Personal Data Processing and Protection Policy
1. GENERAL
1.1 This Personal Data Processing and Security Policy of JSC Ilim Group (the Policy) was developed in accordance with Personal Data Federal Law No. 152-FZ dated July 27, 2006 (152-FZ or Personal Data Legislation) for personal data subjects to exercise their rights and is aimed at protecting human rights and freedoms during personal data processing at Ilim Group (the Company).
1.2 The Company and “we” mean JSC Ilim Group.
1.3 This Policy is recommended for adoption by the subsidiaries and affiliates of the Company and by its managed companies. The subsidiaries and affiliates of the Company adopt their own policies and are guided by the general principles and standards set forth herein.
1.4 We are committed to providing necessary protection and ensuring proper use of the personal data we receive from you directly or through authorized third parties.
1.5 The Policy outlines how we use your personal data and to what extent they are processed, including at the Company’s websites:
- ilimgroup.ru;
- officepaper.ilimgroup.ru;
- amber.ilimgroup.ru;
- ilimgroup.com;
- omelapaper.ru.
2. TERMS AND DEFINITIONS
2.1 The following terms and definitions are used in the Policy:
Automated processing of personal data: computer-assisted processing of personal data
Personal data security: state of personal data protection against wrongful acts characterized by user ability, technical means and information systems to ensure confidentiality, integrity, and accessibility of personal data during processing regardless of the form of their provision
Blocking of personal data: temporary suspension of personal data processing (except for cases when processing is required for personal data validation)
Personal data information system: aggregate of personal data contained in databases and information technologies and technical means to ensure its processing
Incident: circumstance related to a wrongful action/omission of the Company or its representatives
Confidentiality of personal data: request that is binding on the Company or another person accessing personal data not to disclose personal data to third parties and prevent data sharing without the consent of a personal data subject or another legal basis
Personal data processing: any action (operation) or aggregate of actions (operations) performed with or without the use of automation software for personal data, including collection, recording, systematization, accumulation, storage, clarification (update, adjustment), retrieval, usage, transfer (dissemination, submission, access), depersonalization, blocking, removal, and destruction
Personal Data Operator: person acting severally or jointly with other persons, arranging, and/or carrying out the processing of personal data, as well as determining the goal of personal data processing, composition of personal data for processing and actions (operations) with personal data
Personal data: any information related to a directly or indirectly identified or identifiable individual (personal data subject)
Provision of personal data: any action aimed at personal data disclosure to a particular person or to a particular group of persons
Dissemination of personal data: any action aimed at personal data disclosure to general public
Personal data subjects: Company employees and other categories of personal data subjects outlined in local regulations whose personal data are processed by the Company
Special personal data categories: personal data pertaining to race, ethnicity, political opinions, religious or philosophical beliefs, health, and intimate life
Cross-border personal data transfer: transfer of personal data to a foreign country to the authority of a foreign country, foreign person, or foreign entity
Personal data destruction: any action that results in failure to recover personal data in the personal data information system or in destruction of the physical media on which personal data are stored
3. PRINCIPLES OF PERSONAL DATA PROCESSING
3.1 When processing your personal data, the Company is guided by the principles of legality and justness while ensuring accuracy, adequacy, and if necessary relevancy of personal data. The Company ensures proper protection of processed personal data and does not store personal data longer than is required for the goals of their processing.
3.1.1 Legality and justness: when processing personal data, we ensure a legal basis in accordance with the Personal Data Legislation and never abuse our opportunities (Part 1 Article 5 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- We process your personal data in accordance with the requirements of applicable legislation. We determined necessary legal grounds for each goal of personal data processing, which are listed in Section 5.
- We provide you full information on personal data processing in the Policy published on the Company’s official website.
- Your rights are determined in Section 9.
3.1.2 Personal data processing for specific, predetermined, and legitimate goals: personal data may not be processed for any purpose that is incompatible with that for which the personal data are collected (Parts 2, 3, and 4 Article 5 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- We predetermined goals for personal data processing which do not contradict the Personal Data Legislation.
- We do not process personal data for any purpose that is incompatible with that for which the personal data are collected.
3.1.3 Personal data sufficiency: personal data may not be processed to the extent above the one sufficient to achieve a particular goal (Part 5 Article 5 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- The content and scope of personal data we process are in line with the declared goals of their processing and are sufficient to achieve these goals. Personal data may not be excessive.
3.1.4 Accuracy and relevancy of personal data: measures are taken to update any incomplete or inaccurate personal data (Part 6 Article 5 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- We make sure personal data are accurate, sufficient, and relevant for the goal of their processing.
- We receive personal data only from reliable sources: from you or third parties who confirmed the legality of the provision of your personal data.
- We take into account the processes of personal data processing in the List of Goals of Personal Data Processing which contains information on goals, legal grounds, categories of subjects, and scope of processed personal data.
- We take all necessary actions to delete or update incomplete and/or inaccurate personal data. You may request your personal data update.
3.1.5 Storage of personal data: personal data may not be stored longer than it is required to achieve the goals of personal data processing (Part 7 Article 5 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- We store personal data in a form that makes a personal data subject identifiable, but no longer than is required to achieve the goals of personal data processing.
- We destroy personal data at your request once we have achieved the goal for their processing or if these goals are no longer needed.
3.1.6 Personal data protection: necessary technical and organizational measures are taken to protect personal data during their processing (Articles 18.1 and 19 of 152-FZ).
Compliance with the personal data processing principle in the Company:
- The Company ensures proper protection of personal data using relevant technical or organizational measures, including protection against unauthorized or illegal processing and accidental loss, destruction, or damage of personal data. Measures are detailed in Section 11.
4. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
4.1 In order to comply with the requirements of applicable legislation and the principle of legality during the processing of your personal data, we will be guided by the conditions for their processing stipulated by Part 1 Article 6 of 152-FZ.
4.1.1 Signing and performance of agreements/contracts: your personal data must be processed to sign agreements/contracts (including employment contracts) and/or to enable you to perform your obligations thereunder.
4.1.2 Liability established by law: we must process your personal data to discharge our liability established by law, e.g., retain records for taxation purposes or provide information to a government or law enforcement authority.
4.1.3 Your consent: in some cases, we will request your consent to process personal data and your personal data will be processed only subject to your consent.
4.1.4 Processing of personal data for statistical and other research goals: we might need your data for statistical and other research goals, but your data will be depersonalized before use.
4.1.5 Vital interests: personal data must be processed to protect the life, health, and vital interests of people and personal data subjects if the latter’s consent cannot be obtained.
4.1.6 Legitimate interest of the Company: personal data must be processed to exercise the rights and legitimate interests of the operator provided this does not violate the rights and freedoms of personal data subjects.
5. INFORMATION ON THE GOALS AND METHODS OF PERSONAL DATA PROCESSING, CATEGORIES OF PERSONAL DATA SUBJECTS, SCOPE OF PERSONAL DATA AND LEGAL GROUNDS OF PERSONAL DATA PROCESSING
5.1. We process your personal data only when it is required to achieve predetermined goals, required by law or professional standards.
5.2. We process personal data if you provide personal data to us of your own accord, directly or through duly authorized third parties. However, in some cases we may already have personal data (e.g., if you are a former Company employee or have existing business relations with the Company), but they are processed no longer than is required by the goals or Russian legislation.
5.3. In the course of our business activities, we process personal data to achieve the following goals:
5.3.1. HR, bookkeeping, and military registration
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, family status, social status, gender, photograph, residence address, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), nationality, ID details, details of the ID used outside the Russian Federation, details of the settlement account, specialist field, period of education, employment history (occupation, company name, job title, structural unit, qualification, period of employment, details of rotation, details of employment termination (with reasons specified), date of employment start record, date and number of the relevant document used to make the record), driving license number, driving license category, military status, military registration details, education details, temporary resident permit details, residence permit details, work permit details, migration card details, visa details, employee ID, tariff rate (base salary), length of service, amount of salary, other pays, and bonuses, number of calendar days of temporary disability, presence/absence from work information, type of leave, dates of leave, compensations or leave deduction, employment contract number, city, telephone number, email, health information, criminal record, identifying facial data obtained using photo and video devices of the personal data subject, and image of the venous network of the palm.
Categories of the subjects whose personal data are processed with this goal: employees, former employees, and legal representatives.
Legal grounds for data processing: consent of the personal data subject; legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.2. Recruitment for vacant positions at the operator’s company and adding to the succession pool
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, gender, email, telephone number, nationality, photograph, ID details, taxpayer’s ID (INN), driving license details, profession, employment details (including length of service, current employment with the employer’s name), military status, military registration details, education and professional development details or special knowledge, academic degree (including year, diploma number, and subject of the thesis work), details of publication, professional activities (overall length of service, details of hire, rotations, and termination of previous employment), foreign language, results of polling, professional and/or personal tests, completed questionnaires, completed test assignments; sports achievements, national awards and badges of honor, marital status, region of residence, autobiographical details, company name, job title, criminal record.
Foreign citizens: visa details, temporary residence permit; work permit.
Categories of the subjects whose personal data are processed with this goal: applicants, employees’ family members, students (college students and schoolchildren), referees, legal representatives.
Legal grounds for data processing: consent of the personal data subject, legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.3. Promotion of goods, work, and services in the market
Categories of personal data processed with this goal: last name, first name, patronymic name, email, telephone number, profession, job title.
Categories of the subjects whose personal data are processed with this goal: contractors, contractors’ representatives, customers, website users.
Legal grounds for data processing: consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.4. Compliance with the labor legislation of the Russian Federation
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, marital status, social status, financial situation, income, photograph, gender, email, residence address, telephone number, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), nationality, ID details, driving license details, details of the ID used outside the Russian Federation, birth certificate details, settlement account details, personal account number, profession, employment details (including length of service, current employment with the employer’s name), military status, military registration details, education details, details of benefits and liabilities, contributions to the Social Fund, employee ID, tariff rate (base salary), length of service, amount of salary, other pays, and bonuses, number of calendar days of temporary disability, employment contract number, city, type and dates of leave, dates and place of secondment, another type of absence, number of the work incapacity certificate, work incapacity certificate details, date of training, training certificate number, instruction details, copies of diplomas, electrical safety group, workplace number, details of the expert’s certificate authorizing to carry out special workplace conditions assessment, workplace conditions class, date of death, place of death, health information, criminal record, identifying facial data obtained using photo and video devices of the personal data subject, and image of the venous network of the palm.
Foreign citizens: visa details, temporary residence permit, work permit, resident card details, migration card details.
Categories of the subjects whose personal data are processed with this goal: employees, employees’ family members, former employees, legal representatives, contractors’ representatives, customers.
Legal grounds for data processing: consent of the personal data subject, international treaty of the Russian Federation, legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.5. Drafting, signing, and performance of a civil contract
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, income, email, residence address, telephone number, taxpayer’s ID (INN), Pension Fund certificate number (SNILS), nationality, ID details, settlement account number, employment details, number of the power of attorney.
Categories of the subjects whose personal data are processed with this goal: contractors, contractors’ representatives, customers, designated beneficiaries.
Legal grounds for data processing: contract with the subject, legal requirements, operator’s legitimate interest.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.6. Ensuring access control at the operator’s site
Categories of personal data processed with this goal: last name, first name, patronymic name, email, telephone number, ID details, destination, date of employment; photograph; structural unit, job title, access card validity, checkpoint number.
Categories of the subjects whose personal data are processed with this goal: employees, applicants, contractors, contractors’ representatives, customers, other visitors.
Legal grounds for data processing: consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.7. Compliance with the tax legislation of the Russian Federation
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, income, employee ID, email, residence address, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), nationality, ID details, settlement account details, personal account number, taxpayer status, employment details, payment details, temporary disability details, types and dates of absence, details of amounts withheld, pensionable service details, details of tax credits amounts, details of total income and tax estimated for the tax period.
Categories of the subjects whose personal data are processed with this goal: employees, employees’ family members, former employees, contractors, contractors’ representatives, customers, designated beneficiaries.
Legal grounds for data processing: legal requirement, consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.8. Compliance with the pension legislation of the Russian Federation
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, marital status, social status, income, email, residence address, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), nationality, ID details, profession.
Categories of the subjects whose personal data are processed with this goal: employees, employees’ family members, former employees, legal representatives.
Legal grounds for data processing: legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.9. Supporting corporate governance procedures
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, place of birth, income, email, residence address, telephone number, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), nationality, ID details, details of the ID used outside the Russian Federation, settlement account details, personal account number, education details, ownership of shares, authorized capital, number and types of securities.
Categories of the subjects whose personal data are processed with this goal: employees, employees’ family members, designated beneficiaries, legal representatives, Board members, sole executive authority, members of the Auditing Commission, shareholders (individuals) and their authorized persons, shareholders’ heirs, customers.
Legal grounds for data processing: consent of the personal data subject, contract with the subject, legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.10. Production and business operations
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, gender, photograph, email, telephone number, driving license details, job title, size of clothes and shoes, communication limits depending on the job title, amount of expenses, ID details, details of the ID used outside the Russian Federation, job title, job location, residence address, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), employee ID, structural unit, details of internal investigation results, digital identifiers (work IP address; unique identifiers in automated systems), user activity (data from attendance recording systems; corporate mobile communications breakdown; history of operations using corporate devices), mandatory medical insurance policy details, details of medical certificates and doctor’s advice, chronic diseases, health information.
Foreign citizens: registration details, temporary residence details, residence card details.
Categories of the subjects whose personal data are processed with this goal: employees, former employees, employees’ family members, contractors, contractors’ representatives, customers.
Legal grounds for data processing: consent of the personal data subject, legal requirement, operators’ legitimate interests.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.11. Compliance with the customs legislation of the Russian Federation
Categories of personal data processed with this goal: last name, first name, patronymic name, email, telephone number, company name, job title, ID details, Pension Fund certificate number (SNILS), taxpayer’s ID (INN), date of birth, residence address.
Categories of the subjects whose personal data are processed with this goal: employees, contractors’ representatives, customers, contractors.
Legal grounds for data processing: international treaty, legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.12. Opinion and marketing surveys: SMS and email notifications from the Company about opinion and marketing surveys of the Company, sending links to surveys
Categories of personal data processed with this goal: last name, first name, patronymic name, job location, city where the subject is located, gender, age, job title, email, mobile phone number (if any).
Categories of the subjects whose personal data are processed with this goal: employees, former employees, contractors, contractors’ representatives, customers, other respondents.
Legal grounds for data processing: data are processed with statistical or other research goals, consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.13. Prevention and resolution of conflicts of interest, including for the purpose of compliance with the anti-corruption legislation
Categories of personal data processed with this goal: last name, first name, patronymic name, date of birth, degree of kinship, company name, job title, participatory interest in the capital of another company.
Categories of the subjects whose personal data are processed with this goal: employees, applicants, contractors, contractors’ representatives.
Legal grounds for data processing: consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
5.3.14. Posting information on the Company’s information platforms, including its official website and social media
Categories of personal data processed with this goal: last name, first name, patronymic name (if any), date of birth, place of birth, city, marital status, employment details, education details and profession, photograph, video image.
Categories of the subjects whose personal data are processed with this goal: employees, employees’ family members, former employees, participants of corporate events.
Legal grounds for data processing: consent of the personal data subject, legal requirement.
List of actions with personal data taken to achieve this goal: Collection, recording, update (revision, change), use, transfer (distribution), deletion, and destruction.
5.3.15. Analysis of visits and user activity on the Company’s websites
Categories of personal data processed with this goal: details collected using metric software, IP addresses, geographical location information of the computer or mobile device.
Categories of the subjects whose personal data are processed with this goal: website users.
Legal grounds for data processing: consent of the personal data subject.
List of actions with personal data taken to achieve this goal: Collection, recording, systematization, accumulation, storage, update (revision, change), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
When you visit a website, a cookie banner is placed on the web page. You can use it to consent to cookies processing after you have reviewed the cookies processing procedure and Cookies Policy.
5.4. Information on any specific features and methods of personal data processing by the Company is provided below.
5.4.1. Processing of the personal data of children
The Company fully understands the importance of compliance with children’s privacy, especially in the electronic environment. Our websites are not designed for children below 14 years of age. Our Policy prohibits us from targeted collection and storage of any data of persons below 14 years of age, except that such data can be collected and stored for HR purposes and employee support.
5.4.2. Processing of biometric personal data and special categories of personal data
We can process special personal data categories, as well as biometric personal data in accordance with the personal data processing legislation of the Russian Federation only subject to consent provided by personal data subjects in writing or on other grounds stipulated by Russian legislation.
5.4.3. Methods of personal data processing
The Company processes your personal data with/without using automation devices (hard copies) with their online transfer.
5.4.4. Publication of personal data on publicly accessible sources
The Company does not publish personal data on publicly accessible sources with a prior consent.
5.4.5. Making decisions based exclusively on automated processing
The Company may not make decisions based solely on automated personal data processing that entail legal consequences for personal data subjects or otherwise affect their rights and legitimate interests except for the cases stipulated by federal laws or subject to a written consent of a personal data subject.
6. TRANSFER TO THIRD PARTIES
6.1. We only transfer your data to third parties when it is necessary to process your requests, comply with contractual obligations and/or required or permitted by law, including the following persons, cases, and instances:
Our contractors, including service providers: we transfer your personal information to our service providers, such as players of the insurance services market, IT, hosting, consulting services providers (legal counsel), telecommunication services, as well as other providers of goods and services. The Company cooperates with service providers we can trust to process your personal data. The Company transfers personal information to the same provided their operations meet our data processing and security standards. We transfer personal data only to the extent it is required to render services.
General jurisdiction courts, arbitration courts, law enforcement and regulatory authorities: The Company will disclose personal information to draft replies to the inquiries of general courts, arbitration courts, or law enforcement authorities if it is required or reasonable to comply with applicable legislation, decision, or rulings of general courts, arbitration courts or regulations issued by government authorities or authorities governing professional activities.
Audits: personal data will have to be disclosed to ensure data privacy or check information protection and/or investigate or draft an adequate reply to a claim or information security threat.
6.2. The Company shall not transfer your personal data to any third parties for further use by the same for direct marketing purposes.
7. CROSS-BORDER PERSONAL DATA TRANSFER
7.1. In order to support the Company’s activities, we can transfer personal data to foreign entities. However, one of the Company's priorities is to provide adequate protection of personal data subjects and personal data security during any cross-border data transfer and we do this in compliance with applicable legislation.
8. STORAGE AND DELETION OF PERSONAL DATA
8.1. The period of data storage depends on specific events and circumstances for data collection.
8.2. We store personal data only while we need them to:
fulfill requests and/or contractual obligations (during the period of the contract/agreement and the limitation period);
comply with the requirements of legislation, regulatory authorities, internal administrative activities;
use them until the goals of personal data processing are achieved or the consent is withdrawn (if personal data are processed based on the personal data processing consent).
8.3. Afterwards, we destroy any personal data within the timeframe stipulated by legislation.
9. YOUR RIGHTS
9.1. When the Company processes your personal data, we guarantee that we will respect your rights in accordance with the provisions of 152-FZ:
Right to receive information pertaining to personal data processing: you may request information on the processing of your personal data and we will provide it in a well-structured and accessible format (Part 7 Article 14 of 152-FZ);
Right to correct personal data: if you believe that some personal data we store about you are inaccurate or incomplete, you may request us to correct or update these data (Part 1 Article 14 of 152-FZ);
Right to delete personal data: you may request us to delete some or all of your personal data from our systems (Part 1 Article 14 of 152-FZ);
Right to block personal data: if data are incomplete, outdated, inaccurate, have been illegally received or do not meet the goal of their processing, you may request us to limit or discontinue processing of your personal data (Part 1 Article 21 of 152-FZ);
Right to set data dissemination bans: you may set bans on data transfer or conditions for personal data processing by an unlimited range of persons (Part 9 Article 10.1 of 152-FZ). The information on bans and conditions for processing is published on the same pages as your personal data.
Right to terminate data transfer: you may prohibit dissemination, provision of, and access to personal data which may be disseminated (Part 12 Article 10.1 of 152-FZ);
Right to terminate data processing for political solicitation and promotion of goods, work, and services: you may request us to terminate processing of your personal data for the purpose of promotion of goods, work, and services through direct contact with potential consumers and for political solicitation (Part 2 Article 15 of 152-FZ);
Right to withdraw personal data processing consent: if we process your personal data based on your consent provided when we received your personal data, you may withdraw your consent at any time (Part 5 Article 21 of 152-FZ).
You may use your right by personally visiting the Company or contacting the person responsible for personal data processing at the Company at HR_communication@ilimgroup.ru. We will make every reasonable and feasible effort to fulfill your request provided it does not conflict with applicable legislation.
Right to submit a complaint: if you believe that the Company violates the requirements of applicable Personal Data Legislation, you may contact the Hot Line and submit your complaint at: 8-800-500-70-77, 8-800-200-2565 or hotline@ilimgroup.ru. You may also contact the regulator (in accordance with the procedure established in Article 17 of 152-FZ).
9.2. We will confirm receipt of your email within ten (10) business days and take measures to solve your problem. We will make amendments within seven (7) business days if your data are incomplete, inaccurate, or obsolete. We will provide information on your personal data processing based on your request within ten (10) business days. In any case, your request will be handled and a reply will be provided within 30 calendar days.
10. RIGHTS AND OBLIGATIONS OF THE COMPANY
10.1. The personal data legislation of the Russian Federation imposes some obligations on the Company and vests the Company with some rights.
10.2. For instance, the Company may entrust personal data processing to another person; however, it must take necessary legal, organizational, and technical measures to protect these personal data when they are transferred to a third party.
10.3. When processing personal data, the Company has the following rights and responsibilities.
10.3.1. The Company may:
process the personal data of personal data subjects with the declared goal;
request personal data subjects to provide reliable personal data required to perform contracts/agreements, render services, identify personal data subjects and in other cases stipulated by the Personal Data Legislation;
restrict access of personal data subjects to their personal data if personal data are processed in accordance with the laws on countering the legalization of proceeds from crime and financing of terrorism, if access of personal data subjects to their personal data infringes the rights and legitimate interests of third parties and in other cases stipulated by the legislation of the Russian Federation;
process personal data, which are to be published or are subject to obligatory disclosure in accordance with the legislation of the Russian Federation;
entrust personal data processing to another person subject to the personal data subject's consent;
process publicly available personal data of individuals subject to a legal basis.
10.3.2. The Company shall:
publish the Personal Data Processing Policy on its website;
notify Roskomnadzor in case of illegal or accidental transfer of (provision and dissemination of or access to) personal data, which entailed infringement of the rights of personal data subjects;
take all necessary legal, organizational, and technical measures for personal data protection;
respect the rights of personal data subjects specified in Section 9 hereof;
refrain from disclosure or dissemination of personal data without the personal data subject’s consent unless stipulated otherwise by the legislation of the Russian Federation;
when collecting personal data, ensure recording, systematization, accumulation, storage, update (change or modification), retrieval of the personal data of Russian citizens using databases located in the Russian Federation;
explain to personal data subjects legal consequences of their refusal to provide personal data or consent to their processing;
submit to Roskomnadzor all necessary information on any change in the goals and methods of personal data processing and do the same in case of Roskomnadzor’s inquiry.
11. PERSONAL DATA PROTECTION
11.1. The Company understands the importance and need to ensure the safety of personal data and encourages continuous improvement of the security system for the personal data processed in the course of the Company’s core business activities.
11.2. The Company has implemented and takes measures to protect personal data against loss, unauthorized use, modification, or deletion. We make every effort to provide access to your personal data only to the persons who need them to fulfill their job responsibilities, and such persons shall keep your personal data confidential.
11.2.1. Measures to protect your personal data:
We appointed a person to be responsible for personal data processing;
We issued the documents that determine the Company’s personal data processing policy and internal personal data processing regulations;
We adopted legal, organizational, and technical measures to ensure personal data security, in particular: procedures and regulations that detail personal data processing policy in the Company;
We assessed security threats for personal data and adopted relevant technical measures (access control, antivirus protection, network protection, back-up, etc.);
We implement internal control of legal conformity of personal data processing and conformity to personal data security, Company’s Personal Data Processing Policy and internal regulations;
We assess harm to personal data subjects in case of non-compliance with legal requirements and take relevant measures depending on identified harm;
We briefed Company employees who are directly responsible for personal data processing on the provisions of the Personal Data Legislation of the Russian Federation;
We organize receipt and processing of queries and requests of personal data subjects or their representatives and control receipt and processing of such queries and requests;
We take other measures to ensure personal data security.
11.3. In case of a personal data leak, the Company takes all measures stipulated by applicable personal data processing and security legislation.
12. PERSONAL DATA SECURITY AUDIT AND MONITORING
12.1. The procedure and frequency of personal data processing audits, as well as monitoring of the application of implemented personal data protection procedures in the Company are determined by the Internal Audit Department together with the person responsible for personal data processing based on relevant demand.
12.2. The person responsible for personal data processing and heads of the Company’s structural units involved in personal data processing check compliance with applicable personal data processing and security legislation, and make sure the employees involved in personal data processing are aware of the process.
13. FINAL PROVISIONS
13.1. The Company may, from time to time, amend this Policy to outline the current personal data processing procedure. Every time we amend the Policy, we will enter a new version date on the title page. If you want to know how exactly the Company protects your personal data, we recommend that you regularly check this Policy for any updates.
14. CONTACTS
14.1 The Company is committed to protecting your personal data privacy.
14.2. If you have any questions about how we handle your personal data (e.g., information update or consent withdrawal), please contact a personal data officer of the Company at HR_communication@ilimgroup.ru.
14.3. You may also report on Policy violation (including on an anonymous basis) by contacting the Ethics Hot Line at: 8-800-500-70-77, 8-800-200-2565 or hotline@ilimgroup.ru.