POLICY

POLICY

of TREM Engineering Joint Stock Company

regarding the processing of personal data

1. General Provisions

1.1. This Policy of TREM Engineering Joint Stock Company regarding the processing of personal data (hereinafter – the Policy) has been developed in fulfilment of the requirements of Paragraph 2, Part 1, Article 18.1 of Federal Law dated 27.07.2006 N 152–FZ “On Personal Data” (hereinafter – the Personal Data Law) for the purpose of ensuring the protection of the rights and freedoms of an individual and citizen during the processing of their personal data, including the protection of rights to privacy, personal and family secrecy.

1.2. The Policy applies to all personal data which TREM Engineering Joint Stock Company processes (hereinafter – the Company, the Operator, TREM Engineering JSC).

1.3. In fulfilment of the requirements of Part 2 of Article 18.1 of the Personal Data Law, this Policy is published in free access on the Operator’s website on the information and telecommunication network Internet.

1.4. Key concepts used in the Policy:

personal data – any information relating directly or indirectly to an identified or identifiable natural person (personal data subject);

personal data operator (operator) – a state body, municipal body, legal entity or individual, independently or jointly with other persons organising and/or carrying out the processing of personal data, as well as determining the purposes of personal data processing, the composition of personal data subject to processing, the actions (operations) performed with personal data;

personal data processing – any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools. Personal data processing includes, but is not limited to: collection; recording; systematisation; accumulation; storage; refinement (updating, modification); extraction; use; transfer (dissemination, provision, access); anonymisation; blocking; deletion; destruction;

automated processing of personal data – processing of personal data using computer technology;

dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;

provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;

blocking of personal data – temporary cessation of personal data processing (except in cases where processing is necessary for refining personal data);

destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which material carriers of personal data are destroyed;

anonymisation of personal data – actions, as a result of which it becomes impossible to determine the belonging of personal data to a specific personal data subject without the use of additional information;

personal data information system – a set of personal data contained in databases and the information technologies and technical means ensuring their processing;

cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state, to an authority of a foreign state, a foreign individual, or a foreign legal entity;

cookies – these are small data fragments containing service information about website visits, which the server sends to the User’s device. Cookies remember information about user preferences, allowing for more convenient browsing of visited sites for a certain period.

Website User – an individual accessing the Operator’s website via the Internet and using the website’s functionality, including, but not limited to, viewing pages, filling out forms, subscribing to newsletters, participating in surveys, and other actions related to the use of the web resource.

1.5. Main Rights and Obligations of the Operator.

1.5.1. The Operator has the right:

1) To independently determine the scope and list of measures necessary and sufficient to ensure the fulfilment of obligations stipulated by the Personal Data Law and regulatory legal acts adopted in accordance therewith, unless otherwise provided by the Personal Data Law or other federal laws;

2) To entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with that person. The contract with the personal data processor must define the list of personal data, the list of actions (operations) with personal data to be performed by the personal data processor, the purposes of their processing, and must stipulate the obligation of such person to observe the confidentiality of personal data, as well as other conditions provided for by the Personal Data Law that are mandatory terms, including obligations to comply with the principles and rules of personal data processing, reporting to the Operator, notifying the Operator about unauthorised access to personal data, etc. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing stipulated by the Personal Data Law, to observe the confidentiality of personal data, and to take necessary measures aimed at ensuring the fulfilment of obligations stipulated by the Personal Data Law;

3) In case the personal data subject withdraws consent for personal data processing, to continue processing personal data without the consent of the personal data subject if there are grounds specified in the Personal Data Law.

1.5.2. The Operator is obliged to:

1) organise the processing of personal data in accordance with the requirements of the Personal Data Law;

2) respond to appeals and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;

3) provide the authorised body for the protection of personal data subjects’ rights (Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with the necessary information upon the request of this body within 10 business days from the date of receipt of such request. This period may be extended, but not for more than five business days. For this, the Operator must send a reasoned notification to Roskomnadzor, indicating the reasons for extending the period for providing the requested information;

4) in the manner determined by the federal executive body authorised in the field of security, ensure interaction with the state system for detecting, preventing, and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing it of computer incidents that led to the unlawful transfer (provision, dissemination, access) of personal data.

1.6. Main Rights of the Personal Data Subject.

The personal data subject has the right:

1) To receive information concerning the processing of their personal data, except in cases stipulated by federal laws. Such information is provided to the personal data subject by the Operator in an accessible form, and it must not contain personal data relating to other personal data subjects, unless there are legal grounds for the disclosure of such personal data. The list of information and the procedure for its receipt are established by the Personal Data Law;

2) To demand from the Operator the refinement of their personal data, its blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights;

3) To stipulate the condition of prior consent for the processing of personal data for the purpose of promoting goods, works, and services in the market;

4) To appeal to Roskomnadzor or through judicial procedure, the unlawful actions or inactions of the Operator during the processing of their personal data.

1.7. Control over the fulfilment of the requirements of this Policy is exercised by an authorised person responsible for organising the processing of personal data at the Operator.

1.8. Responsibility for violating the requirements of the legislation of the Russian Federation and the normative acts of TREM Engineering JSC in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation.

 

2. Categories of Personal Data Subjects and Purposes of Personal Data Processing

 

2.1. The processing of personal data is limited to achieving specific, pre-defined, and legitimate purposes. Processing of personal data incompatible with the purposes for which the personal data was collected is not permitted.

2.2. Only personal data that is relevant to the purposes of its processing shall be processed.

2.3. The Operator collects and processes personal data for the purpose of carrying out its activities in accordance with the legislation of the Russian Federation and the Charter of TREM Engineering JSC.

2.4. The Operator processes personal data of Data Subjects for purposes, the general definition of which is provided in the table below.

Categories of Personal Data Subjects

Categories of Personal Data

Purposes of Processing

Candidates (Applicants)

Employees and former employees
  • surname, first name, patronymic;
  • gender;
  • citizenship;
  • date and place of birth;
  • contact details (phone, email address);
  • information on education, work experience, qualifications;
  • other personal data provided by candidates in resumes and cover letters.

– Reviewing resumes and selecting candidates (applicants) for vacant positions for subsequent employment in the Company, as well as approving candidates in accordance with the Company’s internal regulatory acts;

– Maintaining the Company’s personnel reserve;

– Vetting selected candidates prior to concluding an employment contract;

– Maintaining statistics on the selection process.

Employees and former employees
  • surname, first name, patronymic;
  • gender;
  • citizenship;
  • date and place of birth;
  • image (photograph);
  • passport data;
  • address of registration at the place of residence;
  • actual residential address;
  • contact details (phone, email address);
  • individual taxpayer identification number (INN);
  • individual insurance account number (SNILS);
  • information on education, qualifications, professional training, and advanced training;
  • marital status, presence of children, family ties;
  • information on employment history, including awards, decorations, and/or disciplinary actions;
  • marriage registration data;
  • military registration data;
  • information on disability;
  • information on alimony deductions;
  • information on income from the previous place of work;
  • other personal data provided by employees in accordance with the requirements of labour legislation.

– Conclusion, amendment, administration, and termination of employment contracts, as well as the fulfilment of obligations stipulated by employment contracts and the legislation of the Russian Federation;

– Fulfilling personal data processing requirements within the framework of accounting and tax records.

– Organising business trips (official travel);

– Organising access control;

– Arranging parking spaces;

– Processing insurance policies (Voluntary Health Insurance (VHI), life insurance, accident insurance);

– Assisting in the processing of bank cards (within the “payroll project”);

– Assisting employees with training and career advancement within the Company (career growth, internal transfers, etc.);

– Information support (maintaining internal directories);

– Ensuring the personal safety of employees, controlling the quantity and quality of work performed by employees, and safeguarding company property.

– Ensuring compliance with the internal regulatory acts of TREM Engineering JSC.

Relatives of Employees
  • surname, first name, patronymic;
  • degree of kinship;
  • date of birth;
  • phone number;
  • other personal data provided by employees in accordance with the requirements of labour legislation.

Fulfilment of the requirements of the legislation of the Russian Federation imposed by virtue of concluded employment contracts, including:

– Maintaining employee personal records in T-2 form;

– Fulfilling the requirements of social insurance legislation, providing compensations and benefits;

– Receiving alimony, processing social payments, benefits, ensuring appropriate insurance payouts upon the occurrence of an insured event as a result of an accident when such relatives are designated as beneficiaries;

– Conclusion, amendment, and termination of voluntary medical insurance contracts for employees’ relatives.

Individuals comprising the Company’s management bodies
  • surname, first name, patronymic;
  • passport data;
  • address of registration at the place of residence;
  • contact details (phone, email address);
  • individual taxpayer identification number (INN);
  • individual insurance account number (SNILS).

Fulfilment of the requirements of Federal Law No. 208-FZ dated 26.12.1995 “On Joint-Stock Companies,” as well as other requirements of the legislation of the Russian Federation.

Counterparties

(suppliers of goods / works / services, clients / customers of services)
  • surname, first name, patronymic;
  • date and place of birth;
  • passport data;
  • address of registration at the place of residence;
  • contact details (phone number, email address);
  • position held;
  • individual taxpayer identification number (INN);
  • bank account number;
  • other personal data provided by clients and counterparties (individuals), necessary for the conclusion and execution of contracts.

– Conclusion, amendment, and termination of contracts, fulfilment of obligations under concluded contracts, as well as compliance with relevant requirements stipulated by the legislation of the Russian Federation;

– Provision of information about the services offered by the Company, and about the Company’s development of new products and services;

– Informing about the Company’s product and service offerings;

– Generating statistical reports.

Employees of Counterparties
  • surname, first name, patronymic;
  • passport data;
  • contact details (phone number, email address);
  • position held;
  • other personal data provided by representatives (employees) of clients and counterparties, necessary for the conclusion and execution of contracts.

– Fulfilment of obligations under concluded contracts, as well as compliance with relevant requirements stipulated by the legislation of the Russian Federation.

Users
  • surname, first name, patronymic;
  • email address;
  • phone number.

– Analysis of the effectiveness of the website www.tremseals.com;

– Collection of user location data, IP addresses, registration history, and reports on network event registration;

– Collection of information about consumers of the Company’s products/services, and the opinion of website visitors about the Company’s products/services, particularly regarding quality;

– Dissemination of information about the Company’s products/services;

– Informing about the Company’s products/services, as well as events held and/or organised by the Company;

– Servicing Counterparties, fulfilling orders, providing responses to inquiries;

– Generating statistical reports.

 

3. Legal Grounds and Principles of Personal Data Processing

3.1. The Operator is a Russian legal entity and conducts its activities on the territory of the Russian Federation.

3.2. The legal basis for personal data processing is the totality of regulatory legal acts, in fulfilment of and in accordance with which the Operator processes personal data, including:

  • The Constitution of the Russian Federation;
  • The Civil Code of the Russian Federation;
  • The Labour Code of the Russian Federation;
  • The Tax Code of the Russian Federation;
  • Federal Law No. 14-FZ dated 08.02.1998 “On Limited Liability Companies”;
  • Federal Law No. 402-FZ dated 06.12.2011 “On Accounting”;
  • Federal Law No. 167-FZ dated 15.12.2001 “On Mandatory Pension Insurance in the Russian Federation”;
  • Federal Law No. 149-FZ dated 27 July 2006 “On Information, Information Technologies, and Information Protection”;
  • Law of the Russian Federation No. 2124-1 dated 27 December 1991, “On Mass Media”;
  • Federal Law No. 294-FZ dated 26 December 2008, “On the Protection of Rights of Legal Entities and Individual Entrepreneurs during State Control (Supervision) and Municipal Control”;
  • Federal Law No. 152-FZ dated 27.07.2006 “On Personal Data”;
  • Decree of the President of the Russian Federation No. 188 dated March 6, 1997 “On Approval of the List of Confidential Information”;
  • Resolution of the Government of the Russian Federation No. 512 dated 6 July 2008, “On Approval of Requirements for Material Carriers of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems”;
  • Resolution of the Government of the Russian Federation No. 687 of 15 September 2008, “On Approval of the Regulation on the Specifics of Personal Data Processing Carried Out Without the Use of Automation Tools”;
  • Resolution of the Government of the Russian Federation No. 1119 of 1 November 2012, “On Approval of Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems”;
  • Order of Roskomnadzor No. 996 of 5 September 2013, “On Approval of Requirements and Methods for Anonymisation of Personal Data”;
  • Order of FSTEC of Russia No. 21 dated 18 February 2013, “On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems”;
  • Subordinate acts of the authorised body for the protection of personal data subjects’ rights;
  • Other regulatory legal acts regulating relations related to the Operator’s activities;
  • Charter of TREM Engineering JSC;
  • Contracts concluded between the Operator and personal data subjects;
  • Consent of personal data subjects to the processing of their personal data.

3.3. The Operator’s activities are based on the following principles:

  • Legality.
  • Fairness.
  • Data Minimisation.
  • Purpose-Driven Data Processing.
  • Timely Data Processing.
  • Data Confidentiality.
  • Localisation of Data Processing.

3.4. The Operator does not carry out cross-border transfer of personal data at the time of this Policy’s approval.

3.5. The Operator does not process special categories of personal data concerning racial or ethnic origin, political views, religious or philosophical beliefs, health status, or intimate life, except in cases stipulated by the legislation of the Russian Federation.

4. Website Visit Analytics

4.1. For the proper functioning of the website and for conducting statistical research and reviews, the Operator uses cookies, which are collected from Users of the Operator’s websites (location data; OS type and version; Browser type and version; device type and screen resolution; referral source; OS and Browser language; user actions on the website; IP address).

4.2. The types of cookies used on the website are presented in the table below. The Site’s user documents may provide for the use of other cookies.

 

     

 

Type of cookie files

Description

Purpose of using

Necessary

These cookies ensure the proper functioning of the Site and the provision of services.

To ensure the proper display of interfaces and their interactive components.

Functional

These cookies save preferences regarding Site settings.

To simplify Site usage for a better user experience.

 

Analytical

These cookies store aggregated information about usage and its individual elements.

For further improvement of interfaces, planning Site development.

 

Marketing

These cookies store information about how the Site is used, i.e., user preferences related to the Site.

For site personalisation, optimisation of recommendation technologies, and evaluation of personalisation effectiveness.

 

Third-party

These cookies collect information about users, traffic sources, visited pages, and advertisements displayed to the user. Third-party providers include Yandex and the Jino service.

To register data on user behaviour on the Yandex website;

 To collect data on visitors’ interaction with video content on the site (Jino).


4.3. The Operator uses the information contained in cookies only for the purposes indicated above, after which the collected data will be stored on the Operator’s device for a period that may depend on the respective type of cookie, but not exceeding the period necessary to achieve their purpose, after which they will be automatically deleted from the Operator’s system.

4.4. To refuse the use of cookies, the user has the right to use browser settings, where the use of cookies can be disabled. Complete disabling of cookies may lead to a limitation of the Site’s functionality.

4.5. Detailed instructions for disabling cookies are available via an external link:

5. Procedure and Conditions for Personal Data Processing

5.1. Personal data is processed by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. Personal data processing is carried out with the consent of personal data subjects for the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.

5.3. The Operator performs both automated and non-automated processing of personal data.

5.4. Employees of the Operator are permitted to process personal data when performing their official duties, to fulfil assigned tasks.

5.5. Personal data processing is carried out by:

•  obtaining personal data verbally and in writing directly from personal data subjects;

•  obtaining personal data from publicly available sources;

•  entering personal data into the Operator’s journals, registers, and information systems;

•  recording;

•  systematization;

•  accumulation;

•  storage;

•  refinement (updating, modification);

•  extraction;

•  use;

•  transfer (dissemination, provision, access);

•  anonymization;

•  blocking;

•  deletion;

•  destruction;

•  using other methods of personal data processing.

5.6. Personal data may be transferred to third parties in the following cases:

– to authorised state authorities on grounds stipulated by the legislation of the Russian Federation;

– to contractors and other persons providing services on behalf of the Operator;

– to counterparties in cases provided for by contract;

– to other persons in cases stipulated by the legislation of the Russian Federation.

Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is not permitted, unless otherwise provided by federal law.

Consent to the processing of personal data permitted by the personal data subject for dissemination is formalised in writing directly to the Operator or electronically using the information system of the authorised body for the protection of personal data subjects’ rights, separately from other consents of the personal data subject to the processing of their personal data.

5.7. The transfer of personal data to investigative bodies, the Federal Tax Service, the Social Fund of Russia, and other authorised executive authorities and organisations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Operator takes necessary legal, organisational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination, and other unauthorised actions, including:

• identifying threats to the security of personal data during their processing;

• adopting local regulatory acts and other documents regulating relations in the field of personal data processing and protection;

• appointing persons responsible for ensuring the security of personal data in the Operator’s structural divisions and information systems;

• creating necessary conditions for working with personal data;

• organising the accounting of documents containing personal data;

• organising work with information systems in which personal data is processed;

• storing personal data under conditions that ensure their safety and exclude unauthorised access to them.

5.9. The Operator stores personal data in a form that allows the identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the personal data retention period is established by federal law or contract.

5.10. When collecting personal data, including via the information and telecommunication network Internet, the Operator ensures the recording, systematisation, accumulation, storage, refinement (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in cases specified in the Personal Data Law.

5.11. All consents for personal data processing are documented in written or electronic form with a note of the date of receipt.

 

6.  Updating, Correction, Deletion, and Destruction of Personal Data, Responses to Data Subjects’ Requests for Access to Personal Data


6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Personal Data Law, are provided by the Operator to the personal data subject or their representative within 10 business days from the date of the request or receipt of the personal data subject’s or their representative’s request. This period may be extended, but not by more than five business days. For this, the Operator sends a reasoned notification to the personal data subject indicating the reasons for extending the period for providing the requested information.

The information provided does not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.

The request must contain:

– the number of the main identity document of the personal data subject or their representative, information about the date of issue of the said document and the issuing authority;

– information confirming the personal data subject’s participation in relations with the Operator (contract number, date of contract conclusion, conventional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator;

– the signature of the personal data subject or their representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

The Operator provides the information specified in Part 7 of Article 14 of the Personal Data Law to the personal data subject or their representative in the form in which the respective appeal or request was submitted, unless otherwise indicated in the appeal or request.

If the personal data subject’s appeal (request) does not contain all the necessary information in accordance with the requirements of the Personal Data Law, or if the subject does not have access rights to the requested information, a reasoned refusal is sent to them.

The right of the personal data subject to access their personal data may be restricted in accordance with Part 8 of Article 14 of the Personal Data Law, including if the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties.

6.2. In case of identifying inaccurate personal data upon the appeal or request of the personal data subject or their representative, or upon the request of Roskomnadzor, the Operator shall block the personal data pertaining to that personal data subject from the moment of such appeal or receipt of the specified request for the period of verification, provided that the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, based on information provided by the personal data subject or their representative, or by Roskomnadzor, or other necessary documents, shall refine the personal data within seven business days from the date of submission of such information and unblock the personal data.

6.3. In the event of detection of unlawful processing of personal data upon the appeal (request) of a personal data subject or their representative, or Roskomnadzor, the Operator shall block the unlawfully processed personal data pertaining to that personal data subject from the moment of such appeal or receipt of the request.

6.4. Upon detection by the Operator, Roskomnadzor, or any other interested party, of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data) which led to a violation of the rights of personal data subjects, the Operator shall:

  • within 24 hours – notify Roskomnadzor and the personal data subjects of the incident that occurred, the presumed causes that led to the violation of personal data subjects’ rights, the presumed harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and also provide information about the person authorised by the Operator to interact with Roskomnadzor on matters related to the incident;
  • within 72 hours – notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused it (if applicable).

6.5. Personal data of Data Subjects processed by the Company are subject to destruction or anonymisation in the event of:

– achievement of the purposes of personal data processing or loss of the necessity to achieve these purposes;

– withdrawal of consent by the Personal Data Subject for the processing of their personal data (except in cases stipulated by the current legislation of the Russian Federation);

– receipt of a demand from the Personal Data Subject for the deletion of their personal data (except in cases stipulated by the current legislation of the Russian Federation);

–  cessation of the Company’s activities.

6.6. Upon a personal data subject’s request to the Operator for cessation of personal data processing, personal data processing shall cease within a period not exceeding 10 business days from the date the Operator receives the corresponding request, except in cases stipulated by the Personal Data Law. The specified period may be extended, but not by more than five business days. For this, the Operator must send the personal data subject a reasoned notification indicating the reasons for the extension of the period.

6.7. A request for the cessation of personal data processing must be sent to the Operator’s address: 35B Vorontsovskaya St., bldg. 2, 4th floor, room II, office 63, Moscow, 109147. The request must specify information about the document identifying your identity or the identity of your representative (document type, series and number, by whom and when issued), your full name or the full name of your representative, and information about your relationship with the Operator, during which the Operator received your personal data. The request must be signed.

You can send a request via email to trem@trem.ru; in this case, the request must be in the form of an electronic document signed in accordance with the provisions of the legislation of the Russian Federation on electronic signatures.

7. Final Provisions

7.1. All relations concerning personal data processing that are not reflected in this Policy are regulated in accordance with the provisions of the legislation of the Russian Federation.

7.2. The Operator has the right to amend this Policy. The current version is permanently available on the Website at: https://tremseals.com/politika.