1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter “the Policy”) adopted by the Individual Entrepreneur Julia Vyacheslavovna Fedonina, OGRNIP (primary state registration number of individual entrepreneur) 317507400051262, INN (taxpayer identification number) 504810072558, postal address: 25-1-123 Isakovskogo Street, Moscow 123181 (hereinafter “the Controller”), combines the key principles, purposes, procedure and terms of processing personal data of Website Visitors and other persons specified in cl. 2.2. hereof as well as measures enabling security and protection of such personal data.
1.2. This Policy has been developed in compliance with requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation governing personal data protection and has been made available to the general public at the Controller's website www.felicitylaw.ru.
1.3. Legal grounds for personal data processing by the Controller include: Federal laws On Compulsory Medical Insurance in the Russian Federation, On Individual (Personalized) Record-Keeping in the Compulsory Pension Insurance System, On Limited Liability Companies, On Consumer Right Protection, On Personal Data, Labour, Civil, Family and Tax Codes of the Russian Federation, local regulatory acts of the Controller, contracts entered into by the Controller for the purposes of its activity as well as consents to personal data processing.
1.4. The terms used herein shall be defined according to the Federal Law of the Russian Federation No. 152-FZ dated July 27, 2006, On Personal Data.
2. Definition and Scope of Personal Data
2.1. List of personal data to be protected by the Controller shall be compiled in accordance with the Federal Law No. 152-FZ, On Personal Data.
2.2. Subjects of personal data processed by the Controller include:
2.2.1. Controller’s employees, former employees, nominees to the Controller’s vacant positions as well as relatives of the Controller’s employees;
2.2.2. Controller’s customers and contractors (individuals);
2.2.3. Representatives and employees of Controller’s customers and contractors (legal entities), contractors of Controller’s customers - individuals, members of governing bodies, founders and beneficiaries of Controller’s customers and contractors (individuals);
2.2.4. Controller’s Website Visitors.
2.3. The Controller processes and protects personal data including: surname, name, patronymic, passport data, place of employment, position, contact phone number, e‑mail address, INN, SNILS (personal pension account number) numbers, family status, education, occupation, job title, amount of income, bank details. The scope of collected and processed personal data depends on the processing purpose and must be consistent with it.
2.4. The Controller processes personal data of Visitors of the Controller’s Website www.felicitylaw.ru (hereinafter “the Website”) including personal data received to the address of the Controller’s corporate mailbox ending with @felicitylaw.ru (hereinafter “the Corporate Mailbox”). The Controller also processes personal data submitted to it by subjects of such data in accordance with the Labour Code of the Russian Federation and other federal laws.
2.5. Any personal data are processed by the Controller based on the Personal Data Processing Consent (hereinafter “the Consent”).
2.6. Controller’s Website Visitors shall send their Consents to the Controller by sending e-mails to the Corporate Mailbox. The moment of acceptance of the Consent shall be deemed the moment of clicking the button to send an e-mail containing personal data of the subject to the Corporate Mailbox address. Other persons shall send their Consents in person when addressing the Controller or by mail.
3. Purposes of Personal Data Processing
3.1. Personal data of Website Visitors shall be processed for the purposes including:
3.1.1. preparing and sending responses to any requests of the Controller’s Website user;
3.1.2. sending to Website Visitors any reference and marketing information in e-mails to the e-mail address specified by the Website Visitor;
3.1.3. enabling the Website Visitor to get and provide feedback to/from the Controller;
3.1.4. giving to the Website Visitor advice on the issues related to the services rendered, for the purposes of marketing activity and Website Visitors’ support as well as for other purposes not inconsistent with current legislation of the Russian Federation and the provisions of agreements entered into between the Controller and the relevant Website Visitors.
3.2. Personal data of other persons shall be processed for the purposes as follows:
3.2.1. of Controller’s employees - to comply with labour, tax and pension legislation of the Russian Federation including employees’ outplacement, facilitation of their training and promotion; payroll accounting and management, business travel (secondment) management, issue of powers of attorney (inter alia for the representation of interests before third parties); for employee personal security issues; control the quantity and quality of works performed; secure safety of property; follow any access control procedures in the premises; keep record of hours worked; use any types of benefits in accordance with the Labour Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws as well as the Articles of Association and local regulatory acts of the Controller; voluntary life, health and accident insurance;
3.2.2. of Representatives and employees of legal entities - Controller’s contractors - for the purposes as follows: to hold negotiations, to enter into and perform agreements requiring submission of personal data of employees of such legal entity in furtherance of legal services agreements;
3.2.3. of nominees to the Controller’s vacant positions - to adopt resolutions on potential entry into employment agreements with persons intending to fill any vacancies;
3.2.4. of contractors - individuals - for the purposes as follows: to enter into and perform an agreement involving an individual as its party; to consider the possibility of future cooperation;
3.2.5. of individuals whose personal data are processed to the benefit of third parties - personal data controllers based on the agreement - to perform agreements with such personal data controllers;
3.2.6. of relatives of Controller’s employees - to perform requirements of Russian legislation, to provide additional benefits and to take part in corporate events;
3.2.8. of customers - consumers - for the purposes as follows: to submit information on the services rendered; to send notices on such services, to inform of order status; to perform service agreements and other types of agreements, including agreements entered into remotely; to analyze the quality of services rendered by the Controller and to improve customer satisfaction.
4. Procedure and Terms of Personal Data Processing
4.1. The Controller processes personal data according to the following rules:
4.1.1. Any processing must be legal and fair;
4.1.2. Processing must be limited by any specific, predefined and lawful purposes;
4.1.3. Processing not consistent with the purposes of personal data collection is prohibited;
4.1.4. Any combination of databases containing personal data processed for conflicting purposes shall not be permitted;
4.1.5. The contents and scope of processed personal data must comply with the purposes of such processing;
4.1.6. Personal data must be stored in the form enabling data subject identification for as long as they are required to achieve the processing purposes, unless the term for personal data retention is stipulated by the federal law, an agreement involving the data subject as a party thereto, beneficiary or guarantor thereunder.
4.2. The Controller shall process personal data subject to the fulfillment of any of the following:
4.2.1. Data subject has provided its Consent to personal data processing;
4.2.2. Personal data processing is necessary for the exercise of rights and lawful interests of the Controller, for achievement of socially important goals provided that it does not infringe any rights and freedoms of the data subject;
4.2.3. Personal data are processed for statistical purposes or other purposes of research subject to obligatory personal data anonymization;
4.2.4. Any other conditions may be stipulated by laws on personal data of the Russian Federation.
5. Rights and Obligations of Personal Data Subjects
5.1. A personal data subject is entitled:
5.1.1. to request rectification of its personal data, their update, blocking or erasure;
5.1.2. to obtain the list of its personal data processed by the Controller, their source, information on the period of processing of its personal data, including the term of their retention, and other information on the processing of its personal data;
5.1.3. to request notification of all persons who have earlier received its incorrect or incomplete personal data, of all corrections or addenda having been made;
5.1.4. to dispute in accordance with the established procedure any unlawful acts or omission upon the processing of its personal data;
5.2. Personal data subjects, including Website Visitors, assume to submit only reliable data on themselves.
5.3. A personal data processing consent shall be given by a data subject for the entire period as necessary for the Controller to achieve the purposes of processing.
5.4. A personal data processing consent may be withdrawn by a personal data subject under a written application sent to the address: Individual Entrepreneur Julia Vyacheslavovna Fedonina, 25-1-123 Isakovskogo Street, Moscow 123181 or to the Corporate Mailbox email@example.com.
5.5. Personal data subjects or their authorized representatives as well as authorized bodies may send to the address specified in the above clause their requests in any form concerning inaccuracy of personal data, their unlawful processing, withdrawal of consent and a subject’s access to his personal data. If access is to be granted to personal data, the Controller shall grant it within 30 days from the date of the relevant request. In case access is denied, a reasoned response with a reference to the law shall be sent by the Controller within 30 days from the relevant request. In case a personal data subject or his representative submits data evidencing incompleteness, inaccuracy or inadequacy of personal data, the Controller shall make the relevant amendments within 7 working days at the latest from the date of submission of such data. In case of submission of information evidencing that personal data were obtained in breach of law or are unnecessary for the claimed processing purpose, the Controller must destruct them within 7 working days at the latest from the date of receipt of such information.
5.6. In case any inaccuracy of personal data is detected, they shall be updated by the Controller. In case their processing is found unlawful, such processing shall be ceased.
5.7. Persons having submitted data to the Controller via the Website on any other personal data subject without Consent of the subject of such personal data shall be liable in compliance with the legislation of the Russian Federation.
6. Rights and Obligations of the Controller
6.1. The Controller shall never request from personal data subjects any information on their race, nationality, political views, religious and philosophic beliefs, health, sexual life.
6.2. In the course of personal data processing the Controller shall be entitled: to collect, to record, to systematize, to accumulate, to store, to rectify (to update, to change), to retrieve, to use, to transfer (to distribute, to grant access to), to impersonalize, to block, to remove, to erase personal data.
6.3. In case of participation in any events arranged by the Controller, the latter shall be entitled to disclose the relevant personal data of the participating personal data subjects to persons taking part in arranging such events.
6.4. The Controller shall not be entitled to transfer personal data to a third party except for:
6.4.1. authorized public bodies to the extent of their competence;
6.4.2. persons to be transferred such data by the Controller for the purposes of compliance with Russian legislation;
6.4.3. persons being transferred personal data by the Controller in pursuance of an agreement whereunder the personal data subjects act as beneficiaries;
6.4.4. persons entrusted with personal data processing by the Controller;
6.4.5. Controller’s successors;
6.4.6. other persons with the consent of personal data subjects.
6.5. The Controller shall not be entitled to report personal data of personal data subjects for commercial use without their consent. Personal data may be processed for the promotion of goods, works and services at the market through direct contacts with potential consumers via communications means solely with the prior consent.
6.6. The Controller assumes to notify persons obtaining personal data that such data may only be used for the purposes of their transfer and to require from such persons to confirm compliance with this rule.
6.7. Persons obtaining personal data must keep them secret (confidential).
6.8. The Controller shall process and take measures to protect personal data in accordance with this Policy as well as other local regulatory acts adopted by the Controller.
7. Personal Data Protection and Security
7.1. The Controller applies the relevant technological and operational safety standards to protect information from unauthorized access, disclosure, distortion, blocking or erasure.
7.2. The relevant measures taken by the Controller include:
7.2.1. Appointment of a person liable for arranging for personal data processing;
7.2.2. Application of legal, technical and organizational measures to ensure personal data security;
7.2.3. Assessment of damage which may be caused to personal data subjects in case of violation of statutory requirements, the ratio between damage and security measures taken by the Controller;
7.2.4. Use of protected premises with selectable access to place personal data information system servers as well as use of lockable cabinets to store personal data in a hard copy form;
7.2.5. Making the Controller’s employees directly responsible for personal data processing aware of the provisions of Russian personal data legislation;
7.2.6. Follow-up of any measures taken to ensure personal data security.
7.3. Access to personal data is granted solely to authorized employees of the Controller having assumed to keep such information confidential.
8. Personal Data Retention
8.1. Personal data are kept in the Russian Federation in the Controller’s offices.
8.2. Terms of personal data processing and retention shall be determined based on the term of the contract (agreement) with a personal data subject, the Order of the Ministry of Culture of the Russian Federation No. 558 dated August 25, 2010, “On Approval of List of Standard Management Archive Documents Executed in the Course of Activity of Public Authorities, Local Self-Government Authorities and Organizations with Retention Periods”, limitation period, the Federal Law No. 43-FZ dated March 02, 2016, “On Amendments to the Federal Law “On Archives in the Russian Federation” as well as other requirements of Russian legislation as well as until the Controller achieves the purposes of personal data processing or the need for achievement of such purposes is eliminated.
8.3. The documents containing personal data shall specify the date of and/or condition for termination of personal data processing.
8.4. Upon achievement of purposes/expiry of the term for personal data processing personal data are erased, unless otherwise stipulated by law or contract whereunder the data subject acts as a party, beneficiary or guarantor, other agreement or Consent.
8.5. In case a personal data subject withdraws its Consent, the Controller shall nevertheless be entitled to process the stated personal data to the extent stipulated by Russian legislation (dismissal, calculation, submission of documents to authorized public bodies, retention of personnel records, acknowledgment of service records, etc.).
9. Final Provisions
9.1. This Policy is to be amended or supplemented, in case the relevant amendments or addenda are made to current Russian legislation on personal data as well as may be amended at any time at the Controller’s discretion. Current version of the Policy is available for viewing to the general public at the website www.felicitylaw.ru.
9.2. All relations with the Controller concerning personal data processing and not incorporated into this Policy shall be governed by current personal data legislation of the Russian Federation.
9.3. Follow-up of performance of requirements hereof shall be imposed on the Controller as a person liable for arranging for personal data processing.
Date of the latest Policy revision: July 13, 2020.