Personal Data Processing Policy for the YOGA Platform (Legal entity – OOO BUBUKA)

1. General Provisions

1.1. This Policy sets out a procedure for processing personal data and measures to ensure the security of personal data in OOO BUBUKA (hereinafter referred to as the Company) in order to protect human and citizen’s rights and freedoms in processing personal data, including rights to personal and family privacy.

1.2. The Company’s Personal Data Processing Policy (hereinafter referred to as the Policy) was developed in accordance with Federal Law No. 152-FZ On Personal Data of July 27, 2006 (hereinafter referred to as Law FZ-152).

1.3. The following terms and definitions are used in this Policy:

  • The “Operator” means a government authority, a municipal authority, a legal entity or an individual who severally or jointly arrange and/or perform the processing of personal data, as well as define the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.
  • The “personal data” means any information related to an individual identified or to be identified directly or indirectly (hereafter referred to as the Personal Data Subject);
  • The “personal data processing” means any action (operation) or a series of actions (operations) with personal data performed with or without means of automation, including collection, recording, systematization, accumulation, storage, refinement (updating, change), retrieval, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data;
  • The “automated personal data processing” means the processing of personal data with the use of computers.
  • The “personal data dissemination” means any actions aimed at disclosing (transfer of personal data) or making the personal data known to the general public, including publication of the personal data in mass media, information and telecommunication networks, or providing access to the personal data in any other way;
  • The “provision of personal data” means any actions aimed at disclosing the personal data to a specific person or a specific group of persons;
  • The “personal data blocking” means temporary interruption of the personal data processing, unless the processing is required to refine the personal data.
  • The “personal data destruction” means any actions making it impossible to restore the content of the personal data in the personal data system and/or resulting in the destruction of physical media on which personal data are stored;
  • The “personal data depersonalization” means any actions making it impossible to establish a connection between the personal data and a specific personal data subject without using additional information;
  • The “personal data system” means a set of personal data contained in personal data databases, as well as information technologies and equipment used for their processing;
  • The “cross-border transfer of personal data” means a transfer of personal data to a foreign country, specifically to a foreign government body, a foreign individual, or a foreign legal person.

1.4. The Policy applies to all personal data of subjects processed by the Company with or without means of automation.

1.5. Any personal data subject shall have access to this Policy.

2. Principles and Conditions for the Personal Data Processing

2.1. The personal data processing by the Company is based on the following principles:

  • The personal data processing is performed on a legal and equitable basis;
  • The personal data processing is limited to specific, predefined and legitimate purposes;
  • The personal data processing is not permitted if it conflicts with purposes of personal data collection;
  • It is not allowed to combine databases containing personal data which are processed for conflicting purposes;
  • The personal data may be processed only according to the stated purposes of their processing;
  • The scope and amount of personal data comply with the stated purposes of processing;
  • Data redundancy is not permitted unless it meets the stated purposes of their processing;
  • The personal data shall be accurate, sufficient and relevant to purposes of the personal data processing;
  • The personal data shall be destroyed or depersonalized as soon as the purposes of their processing are achieved, or if the achievement thereof is no longer required, or if the Company cannot eliminate any violation in respect of the personal data, unless otherwise provided by the federal law.

2.2. The Company shall process the personal data only if at least one of the following conditions exists:

  • the personal data processing is performed with the consent of the personal data subject to the processing of his/her personal data;
  • the personal data processing is necessary to achieve the objectives stipulated by law, to implement the functions, powers and duties imposed by the legislation of the Russian Federation on the Operator;
  • The personal data processing is necessary for the performance of a contract under which the personal data subject is either a beneficiary or a guarantor, or for entering into agreements on the initiative of the personal data subject or agreements under which the personal data subject will be a beneficiary or guarantor;
  • The personal data processing is necessary to exercise rights and legal interests of the Company or third parties, or to achieve socially significant objectives, provided that the rights and freedoms of the personal data subject are not violated in any way;
  • The Company processes the personal data access to which is provided to the general public by or at the request of the personal data subject (hereinafter referred to as the publicly available data);
  • The Company processes the personal data to be published or disclosed in accordance with the federal law.

2.3. The Company and other persons that obtain access to the personal data shall not disclose to third parties or disseminate the personal data without the consent of the personal data subject, unless otherwise specified in the federal law.

2.4. For information support purposes, the Company may create publicly available sources of employees’ personal data, including directories and address books. With the consent of employees, publicly available sources of personal data may include their names, date and place of birth, position, telephone number, and email address. Employee’s personal data shall be excluded from publicly available sources of personal data at any time at the request of the employee, or by decision of a court or other authorized government bodies.

2.5. The Company is entitled to engage another person in the personal data processing with the consent of the personal data subject, unless otherwise specified in the federal law, under an agreement concluded with this person (hereinafter referred to as the Company’s engagement). The person engaged in personal data processing with the consent of the Company shall follow the principles and rules of personal data processing set forth in Law FZ-152.

2.6. Special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health status and private life are acceptable subject to the following conditions:

  • The personal data subject has given consent in writing to the processing of their personal data;
  • The personal data are made publicly available by the personal data subject;
  • The personal data processing is performed in accordance with social security and labor laws, laws on state pension protection and retirement pensions of the Russian Federation;
  • Personal data processing is necessary to establish or exercise rights of the personal data subject or a third party, as well as in connection with the administration of justice;
  • Personal data processing is performed in accordance with anti-terrorism and anti-corruption laws, enforcement proceedings laws and criminal penal laws of the Russian Federation;
  • Personal data processing is performed in accordance with laws on compulsory types of insurance and other insurance laws. Processing of special categories of personal data shall be immediately terminated if reasons for the processing do not exist anymore, unless otherwise specified in federal law.

2.7. The personal data processing relating to convictions may be performed by the Company exclusively in the cases and in the manner defined by applicable federal laws.

2.8. Any information that concerns physiological and biological characteristics of individuals which can be used to identify them (personal biometric data) can be processed by the Company only with the written consent of an employee.

2.9. Cross-border transfer of the personal data to foreign states may be performed by the Company only with the consent of the personal data subject to cross-border transfer of his/her personal data. Before cross-border transfer of the personal data., the Company shall make sure that the foreign state to which the personal data are to be transferred ensure adequate protection of the personal data subject’s rights.

3. RIGHTS OF THE PERSONAL DATA SUBJECT

3.1. The personal data subject shall decide to provide his/her personal data and give consent to processing them of their own will and in his/her interests. The consent to the personal data processing may be given by the personal data subject or his/her representative in any form that clearly shows his/her consent, unless otherwise specified in the federal law. The obligation to provide proof that the personal data subject’s consent to the personal data processing has been obtained, or evidence of the grounds thereof, as specified in Law FZ-152, shall rest with the Company.

3.2. The personal data subject is entitled to receive information regarding the processing of his/her personal data unless this right is limited by federal law. The personal data subject is entitled to demand that the Company update, block or destroy his/her personal data if they are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose, and to take any legal steps to protect their rights as permitted by law.

3.3. The personal data processing for promoting goods or services to the market by engaging in direct contact with potential consumers using means of communication, or for political promotion is only allowed with prior consent of the personal data subject. These forms of personal data processing are considered to be performed without prior consent of the personal data subject unless the Company proves that the consent was obtained. The Company is required to immediately terminate personal data processing for the above purposes when and as required to do so by the personal data subject.

3.4. It is prohibited to make any decisions based solely on the automated personal data processing if these decisions have any legal consequences with regard to the personal data subject or otherwise affect his/her rights and legitimate interests, unless otherwise is specified in federal laws or written consent has been obtained from the personal data subject.

3.5. If the personal data subject considers that the Company violates Law No. 152-FZ in processing his/her personal data or otherwise violates his/her rights and freedoms, the personal data subject is entitled to lodge a complaint against actions or omission of the Company with the body authorized to protect personal data subjects’ rights or with the court. The personal data subject is entitled to protect his/her rights and legitimate interests, including compensation for pecuniary and non-pecuniary damages, through the court.

4. Personal Data Security

4.1. The security of personal data processed by the Company is ensured through the implementation of legal, organizational, technical and software-based measures which are necessary and sufficient to meet the requirements of the federal laws on personal data security.

4.2. In order to purposefully create unfavorable conditions and insurmountable obstacles for violators trying to obtain unauthorized access to the personal data in order to capture, modify, destroy, infect with malicious program code and perform other unauthorized actions with the personal data, the Company shall apply the following organizational and technical measures:

  • appoint officials responsible for processing and protecting the personal data;
  • limit and regulate the number of employees who have access to the personal data;
  • familiarize employees with requirements of federal laws and internal regulatory documents of the Company concerning the processing and security of personal data;
  • ensure that physical media containing personal data are properly recorded, stored and used to prevent their theft, substitution, unauthorized copying and destruction;
  • identify security threats to the personal data during their processing and develop related threat models;
  • develop a personal data security system based on the threat model for the appropriate class of information systems;
  • check available information security tools for readiness and effectiveness;
  • implement a controlled access system for users of information resources, data processing and security software and hardware;
  • register and record activity of users of personal data systems;
  • ensure password protection of users’ access to the personal data system;
  • use control access tools for communication ports, I/O devices, portable machine-readable media and external storage devices;
  • use cryptographic information security tools to ensure the security of personal data when they are transmitted via open communication channels and stored on machine-readable media;
  • implement anti-virus protection, prevent introduction of malicious programs (viruses) and malicious logic into the corporate network;
  • use firewalling;
  • detect intrusions into the Company’s corporate network that violate or create conditions for violating requirements for personal data security;
  • ensure centralized management of the personal data security system (data backup);
  • ensure the recovery of personal data modified or destroyed as a result of unauthorized access;
  • train and instruct employees engaged in using information security tools in personal data systems;
  • keep record of information security tools and related operational and technical documentation to them;
  • use information security tools that have duly passed the compliance assessment procedure;
  • monitor user activity and investigate violations of personal data security requirements;
  • install personal data processing equipment within the protected area;
  • organize the controlled access to the Company’s premises;
  • maintain security and alarm equipment in a constant state of readiness.

5. Final Provisions

5.1. Other rights and obligations of the Company as a personal data operator shall be determined by laws of the Russian Federation concerning the personal data. Officials of the Company who are guilty of violating the personal data processing and security regulations shall bear financial, disciplinary, administrative, civil or criminal liability in the manner prescribed by applicable federal laws.