1. General Provisions
1.1. Personal data processing at ESL (hereafter, ESL ) is organized in order to ensure personal human and civil rights, pursuant to the requirements of Russian legislation.
1.2. Personal data processing at ESL shall be organized in strict compliance with these Regulations, which must be observed by all ESL staff.
1.3. These Regulations are aimed at ensuring protection of personal human and civil rights in the course of personal data processing, with respect to privacy policies, personal and family confidentiality, as well as setting forth ESL ’ policies as the personal data operator.
1.4. ESL hereby undertakes legal, organizational and technical measures required for ensuring the application of Russian legislation on personal data protection and/or ensures the adoption of such measures.
1.5. These Regulations may be amended without prior notification of the personal data subjects and other persons. The current version of the Regulations may be viewed on ESL ’ corporate website (portal).
1.6. These Regulations and amendments thereto shall be approved by a directive issued by President of ESL .
2. Terms and Definitions
2.1. The terms and definitions used in these Regulations are presented as per Federal Law No. 152-FZ, dated July 27, 2006 (hereafter, the “Federal Law On Personal Data”) and other bylaws of the Russian Federation, as follows:
2.1.1. Personal data (hereafter, “PD”) includes information, directly or indirectly relating to any particular individual (hereinafter, a “PD Subject”).
PD and related categories thereof may differ in terms of a given PD Subject’s identification and identifiability, as well as depend on whether or not a particular person or citizen (PD Subject) can be identified on the basis of relevant PD.
Any data that does not feature information on personal identity, or does not make it possible to identify persons by use of special procedures, shall not be considered PD.
Thus, such information may be processed regardless of Russian legislation on PD processing. Such data can include such common information as gender, age, official position, profession, hobby, etc., as well as information generally available through Internet, until such data may allow the identification of a person or citizen;
2.1.2. PD Subjects are identifiable individuals.;
2.1.3. Personal data processing (hereafter, “PD processing”) involves any activity (operation) or a combination of activities (operations), performed manually or relying on automated means for PD processing, including collection, recording, systematization, accumulation, storage, specification (renewal, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of PD;
2.1.4. An operator is a body of the government or municipal authorities, a legal entity or an individual, acting individually or jointly with other persons, who organize and/or engage in PD processing, as well as determine the purposes of such processing activities, the composition of PD that is subject to processing and actions (operations) performed. In the context of these Regulations, ESL is regarded as the operator;
2.1.8. Legislation on PD is specified in the Constitution of the Russian Federation and Federal Law No. 152-FZ “On Personal Data”, dated July 27, 2006, as well as other bylaws and regulations on PD processing.
3. Terms and Conditions on PD Processing
3.1. After receiving PD from staff, students and other persons specified herein, and accepting this information for storage, ESL shall thereby be deemed an operator. The Company shall process PD in line with the principles, terms and conditions stipulated in legislation on PD in regards to the following cases:
3.1.1. PD processing shall be implemented on the basis of the PD Subject’s consent, provided either in writing, by an e-mail certified with a valid electronic signature.
Such cases include, in particular, the processing of PD relating to:
· Job applications;
· Any tests or exams carried out by applicants or company personnel;
· former ESL staff, in order to maintain consistent staff records:;
· managers and other authorized representatives of legal entities, including (potential) counterparties under contracts and agreements (hereafter, jointly referred to as “agreements”), with the aim of making preparations for the conclusion and execution of such agreements and maintenance of related records.
3.1.2. ESL shall perform PD processing acting as an operator, pursuant to Russian legislation, with respect to the requirements of the following respective regulations, including:
· labour legislation (including labour safety laws), including the Russian Labour Code, other federal laws and respective legislation of the constituent bodies of the Russian Federation, relating to labour regulations;
· rules for maintaining a register of concluded procurement agreements, pursuant to Directive of the Russian Government No. 1132, dated October 31, 2014;
· other bylaws of the Russian Federation.
3.1.3. PD processing shall be required for executing agreements to which a PD Subject is a party, or a beneficiary, or a guarantor, including in cases whereby the operator exercises its right to assign rights (claims) under an agreement, as well as for concluding agreements upon the PD Subject’s initiative, and/or agreements to which the PD Subject is a party, or a beneficiary, or a guarantor.
3.1.4. PD processing is required in the context of research, literary and any other creative activities, provided that the rights and legal interests of the PD Subject are properly observed;
3.1.5. PD processing is performed for statistical and other research-related purposes, provided that this information must be subject to depersonalization;
3.1.6. PD processing is performed with respect to information, which is publicly available upon consent and/or as per the request of the PD Subject (including PD made publicly available in general).
3.2. The aforementioned data of PD Subjects, groups of PD Subjects and other PD shall be processed as per the requirements for relevant consent for PD processing, including consent provided through employment and independent contractor agreements, and/or official regulations, and/or ESL ’ respective bylaws, as well as related regulations and bylaws, or within a given established timeframe. These include, but are not limited to, general terms and conditions for PD processing. Consent for PD processing provided by PD Subjects may be amended with respect to the given purpose, size, methods and deadlines of PD processing.
3.3. PD of other persons shall be processed upon their consent provided in the course of their cooperation/legal relations with HSE. Unless otherwise specified within these Regulations, relevant agreements and/or consent for PD processing provided by PD Subjects, ESL shall exclusively use such information for intended purposes, including answering questions, as well as making certain information and knowledge available.
3.4. Prior to processing PD, relevant ESL ’ staff must make sure that such PD processing is lawful, that Company has respective authorities, and/or related consents have been provided by PD subjects. In case these authorities and/or consent are not available, ESL ’ staff must obtain the PD Subject’s consent for PD processing. The following steps can be undertaken for these purposes:
· requests for a PD Subject’s consent for PD processing may be presented in different online registration forms, messages sent via e-mail and through phone calls, with confirmation provided by the PD Subject in any form, including his/her subsequent personal confirmation;
· a recommended format for written consent is available on ESL ’ corporate website (portal) at
3.5. The list of ESL staff involved in PD processing includes:
2. Chief Operating Officer;
3. All employees reporting to them;
3.6. Unless otherwise provided, as per submission of their PD to the Company, the PD Subject thereby shall agree to the terms and conditions of these Regulations, and, in their free will and interest, shall control their PD, understand consequences of their PD disclosure and provide their consent to related PD processing for relevant purposes, as well for the purposes of ESL compliance with official regulations and bylaws of the Russian Federation; execution of decisions, orders and inquiries of government authorities; providing information on events organized by ESL , researchand education projects, and related deliverables; marketing promotion of ESL ’ products, works and services, including through directly contacting PD Subjects; implementing ESL activities as per the Company By-Laws; as well as accumulating information on persons and entities acting as ESL counterparties, through such activities as gathering, recording, systematization, accumulation, storage, clarification (renewal, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction, performed both manually and via automated means. The overall volume of PD processed in such situations shall be limited to data provided by PD Subjects. Also, the period for PD processing shall come to 5 (five) years after submission.
Despite a wide range of operations that may be performed with PD upon consent, ESL shall only carry out PD processing for pre-determined legal purposes.
ESL must refrain from selling or making PD available in any form. In turn, PD shall be processed at the Company only for the aforementioned purposes upon consent provided by PD Subjects. In any other cases, the use of PD is prohibited.
4. Access to PD
4.1. Access to processed PD at ESL shall only be granted to persons designated and/or specified in these Regulations, as well as persons who are duly authorized by these Regulations and PD Subjects themselves.
4.2. Other ESL staff may acquire PD access in order to read and prepare methodological, analytical, consolidated reports and other materials on any matters relating to the competence of such persons and ESL ’ relevant subdivisions. Other staff of the Company may be granted PD access only on the condition that such persons undertake to observe effective confidentiality with respect to such information.
4.3. Persons liable for violations of PD processing rules shall bear responsibility as per Russian legislation. Disciplinary measures may be applied to HSE staff who are liable for violations of PD processing rules.
5. Special Aspects of Staff PD Protection
5.1. PD protection refers to the implementation of legal, organizational and technical measures focused on:
1. ensuring PD protection from unauthorized access, destruction, modification, blocking, copying, provision and distribution, as well as other illegal operations with PD;
2. PD confidentiality;
3. providing rights for access to PD.
5.2. ESL shall ensure the efficiency of its PD security system, including such activities as organizational and/or technical measures, determined with due consideration of actual security risks to PD and the information technologies used in information systems.
5.3. Protection of ESL staff’s PD from unauthorized access and/or loss shall be ensured at the Company’s expense, as per the procedure established by federal legislation.
5.4. PD stored within ESL ’ electronic databases and information systems shall be protected from unauthorized access, distortion and destruction, as well as any other illegal operations, through diversification of rights of access, relying on a system of logins and passwords.
5.5. PD storage at ESL shall be organized so as to avert their loss or unauthorized use.
5.6. ESL staff responsible for PD processing, as well as heads of relevant subdivisions, shall organize and monitor the protection of ESL staff’s PD.
5.7. ESL senior managers shall observe and implement the following procedures, in order to regulate the access of HSE staff to PD, documents (including e-documents), other material data storage devices, databases and information systems containing PD, in order to prevent unauthorized access of any third parties and protection of the PD of ESL ’ staff:
· limiting and setting rules for employees whose job responsibilities require access to PD;
· ensuring strictly selective and rational distribution of documents and other data storage devices containing PD among ESL ’ staff;
· ensuring rational distribution of employees’ workplaces in order to properly monitor PD usage and access;
· making employees aware of requirements of applicable laws and bylaws concerning PD protection and confidentiality;
· ensuring adequate conditions on premises for operations with documents and other data storage devices, databases and information systems containing PD;
· determining and regulating the number of employees with the right to access databases and information systems containing PD;
· spelling out procedures for the destruction of PD storage devices, as well as ensuring that this system is properly observed;
· ensuring timely detection of cases of unauthorized access to PD;
· organizing work in respective subdivisions in order to avert and prevent PD loss or disclosure;
· limiting access to documents and other data storage devices, databases and information systems, which contain PD.
5.8. All measures relating to PD confidentiality that are applicable during PD processing must cover both material data storage devices and any PD that is submitted electronically.
6. Rights of PD Subjects
6.1. PD processing shall be performed by ESL only upon consent of PD Subjects and/or pursuant to terms and conditions of Russian legislation on PD processing unless otherwise stipulated in Russian law.
6.2. PD Subjects shall be acquainted with the text of his/her consent, which is subsequently submitted to ESL and, if necessary, they may refer to the Company’s subdivisions specified in the Regulations in order to carry out any steps spelled out in relevant Russian laws on PD processing.
6.3. Any PD Subject shall be entitled to withdraw his/her consent provided to ESL for PD processing (in the same format).
6.4. A PD Subject can exercise his/her other rights as specified by the relevant laws on PD processing.
 In particular, through inquiries and web searches, including social networks, etc.
 If it is not unique, not specifying the PD Subject’s place of work
 In particular, information on dynamic IP-addresses for non-professional users of telecommunication services