NATIONAL LEGAL SERVICE
Data Processing Policy
(in view of Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union)
Moscow 2019
Hereby, acting in order to respect the rights of the natural person as a personal data subject and a participant in legal relations, being guided by the principles of fair and transparent data processing which ensure the data security and controller’s legal interests in a certain context, providing guarantees of proper protection and security during data processing in view of a number of requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (adopted in Brussels on 27/04/2016) (hereinafter referred to as the Regulation), including with the aim to confirm the intent of resolving, in particular, out-of-court disputable issues with data subjects on data processing, preventing harm to the interests of the parties to the relationship while processing data and increasing the level of trust and interest in the company, NATIONAL LEGAL SERVICES LLC (hereinafter referred to as the Controller Operator / Data Processor), acting under the Charter, accepts these rules for personal data handling and processing in the form of this Policy.
Within the scope of their activities, the Operator follows the principle of exclusive legal data processing insofar as personal data are processed based on the consent of the relevant data subject and/or in connection with the need to perform the contract where one of the parties is a data subject, or to act at the request of the data subject before the conclusion of the contract. Such data processing takes place on an equitable basis despite the existence of other legal grounds and obligations of the Operator which may be established in the Regulation, legislation of the Union or a Union member state.
1. GENERAL TERMS AND CONDITIONS
The Operator’s Data Processing Policy (hereinafter referred to as the Policy) was developed on the basis of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (adopted in Brussels on 27/04/2016).
1.1. This Policy (according to the Regulation) applies to personal data processing in the context of the activities of the Operator or the Data Processor if the mentioned activity takes place in the Union, regardless of whether the data is processed in or outside the Union.
1.2. This Policy (according to the Regulation) applies to data processed by the Operator of personal data subjects located in the Union, since this data processing concerns the provision of services to these subjects (natural persons), regardless of whether payment is required from a specified subject or monitoring the activities of specified natural persons carried out on the territory of the Union.
This Policy defines the procedure for data processing by the Operator and measures to ensure its security in order to protect human rights and freedoms, as well as compliance with the requirements of the Regulation when processing personal data of data subjects (natural persons) and determining the powers of the Operator and subjects in the field of data processing, including the protection of the rights to privacy, personal and family secrets. While the Operator carries out its activities, including using the Internet, data is processed in accordance with the provisions of the Regulation under the executed civil law agreements, including agreements for the rendering of services, so that the Operator can comply with and fulfill its obligations when providing the information (the purpose is to provide the information) at the request of a natural person in written or electronic form (using the Internet, in written or electronic form which permits to identify the applicant). During the Operator’s activities, the need for the data subject to provide personal data is caused by the disclosure of information upon their request and/or the rendering of services to them. Obtaining data of the data subject by the Operator is based on the provisions of the Regulation and the content of the agreement with the personal data subject. In the absence of literally submitted consent for data processing, unless otherwise provided by the Regulation, data processing (service provision) is not possible.
In order to provide the information at the request of the data subject and/or to render the services to them in pursuance of the agreement with them, the data subject submits the following personal data to the Operator: surname, name, patronymic (if available); e-mail address (when registering on the Operator’s Internet resource); number (series/number) of the identity document; phone number if the data subject voluntarily indicates; date of birth; details for receiving the service (certificate); information on the services provided; information on control information, additional information provided in order to obtain services under an agreement for legal assistance, information and reference support, as well as to establish or determine the rights of the personal data subject.
The personal data processing in the context of the Operator’s activities or the data processor in the European Union (hereinafter also referred to as the Union), regardless of whether it is processed in the Union or not, as well as in relation to the personal data processing of data subjects in the Union, by the Operator or the processor given by a person not located in the Union, should comply with the requirements of the Regulation. In all cases that do not imply compliance with the provisions of the Regulation in the data processing, the legislation of the Russian Federation applies in the territory of the Russian Federation.
The Policy uses the following basic concepts:
personal data is any information relating to an identified or identifiable natural person (data subject), hereinafter also referred to as PD;
data processing is any operation or set of operations carried out with personal data, with or without automated means, for example, collecting, recording, organizing, structuring, storing, modifying and changing, retrieving, advising, using, disclosing by means of transmission, distributing or otherwise providing, ordering or combining, limiting, deleting or destroying;
pseudonymization is data processing in such a way that personal data can no longer be assigned to a specific data subject without using additional information, provided that the additional information is stored separately and is subject to technical and organizational measures to ensure that personal data is not related to the identified or identifiable natural person;
controller is a natural or legal person, state authority, agency or another body that, independently or jointly with others, determines the goals and methods of data processing;
data processor is a natural or legal person, state authority, agency or another body that processes personal data on behalf of the controller;
recipient means a natural or legal person, state authority, agency or another body which personal data is disclosed to, regardless of whether it is a third party or not;
third party is a natural or legal person, state authority, agency or body other than the data subject, controller, data processor authorized to process data under the direct supervision of the controller or the data processor;
consent of the data subject is any freely given, specific, informative and definite indication of their will through which the personal data subject notifies of their consent to their personal data processing;
data leakage is a security violation leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that has been saved, stored or otherwise processed;
biometric data is personal data arising from special technical processing relating to the physical, physiological or behavioral characteristics of a natural person which provide or confirm the unique identification of the specified natural person, for example, an image of a person’s face or fingerprint data;
health data refers to personal data relating to the physical or mental health of a natural person, including the provision of medical services that disclose information about their health;
representative is a natural or a legal person established in the Union which is appointed by the controller or data processor in written form and represents the controller or mentioned person according to their respective obligations under this Regulation;
cross-border processing:
– data processing which is carried out in the context of the activities of institutions in several EU member states of the controller or data processor in the Union if the controller or data processor are established in several Union member states;
– personal data processing which is carried out in the context of the activities of a single institution of the controller or data processor in the Union, but which significantly affects or may significantly affect data subjects in several Union member states.
In this Policy concepts that are not defined in Section 1 of this Policy may be used. The interpretation of the concepts used and the meaning of the relevant provisions in such cases should be made on the basis of the literal meaning of the expressions presented, considering the topics of the relations considered in this Policy and objectives pursued by it according to the requirements of the Regulation.
Natural persons using the Operator’s Internet resources can be associated with network identifiers located on their devices, with applications, software and protocols. In particular, there can be: IP addresses, identifiers such as cookie identifiers (files) or other identifiers, for example, RFID tags. The specified data can leave marks that can be used to create profiles of natural persons and to identify them. The user data (data subject), left by them when using the software and surfing the Internet, is used only to improve the user experience on the Internet and to optimize processes when rendering services to them.
When using the Operator’s Internet resources in cooperation with third-party Internet resources, the Operator’s Internet resources are obvious for the specified resources (websites) and are provided to the user together with the start of transition to the third-party Internet resource.
HTML5 local memory/cookie. A cookie file is a data file placed on a device. Cookies can be created using various web protocols and technologies (HTTP, browser cookies, HTML5).
The Operator’s services are used, in particular, by the following categories of cookies:
– strictly necessary cookies: these are necessary to provide services and functions when requested in a particular case; cookies and tracking technology can be used to prevent fraudulent activity, increase security, and for system administration. The provision of services is impossible without such files;
– functional cookies: in order to identify the fact, for example, of visiting the service earlier;
– targeting technologies: using tracking technology to determine geolocation (determination of the geographic location of the electronic device) of the data subject.
Embedded script. The program code is used to collect the information on interactions/work of the data subject with the Controller’s service. The code of the controller’s web server or third-party service provider is temporarily downloaded to the data subject’s device. If there is no connection to the service, the code is deactivated or deleted.
Attention! Changes to the settings of cookies, the installation of ad-blocking extensions and applications (for example, Adblock, friGate CDN, Aliexpress Seller Check, as well as VPN / Proxy / Socks extensions, etc.), can lead to errors in the Operator’s Internet service, and the information will not be tracked down.
2. PRINCIPLES AND TERMS OF DATA PROCESSING
2.1. Principles of data processing:
data processing is legal, fair, and transparent with respect to the data subject;
data collection should be carried out for specific, explicit and legitimate purposes and further data should not be processed in a manner inconsistent with these goals; further processing to achieve public interest goals, as well as scientific or historical research goals or statistical goals should not be considered as incompatible with the original goals (considering Art. 89 (1) of the Regulation);
the processed data should be appropriate, relevant and limited to what is necessary relative to the purposes for which they are processed (the data minimization principle);
data should be accurate and, if necessary, relevant; reasonable steps should be taken to ensure the timely removal or correction of inaccurate data considering the purposes for which they are processed (accuracy);
the data should be stored in a form that allows to identify the data subjects for a period necessary for the purposes for which personal data are processed; personal data can be stored for a longer period if they are processed only for public interest purposes, as well as for scientific or historical research or for statistical purposes in accordance with the requirements of the Regulation considering the implementation of relevant technical and organizational measures to protect the rights and freedoms of the data subject;
data processing should be carried out in a manner that guarantees the appropriate security of personal data (confidentiality) including protection against unauthorized or illegal processing and against accidental loss, destruction or erasure of data, using appropriate technical and organizational measures.
In case if the data is processed by a person on behalf of the Controller on the basis of a settled contract, the mentioned person should take measures to ensure the protection and security of data processing in accordance with the requirements of the Regulation.
In case if processing is carried out on behalf of the controller according to the requirements of the Regulation, the processing is carried out in accordance with the established requirements of this Regulation, taking into account the appropriate guarantees to protect the rights of the data subject.
2.2 Legality of data processing
The requirement of the Regulation on legal data processing is fulfilled provided that the following conditions are met:
- the data subject has agreed to the processing of their personal data for one or several specific purposes;
- processing is necessary to perform the contract where the data subject is one of the parties, or to act on the request of the data subject prior to the conclusion of the contract (data processing in this case is necessary for the performance of the contract and fulfilling the obligations assumed by the Operator, as well as for the conclusion of the contract initiated by the data subject; data processing is terminated after performing the contract);
- processing is necessary to comply with the legal obligation to which the Operator is subject;
- processing is necessary to protect the basic interests of the data subject or another natural person;
- processing is necessary to perform a task in the interests of the state or while exercising the state power assigned to the Operator;
- processing is necessary for the purposes of ensuring the legitimate interests of the Operator or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require personal data protection, in particular, if the data subject is a child (does not apply to data processing by public authorities in the performance of their tasks).
Additional requirements can be provided by the Regulation to ensure the legality of the data processing, including subject to the legislation of the EU member states, to ensure guarantees of legal and fair processing.
If data processing is determined by a purpose not specified by the data subject in a previously agreed consent, or the data processing is not based on the legislation of the Union or the Union member state, the Operator should inter alia take the following into account:
- any connection between the objectives for which personal data were obtained and the objectives of the proposed subsequent processing;
- the environment where personal data were collected, in particular, the connection between data subjects and the Operator;
- nature of personal data (if processing sensitive data and data related to convictions and crimes is available);
- the possible consequences of the intended processing for data subjects;
- the existence of security means that may include encryption or pseudonymization.
2.3 Terms for data processing consent
If the processing is based on consent, the Operator should be able to prove that the data subject has agreed to the data processing.
If the consent of the data subject is given in the form of a written statement which also applies to other circumstances, the request for consent should be presented in an understandable and easily accessible form in a clear and plain language in a form that would clearly distinguish it from other circumstances. Any part of such a statement drawn up in violation of the provisions of the Regulation is not binding.
When submitting consent to the data processing, a natural person voluntarily, definitely and clearly realizes their own will through a particular action. Consent can be given, for example, through a written statement including electronically submitted, or an oral statement (ticking/crossing when visiting the website, choosing technical settings for the information society services or other statement, or a behavior that clearly indicates the consent of the data subject to the planned personal data processing in the specific context).
The data subject has the right to withdraw their consent at any time. The withdrawal of consent should not affect the legal basis for processing based on consent prior to its withdrawal. Before giving any consent, the data subject should be informed on this. The consent withdrawal procedure should be as simple as the submitting consent procedure.
While evaluating voluntariness when the data subject submits their consent, the main focus inter alia is on the relationship with the performance of the relevant contract. It is extremely important whether the fulfillment of the contract (including the provision of the service) depends on the consent to the data processing that are not necessary for the fulfillment of the mentioned contract.
The separate provision of the Regulation concerns the consent of a child in respect of who the age criteria and the record of obtaining the consent of persons with parental responsibility are established.
2.4. Processing of sensitive personal data
2.4.1. The personal data processing disclosing racial or ethnic origin, political opinions, religious beliefs or philosophical views, membership in a trade union, as well as the processing of genetic and biometric data for unique identification of a natural person, data on health, sex life or sexual orientation of a natural person is prohibited.
2.4.2. An exception to the prohibition established by clause 2.4.1 of this Policy, in accordance with the provisions of the Regulation, are cases as follows:
– if the data subject has given direct consent to the personal data processing for one or several established goals except for cases when the legislation of the Union or the Union member state does not provide for the possibility of lifting the prohibition provided for in clause 2.4.1 of this Policy, by the data subject;
– if processing is necessary in order to fulfill the obligations and special rights of the Operator or data subject in the field of labor law, social security law insofar as this is permitted by the legislation of the Union or Union member state or by collective agreement according to the legislation of a Union member state providing for appropriate means of protection of the basic rights and interests of the data subject;
- if processing is necessary to protect the basic interests of the data subject or another natural person if the data subject is physically or legally incapable of giving their consent;
- if processing is carried out by a foundation, association or non-profit organization within their lawful activities with appropriate guarantees for political, philosophical, religious or trade union purposes, and provided that processing applies only to members, former members of the organization or natural persons who have regular contact with them in connection with their objectives, and that personal data are not disclosed to third parties without the consent of the data subject;
- if processing refers to personal data that the data subject has explicitly made public;
- if processing is necessary for the presentation, execution or protection of lawsuits or in cases where the courts operate within their judicial capacity;
- if processing is necessary for reasons of particular public interest on the basis of the legislation of the Union or Union member state which should be proportionate to the goal pursued, should be consistent with the essence of the right to data protection and provide for acceptable and specific measures to protect the basic rights and interests of the data subject;
- if processing is necessary for the purposes of preventive or occupational medicine, for assessing the employee’s ability to work, for diagnosing a medical condition, for providing medical or social assistance or treatment, or for managing health care systems and services and for social security under the legislation of the Union or Union member state or on the basis of an agreement with a healthcare professional and in accordance with the terms and guarantees specified in paragraph 3 of Art. 9 of the Regulation.
- if processing is necessary for reasons of public interest in public health, for example, protection against serious cross-border health threats or to ensure high standards of quality and reliability of medical care and drugs or medical equipment, based on the legislation of the Union or Union member state which provides for acceptable and specific measures to protect the rights and freedoms of the data subject, in particular, in sense of professional secrecy;
- if processing is necessary for the purpose of archiving information in the interests of the state, for scientific, historical or statistical purposes based on the legislation of the Union or Union member state which should be proportionate to the goal pursued, must be consistent with the essence of the right to data protection and provide for acceptable and specific measures to protect the basic rights and interests of the data subject.
Member states have the right to retain or impose additional terms, including restrictions on the processing of genetic and biometric data or health data.
3. RIGHTS OF THE DATA SUBJECT
3.1. Providing the information, terms for the fulfillment of the personal data subject’s rights.
The Operator shall take appropriate measures to provide the subject with the information on the data processing in a brief, clear and easily-accessible form and in understandable and plain language. Information should be provided in writing or by other means, including, if needed, electronic means of communication. Information can be provided verbally at the data subject’s request on condition that the data subject’s identity is established through other means.
The Operator should facilitate the implementation of the data subject’s rights according to the requirements of this Policy and Regulation except for the absence of the grounds for their identification (data subject’s identity verification) and confirmation of this fact by the Operator if the data subject does not provide additional information for their identification.
The Operator should provide information to the data subject according to the requirements of the Regulation within the fixed time. If the data subject makes the request in electronic form, the Operator provides the information by electronic means, unless the data subject specifies another form of data transfer in the request. If the Operator does not take measures on the data subject’s request, the Operator has to inform the data subject, immediately or not later than one month after the request, of the reasons for not acting and of the possibility of making a complaint to the supervisory authority and of judicial protection of rights.
3.2. Disclosure to the data subject.
3.2.1. If the subject provides their personal data on their own, the Operator shall give the following information according to the requirements of the Regulation when receiving personal data:
- identification information and their contact details and representative’s data (if needed);
- contact details of the personal data protection officer where relevant;
- the aims for processing personal data and legal basis for this processing;
- legitimate interests served by the Operator or third party (if processing is carried out to serve the mentioned interests, provided that these interests are not overridden by the data subject’s interests);
- recipients or categories of recipients of personal data, if available;
- where relevant, the intention of the Operator to convey the data to third party or international organization in the established order by the Regulation.
In order to provide reasonable and clear processing, the following information is given additionally to the data subject:
- the term during which the personal data will be kept or, if it is impossible, the criteria for determination of the specified period;
- existence of the right to request from the Operator access to the personal data and their correction or removal, or limitation of processing, or to object to processing, and the right to data portability;
- in case the processing is based on the executed consent of the data subject, the existence of the right to withdraw consent without affecting the legal basis for processing based on the consent prior to its withdrawal;
- the right to make a complaint to the supervisory authority;
- whether the provision of personal data is a requirement under the Law or the Agreement, or a requirement that is necessary for signing the Agreement, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of not providing the specified data;
- if available, the data on the automated process of decision making, including profiling according to the provisions of the Regulation (Art. 22 (1), (4)) and, at a minimum in the mentioned cases, exact information on the logic involved and its significance, and the intended consequences of processing for the data subject.
3.2.2. If the Operator intends to process personal data hereafter for purposes other than purposes for which the personal data were received, they shall give the information to the data subject regarding another purpose and any further details, mentioned in paragraph 3.2.1 of this Policy before starting the specified processing.
3.2.3. Clauses 3.2.1, 3.2.2 of this Policy shall not apply as and if the data subject has been already informed on relevant information.
3.2.4. In case personal data were obtained not from the data subject, the following information should be provided to the data subject:
- identification information and the Operator’s contact details and, if available, of their representative;
- contact details of the personal data protection officer where relevant;
- the processing purposes for which the personal data are aimed at, and the legal basis for the processing;
- categories of the relevant personal data;
- recipients or categories of recipients of personal data, if available;
- in relevant cases, the Operator’s intentions to convey personal data to the third party’s recipient or international organization (according to the requirements of the Regulation and decisions of the European Commission).
In order to provide reasonable and clear processing, the following information is given additionally to the data subject:
- the term during which the personal data will be kept or, if it is impossible, the criteria for determination of the specified period;
- legitimate interests served by the Operator or third party (if processing is carried out to serve the mentioned interests, provided that these interests are not overridden by the data subject’s interests);
- existence of the right to request from the Operator access to the personal data and their correction or removal, or limitation of processing, or to object to processing, and the right to data portability;
- in case the processing is based on the executed consent of the data subject, the existence of the right to withdraw consent without affecting the legal basis for processing based on the consent prior to its withdrawal;
- the right to make a complaint to the supervisory authority;
- which sources the personal data come from and, if available, whether they were taken from publicly accessible sources;
- if available, the data on the automated process of decision making, including profiling according to the provisions of the Regulation (Art. 22 (1), (4)) and, at a minimum in the mentioned cases, exact information on the logic involved and its significance, and the intended consequences of processing for the data subject.
3.2.5. If the Operator intends to process personal data hereafter for purposes other than purposes for which the personal data were received, they shall give the information to the data subject regarding another purpose and any further details, mentioned in clause 3.2.4 of this Policy before starting the specified processing.
3.2.6. The information, mentioned in clause 3.2.4 of this Policy, is provided according to the terms of the Regulation.
3.3. Right of access by the personal data subject
3.3.1. The data subject has the right to ask the Operator for confirmation as to whether their personal data are being processed, and if so, they have the right of access to the personal data and the following information:
- the processing purposes;
- categories of the personal data being processed;
- recipients or the categories of recipients to whom the personal data are disclosed, especially recipients in third countries or international organizations;
- if possible, the period during which the personal data will be kept or, if this is not possible, the criteria used for determination of the specified period;
- the existence of the right to request that the Operator correct or remove the corresponding personal data or limit their processing, or to object to the specified processing;
- the right to make a complaint to the supervisory authority;
- if the personal data are obtained not from the data subject, any available information on their source;
- availability of the automated process of decision making, including profiling according to the provisions of the Regulation and, at a minimum in the mentioned cases, exact information on the logic involved and its significance, and the intended consequences of processing for the data subject.
3.3.2. If a third country or international organization receives the personal data, the data subject has the right to receive information on the corresponding guarantees provided by the Regulation.
3.3.3. The Operator shall guarantee the existence of a copy of the processed personal data. The Operator may charge a reasonable fee based on administrative costs for any other copies requested by the data subject. If the data subject makes a request by electronic means, the information should be provided in a commonly accepted electronic form unless the data subject requests otherwise. The right to obtain the copy should not negatively affect the rights and freedoms of other parties.
3.3.4. The data subject has the right to require from the Operator immediate change of the improper personal data and additions considering the processing purposes. The data subject has the right to claim the limitations of the subject’s data processing and immediate withdrawal (right to be forgotten) considering the necessity to reach the goal of processing, legal basis for processing and demand for justice (according to the Regulation).
3.3.5. The data subject has the right to get their PD that were conveyed to the Operator earlier in an organized, common and machine-readable format. The right to receive the data relates to the data subject’s right to directly convey their PD to another Operator (if technical capabilities are available) if the data processing was based on the data subject’s consent and is made with the help of automatic means. The data subject’s execution of the rights stipulated by this clause should work without loss to the realization of the right on the data withdrawal and this should not negatively influence on the rights and freedoms of other parties.
3.3.5. The Operator should inform each recipient, which is aware of these data, of any change or destruction of personal data or limitations to their processing on the basis of the provisions of this Policy when this impossible or claims for disproportionate efforts. The Operator shall inform the data subject on referred recipients if the data subject claims for it.
3.4. Right to object
3.4.1. The data subject has the right to object to the processing of personal data related to them if the data processing is carried out in the state’s interests, in the exercise of government power vested in the Operator, or on the basis of the legal interests of the Operator or a third party where these interests are not overridden by the interests of the data subject, including profiling based on the mentioned provisions. The data processing will be possible if the Operator is able to confirm the existence of a reasonable legal basis for such processing notwithstanding the interests, rights and freedoms of the data subject, or if the processing is necessary for the establishment, exercise or defense of legal claims.
3.4.2. If the personal data are processed for direct marketing, the data subject should have the right to object to the processing of their personal data for the purposes of such marketing, including profiling inasmuch as it relates to direct marketing.
3.4.3. If the data subject objects to processing for the purposes of direct marketing, the personal data should not be processed for these purposes.
3.5. Automated data processing
3.5.1. The data subject has the right not to be subject to a decision based on automated processing, including profiling, that produces legal consequences for them or significantly affects them. This right does not apply if the decision is needed for the conclusion or performance of a contract between the data subject and the Operator, is allowed by the legislation of the Union or an EU member state, or is based on the direct consent of the data subject.
The data subject has the right to appeal to the authorized government authority for the defense of their rights if those rights are violated; if they are located in the European Union, they should appeal to the corresponding supervisory authority of the EU member state.
The Operator guarantees an impartial review of the situation, with the participation of the person, if the rights of the data subject were violated during the automated processing.
4. PROTECTION OF PERSONAL DATA
4.1. In order to protect the processed data, the Operator takes appropriate technical and organizational measures, considering the content and amount of data, the purposes of their processing, and the possible risks and danger of violation of the rights and freedoms of natural persons as a result of data processing. More specifically:
- the data minimization principle is fulfilled (the processing of the necessary data according to the purpose);
- appointment of the persons responsible for the processing and protection of PD (data protection officer);
- arranging access to data processing within the limits of authority, ensuring familiarization with the requirements of legislation on data processing, and training the users of data processing systems;
- accounting for the resources and data media used and storing them in a way that excludes their unauthorized use;
- testing the readiness and effectiveness of the information security products in use;
- capability to restore the availability of and access to personal data in time in case of a physical or technical incident;
- implementation of anti-virus control, prevention of penetration of malicious software (virus programs) and malicious logic into the enterprise network;
- monitoring of user actions, verification of violations of personal data security requirements, including the ability to guarantee permanent confidentiality, integrity and stability of systems and services related to processing;
- taking other actions within the framework of the requirements of the Regulation to ensure the safety of personal data.
The safety level of PD provided by the Operator shall be commensurate with the possible risks of violation of the confidentiality of the processing, in particular those related to accidental or illegal destruction, loss, alteration, unauthorized dissemination of or access to the personal data being processed.
4.2. According to the requirements of the Regulation, an approved certification mechanism may be used to ensure the safety requirements for data processing.
4.3. The Operator shall keep a record of all activities related to data processing and falling within the scope of their responsibility. The records shall contain the following information:
- the surname and contact details of the Operator and, where possible, of the controller conducting the data processing together with the Operator, of the representative and data protection officer;
- the processing purposes;
- description of categories of data subjects and personal data;
- categories of recipients whom personal data have been or will be disclosed to, including recipients in third countries or international organizations;
- where possible, the transfer of personal data to a third country or international organization, including the identification data of the third country or international organization, and, in the case of the transfer referred to in the second sub-paragraph of Art. 49 (1), documentary proof of appropriate guarantees;
- if possible, the specified time for the destruction of the various categories of data;
- if possible, a general description of the technical and organizational safety measures.
4.4. Each data processor and, where possible, their representative shall keep records of all categories of data processing performed on behalf of the Operator. The content of the records shall meet the requirements of the Regulation.
4.5. The records referred to in clauses 4.1.2, 4.1.3 of this Policy shall be kept in written form, including in electronic form.
4.6. The Operator and, where possible, their representative shall make the records available to the supervisory authorities at their request.
4.7. The provisions referred to in clause 4.1.1, 4.1.4 of this Policy do not apply to businesses or organizations that employ fewer than 250 persons, except when their ongoing processing can result in risks for the rights and freedoms of data subjects, the processing is not of a random nature, or it involves sensitive data or personal data related to convictions and crimes.
5. REPRESENTATIVE OF THE OPERATOR (CONTROLLER OR DATA PROCESSOR) NOT ESTABLISHED IN THE UNION
5.1. The Operator’s activities are carried out entirely on the territory of the Russian Federation, and therefore the placement of a separate representative in the European Union is not required.
5.3. If the processing is carried out on behalf of the Operator (controller; data processor), this interaction takes place only with the guaranteed application of appropriate technical and organizational measures to protect the rights of the data subject in accordance with the requirements of the Regulation. The data processor and any person acting on behalf of the controller (Operator) or data processor who has access to the personal data shall process the specified data only by order of the controller, except as provided by the legislation of the Union or of a member state of the Union.
6. FINAL PROVISIONS, CONTACTS
This Policy, considering the provisions of the Regulation, applies to legal relations with natural persons within the framework of providing information and services in the established field of activity of the Operator in accordance with the requirements of the Regulation.
If a user follows links placed on the Internet resources of the Operator, the data processing in that case is not regulated by this Policy, with the exceptions to this rule mentioned in this Policy or in the provisions of the Regulation.
Reference information and phone contacts:
Address / Operator’s contacts:
National Legal Service LLC,
TIN 7702745920, PSRN 1107746913064
registered at: 9/1, Maly Sukharevsky Lane, Office 36, Moscow, 127051, Russia;
postal address: 22/25, Bolshoy Strochenovsky Lane, Office 300, Moscow, 115054, Russia;
Contact phone 7 499 215-14-77; e-mail: info@amulex.ru
Address / contacts of the data protection officer (responsible) appointed by the Operator:
Address: 22/25, Bolshoy Strochenovsky Lane, Office 300, Moscow, 115054, Russia;
Andrey Olegovich Panskoy
Email: info@amulex.ru.