Confidentiality policy

Approved by the order

POLICY
regarding processing personal data in
LLC «TradeSoft Company»

Kirov city, 2015

1. General Provisions

1.1. The Policy regarding processing of personal data (hereinafter referred to as the Policy) determines the policy of LLC TradeSoft Company (hereinafter referred to as the Company) regarding the processing of personal data and ensuring its security.

1.2. The Policy is developed in accordance with the legislation of the Russian Federation regarding personal data.

1.3. The aim of this Policy is to establish general procedures and methods for processing personal data and ensuring its security in the Company, which is a personal data processor.

1.4. The Policy applies to all Company processes connected with the processing of personal data.

1.5. All persons admitted to process personal data must review and follow the Policy.

1.6. The current revision of the Policy shall be made available on the website of the Company with no access restrictions and shall come into effect upon being posted.

2. Terms and Definitions

Personal data is any information that relates directly or indirectly to an identified or identifiable individual (a personal data subject).

Processing of personal data is any action (activity) or series of actions (activities) regarding personal data, including collection, recording, classification, accumulation, storage, qualification (update, modification), acquisition, use, transfer (distribution, submission, access), depersonalization, blocking, deletion, destruction of personal data.

Automatic processing of personal data is personal data processing by means of computer technology.

3. Categories of subjects whose personal data are processed by the Company

3.1. The Company lawfully processes the following data:

- personal data of the Company employees;
- personal data of the Company customers (individuals), acquired as a result of signing an agreement to which the personal data subject is a party;
- personal data of CEOs (i.e. surname, name, patronymic) of legal entities that are the Company’s customers, suppliers, or other legal entities entering into contractual relations with the Company, acquired as a result of signing the agreement.

4. Basic principles of processing personal data

4.1. Personal data are processed by the Company following the principles of:

- legality of the aims and methods of processing personal data;
- fair practices of the Company as a personal data processor, achieved by following the legal requirements of the Russian Federation regarding the processing of personal data;
- compliance of the range and scope of processed personal data, as well as the methods of processing them, with the declared aim of processing;
- precision and sufficiency, and, in some cases, relevance of personal data with regard to their declared aim of processing;
- storage of personal data for no longer than the aims of processing require, if the period for retaining personal data is not stated by law or agreement;
- impermissibility of integrating databases that store personal data processed for incompatible aims.

4.2. The Company employees admitted to process personal data are obliged to:

- know and follow the legislative provisions of the Russian Federation on the processing of personal data, as well as this Policy;
- process personal data only for the purpose of performing their work-related duties;
- keep personal data processed in the Company confidential;
- inform the Company management about actions of other people that may violate the provisions of this Policy.

4.3. Security of personal data in the Company shall be provided by following the approved measures to prevent (counteract) and eliminate security threats to personal data and to minimize potential damage, as well as measures to restore the data and the operation of personal data information systems if a threat materializes.

5. Procedure of processing personal data

5.1. The Company processes personal data with and without automation technology.

5.2. Personal data shall neither be revealed to third parties nor distributed in any other way without the consent of the personal data subject, unless otherwise provided for by the legislation of the Russian Federation.

6. Rights of the personal data subject

6.1. The personal data subject, unless otherwise provided for by the legislation of the Russian Federation, shall have the right to obtain the following information relating to the processing of their personal data:

- confirmation of the fact that the Company processes their personal data;
- the legal grounds and aims of processing personal data.

6.2. The personal data subject shall have other rights established by the Federal Law «About personal data».

7. Company responsibilities

7.1. Personal data in the Company are processed with the consent of the personal data subject, in accordance with the legislation of the Russian Federation.

7.2. In circumstances provided for by the legislation of the Russian Federation on personal data, the Company shall provide the personal data subject or their representative, whose authority has been duly established, with information relating to the processing of the subject's personal data.

7.3. The Company shall bear other obligations established by the Federal Law «About personal data».

8. Measures to ensure fulfilment of duties and responsibilities to provide personal data security

8.1. The Company undertakes the following measures for personal data security:

- detects security threats to personal data processed in personal data information systems;
- applies the organizational and technical measures for securing personal data processed in personal data information systems that are required to fulfill the personal data security requirements, fulfilment of which guarantees the levels of personal data security established by the Government of the Russian Federation;
- assesses the effectiveness of the measures taken to guarantee personal data security prior to launching a personal data information system;
- undertakes measures to prevent unauthorized access to personal data;
- restores personal data modified or destroyed due to unauthorized access to them;
- establishes rules for access to personal data processed in the information system;
- has the Company employees who process personal data and provide personal data security review the documents determining the Company policy regarding the processing of personal data.

9. Liability

9.1. Persons guilty of violating the regulations on the acquisition, processing and security of personal data processed in the Company shall be held responsible in accordance with the current legislation of the Russian Federation.