);

3.4.6. individuals who have purchased or intend to purchase the services of Trey Legal;

3.4.7. non-customer individuals who have entered into or intend to enter into a contractual relationship with Trey Legal in connection with the implementation by the Trey Legal of administrative and economic activities;

3.4.8. individuals whose personal data were made public by them and their processing does not violate their rights and complies with the requirements set by the personal data legislation;

3.4.9. other individuals who have consented to the processing by Trey Legal of their personal data or individuals whose personal data must be processed by Trey Legal to achieve the objectives set forth by the international treaty of the Russian Federation.

4. General Principles for Personal Data Processing

4.1. Trey Legal processes personal data on the basis of general principles:

  • the legality of predetermined specific goals and ways of processing personal data;
  • ensuring that personal data are properly protected;
4.1.3. compliance of the purpose of processing personal data to the purposes pre-determined and stated while collecting personal data;

4.1.4. compliance of the volume, nature and ways of processing personal data to personal data processing purposes;

4.1.5. the reliability of personal data, its adequacy for processing purposes, the inadmissibility of the processing of personal data, redundant in relation to the goals stated in the collection of personal data;

4.1.6. the inadmissibility of combining databases containing personal data that is processed for purposes incompatible with each other;

4.1.7. storage of personal data in a form that allows identifying the Subject of personal data no longer than the purpose of processing it requires;

4.1.8. destruction or depersonalization of personal data upon achieving the purposes of their processing, if the term of storage of personal data is not established by the legislation of the Russian Federation, a contract, the party of which the Subject of personal data is the beneficiary or guarantor;

4.1.9. ensuring the privacy and security of the personal data being processed.

4.2. The following rights have been defined in the processing of personal data for the Personal Data Subject and Trey Legal.

4.2.1. The subject of personal data has the right to:

4.2.1.1 receive information relating to the processing of his personal data in the manner, form and time frame set by the Personal Data legislation;

4.2.1.2. require clarification of your personal data, blocking or destroying it if personal data are incomplete, outdated, inaccurate, illegally obtained, unnecessary for the stated purpose of processing or is used for purposes not previously stated in the personal data subject’s consent to the processing of personal data;

4.2.1.3. take legal measures to protect his rights;

4.2.1.4. withdraw his consent to the processing of personal data.

4.2.2. Trey Legal is entitled to:

4.2.2.1. process personal data of the Subject of personal data in accordance with the stated purpose;

4.2.2.2. request the Subject of personal data to provide the correct personal data required to execute a contract, provide a service, identify the Subject of personal data, and in other cases under the Personal Data legislation;

4.2.2.3. restrict the personal data subject’s access to personal data if the processing of personal data is carried out in accordance with the legislation in respect of anti-money laundering and financing of terrorism, the access of the Subject of personal data to his personal data violates the rights and legitimate interests of third parties, as well as in other cases, provided for by the legislation of the Russian Federation;

4.2.2.4. process public personal data of individuals;

4.2.2.5. process personal data to be published or mandatory disclosed in accordance with the Russian legislation;

4.2.2.6. entrust the processing of personal data to another person with the consent of the Subject of personal data.

5. Organization of personal data processing system management

5.1. The processing of the Personal Data Subject’s personal data is carried out with his consent to the processing of personal data, as well as without it, if the processing of personal data is necessary for the performance of a contract, the party of which the Subject of personal data is either the beneficiary or guarantor, as well as for the conclusion of a contract initiated by the Subject of Personal Data or a contract under which the Subject of personal data will be a beneficiary or guarantor or in other cases in accordance with the Personal Data legislation.

5.2. Processing of a special category of personal data relating to the health status of the Personal Data Subject is carried out with the consent of the Subject of Personal Data to process his personal data in writing, and without it, if personal data are made public by the Subject of Personal Data.

5.3. Trey Legal has the right to entrust the processing of personal data to another person with the consent of the Subject of personal data, unless otherwise provided by the federal law. This processing of personal data is carried out only on the basis of a contract concluded between Trey Legal and a third party, which must determine:

5.3.1. a list of actions (operations) with personal data to be carried out by a third party, which is processing personal data;

5.3.2. personal Data Processing goals;

5.3.3. third party responsibilities to keep the confidentiality of personal data and ensure their security in processing, as well as the requirements for the protection of processed personal data.

5.4. Access to processed personal data is available only to those employees, who require it in connection with performance of their duties and in compliance with the principles of personal responsibility.

5.5. The processing of personal data ceases when the objectives of such processing are met, as well as after the expiration of the period stipulated by law, contract, or consent of the Subject of personal data to the processing of his personal data. When the Subject of personal data revokes his consent to the processing of his personal data, Trey Legal has the right to continue processing personal data without the consent of the Subject of personal data, if such processing is provided by a contract, the party of which or the beneficiary or guarantor for which is the Subject of Personal Data, another agreement between Trey Legal and the Subject of Personal Data, or if Trey Legal is entitled to process personal data without the consent of the Subject of personal data on the grounds provided by the Federal Act of 27.07.2006 No. 152-Fz "On Personal Data" subject to changes and additions, Regulation 2016/679 of the European Parliament and the Council of the European Union "On the protection of individuals in the processing of personal data and the free circulation of such data" or other federal laws.

5.6. The processing of personal data is carried out in accordance with confidentiality, which means the obligation not to disclose to third parties and not to disseminate personal data without the consent of the Subject of personal data, unless otherwise provided by the legislation of the Russian Federation.

5.7. Trey Legal ensures the confidentiality of the personal data of the Subject of personal data on its part, on the part of its employees who have access to the personal data of individuals, and ensures the use of personal data by the above persons solely for purposes consistent with the law, contract or other agreement concluded with the Subject of personal data.

6. Final provisions

6.1. Trey Legal, as well as its officials and employees bear civil, administrative and other responsibility for the non-compliance with the principles and conditions of the processing of personal data of individuals, as well as for the disclosure or illegal use of personal data in accordance with the law of the Russian Federation.

6.2. The Policy is an internal document of Trey Legal, it is publicly available and it is subject to placement on the official website of Trey Legal.