ScienceSoft's policy on personal data processing

General provisions

This Policy on personal data processing of subjects at ScienceSoft determines the procedure and conditions for processing and protecting personal data that may be obtained from personal data subjects.

The provisions of this Policy apply to personal data obtained both before and after the approval of this Policy.

The following terms and definitions are used in this Policy:

Personal data – any information related to an identified or identifiable person;

Subject of personal data – a natural person whose personal data is being processed.

Provision of personal data – actions aimed at familiarizing oneself with the personal data of a specific person or group of people;

Processing of personal data – any action or set of actions carried out with personal data (both with and without the use of automated means), including collection, systematization, storage, modification, use, depersonalization, blocking, dissemination, provision, deletion of personal data;

Protection of personal data – a set of measures (organizational, technical, legal) aimed at preventing unauthorized or accidental access to personal data, destruction, modification, blocking, copying, dissemination of personal data, as well as other unlawful actions.

Blocking of personal data – suspension of access to personal data without their deletion;

Cross-border transfer of personal data – transfer of personal data to a foreign country.

Purposes of processing personal data

The Company processes personal data using automation tools and without using such tools, as well as in a mixed manner, for the following purposes:

  • Conclusion and execution of labor, civil contracts with individuals, as well as participation of individuals in events conducted by the Company;
  • Calculation and payment of wages, bonuses, corporate reimbursements for expenses incurred, corporate compensations;
  • Implementation of insurance for Employees and their family members;
  • Participation of Employees in corporate sports and other programs;
  • Placement of data on the Company's website and social networks for corporate and informational purposes;
  • Identification of parties within contracts concluded by the Company;
  • Sending notifications, information, and requests related to the collection, storage, and processing of personal data;
  • Organization of physical access of individuals to the Company's premises;
  • Compliance with the current regulatory acts of the Company.

Categories of data subjects whose data are being processed

  • Individuals with whom the Company has concluded labor (civil law) contracts (Employees), their relatives;
  • Individuals who are one of the parties to civil law contracts (Counterparties) concluded by the Company; Representatives of legal entities – contractors of the Company;
  • Candidates for vacant positions in the Company (Candidates for the position);
  • Participants of events organized by the Company;
  • Shareholders of the Company and affiliated persons.

 List of processed personal data

Personal data of subjects of personal data include primary and additional personal data, as well as data on the requisites of documents confirming the primary and additional personal data of specific subjects of personal data:

  • primary personal data;
  • identification number;
  • last name, first name, patronymic (if any);
  • gender;
  • date of birth;
  • place of birth;
  • digital photo portrait;
  • data on citizenship (nationality);
  • data on registration at the place of residence and/or stay;
  • data on death or declaration of a physical person as deceased, recognition as missing, incapacitated, or partially capable.

Additional personal data:

  • information on parents, guardians, caretakers, marital status, spouse, children of the physical person;
  • information on higher education, academic degree, academic title;
  • information on occupation;
  • information on pension, monthly monetary support in accordance with the legislation on state service, monthly insurance payment for mandatory insurance against accidents at work and occupational diseases;
  • information on tax obligations;
  • information on fulfillment of military duty;
  • information on disability.

Order and conditions for processing personal data

The processing of personal data by the Company is based on the principles of legality, respect for the rights and interests of individuals, and the inviolability of their private life.

The processing of personal data should be limited to achieving specific, previously defined, and lawful purposes. Processing of personal data incompatible with the purposes of collecting personal data is not allowed.

The content and volume of processed personal data should correspond to the stated purposes of processing. Processed personal data should not be excessive in relation to the stated purposes of their processing.

The Company is obliged to obtain the consent of data subjects for the processing of their personal data.

Consent of the subject is a free, unambiguous, informed expression of his will, through which he allows the processing of his personal data.

The subject's consent can be obtained in writing, in the form of an electronic document, or in another electronic form.

When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance to the purposes of processing personal data should be ensured.

Storage of personal data is carried out in a form that allows the identification of the subject of personal data no longer than is required by the purposes of processing personal data, if the storage period of personal data is not established by law, a contract, a party to which, a beneficiary, or a guarantor, on the basis of which the data subject is.

Processed personal data are subject to destruction or depersonalization upon achieving the purposes of processing or in case of loss of the need to achieve these purposes unless otherwise provided by law.

The Company entrusts the processing of personal data to a third party only on the basis of an agreement concluded between the Company and the third party. In this case, the Company specifies in the agreement the obligation of the person processing personal data on behalf of the Company to comply with the principles and rules for processing personal data provided for by this Policy.

In the event that the Company entrusts the processing of personal data to another person, the responsibility for the actions of the specified person before the subject of personal data lies with the Company. The person processing personal data on behalf of the Company is responsible to the Company.

The Company undertakes and obliges other persons who have access to personal data not to disclose them to third parties and not to distribute them without the consent of the data subject.

 

Rights and obligations of personal data subjects

The subject of personal data has the right to receive information related to the processing of personal data of the respective subject of personal data, including:

  • the name (surname, first name, patronymic (if any)) and location (residential address (place of stay)) of the operator;
  • confirmation of the fact of processing personal data by the operator (authorized person);
  • their personal data and the source of their receipt;
  • the legal basis and purposes of personal data processing;
  • the duration for which their consent was given;
  • the name and location of the authorized person, which is a state body, a legal entity, or other organization if the processing of personal data is entrusted to such a person;
  • other information provided by law.

The subject providing personal data to the Company is responsible for the accuracy, reliability, and relevance of the personal data provided.

Procedure for personal data subjects to exercise their rights

The subject has the right to submit an application aimed at exercising their rights to the authorized person responsible for the organization of personal data processing or to the person directly processing personal data.

The personal data subject's application must contain:

  • the surname, first name, patronymic (if any) of the personal data subject, the address of their place of residence (place of stay);
  • the date of birth of the personal data subject;
  • the identification number of the personal data subject, in the absence of such a number – the number of the document certifying the identity of the personal data subject, in cases where this information was indicated by the personal data subject when giving their consent to the operator or personal data processing is carried out without the consent of the personal data subject;
  • a statement of the essence of the personal data subject's requirements;
  • the personal signature or electronic digital signature of the personal data subject.

Measures to protect personal data

The company takes necessary and sufficient legal, organizational, and technical measures to protect personal data of data subjects from unauthorized or accidental access, destruction, alteration, blocking, copying, distribution, as well as from other unlawful actions.

The mandatory measures taken by the company to ensure the protection of personal data include:

  • Development and implementation of regulatory documents on the processing and protection of personal data within the company;
  • Inclusion of requirements for compliance with confidentiality and security of personal data of data subjects during their processing in agreements concluded by the company with contractors;
  • Familiarization of the company's employees with the requirements of the legislation and regulatory documents of the company in the field of working with personal data;
  • Appointment of a person responsible for internal control over the processing of personal data;
  • Issuance of internal documents defining the company's policy on personal data processing, local regulations on personal data processing, as well as local regulations establishing procedures aimed at preventing and detecting violations when working with personal data and eliminating the consequences of such violations;
  • Organization of access control to the premises and buildings of the company, their protection during working and non-working hours;
  • Application of organizational and technical measures to ensure the security of personal data during their processing necessary to comply with the requirements for personal data protection (use of secure and certified data transmission channels);
  • Assessment of the effectiveness of measures taken to ensure the security of personal data;
  • Accounting of personal data storage devices;
  • Internal control over compliance with the requirements of the legislation and internal local regulatory acts by the employees of the company who work with personal data of data subjects, as well as control over measures taken to ensure the security of personal data;
  • Registration and recording of all actions performed with personal data processed using computer devices;
  • Implementation of differentiation/limitation of access by employees to documents, information resources, technical means and carriers of information, information systems and works related to their use;
  • Regular monitoring of personal data security, improving their protection system;
  • Implementation of technical and cryptographic protection of personal data.