BUBUKA LLC Personal Data Processing Policy

(for unlimited access, published in accordance with Part 2 Article 18.1 of the Federal Law “On Personal Data” No. 152─FZ as of July 27, 2006)

1. General Provisions

1.1. The Policy defines the procedure for processing personal data and measures to ensure security thereof in BUBUKA LLC (hereinafter referred to as the “Company”) in order to protect human rights and freedoms in case of processing of personal data, including protection of rights to privacy, personal and family secrets.
1.2. Company’s Personal Data Processing Policy (hereinafter referred to as the “Policy”) was developed in accordance with the Federal Law “On Personal Data” No. 152─FZ as of July 27, 2006 (hereinafter referred to as the “FZ─152”).
1.3. The following terms and definitions are used in this Policy: governmental authority, municipal authority, legal entity or individual, arranging and (or) carrying out (independently or jointly with others) personal data processing, as well as determining the purposes of processing of personal data, the contents of personal data subject to processing, actions (operations) performed with respect to personal data;
─ any information directly or indirectly relating to an identified or identifiable individual (personal data subject);
─ any action (operation) or series of actions (operations) performed with respect to personal data by means of automation facilities or without them, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, utilization, transmission (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
─ personal data processing by means of computer equipment;
─ actions, aimed at disclosure of personal data to general public (personal data transfer) or at familiarization with the personal data by the general public, including disclosure of personal data in the media, publication in the information and telecommunications networks or provision of access to personal data otherwise;
─ actions aimed at disclosure of personal data to a specific group of people or general public;
─ temporary suspension of personal data processing (unless processing is necessary to clarify personal data);
─ actions, as a result of which it becomes impossible to restore the contents of personal data in personal data information system and (or) as a result of which personal data physical media are destroyed;
─ actions, as a result of which it becomes impossible to determine the appurtenance of personal data to a particular personal data subject without using additional information;
─ a set of personal data contained in the databases, as well as information technologies and hardware and software ensuring their processing;
─ transfer of personal data to the territory of a foreign state to the foreign state’s authority, foreign individual or foreign legal entity.
1.4. The Policy applies to all subjects’ personal data processed in the Company with or without the use of automation tools.
1.5. Any personal data subject must have access to the Policy.

2. Principles and Conditions of Personal Data Processing

2.1. The Company processes personal data based on the following principles:
─ legality and equitable basis;
─ restrictions on personal data processing upon reaching specific, predefined and legitimate purposes;
─ prohibition of processing the personal data inconsistent with the objectives of personal data collection;
─ prohibition of consolidating the databases containing the personal data, which are processed for inconsistent purposes;
─ processing of only the personal data, meeting the objectives of processing thereof;
─ matching of content and volume of processed personal data with claimed processing objectives;
─ prohibition of processing of personal data, redundant with respect to claimed objectives of processing thereof;
─ maintenance of personal data accuracy, sufficiency and relevance with respect to objectives of personal data processing;
─ destruction or depersonalization of personal data upon reaching the objectives of processing thereof or in case of no further need to reach them, if the Company can not eliminate the admitted violations of personal data, unless otherwise provided by federal law.
2.2. The Company processes personal data only if at least one of the following conditions apply:
─ personal data is processed with the consent of the personal data subject to processing of his/her data;
─ personal data processing is necessary to achieve the objectives stipulated by law for to exercise and perform the functions, powers and duties imposed on the operator by the laws of the Russian Federation;
─ personal data processing is necessary for performance of an agreement, to which a personal data subject is a party or a beneficiary or guarantor, as well as for the execution of an agreement at the initiative of a personal data subject or an agreement, to which a personal data subject will be a party or a beneficiary or guarantor;
─ personal data processing is necessary for exercise of the rights and legitimate interests of the Company or third parties, or for the achievement of socially significant purposes, provided that the rights and freedoms of a personal data subject are not thereby violated;
─ access to the processed personal data was granted to general public by the personal data subject or at his/her request (hereinafter referred to as the “publicly available personal data”);
─ personal data processed are subject to disclosure in accordance with the federal law.
2.3. The Company and other persons who have access to personal data will not disclose to third parties or distribute personal data without the consent of the personal data subject, unless otherwise provided for by federal law.
2.4. In order to provide information, the Company may create internal publicly available sources of personal data (including reference books, address books). With the consent of an employee, publicly available sources of personal data may include his/her last, first and patronymic name, date and place of birth, position, phone numbers, e─mail. Information about the employee will be excluded from publicly available sources of personal data at the request of the employee or by the decision of a court or other authorized public authorities.
2.5. Unless otherwise provided for by federal law, the Company will have the right to assign personal data processing to another person with the consent of the personal data subject, based on an agreement executed with such person (hereinafter referred to as the “Bank’s assignment”). The person, performing personal data processing under the Company’s assignment, will be obliged to comply with the principles and rules of the personal data processing, provided for by FZ─152.
2.6. The Company may process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life in cases where:
─ personal data subject granted written consent to process his/her personal data;
─ personal data were made public by the personal data subject;
─ personal data is processed in accordance with the laws on state social aid, labor legislation, the laws of the Russian Federation on state─provided pensions, on labor pensions;
─ personal data processing is necessary for establishment or exercise of personal data subject’s or third party rights, as well as in connection with the administration of justice;
─ personal data is processed in accordance with the counter terrorism, anti─corruption, enforcement proceedings, correctional laws of the Russian Federation;
─ personal data is processed in accordance with the laws on mandatory insurance, insurance laws. Processing of special categories of personal data will be immediately terminated if the reasons for their processing are eliminated, unless otherwise provided for by federal law.
2.7. The Company may process personal data on the criminal record only in cases and in the manner determined in accordance with federal laws.
2.8. The Company may process information characterizing physiological and biological traits of a person based on which it is possible to establish his/her identity (biometric personal data) only if an employee granted his/her written consent thereto.
2.9. The Company may carry out cross─border transfer of personal data in the territory of foreign countries only if a personal data subject consents to cross─border transfer of his/her personal data. Prior to cross─border transfer of personal data, the Company will make sure that the foreign state to which the personal data is transferred ensures adequate protection of the rights of personal data subjects.

3. Rights of the Personal Data Subject

3.1. Personal data subject will decide on the provision of his/her personal data and give consent to processing thereof freely, willingly and for own benefit. Unless otherwise provided for by federal law, personal data subject or his/her representative may grant consent to personal data processing in any form allowing confirming the fact of its receipt. The duty to provide evidence of the consent of a personal data subject to the processing of his/her personal data or evidence of the existence of grounds specified in FZ─152 will be imposed on the Company.
3.2. Personal data subject may receive information concerning the processing of his/her personal data, unless such right is restricted in accordance with federal laws. Personal data subject will have the right to demand clarification from the Company of his/her personal data, blocking or destruction thereof if the personal data is incomplete, outdated, inaccurate, unlawfully obtained or are not required for the stated purpose of the processing, as well as take the steps, provided for by the law, to protect his/her rights.
3.3. Personal data processing in order to promote goods, works and services in the market by making direct contact with a potential customer using the communication means, and also for political agitation purposes will be allowed only with the prior consent of the personal data subject. This specified personal data processing will be recognized to be carried out without the prior consent of the personal data subject, unless the Company proves that such consent was obtained. At the request of a personal data subject, the Company will immediately stop processing of his/her personal data for the above purposes.
3.4. It is prohibited to make decisions having legal implications with respect to a personal data subject or otherwise affecting his/her rights and legitimate interests based solely on the automated personal data processing, except for cases provided for by federal laws or with the written consent of the personal data subject.
3.5. If a personal data subject believes that the Company processes his/her personal data violating the requirements of FZ─152 or otherwise violates his or her rights and freedoms, the personal data subject will have the right to appeal against the Company’s actions or omissions to the Authorized body for protection of the rights of personal data subjects or in court. A personal data subject may protect his/her rights and legitimate interests, including the right to damages and (or) non─pecuniary damage in court.

4. Personal Data Security

4.1. Personal data processed by the Company are secured by taking legal, organizational, technical and program steps necessary and sufficient to meet the requirements of federal law for personal data protection.
4.2. The Company takes the following organizational and technical measures to deliberately create unfavorable conditions and formidable obstacles for violators making unauthorized access attempts to personal data for the purpose of acquiring, modifying, destroying it, infecting with a malware, substituting and committing other unauthorized actions:
─ appointing officials responsible for organizing personal data processing and protection;
─ restricting and regulating the list of employees who have access to personal data;
─ familiarizing employees with the requirements of the federal law and Company’s regulations for personal data processing and protection;
─ maintaining record and storage of physical storage media and circulation thereof, eliminating theft, substitution, unauthorized copying and destruction;
─ identifying threats to personal data security during processing, generation of threat models based thereon;
─ developing personal data protection system based on the threat model for relevant class of information systems;
─ checking the readiness and effectiveness of using information security tools;
─ implementing authorization system for user access to information resources, software and hardware tools for information processing and protection;
─ registering and recording the actions of users of personal data information systems;
─ passwording user access to personal data information systems;
─ using access─control mechanism to communication ports, information input─output devices, removable machine─readable media and external storage devices;
─ using cryptographic information security tools (as necessary) to ensure personal data security when transferred via open communication channels and stored on machine─readable data media;
─ implementing anti─virus control, prevention of malware (software virus) and implants into corporate network;
─ firewalling;
─ detecting intrusions into the Company’s corporate network violating or predetermining violation of the established requirements for ensuring the personal data security;
─ centralized management of the personal data protection system.
─ information backup;
─ ensuring the restoration of personal data, modified or destroyed due to unauthorized access thereto;
─ training employees using information security tools used in personal data information systems, in the rules for working therewith;
─ recording applied information security tools, as well as operational and technical documentation therefor;
─ using information security tools that have undergone compliance assessment procedure in the prescribed manner;
─ monitoring user actions, carrying out investigations on violations of the requirements for personal data security;
─ placing data processing technology within the protected territory;
─ organizing the access mode to the Company’s territory;
─ keeping security appliances, premises alarm fully operational.

5. Final Provisions

5.1. Other rights and obligations of the Company as a personal data operator are determined by personal data laws of the Russian Federation. Company’s officials guilty of violating the rules governing personal data processing and protection, will bear financial, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by federal laws.

top