Personal data processing policy

защиты и обработки персональных данных

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) has been developed in accordance with the requirements of the Federal Law of the Russian Federation “On Personal Data” No. 152-FZ dated August 27, 2006 (hereinafter referred to as the Personal Data Law).

1.2. The policy applies to all personal data provided through the use by personal data subjects (hereinafter referred to as the Subjects) of the http://tpa.legal website on the Internet (hereinafter referred to as the Site), including by filling out a feedback form and sending information to email addresses. mail posted on the Site.

1.3. The Policy defines the Operator's approach to the processing and protection of personal data. The policy is an open and public document.

1.4. The Operator adheres to the principles of ensuring the security of the personal data of the Subjects in order to protect their rights and freedoms, including the protection of the rights to privacy, lawyer, personal and family secrets, as well as compliance with legal requirements.

1.5. The Policy applies to all information containing personal data that the Operator can receive about the Subject.

1.6. Basic concepts used in the Policy:

- personal data - any information relating directly or indirectly to a specific or identifiable natural person (Subject);

- personal data operator (operator) - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

- processing of personal data - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use.

The processing of personal data includes, among other things:

- collection;
- record;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- usage;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- removal;
- destruction.

- automated processing of personal data - processing of personal data using computer technology;

- dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;

- provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

- blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);

- destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

- depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data by a specific Subject without the use of additional information;

- personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;

- confidentiality of personal data - the obligation of persons who have gained access to personal data not to disclose them to third parties and not to distribute personal data without the consent of the Subject, unless otherwise provided by federal law;

- cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

2. Basic rights of personal data subjects

The subject of personal data has the right to receive information regarding the processing of his personal data, except as otherwise provided by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data related to other subjects of personal data, unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Law on Personal Data.

The Subject has the right to demand the elimination of violations of the law committed during the processing of personal data, the clarification of his personal data, their blocking or destruction if, in the opinion of the Subject, the data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing. Also, the Subject has the right to withdraw his consent to the processing of personal data by sending a written request to the email address.
‍
3. Basic rights of the Operator:

- entrust the processing of personal data to other persons with the consent of the Subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person;

- independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

- in the event that the Subject withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data.

4. The main duties of the Operator:

- organize the processing of personal data in accordance with the requirements of the Law on Personal Data;

- not to disclose to third parties and not to distribute personal data without the consent of the Subject, unless otherwise provided by law;

- take measures aimed at ensuring the fulfillment of obligations stipulated by the legislation on personal data;

- take measures to ensure the security of personal data during their processing;

- provide the necessary information on the processing of personal data upon request of the Subject or upon receipt of a request from the Subject or his representative, as well as the authorized body for the protection of the rights of subjects of personal data in accordance with the requirements of the Law on Personal Data;

- eliminate violations of the law committed during the processing of personal data, clarify, block and destroy personal data in cases established by the legislation on personal data;

- publish or otherwise provide unrestricted access to the document defining the policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data;

- take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.

5. Subjects, scope, categories and purposes of personal data processing

The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Russian Federation.

6. Legal grounds for the processing of personal data

Within the framework of the Policy, the processing of personal data is carried out in accordance, inter alia, with the following legal grounds for processing:

- Civil Code of the Russian Federation;

 -Tax Code of the Russian Federation; - Federal Law of May 31, 2002 N63-FZ "On Advocacy and the Bar in the Russian Federation";

- Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection";

- Decree of the Government of the Russian Federation dated September 15, 2008 No. 687 "On approval of the Regulations on the specifics of the processing of personal data carried out without the use of automation tools";

- Decree of the Government of the Russian Federation of July 6, 2008 No. 512 “On approval of requirements for material carriers of biometric personal data and technologies for storing such data outside personal data information systems”;

- Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems";

- Order of Roskomnadzor dated September 05, 2013 No. 996 "On approval of requirements and methods for depersonalization of personal data";

- Order of Roskomnadzor dated February 24, 2021 No. 18 “On approval of the requirements for the content of consent to the processing of personal data authorized by the subject of personal data for distribution”;

- other regulatory legal acts of the Russian Federation and regulatory documents of authorized state authorities.

7. Procedure and conditions for processing personal data

The processing of personal data is carried out in accordance with the requirements of the legislation of the Russian Federation.

The processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without it in cases provided for by the legislation of the Russian Federation.

It is not allowed to disclose to third parties and distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law. Consent to the processing of personal data authorized by the subject of personal data for distribution is issued separately from other consents of the subject of personal data to the processing of his personal data.

The requirements for the content of the consent to the processing of personal data authorized by the subject of personal data for distribution are approved by the Order of Roskomnadzor dated February 24, 2021 No. 18. Transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Social Fund of Russia and other authorized executive bodies and organization is carried out in accordance with the requirements of the legislation of the Russian Federation.

In accordance with Part 5 of Article 18 of the Law on Personal Data, when collecting personal data, including through the information and telecommunications network "Internet", the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, changing), extraction of personal data citizens of the Russian Federation using databases located on the territory of the Russian Federation.

8. Methods and terms of personal data processing

The operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes, destroys personal data.

The operator carries out mixed processing of personal data (with and without the use of automation tools). The information received during the processing of personal data is transmitted through the internal network of the Operator, as well as using the Internet.

The term for processing personal data cannot exceed the period determined by the purposes of processing personal data specified in Article 5 of this Policy.

The condition for terminating the processing of personal data is also the expiration of the consent or withdrawal of the consent of the Subject to the processing of his personal data (unless the current legislation provides for the right of the Operator to process personal data in the absence of consent), as well as the identification of unlawful processing of personal data.

The storage of personal data is carried out in a form that allows you to determine the Subject no longer than required by the purposes of processing personal data, except when a different period of storage of personal data is established by federal law or an agreement.

9. Ensuring the security of personal data

The main personal data protection measures used by the Operator are:

- Development of a policy regarding the processing of personal data;

- Establishment of individual passwords for access to the information system;

- The use of information security tools that have passed the conformity assessment procedure in the prescribed manner;

- Certified anti-virus software with regularly updated databases;

- Compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them;

- Detection of facts of unauthorized access to personal data and taking measures;

- Recovery of personal data modified or destroyed due to unauthorized access to them;

- Implementation of internal control and audit.