Personal Data Processing Policy Regarding Personal Data Subjects of DoubleGIS LLC
1. GENERAL PROVISIONS
1.1. Document Purpose
1.1.1. To maintain its business reputation and ensure compliance with federal legislation, in accordance with the requirements of Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data", DoubleGIS LLC regards ensuring the legality of Personal Data processing in the business processes of DoubleGIS LLC and ensuring an appropriate level of security of Personal Data processed at DoubleGIS LLC as its most important tasks.
1.1.2. This Personal Data Processing Policy (hereinafter referred to as the Policy) is developed in accordance with Clause 2 Part 1 Article 18.1 of Federal Law of the Russian Federation No. 152-ФЗ dated 27.07.2006 "On Personal Data" and determines the basic principles, goals, conditions and methods of Personal Data processing, rights and obligations of DoubleGIS LLC in the Personal Data processing, rights of Personal Data Subjects, as well as measures implemented at DoubleGIS LLC to ensure the security of Personal Data in the implementation of the activities established in the Charter.
1.1.3. The provisions of this Policy serve as the basis for the development of local acts regulating the Personal Data processing in DoubleGIS LLC.
1.2. Regulatory References
1.2.1. Federal Law of the Russian Federation No. 152-ФЗ dated 27.07.2006 "On Personal Data" (hereinafter referred to as the Federal Law "On Personal Data").
1.2.2. Federal Law No. 149-ФЗ dated 27.07.2006 "On Information, Information Technologies and Information Protection."
1.2.3. Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012 "On Approval of Requirements for Personal Data Protection when Processing them in Personal Data Information Systems."
1.2.4. Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Tools."
1.3. Scope
1.3.1. This Policy applies to all processes of DoubleGIS LLC within which Personal Data is processed, both with the use of computer means, including the use of information and telecommunication networks, and without the use of such means.
1.4. Approval and Revision
1.4.1. This Policy shall enter into force upon its approval by the General Director of DoubleGIS LLC and shall be valid for an indefinite period.
1.4.2. DoubleGIS LLC shall review the provisions of this Policy and update them as necessary, but at least once every three years, as well as:
· When changing the requirements of the legislation of the Russian Federation to the procedure for processing and ensuring the security of Personal Data;
· Based on the results of inspections of the Privacy Authority, which revealed inconsistencies with the requirements of the legislation of the Russian Federation to ensure the security of Personal Data;
· In case of revealing significant violations based on the results of internal checks of the Personal Data protection system;
· When changing the processes and technologies of processing of Personal Data in DoubleGIS LLC.
1.4.3. When making changes, the date of the last revision shall be indicated. The new edition shall be introduced by the order of the General Director of DoubleGIS LLC.
1.4.4. Unrestricted access to the Policy shall be provided by publishing it on the website of DoubleGIS LLC on the Internet.
1.4.5. The terms used in this Policy with a capital letter have the meanings specified in Section 2 hereof, unless otherwise specified in this Policy.
2. TERMS, DEFINITIONS AND ABBREVIATIONS
2.1. Affiliate shall mean (a) in relation to a person who is not an individual, any other person directly or indirectly Controlling, Controlled or under common Control with DoubleGIS LLC; (b) in relation to an individual, a close relative of such person, manager of a trust (trustee), the beneficiary of which is such a person or a close relative of such a person, and any person who is not an individual, which is directly or indirectly Controlled by such person or a close relative of such person, or which is under their general Control. For the purposes of this definition, Control shall mean the possibility in relation to a person or the right of another person (individual or legal entity) directly or indirectly (through a person or several persons), independently or jointly with Affiliated Persons, based on a corporate agreement, a property trust agreement, or as a result of other transactions, or for other reasons, to dispose of more than 50% (fifty percent) of the total number of votes attributable to voting shares (stakes) constituting the authorized (joint) capital of the Controlled Entity; and/or appoint or terminate the powers of the sole executive body and/or more than 50% (fifty percent) of the collegial executive body of the Controlled Entity and/or elect more than 50% (fifty percent) of the members of the board of directors (supervisory board), or other collegial body of the Controlled Entity; and/or determine the decisions or actions of such person on all or a significant part of the issues (in fact or in law). The terms "Controlled", "Controls" and "Controlling" shall be interpreted accordingly.
2.2. Blocking of Personal Data is a temporary termination of Personal Data processing (except in cases where processing is necessary to clarify Personal Data).
2.3. Other Data shall mean data that is not Personal Data and is required for the operation of 2GIS Services.
2.4. Personal Data Information System or PDIS shall mean an aggregation of Personal Data contained in the databases and the IT technology and technical means ensuring processing of Personal Data.
2.5. Counterparty shall mean a legal entity, individual entrepreneur, individual who has entered into or is about to enter into any contract (agreement) with the Operator for own benefits or on behalf of the legal entity/individual entrepreneur/individual it represents in accordance with the requirements of the current legislation.
2.6. Personal Data Anonymization shall mean actions resulting in the impossibility to attribute Personal Data to a specific Personal Data Subject without additional information.
2.7. Personal Data Processing shall mean any action (operation) or a set of actions (operations) performed with or without the use of automation tools with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, destruction of Personal Data.
2.8. The Operator or DoubleGIS LLC or the Administration shall mean DoubleGIS Limited Liability Company, independently or jointly with other persons arranging and/or carrying out the processing of Personal Data, as well as determining the purposes of processing of Personal Data, the composition of Personal Data to be processed, actions (operations) performed with Personal Data.
2.9. Partner shall mean a legal entity with which DoubleGIS LLC has entered into agreements as part of implementation of a model for selling advertising space on 2GIS sites (in the 2GIS Service) in different territories in the absence of its own business units in these territories.
2.10. Personal Data shall mean any information relating directly or indirectly to an identified or identifiable individual (Personal Data Subject), including surname, name, patronymic, year, month, date and place of birth, address, family, social and property status, education, position, profession, income, image, phone number and/or e-mail address of the Personal Data Subject, data automatically transmitted to the Operator using the software installed on the device of the Personal Data Subject (in case it is possible to identify the Subject based on this data), including the IP address obtained by the Operator as a result of contractual or other civil law relations with third parties, as well as in the usual course of business by the Operator (including Personal Data of the Employee and/or the Counterparty).
2.11. User shall mean a capable individual who uses or intends to use 2GIS Services for own benefits or on behalf of legal entities and/or individual entrepreneurs, the information on which is available in the Directory of 2GIS Organizations.
2.12. Employee shall mean an individual who has an employment relationship with the Operator.
2.13. Dissemination of Personal Data shall mean actions aimed at disclosure of Personal Data to an indefinite circle of persons.
2.14. 2GIS Services shall mean a set of 2GIS software products that include Digital Plans and/or Directories of Organizations, as well as each computer program or database separately included in them or used together with them, and hardware, access to which is provided to users using the website; computer programs that combine reference information on the range, prices, discounts, promotions and other information of manufacturers and/or sellers of goods/works/services. For example, websites in the domains flamp.ru, 2gis.ru, 2gis.kz, 2gis.kg, 2gis.uz, 2gis.az, 2gis.com, and 2GIS mobile application.
2.15. Applicants shall mean candidates for filling vacant positions.
2.16. Directory of Organizations shall mean a database of an electronic directory, which includes information on names, location, phone numbers, e-mail addresses and websites, types of goods produced and sold (works performed, services rendered) and other information on organizations and individual entrepreneurs located within a certain territory, coinciding with the boundaries of the Digital Plan combined with it, as well as other organizations at the discretion of DoubleGIS LLC.
2.17. Personal Data Subject (Subject) shall mean an individual who has Personal Data directly or indirectly determining it.
2.18. Destruction of Personal Data shall mean actions as a result of which it becomes impossible to restore the content of Personal Data in the information system of Personal Data and/or as a result of which the tangible media with personal data are destroyed.
2.19. Digital Plan shall mean an electronic map database that includes geographic information on geographic objects and settlements within a territory limited by certain geographical coordinates.
3. PERSONAL DATA PROCESSING PRINCIPLES

3.1. When organizing the processing of Personal Data of Personal Data Subjects, DoubleGIS LLC shall be guided by the following principles:
· legality of the purposes and methods in Personal Data processing;
· good faith and fairness;
· processing of only those Personal Data that meet the purposes of processing thereof;
· ensuring the Personal Data accuracy, adequacy, and where appropriate, relevance regarding the purposes of processing thereof. The Operator shall take the necessary measures or ensure they are taken to remove or clarify incomplete or inaccurate data;
· compliance of the purposes of Personal Data processing with the goals set out and declared at the time of Personal Data collection, as well as with the powers of the Operator;
· compliance of the content and volume of the processed Personal Data, methods of processing of Personal Data with the stated purposes of processing. The processed Personal Data is not excessive in relation to the stated purposes of processing;
· reliability of Personal Data, their sufficiency for processing, the inadmissibility of Personal Data Processing that is excessive in relation to the purposes stated when collecting Personal Data;
· avoidance of database combination, where such databases contain Personal Data that may be processed for mutually incompatible purposes;
· Personal data media shall be stored in a form allowing identification of a Personal Data Subject for no longer than required by the purposes of their processing. Personal Data shall be subject to destruction upon achievement of the purposes of their processing or in case there is no more need to achieve them.
4. PURPOSES OF PERSONAL DATA PROCESSING AND PERSONAL DATA COMPOSITION FOR EACH CATEGORY OF PERSONAL DATA SUBJECTS
4.1. For each category of Personal Data Subjects, the purposes of Personal Data processing, categories and list of processed personal data, categories of subjects whose personal data are processed, methods, terms of their processing and storage, procedure for destruction of personal data shall be determined.
5. PERSONAL DATA PROCESSING
5.1. For ensuring the rights and freedoms of a person and a citizen, the following requirements shall be observed by the Operator when processing Personal Data:
· Personal Data may be processed solely to ensure compliance with the purposes specified in Section 4 hereof;
· Personal Data Subjects or their legal representatives are entitled to familiarize themselves with the Operator’s documents establishing the procedure for the processing of Personal Data of Subjects, as well as their rights and obligations in this area;
· Personal Data Subjects shall not waive their rights to preserve and protect Personal Data.
5.2. The Subject shall independently decide on the provision of its Personal Data and give its consent to their processing by the Operator.
5.3. In case of incapacity of the Personal Data Subject, all Personal Data of the Subject shall be obtained from its legal representatives. The legal representative shall independently decide on the provision of Personal Data of its ward and give its consent to their processing by the Operator.
5.4. Consent to the Personal Data processing may be revoked by the Personal Data Subject based on its written request or in the form of an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation, as well as in other ways provided for by the legislation of the Russian Federation. In the case specified in Clause 5.3 hereof, the consent may be revoked by the legal representative of the Personal Data Subject.
5.5. In cases where the Operator can obtain the necessary Personal Data of the Subject only from a third party, the Subject shall be notified in advance and shall give its consent. In the notification, the Operator shall inform about the purposes, methods and sources of obtaining Personal Data, as well as about the nature and list of Personal Data to be received and the possible consequences of the Subject’s refusal to consent to their receipt.
5.6. If Personal Data are not received from the Personal Data Subject, the Operator, except for the cases provided for in Clause 5.7., shall provide the following information to the Personal Data Subject:
· Name or surname, name, patronymic and address of the operator or its representative;
· Purpose of Personal Data processing and its legal basis;
· List of Personal Data;
· Intended users of Personal Data;
· Rights of a Personal Data Subject;
· Source of Personal Data.
5.7. The Operator is released from the obligation to provide the Personal Data Subject with the information specified in Clause 5.6. in cases where:
· The Personal Data Subject is notified of the processing of its Personal Data by the Operator;
· Personal Data are obtained by the Operator based on a federal law or in connection with the performance of an agreement to which the Personal Data Subject is a party, or a beneficiary, or a guarantor;
· Personal Data permitted by the Personal Data Subject for dissemination shall be processed in compliance with the prohibitions and conditions provided for in Article 10.1 of Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data";
· The Operator shall process Personal Data for statistical or other research purposes based on anonymized data, if this does not violate the rights and legitimate interests of the Personal Data Subject;
· Provision of the above information to the Personal Data Subject violates the rights and legitimate interests of third parties.
5.8. The Operator shall not be entitled to receive and process Personal Data of the Subject relating to race, nationality, political views, religious or philosophical beliefs, intimate life, its biometric data, except as provided by Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data", as well as Personal Data of the Employee about its membership in public associations or its trade union activities, except as provided by the Labor Code of the Russian Federation or other federal laws. It is prohibited to request information about the health status of the Employee, except for the information related to the issue of the Employee’s ability to perform the labor function.
5.9. When making decisions affecting the interests of the Employee, the Operator shall not rely on Personal Data obtained exclusively as a result of their automated processing or using electronic means of delivery.
5.10. Personal Data received by DoubleGIS LLC shall be stored on the following types of media:
· Hard copies (including personal files, employment contracts, Employees' work record books);
· Electronic media (including corporate automated information systems).
5.11. Personal Data of Subjects shall be processed in a mixed way:
· Non-automated method of Personal Data processing;
· Automated method of Personal Data processing (using a personal computer and special software products).
5.12. Personal Data shall be processed in compliance with the procedure provided for by Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data", Resolution of the Government No. 687 dated September 15, 2008 "On Approval of the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Tools" and Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for Personal Data Protection when Processing them in Personal Data Information Systems."
5.13. Documents containing Personal Data shall be confidential.
6. STORAGE OF PERSONAL DATA
6.1. Personal Data may be stored in the following ways:
· In electronic form:
— in information systems/databases of DoubleGIS LLC;
— on service computer facilities;
— on external computer (electronic) media.
· In hard copy:
— in the premises of business units that store tangible media of Personal Data, in specially designated areas;
— in the archive in accordance with the legislation of the Russian Federation on archives.
6.2. The Operator shall store Personal Data for the following periods:
· Personal Data of Employees shall be stored during the term of employment contracts with Employees and for 6 years following the date of termination of employment relations;
· Personal Data of relatives of Employees shall be stored until the purposes of Personal Data processing are achieved;
· Personal Data of Applicants shall be stored for 10 years;
· Personal Data of Employees of Partners and Affiliates shall be stored during the term of the employment contract with the Partner or Affiliate;
· Personal Data of Affiliates (when the Affiliate is a Personal Data Subject) shall be stored until the purposes of Personal Data processing are achieved;
· Personal Data of Counterparties, employees and/or representatives of Counterparties of DoubleGIS LLC shall be stored within the term of the relevant agreement and for 10 years after its termination unless a shorter period is agreed by the parties to the agreement separately;
· Personal Data of Users shall be stored for the entire period of use of the account profile/Personal Account by the User and after its deletion within the period determined in accordance with Federal Law No. 149-ФЗ dated 27.07.2006 "On Information, Information Technologies and Information Protection" as well as until achieving the purposes of Personal Data processing or until withdrawal of consent to the Personal Data processing by the User and within the period determined in accordance with Law No. 149-ФЗ;
· Personal Data of members of the management bodies of DoubleGIS LLC shall be stored for 5 years after the member leaves the management body.
6.3. If a different, longer period of storage of any category of Personal Data is provided in accordance with the requirements of the applicable law, such period shall be applied. Upon expiration of the retention period, the data will be destroyed in the manner prescribed by Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data."
6.4. Personal Data of Subjects shall be stored by business units of the Operator in accordance with the list of Personal Data (see Section 4 hereof) and the list of Personal Data Information Systems approved by the Operator (see Annex 1).
6.5. Personal Data of Subjects are mainly stored on electronic media in electronic form in personal computers connected to the local computer network of the Operator. Access to electronic databases is limited by password.
6.6. Access to paper and electronic media of Personal Data shall be granted only to those Employees who need it to perform their job duties.
6.7. DoubleGIS LLC shall ensure the necessary organizational and technical measures to protect Personal Data from unauthorized or accidental access thereto, destruction, modification, blocking, copying, distribution of Personal Data, as well as from other illegal actions.
6.8. Personal Data of Subjects may be transferred via the Operator’s internal network using technical and software means of information protection, with access only to Employees who are allowed to work with Personal Data of Subjects and only to the extent necessary for these Employees to perform their job duties.
6.9. Subdivisions of DoubleGIS LLC responsible for HR administration shall maintain personal files of Employees containing Employees' Personal Data and other information related to the employment of the Employees. Along with copies of documents and personal statements, a questionnaire completed by the Employee shall be attached to the personal file of the Employee. Personal files, employment contracts and work record books of Employees shall be stored in the premises of the HR department in fireproof cabinets (safe boxes). Responsibility for the storage of these documents shall be imposed on the head of the HR department.
6.10. Personal Data of Employees on paper shall be stored in printed form in folders, bound and numbered by pages in a specially designated section of the safe box (or cabinets), which provides protection against unauthorized access.
6.11. Access to Personal Data of Employees on paper shall be provided in the manner prescribed for in Section 7 hereof.
6.12. Subdivisions of the Operator storing Personal Data on paper shall ensure their protection against unauthorized access and copying in accordance with the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Tools, approved by Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008.
6.13. Personal Data shall be stored in a form allowing identification of a Personal Data Subject for no longer than allowed in accordance with Personal Data processing purposes unless the storage period for Personal Data is established by Federal Law No. 152-ФЗ "On Personal Data" or the relevant agreement. The processed Personal Data shall be subject to destruction upon achievement of the purposes of their processing or in case there is no more need to achieve them unless otherwise provided for by federal law.
6.14. Documents containing Personal Data of Subjects shall be stored within the terms of storage of these documents established by the current regulatory or local acts. Upon expiration of the established storage period, the documents shall be destroyed.
7. INTERNAL ACCESS TO PERSONAL DATA
7.1. Employees of the Operator who are allowed to work with Personal Data of Subjects shall have access to Personal Data of Subjects. The job duties of these categories of employees include a clause on maintaining the confidentiality of processed information.
7.2. When providing access to Personal Data, the Operator shall comply with the following requirements:
· Allow access to Personal Data only to specially authorized persons, while these persons should have the right to receive only those Personal Data that are necessary to perform specific functions;
· Not request information about the health status of the Employee of DoubleGIS LLC, except for the information related to the issue of the Employee’s ability to perform the labor function.
7.3. Access to Personal Data shall be provided to the Employee of DoubleGIS LLC in accordance with an order on the appointment of officials who need access to Personal Data to perform their functional duties, approved by the General Director of DoubleGIS LLC. An annex to this order shall define a list of positions that directly use Personal Data for work-related purposes, which are entitled to process only those Personal Data that they need to perform their specific functions in accordance with the job description of these persons.
7.4. Heads of business units of the Operator shall have access to Personal Data of Employees of the relevant business units by administrative and functional subordination.
7.5. Other Employees of DoubleGIS LLC shall have access to Personal Data of other Employees in accordance with the procedure established by the current legislation and these Provisions.
7.6. When an employee has access to information systems/databases, he/she shall be provided with a minimum set of access rights as part of the role assigned to the user. Information systems implement control of user access to Personal Data.
7.7. The employee’s access to the processed Personal Data shall be terminated in case of absence (elimination) of production necessity, changes in functional and job duties, long leave, or dismissal of the employee. For proper organization of the production process and ensuring optimal interaction between units and individual Employees, all employees of DoubleGIS LLC shall have access to the Planeta information system posted on the corporate website planeta.2gis.ru/, containing the following information about the Employees:
· name, patronymic, surname;
· date of birth;
· work phone number;
· mobile phone number;
· corporate e-mail address;
· personal e-mail address;
· addresses of account profiles in social media;
· name (user name) in the software products used by the Employee for communication;
· office (place of work identifier);
· position held;
· company (company of the employer/represented person);
· photographic images;
· city of location of the employee;
· country of location of the employee;
· hobbies, interests of the employee.
7.8. Employees of DoubleGIS LLC receiving Personal Data shall:
· comply with the requirements of these Provisions to ensure the protection of Personal Data;
· suppress the actions of others that may lead to the disclosure of Personal Data;
· use Personal Data only for the performance of functional duties;
· use in its work only those Personal Data that are really necessary for the full performance of their functional duties;
· when drawing up documents containing Personal Data, be limited to the minimal, only necessary, information and the number of copies;
· arrange documents containing Personal Data in such a way as to exclude the possibility of familiarization with them to other persons, including those admitted to such information, but not directly related to them;
· immediately report the loss or shortage of documents containing Personal Data to their functional supervisor;
· refuse to provide Personal Data to third parties without the written permission of DoubleGIS LLC or its authorized person;
· in case of dismissal, submit to the functional supervisor all official documents containing Personal Data (paper, electronic media) that have been at their disposal in connection with the performance of functional duties while working at DoubleGIS LLC.
7.9. The Personal Data Subject, data of which are processed by DoubleGIS LLC, shall be entitled to have free access to its Personal Data, to receive copies of its Personal Data (except for cases provided for by federal law) under its written request.
7.10. DoubleGIS LLC shall inform the Personal Data Subject or its legal representative on the availability of Personal Data relating to the relevant Personal Data Subject in the manner prescribed by Federal Law No. 152-ФЗ dated July 27, 2006 "On Personal Data", as well as provide the possibility of familiarization with them when applying to the Personal Data Subject or its legal representative, or within ten business days from the date of receipt of the request of the Personal Data Subject or its legal representative. The specified period may be extended but for no more than five business days if the Operator sends a reasoned notice to the Personal Data Subject indicating reasons for extending the period for providing the requested information.
8. PERSONAL DATA TRANSFER
8.1. When transferring Personal Data of the Subject, the Operator shall comply with the following requirements:
· not disclose Personal Data of the Subject to a third party without the proper consent of the Subject or its legal representative, except for cases when it is necessary to prevent a threat to the life and health of the Subject, as well as in cases provided for by the current legislation;
· not disclose Personal Data of the Subject for commercial purposes without its proper consent;
· transfer Personal Data of the Subject to representatives of the Subject in the manner prescribed by the current legislation, and limit this information only to those Personal Data of the Subject that are necessary for the performance of functions by these representatives;
· warn the persons receiving Personal Data of the Subject that these data can be used only for the purposes for which they are communicated, and require these persons to confirm that this rule is observed.
8.2. Persons receiving Personal Data of the Subject shall comply with the confidentiality requirements.
8.3. All information on the transfer of Personal Data of the Subject shall be recorded in the Logs of Appeals and Requests of the Personal Data Subject, the Privacy Authority, as well as third parties, and participants in legal relations to control the legality of the use of this information by the persons who have received it. The Logs record information on the person who has sent the request, the date of Personal Data transfer or the date of notification of the refusal to provide them, as well as the Personal Data that have been transferred.
8.4. The Operator shall transfer Personal Data of Subjects to third parties only with their proper consent, except in cases where:
· the transfer is necessary to protect the life and health of the Subject or other persons and obtaining its consent is impossible;
· at the request of the bodies of inquiry, investigation and court in connection with the investigation or trial;
· Personal Data is transferred in the context of fulfilling the contract to which the Personal Data Subject is a party or beneficiary or guarantor, except for cases requiring the consent of the Personal Data Subject;
· in other cases provided for by federal laws.
8.5. In the case of a written consent of the Subject to the transfer of its Personal Data to third parties, the consent shall include:
· surname, name, patronymic, address of the Subject, series and number of the primary identity document, information on the date of issue of the specified document, and the issuing authority;
· name and address of the Operator receiving the consent of the Personal Data Subject;
· purpose of the processing of Personal Data of the Subject by a third party;
· list of Personal Data for the transfer of which consent is given by the Subject;
· list of actions of a third party with Personal Data for the performance of which consent is given, and a general description of the methods of Personal Data processing used by the third party;
· period during which consent is valid, as well as the procedure for its withdrawal.
8.6. In case of death of the Subject, consent to the processing of its Personal Data shall be given in writing by the Subject’s heirs unless such consent has been given by the Employee during its lifetime.
8.7. The Employee’s consent to the dissemination of its Personal Data is not required in case of anonymization of the Personal Data.
8.8. Information relating to the Personal Data of the Employee may be provided to state and local authorities within the limits of their powers established by federal laws. The basis for the transfer of Personal Data of the Employee shall be a written request from an official of the relevant state authority or local self-government authority motivated by the requirements of the legislation or a court decision, signed by the head of this authority, and certified by the official seal.
8.9. Relatives and family members of the Employee do not have access to its Personal Data.
8.10. If the person requesting the provision of Personal Data is not authorized by federal law, this Policy, or other local regulations of DoubleGIS LLC to receive Personal Data of the Subject, or there is no proper consent of the Subject to provide its Personal Data, the Operator shall refuse provision of Personal Data of the Subject to the specified person.
8.11. All confidentiality measures in the collection, processing and storage of Personal Data of the Subject shall apply to both paper and electronic (automated) media.
8.12. If DoubleGIS LLC uses the services of third parties under concluded agreements (or other grounds), and by virtue of these agreements they should have access to Personal Data processed by DoubleGIS LLC, the relevant Personal Data shall be provided to DoubleGIS LLC only after signing an agreement on non-disclosure of Personal Data with these persons or including clauses on non-disclosure of Personal Data, including those providing for the protection of Personal Data, and other clauses provided for by the Regulations on Contractual Work of DoubleGIS, LLC.
8.13. All standard forms of contracts of DoubleGIS LLC shall contain provisions on the Personal Data processing to eliminate the risk of illegal processing of Personal Data by the Counterparty.
8.14. In case of concluding an expense/income generating contract with the condition on the use of Personal Data of contact persons outside the term of the contract, this condition shall be included in the contract.
8.15. If DoubleGIS LLC has instructed a processor to process Personal Data, a provision thereon shall be included in the agreement.
8.16. A Data Processor on behalf of DoubleGIS LLC shall comply with the requirements provided for by Federal Law No. 152-ФЗ dated July 27, 2006 "On Personal Data."
8.17. The instruction shall specify the list of Personal Data, the list of actions (operations) with Personal Data to be performed by the Data Processor on behalf of DoubleGIS LLC, and the purpose of their processing. It shall establish the obligation of such person to maintain the confidentiality of Personal Data and observe the requirements provided for by Part 5 Article 18 and Article 18.1 of Federal Law No. 152-ФЗ dated July 27, 2006 "On Personal Data"; the obligation of such person to provide, at the request of DoubleGIS LLC during the term of the instruction, including prior to processing of Personal Data, documents and other information confirming the adoption of measures and compliance with the requirements of this Clause to fulfill the instructions of DoubleGIS LLC; and the obligation to ensure the security of Personal Data during their processing. The instruction shall also specify the requirements for the protection of processed Personal Data in accordance with Article 19 of the Federal Law "On Personal Data", including the requirement to notify DoubleGIS LLC of the cases provided for in Part 3.1 Article 21 of the Federal Law "On Personal Data."
8.18. In case of Personal Data transfer, a provision thereon shall be included in the agreement.
8.19. Cross-border transfer of Personal Data. Prior to the start of cross-border transfer of Personal Data, DoubleGIS LLC shall determine:
· Purpose of cross-border transfer of Personal Data;
· Legal grounds for cross-border transfer of Personal Data;
· Categories of Personal Data Subjects;
· Composition of Personal Data transferred;
· List of foreign countries under the jurisdiction of which foreign recipients of Personal Data (public authorities, legal entities or individuals) are located.
8.20. DoubleGIS LLC shall notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) of the implementation of cross-border transfer of Personal Data.
8.21. Prior to filing the notification provided for in Clause 8.20, DoubleGIS LLC shall receive from the authorities of a foreign state, foreign individuals, foreign legal entities to which the cross-border transfer of Personal Data is planned, the following information:
  1. Information on the measures taken to protect the transferred Personal Data and on the conditions for the termination of their processing;
  2. Information on the legal regulation on Personal Data of a foreign state, under the jurisdiction of which there are the authorities of a foreign state, foreign individuals, foreign legal entities to which cross-border transfer of Personal Data is planned (if it is planned to carry out cross-border transfer of personal data to the authorities of a foreign state, foreign individuals, foreign legal entities under the jurisdiction of a foreign state that is not a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and is not included in the list of foreign states that provide adequate protection of the rights of Personal Data Subjects);
  3. Information on the authorities of a foreign state, foreign individuals, foreign legal entities to which the cross-border transfer of personal data is planned (name or surname, name and patronymic, as well as contact phone numbers, postal addresses and e-mail addresses).
8.22. Upon receipt of the information specified in Clause 8.21, DoubleGIS LLC shall assess compliance with the confidentiality of Personal Data and ensure the security of Personal Data during their processing.
8.23. The transfer or instruction for processing of Personal Data to a foreign recipient shall be performed subject to the conditions and restrictions established by Law No. 152-ФЗ and regulatory legal acts of the Government of the Russian Federation.
9. BLOCKING OF PERSONAL DATA
9.1. Personal Data of a particular Personal Data Subject shall be blocked in all Personal Data Information Systems of DoubleGIS LLC, including archives of databases containing such Personal Data.
9.2. Personal Data in DoubleGIS LLC shall be blocked:
· In case of unlawful processing of Personal Data when applying/sending a request of the Personal Data Subject or its representative or the Privacy Authority from the moment of such request or receipt of the request for the verification period;
· If it is not possible to destroy Personal Data in a timely manner, until their destruction.
9.3. After eliminating the identified illegal processing of Personal Data, DoubleGIS LLC shall remove the blocking of Personal Data. The decision to block and remove the blocking of Personal Data shall be made by the person responsible for the processing of Personal Data in DoubleGIS LLC.
10. DESTRUCTION OF PERSONAL DATA
10.1. Personal data shall be stored for the period specified in Section 6 hereof and shall be subject to destruction upon achievement of the purposes of their processing, expiration of the period or in case there is no more need to achieve them.
10.2. Documents containing Personal Data shall be stored and destroyed in the manner prescribed by this Policy and the archival legislation of the Russian Federation.
10.3. The destruction of documents containing Personal Data shall be performed:
· in case of withdrawal of the consent of the Personal Data Subject, if there are no other legal grounds for the processing of Personal Data;
· upon achievement of the purposes of their processing in accordance with the nomenclature of cases and documents or in case there is no more need to achieve them;
· when Personal Data are no longer required to achieve the purposes for which they have been obtained;
· upon reaching the end of the storage period for Personal Data specified in the relevant agreement of the parties concerned;
· when the period of consent to the processing of Personal Data has expired;
· in case of detection of illegal processing of Personal Data within a period not exceeding ten business days from the date of detection of illegal processing of Personal Data.
10.4. The destruction of Personal Data on computer media shall be performed by means of the information system (operating system, database management system).
10.5. Tangible media with Personal Data shall be destroyed in accordance with the document "Regulations on the Organization of Handling of Protected Personal Data Media."
10.6. The Company shall document the facts of destruction of Personal Data in the PDIS and on tangible media in accordance with the Requirements for Confirmation of the Destruction of Personal Data approved by Order of Roskomnadzor No. 179 dated 28.10.2022 (hereinafter referred to as Order No. 179), by means of the Certificate on the Destruction of Personal Data in Databases, on Tangible (Paper, Electronic) Media as per Form (hereinafter referred to as the Certificate).
10.7. If the Company confirms the destruction of Personal Data in the PDIS, the Certificate shall also be accompanied by an export from the event log in the PDIS.
10.8. If the export from the event log in the PDIS does not allow specifying certain information provided for by Order No. 179, it is allowed to indicate such information in the Certificate.
11. PROTECTION OF PERSONAL DATA IN INFORMATION SYSTEMS
11.1. Methods and techniques of protecting Personal Data in the information systems of the Operator shall comply with the requirements established by:
· Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data";
· Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for Personal Data Protection when Processing them in Personal Data Information Systems";
· Order of the Federal Service for Technical and Export Control No. 21 dated February 18, 2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems";
· Other requirements of the legislation on Personal Data.
11.2. When processing Personal Data, the necessary legal, organizational and technical measures shall be taken to protect Personal Data from unauthorized or accidental access thereto, destruction, modification, blocking, copying, provision, distribution of Personal Data, as well as from other illegal actions.
11.3. Personal Data during their processing in the Personal Data Information Systems shall be exchanged through communication channels, the protection of which is ensured by the implementation of appropriate organizational measures and/or by the use of technical means.
11.4. Deployment of Personal Data Information Systems, special equipment and security of the premises in which work with Personal Data is carried out, and the organization of a security regime in these premises shall ensure the safety of Personal Data carriers and information protection means, as well as exclude the possibility of uncontrolled entry or presence of unauthorized persons in these premises.
11.5. For the implementation of measures to protect Personal Data during their processing in Personal Data Information Systems, protection systems may include the following subsystems: access control; registration and accounting; ensuring integrity; anti-virus protection; ensuring the security of interconnectivity; security analysis; intrusion detection.
11.6. For ensuring the security of Personal Data, if necessary, speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, media on paper, magnetic, magnetic-optical and other basis shall be protected.
11.7. For ensuring the security of Personal Data during their processing in the Personal Data Information Systems, monitoring of compliance with the terms of use of information protection means provided for by the operational and technical documentation, as well as the investigation and drawing up conclusions on the facts of non-compliance with the conditions of access to Personal Data or the use of information protection means, which may lead to breaches of the confidentiality of Personal Data, shall be organized.
11.8. If violations of the procedure for providing Personal Data are detected, the provision of Personal Data to users of the Personal Data Information System who have received them in violation of the established procedure shall be immediately suspended until the causes of the violations are identified and eliminated.
11.9. DoubleGIS LLC also applies the following measures to ensure the security of Personal Data:
· The harm that may be caused to the Personal Data Subject in case of violation of the legislation of the Russian Federation on Personal Data shall be assessed; the ratio of this harm and the measures taken to ensure compliance with the legislation of the Russian Federation on Personal Data shall be assessed;
· The employees of DoubleGIS LLC who are directly engaged in processing of Personal Data shall be familiarized with the provisions of the laws of the Russian Federation on Personal Data, including the requirements for protection of Personal Data, documents defining the policy of DoubleGIS LLC on processing of Personal Data, local acts on processing of Personal Data, and/or training for these employees shall be conducted;
· Threats to the security of Personal Data during their processing in Personal Data Information Systems have been identified;
· The effectiveness of efforts made to ensure the security of Personal Data shall be assessed before commissioning the Personal Data Information System;
· Measures taken to ensure security of Personal Data and the level of protection of Personal Data Information Systems shall be controlled;
· In cases and in the manner provided for by the legislation on Personal Data, interaction shall be ensured with the Privacy Authority of the Russian Federation in case of unlawful or accidental transfer (provision, distribution, access) of personal data, resulting in a violation of the rights of Personal Data Subjects, as well as, if applicable, with the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing it on computer incidents that resulted in the illegal transfer (provision, distribution, access) of Personal Data.
11.10. Responsibility for the organization of protection of Personal Data in the Personal Data Information Systems shall be imposed on the security and information technology departments.
12. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS AND THE OPERATOR
12.1. For ensuring the protection of Personal Data, Subjects shall be entitled to:
· receive full information about their Personal Data and the processing of these data (including automated);
· exercise free access to their Personal Data free of charge, including the right to receive copies of any record containing Personal Data of the Subject, except as provided by law;
· demand the exclusion or correction of incorrect or incomplete Personal Data, as well as data processed in violation of the law;
· if the Operator refuses to exclude or correct Personal Data of the Subject, declare in writing its disagreement with provision of appropriate justification;
· supplement Personal Data of an evaluative nature with a statement expressing its own point of view;
· require the Operator to notify all persons who have previously been provided with incorrect or incomplete Personal Data of the Subject of all changes or exceptions thereto;
· appeal in court any illegal actions or omissions of the Operator, or its authorized person in the processing and protection of Personal Data of the Subject;
· exercise other rights provided for by the legislation on Personal Data.
12.2. For protection of Personal Data of the Subjects, the Operator shall:
· at its own expense ensure the protection of Personal Data of the Subject from their unlawful use or loss in the manner prescribed by the legislation of the Russian Federation;
· upon request, familiarize the Personal Data Subject or its legal representatives with this Policy and its rights on Personal Data protection, as well as provide it with full information about its Personal Data and the processing of these data;
· transfer Personal Data of the Subject only in accordance with this Policy and the legislation of the Russian Federation, as well as other applicable legislation;
· perform other obligations provided for by the legislation on Personal Data.
12.3. Protection of information containing Personal Data means the adoption by the Operator of legal, organizational and technical measures aimed at:
· ensuring protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution as well as from other illegal actions in relation to such information;
· confidentiality of restricted information;
· exercising the right to access information.
12.4. The Personal Data protection system includes organizational and/or technical measures determined subject to the current threats to the security of Personal Data and information technologies used in information systems in accordance with Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for Personal Data Protection when Processing them in Personal Data Information Systems."
12.5. For ensuring the security of Personal Data of Subjects, the Operator shall take the following measures during manual processing:
Places of storage of Personal Data of the Subjects shall be determined, which shall be equipped with the following protection means:
· specially equipped cabinets shall be protected from unauthorized access in the office of the relevant department;
· premises of the Operator shall be under round-the-clock security of private security personnel;
· all actions to process Personal Data of Subjects shall be performed only by Employees of the Operator, duly admitted to work with Personal Data of Subjects and only to the extent necessary for these persons to perform their labor functions.
12.6. Processing, clarification, destruction or blocking of Personal Data of Subjects during their processing without the use of automation tools shall be performed in compliance with the procedure provided for by Resolution of the Government of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Tools."
12.7. For ensuring the security of Personal Data of Subjects, the Operator shall take the following measures during automated processing:
· All actions in the automated processing of Personal Data of Subjects shall be performed only by Employees of the Operator holding positions specified in the list of positions approved by the relevant order, and only to the extent necessary for these persons to perform their labor functions.
· Personal computers containing Personal Data of Subjects shall be protected by access passwords. Passwords shall be set by the information security administrator of the Operator and communicated individually to the Employee authorized to work with Personal Data and processing Personal Data of Subjects on this personal computer.
· Processing of Personal Data in the automated processing of Personal Data shall be performed in compliance with the procedure provided for by Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data" and Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for Personal Data Protection when Processing them in Personal Data Information Systems."
12.8. DoubleGIS LLC shall regularly monitor changes in the legislation on personal data and, if necessary, inform employees on the relevant changes.
12.9. In case of changes in the information sent by DoubleGIS LLC to the Privacy Authority in the notification of the processing of Personal Data, DoubleGIS LLC shall inform the Privacy Authority on all changes that have occurred no later than the 15th day of the month following the month in which such changes have occurred.
13. REQUIREMENTS FOR CONSENT TO THE PERSONAL DATA PROCESSING
13.1. Consent to the Personal Data processing shall meet the following requirements:
· it shall be specific, informed, conscious, substantive and unambiguous;
· it may be given by the Subject or its representative in any form allowing to confirm the fact of its receipt, if the legislation of the Russian Federation does not establish the obligation to obtain consent in writing;
· it shall be given freely, of its own will and in its own interest.
13.2. Personal Data of Subjects for promoting goods, works, services on the market by contacting the Subject directly by means of communication shall be processed only subject to the prior consent of the Subject. In this case, an evidentiary basis for obtaining such consent shall be ensured. The Operator shall immediately stop, at the request of the Personal Data Subject, the processing of its Personal Data in order to promote goods, works, services on the market through direct contacts.
13.3. Consent of the Subject in writing and in the form of an electronic document.
13.3.1. The Personal Data Operator shall obtain consent of the Subject in writing in the following cases:
· inclusion of Personal Data of the Subject in public sources of Personal Data;
· processing of biometric Personal Data;
· processing of special categories of Personal Data;
· cross-border transfer of Personal Data to the territory of a state that does not provide adequate protection of the rights of Personal Data Subjects;
· making a decision based on exclusively automated processing of Personal Data, giving rise to legal consequences in relation to the Subject or otherwise affecting its rights and legitimate interests.
13.4. The content of Subject’s consent in writing shall meet the requirements of Part 4 Article 9 of Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data":
13.5. Consent of the Subject in writing shall be drawn up on paper with the handwritten signature of the Subject or its representative. Consent in the form of an electronic document signed in accordance with the requirements of Federal Law No. 63-ФЗ dated 06.04.2011 "On Electronic Signature" shall be deemed equivalent to consent of the Subject in writing.
13.6. Consent of the Subject in any form
13.6.1. In cases where the Operator’s consent is not required in writing in accordance with the current legislation, consent may be obtained in any form with the use of the services owned or used by the Operator allowing to confirm the fact of its receipt. Such cases include obtaining consents in writing and in the form of an electronic document, as well as in cases where the Subject commits an explicit action, for example, but not limited to:
· sending a response SMS message to the Operator after the procedure of familiarization with the text of consent to the processing of Personal Data with a Confirmation Code received by the Subject to the mobile phone number or by voice confirmation;
· pressing by the Subject of the button "Confirm", "Agree", "Accept", "Continue", etc. after the procedure of familiarization with the text of consent to the processing of Personal Data;
· filling in the check box next to the text of consent to the processing of Personal Data in the graphical interface of the business service;
· sending a response e-mail to the Operator’s e-mail box, outgoing from the Subject with information on consent to the processing of Personal Data.
13.7. Providing evidence of legal grounds for the processing of Personal Data.
13.7.1. The Operator shall record and store consents during the term of the consent extended by three years (the general limitation period).
13.7.2. In accordance with the requirements of Federal Law No. 152-ФЗ dated 27.07.2006 "On Personal Data", at the request of the authorized body or the Subject, the Operator shall provide evidence of receipt of the Subject’s consent to the processing of its Personal Data or evidence of other grounds for the processing of Personal Data.
13.7.3. Confirmation of the fact of obtaining consent on paper shall be a consent form with the handwritten signature of the Subject or its representative and the date of its signature.
13.7.4. Consents issued on paper, depending on the type, shall be stored in the responsible departments of the Operator.
13.7.5. Upon receipt of consent from the representative of the Subject, the Operator shall keep the documents confirming the authority of the representative within the period established for the storage of consents. Documents confirming the authority of the representative shall be stored together with the consents.
13.7.6. The place of storage of consents, as well as the persons responsible for the storage organization, shall be determined by the internal local regulatory document of the Operator.
13.7.7. To ensure confirmation of receipt by the Operator of consents in electronic form, the functions of recording the received consents and storing confirmations (with the possibility of exporting them for subsequent printing) shall be implemented in the information systems of the Operator.
14. LIABILITY FOR VIOLATION OF THE STANDARDS REGULATING THE PROCESSING AND PROTECTION OF PERSONAL DATA
14.1. Persons at fault for violating the requirements of the legislation on Personal Data shall be liable under the current legislation of the Russian Federation.

Version dated 08.12.2023