PERSONAL DATA PROCESSING POLICY
OF GIPROBIOSINTEZ LLC

1.          GENERAL


1.1.     This document (hereinafter – the “Policy”) describes the policy of processing the personal data of “GIPROBIOSINTEZ” Limited Liability Company (hereinafter – the “Processor” or “Company”).
1.2.     This Policy is drafted in compliance with the requirements of item 2, part 1, Article 18.1 of Federal Law No. 152-FZ “On the Personal Data” dated July 27, 2006 (hereinafter – the “Personal Data Law”).
1.3.     The terms defined in Article 3 of the Personal Data Law have the same meaning in this Policy.
1.4.     The Policy applies to all operations with the personal data performed by the Processor with or without automation means.
1.5.     Main Rights and Obligations of the Processor.
1.5.1.    The Processor has the right to:
  • obtain from the personal data subject true and accurate information and/or documents containing the personal data; and
  • request the personal data subject to timely update the personal data provided.
1.5.2.    The Processor is obliged to:
  • process the personal data in the manner established by the applicable legislation of the Russian Federation;
  • consider requests of the personal data subject (his lawful representative) with respect to the personal data processing and respond with reasons;
  • allow the personal data subject (his lawful representative) free access to his personal data;
  • make efforts to update or destruct the personal data of the personal data subject at his (his lawful representative’s) lawful and reasonable request; and
  • arrange for protection of the personal data in accordance with the requirements of the legislation of the Russian Federation.
1.6.     Main Rights and Obligations of the Personal Data Subjects:
1.6.1.    The personal data subjects have the right to:
  • have full information about their personal data processed by the Processor;
  • have access to their personal data, including the right to obtain a copy of any record containing their personal data, except where the federal law contemplates otherwise;
  • update, block or destruct their personal data if they are incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated processing purpose;
  • withdraw the consent for personal data processing;
  • enforce their rights as permitted by the law; and
  • exercise any other rights as set forth by the legislation of the Russian Federation.
1.6.2.    The personal data subjects are obliged to:
  • provide the Processor with true and accurate data only;
  • submit documents containing the personal data to the extent required for the processing purpose; and
  • inform the Processor on refinement (update or alteration) of their personal data.
1.6.3.    The persons who have submitted to the Processor any inaccurate information about themselves or other personal data subject without his consent are held liable in accordance with the legislation of the Russian Federation.

2.          SCOPE AND CATEGORIES OF PERSONAL DATA PROCESSED, CATEGORIES OF PERSONAL DATA SUBJECTS


2.1.         The Processor can process the personal data of the following personal data subjects:
  • employees of the Company, former employees, job applicants, relatives of employees;
  • clients and contractors of the Company (individuals);
  • representatives/employees of clients and contractors of the Company (legal entities); and
  • visitors to the Company’s website (hereinafter – the “Website”).
2.2.         The personal data processed by the Processor include:
  • last name, first name and patronymic name of the personal data subject;
  • place of residence (region/city);
  • qualification/area of professional interests;
  • mobile number;
  • e-mail;
  • search and watch history for the Website and its services (for the Website visitors); and
  • other information (this list may grow short or long as applicable and depending on the processing purposes).
2.3.     The Processor ensures that the content and scope of the personal data processed comply with the stated processing purposes and, where necessary, makes all reasonable efforts to bring their scope in line with the stated processing purposes.
2.4.     The Processor processes the biometric personal data upon written consent of the relevant personal data subjects and to the extent otherwise provided for by the legislation of the Russian Federation.
2.5.     The Processor does not process special personal data categories related to ethnical or national identity, political affiliation, religious or philosophic views and intimate life.
2.6.     The Processor does not transfer the personal data cross-border.

3.          PURPOSES OF PERSONAL DATA COLLECTION


3.1.         The personal data are processed by the Processor for the following purposes:
  • conclusion of any agreements with the personal data subjects and their fulfillment;
  • Processor’s promotions, inquiries, interviews, testing or surveys on the Website;
  • provision of the Company’s services and information about new products and services developed by the Company, including advertising one, to the personal data subjects;
  • giving the personal data subjects feedback, including processing of their requests and sharing information about the Website operation;
  • control and improvement of the quality of the Company’s services, including those offered on the Website;
  • personnel management and the Company’s personnel recordkeeping, management of labor and other labor-related relations;
  • recruiting and selection of job applicants for the Company;
  • statistical reporting;
  • carrying out business activities; and
  • exercising other functions, authorities and duties vested on the Processor by the legislation of the Russian Federation.

4.          LEGAL FRAMEWORK OF PERSONAL DATA PROCESSING


4.1.         The following represent the legal framework of the personal data processing by the Processor:
  • Constitution of the Russian Federation;
  • Labor Code of the Russian Federation;
  • Civil Code of the Russian Federation;
  • Law of the Russian Federation No. 2124-1 “On Mass Media” dated December 27, 1991;
  • Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” dated July 27, 2006;
  • Federal Law No. 294-FZ “On Protection of the Rights of Legal Entities and Individual Entrepreneurs During State Control (Supervision) and Municipal Control” dated December 26, 2008;
  • Decree of the President of the Russian Federation No. 188 “On Approval of the List of Information of Confidential Nature” dated March 6, 1997;
  • Regulation of the Government of the Russian Federation No. 512 “On Approval of the Requirements to Physical Media of Biometric Personal Data and Storage Technologies for Such Data Outside Personal Data Information Systems” dated July 6, 2008;
  • Regulation of the Government of the Russian Federation No. 687 “On Approval of the Statute on Special Aspects of Personal Data Processing Without Automation Means” dated September 15, 2008;
  • Regulation of the Government of the Russian Federation No. 1119 “On Approval of the Requirements to Personal Data Protection in the Course of Their Processing in Personal Data Information Systems” dated November 1, 2012;
  • Order of the Federal Service for Technical and Export Control of Russia No. 21 “On Approval of the Scope and Content of Organizational and Technical Measures for Personal Data Safety in the Course of Their Processing in Personal Data Information Systems” dated February 18, 2013;
  • Order of the Federal Service for Supervision of Communications, Information Technology, and Mass Media No. 996 “On Approval of the Requirements to and Methods of Personal Data Depersonalization” dated September 5, 2013;
  • constituent documents of the Processor;
  • contracts executed between the Processor and the personal data subjects;
  • consents of the personal data subjects to personal data processing; and
  • other grounds when the personal data consent is not required by law.

5.          PROCEDURE AND TERMS OF PERSONAL DATA PROCESSING


5.1.     The personal data processing is carried out by the Processor as follows:
  • non-automated processing of the personal data;
  • automated processing of the personal data with or without transfer of the received information via information and telecommunication networks; and
  • mixed processing of the personal data.
5.2.     The list of actions performed by the Processor on the personal data: collection, systematization, accumulation, storage, refinement (update or alteration), use, dissemination (including transfer), depersonalization, blocking, destruction, as well as any other actions in accordance with the applicable legislation of the Russian Federation.
5.3.     The personal data processing by the Processor is subject to the consent of the personal data subject (hereinafter – the “Consent”), except as otherwise provided by the legislation of the Russian Federation when the personal data processing can be carried out without such Consent.
5.4.     The personal data subject decides to provide his personal data and gives his Consent of his own free will and volition and for his own benefit.
5.5.     The Consent is given in any form enabling to confirm its obtainment. As may be required by the legislation of the Russian Federation, the Consent is drafted in written form.
5.6.     The personal data processing may be terminated in case of achievement of the purposes of the personal data processing, expiry of the Consent or its withdrawal by the personal data subject, as well as detection of unlawful personal data processing.
5.7.     The Consent can be withdrawn by written notice to the Company by registered mail.
5.8.     While processing the personal data, the Processor takes and ensures that all necessary legal, organizational and technical measures are taken in order to protect the personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, dissemination or any other misconduct.
5.9.     The personal data are stored so as to enable to identify the personal data subject and for not longer than it is required to achieve the purposes of the personal data processing unless the period of the personal data storage is established by any federal law or a contract to which the personal data subject is a party, beneficiary or surety.
5.10.  While storing the personal data, the Processor uses databases located in the Russian Federation.

6.          REFINEMENT, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONDING TO SUBJECT ACCESS REQUESTS


6.1.     In case of any confirmed inaccuracy or unlawful processing of the personal data the Processor updates or ceases to process such personal data respectively.
6.2.     Inaccuracy or unlawful processing of the personal data can be established by either the personal data subject or competent governmental authorities of the Russian Federation.
6.3.     The Processor must, at the written request of the personal data subject or his representative, inform about processing of the personal data of such subject. The request contains number of the main ID document of the personal data subject and his representative, date of issue and authority issued the main ID document, confirmation of relations between the personal data subject and the Processor (contract number and date, nomenclature and (or) other information) or any other confirmation of the personal data processing by the Processor and signature of the personal data subject or his representative. The request can be in writing and signed with digital signature in accordance with the legislation of the Russian Federation.
6.4.     A substantiated refusal is sent to the personal data subject if his request does not contain all necessary information or the subject has no right to access to the requested information.
6.5.     Subject to item 6.3 of the Policy the personal data subject is entitled to demand that the Processor update, block or destruct his personal data if they are incomplete, outdated, inaccurate, illegally obtained or unnecessary for the stated processing purpose, as well as to take any other actions to enforce his rights as permitted by the law.
6.6.     In case of achievement of the purposes of the personal data processing or withdrawal of the Consent by the personal data subject the personal data must be destructed:
  • if the Processor has no right to carry out the processing without the Consent of the personal data subject;
  • unless otherwise is provided by a contract to which the personal data subject is a party, beneficiary or surety; or
  • unless otherwise is provided by any other agreement between the Processor and the personal data subject.

7.          CONCLUDING PROVISIONS


7.1.     All matters with respect to the personal data processing not provided for herein are governed by the applicable legislation of the Russian Federation.
7.2.     The Processor has the right to amend this Policy. The valid version of the Policy is always available on the Website.