1. General Provisions

1.1. The present Keystone Logistics Limited liability company Policy regarding personal data processing (hereinafter referred to as the Policy) was elaborated in accordance with the requirements of clause 2, part 1, art. 18.1 of the Federal Law of July 27, 2006 N 152-FZ “On Personal Data” (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of the rights and freedoms of humans and citizens when processing their personal data, including the protection of rights to privacy, personal and family secrets.

1.2. The policy applies to all personal data processed by Keystone Logistics Limited liability company (hereinafter — Operator, Keystone Logistics LLC).

1.3. The Policy applies to relationships in the field of personal data processing that arose with the Operator both before and after this Policy approval.

1.4. In pursuance of the requirements of Part 2 of Art. 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Internet information and telecommunications network on the Operator’s website https://www.keystone-logistics.com.

1.5. Basic concepts used in the Policy

personal data — any information relating to a directly or indirectly identified or identifiable User of the website https://www.keystone-logistics.com

personal data operator (operator) — a state body, municipal body, legal or natural person, organizing and (or) carrying out personal data processing independently or jointly with other persons, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

user – any visitor of the website https://www.keystone-logistics.com

personal data processing — any action (operation) or set of actions (operations) with personal data performed using automation tools or without their use. Personal data processing includes, among other things:

• collection;

• recording;

• systematization;

• accumulation;

• storage;

• validation (update, change);

• extraction;

• usage;

• transmission (distribution, provision, access);

• depersonalization;

• blocking;

• deletion;

• destruction;

automated personal data processing — personal data processing by means of computer technology;

personal data distribution — actions aimed at disclosing personal data to an indefinite number of persons;

personal data provision — actions aimed at disclosing personal data to a certain person or a certain group of people;

personal data blocking — temporary cessation of personal data processing (except for cases where processing is necessary to validate personal data);

personal data destruction — actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of the personal data are destroyed;

personal data depersonalization — actions as a result of which it becomes impossible to determine the personal data ownership by a specific personal data subject without the use of additional information;

personal data information system — a set of personal data contained in databases and information technologies and technical means that ensure their processing.

website — a combination of graphic and information materials, as well as computer programs and databases that ensure their availability on the Internet at a network address https://www.keystone-logistics.com

1.6. Basic rights and obligations of the Operator.

1.6.1. The operator has the right to:

1)  receive reliable information and/or documents containing personal data from the personal data subject;

2) independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and regulations adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

3)  assign the personal data processing to another person with the consent of the personal data subject, unless otherwise provided for by federal law, on the basis of an agreement concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data provided for by the Law on Personal Data, maintain the personal data confidentiality, and take the necessary measures aimed at ensuring the fulfillment of the obligations provided for by the Law on Personal Data;

4)  If the personal data subject withdraws consent to personal data processing, the Operator has the right to continue processing personal data without the personal data subject consent if there are grounds specified in the Law on Personal Data.

1.6.2. The Operator is obliged to:

1)  organize personal data processing in accordance with the requirements of the Law on Personal Data;

2)  respond to requests and inquiries from personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;

3)  report to the authorized body for the protection of the rights of personal data subjects (Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications (Roskomnadzor)) at the request of this body the necessary information within 10 working days from the date of receipt of such a request. This period may be extended, but not more than for five working days. To do this, the Operator must send a motivated notification to Roskomnadzor indicating the reasons for extending the deadline for providing the requested information;

4)  according to the procedure determined by the federal executive body authorized in the field of security provision, ensure interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing it about computer incidents that resulted in unlawful transfer (provision, distribution, access) of personal data.

1.7. Basic rights of the personal data subject. The personal data subject has the right to:

1)  receive information regarding the processing of his personal data, except for cases provided for by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for the disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;

2)  demand from the operator to validate his personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided by law to protect their rights;

3)  give prior consent to personal data processing in order to promote goods, works and services on the market;

4)  appeal the unlawful actions or inactions of the Operator when processing his personal data to Roskomnadzor or to the court.

1.8. Control over compliance with the requirements of this Policy is carried out by an authorized person responsible for organizing personal data processing by the Operator.

1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and local regulations of Keystone Logistics LLC in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation.

2. Purposes of personal data collecting

2.1. Personal data processing is limited to the achievement of specific, pre-defined and legitimate goals. Personal data processing that is incompatible with the personal data collecting goals is not permitted.

2.2. Only personal data that meets the goals of its processing shall be subject to processing.

2.3. The personal data processing by the Operator is carried out for the following purposes:

·  carrying out its activities in accordance with Keystone Logistics LLC articles of association including:

(a) conclusion and execution of contracts with counterparties;

(b) provision and personalization of Operator services;

(c) working with inquiries and requests from personal data subjects;

(d) contacting personal data subjects with marketing materials and offers for services and products offered by the Operator (except in cases where the personal data subject refuses to receive marketing materials or when this is prohibited by law on any other grounds);

·  implementation of access control.

3. Legal grounds for personal data processing

3.1. The legal basis for personal data processing is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including:

·  Constitution of the Russian Federation;

·  Civil Code of the Russian Federation;

·  Federal Law “On Information, Information Technologies and the Protection of Information” dated 27.07.2006 N 149-FZ;

·  other regulatory legal acts regulating relations connected with the activities of the Operator.

3.2. The legal basis for personal data processing is also:

·  Keystone Logistics LLC articles of association;

·  agreements concluded between the Operator and personal data subjects;

·  consent of personal data subjects to the processing of their personal data, when such consent is mandatory.

4. The volume and categories of the processed personal data, categories of personal data subjects

4.1. The content and volume of the processed personal data must correspond to the stated goals of processing provided for in Section 2 of this Policy. The processed personal data should not be redundant in relation to the stated goals of their processing.

4.2. Subjects’ personal data includes:

  • full name
  • e-mail address
  • phone numbers
  • details of the identity document

5. Procedure and conditions for personal data processing

5.1. Personal data processing is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. Personal data processing is carried out with the consent of the personal data subjects for their personal data processing as well as without it in cases provided for by the legislation of the Russian Federation.

5.3. The operator carries out automated personal data processing with or without receiving and/or transmitting the obtained information via information and telecommunication networks.

5.4. Employees of the Operator whose job responsibilities include personal data processing are allowed to process personal data.

5.6. Disclosure to third parties and distribution of personal data without the consent of the personal data subject is not permitted, unless otherwise provided for by federal law. Consent to the processing of personal data authorized by the personal data subject for distribution is issued separately from other consents of the personal data subject for the processing of his personal data.

5.7. Personal data transfer to the bodies of inquiry and investigation, to the Federal Tax Service, the Social Fund of the Russian Federation and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including the following:

·  identifies security threats to the personal data during processing;

·  adopts local regulations and other documents regulating relations in the field of personal data processing and protection;

·  appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;

·  creates the necessary conditions for working with personal data;

·  organizes the recording of documents containing personal data;

·  organizes work with information systems in which personal data is processed;

·  stores personal data under conditions that ensure their safety and prevent unauthorized access to them;

·  organizes training for the Operator’s employees processing personal data.

5.9. The operator stores personal data in a form that allows identifying the personal data subject for no longer than required by each personal data processing goal, unless the storage period for personal data is established by federal law or contract.

5.9.1. Personal data on paper is stored at Keystone Logistics LLC during the documents storage period as established by the legislation on archiving in the Russian Federation.

5.9.2. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper.

5.10. The operator stops processing personal data in the following cases:

·    the fact of their unlawful processing was revealed. The deadline is within three working days from the date of detection;

·    the goal of their processing has been achieved;

·    the consent of the personal data subject to the specified data processing has expired or has been revoked, when, according to the Law on Personal Data, the processing of this data is permitted only with consent.

5.11. When the goals of personal data processing are achieved, as well as in the event that the personal data subject withdraws consent to their processing, the Operator stops processing this data in the following cases:

·    the contract to which the personal data subject is a party, beneficiary or guarantor does not stipulate otherwise;

·    the Operator has no right to carry out processing without the consent of the personal data subject on the grounds provided for by the Law on Personal Data or other federal laws;

·    another agreement between the Operator and the personal data subject does not provide otherwise.

5.12. When a personal data subject applies to the Operator with a request to stop processing personal data, the personal data processing is terminated within a period not exceeding 10 working days from the date the Operator receives the corresponding request, except for cases provided for by the Law on Personal Data. This period may be extended, but not more than for five working days. To do this, the Operator must send a motivated notification to the personal data subject indicating the reasons for extending the period.

5.13. When collecting personal data, including through the Internet information and telecommunications network, the Operator ensures recording, systematization, accumulation, storage, validation (updating, changing), extraction of personal data of the Russian Federation citizens using databases located on the territory of the Russian Federation, except in cases specified in the Law on Personal Data.

6. Updating, correction, deletion, destruction of personal data, replying to the subjects’ requests concerning access to personal data

6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and goals of personal data processing, as well as other information specified in Part 7 of Art. 14 of the Law on Personal Data are provided by the Operator to the personal data subject or his representative within 10 working days from the date of application or receipt of the request from the personal data subject or his representative. This period may be extended, but not more than for five working days. To do this, the Operator should send a motivated notification to the personal data subject indicating the reasons for extending the period for providing the requested information.

The information provided does not include personal data relating to other personal data subjects, unless there are legal grounds for disclosing such personal data.

The request shall contain the following:

·  number of the main document identifying the personal data subject or his representative, information about the date of issue of the specified document and the issuing authority;

·  information confirming the participation of the personal data subject in relations with the Operator (contract number, date of the contract conclusion, conventional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;

·  signature of the personal data subject or his representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

The operator provides the information specified in Part 7 of Art. 14 of the Law on Personal Data, to the subject of personal data or his representative in the form in which the relevant appeal or request was sent, unless otherwise specified in the appeal or request.

If the personal data subject’s appeal (request) does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the rights to access the requested information, then a substantiated refusal is sent to him.

The right of the personal data subject to access his personal data may be limited in accordance with Part 8 of Art. 14 of the Law on Personal Data, including if the personal data subject’s access to his personal data violates the rights and legitimate interests of third parties.

6.2. If inaccurate personal data is revealed when contacting a personal data subject or his representative or at their request or at the request of Roskomnadzor, the Operator blocks personal data relating to this personal data subject from the moment of such request or receipt of the specified request for the period of verification, if the personal data blocking does not violate the rights and legitimate interests of the personal data subject or third parties.

If the fact of personal data inaccuracy is confirmed, the Operator, based on the information provided by the personal data subject or his representative or Roskomnadzor, or other necessary documents, validates the personal data within seven working days from the date of such information submission and removes the personal data blockage.

6.3. If unlawful processing of personal data is detected upon an appeal (request) from the personal data subject or his representative or Roskomnadzor, the Operator shall block unlawfully processed personal data relating to this personal data subject from the moment of such appeal or receipt of the request.

6.4. If the Operator, Roskomnadzor or another interested party reveals the fact of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data), resulting in a violation of the personal data subjects’ rights, the Operator shall do the following:

·    within 24 hours — notify Roskomnadzor about the incident that occurred, the supposed reasons that led to the violation of the personal data subjects’ rights, the estimated harm caused to the personal data subjects’ rights, and the measures taken to eliminate the consequences of the incident, and also provide information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;

·    within 72 hours — notify Roskomnadzor of the results of the internal investigation of the revealed incident and provide information about the persons whose actions caused this incident (if any).

6.5. The procedure for personal data destruction by the Operator.

6.5.1. Terms and conditions for personal data destruction by the Operator:

·    achievement of the personal data processing goal or loss of the need to achieve this goal — within 30 days;

·    achieving maximum storage periods for documents containing personal data — within 30 days;

·    provision by the subject of personal data (his representative) of confirmation that personal data was obtained illegally or is not necessary for the stated processing purpose — within seven working days;

·    withdrawal by the personal data subject of consent to his personal data processing, if their storage for the purpose of their processing is no longer required — within 30 days.

6.5.2. When the purpose of processing personal data is achieved, as well as in the event that the personal data subject withdraws consent to its processing, personal data is subject to destruction in the following cases:

·  the agreement to which the personal data subject is a party, beneficiary or guarantor does not provide otherwise;

·  the Operator does not have the right to carry out processing without the consent of the personal data subject on the grounds provided for by the Law on Personal Data or other federal laws;

·  no other agreement between the Operator and the personal data subject provides otherwise.

6.5.3. The destruction of personal data is carried out by a committee created by an order of Keystone Logistics LLC General Director.

6.5.4. Methods for destroying personal data are established in the local regulations of the Operator.

7. Final provisions

7.1. The User can obtain any clarifications on issues of interest regarding his personal data processing by contacting the Operator via emails office@keystone-logistics.com; secretary@keystone-logistics.com.

7.2. This document will reflect any changes to the Operator’s personal data processing policy. The policy is valid in perpetuity until it is replaced by a new version.

7.3. The current version of the Policy is freely available on the Internet at the address: https://www.keystone-logistics.com.