Personal Data Processing and Protection Policy
1. Purpose of the policy and general provisions
1.1. The Policy of JSC Ilim Group on processing and protection of personal data (hereinafter, the Policy) establishes essential principles and goals, conditions, list of actions, methods for personal data processing, functions of JSC Ilim Group during personal data processing, rules for employees of JSC Ilim Group (hereinafter, the Company) during personal data processing, rights of personal data subjects, and personal data protection principles.
1.2. This Policy is publicly available on the Company’s website.
1.3. This Policy applies to all personal data processed by the Company.
1.4. This Policy may be amended or supplemented by an order of the Company’s Chief Executive Officer.
2. Scope
2.1. This Policy applies to all organizational units, Branches, Representative Offices, and remote structural units of the Company.
2.2. This Policy is recommended for adoption by subsidiaries of JSC Ilim Group. This Policy applies to the subsidiaries once approved by the management bodies of the subsidiaries as an internal company document.
2.3. All employees of the Company shall be responsible for due compliance with this Policy to the extent of their functional responsibilities.
3. Laws and other regulations of the Russian Federation for determination of the policy on personal data processing in JSC Ilim Group
3.1. This Policy was developed in accordance with the requirements of the laws and other regulations of the Russian Federation:
- the Constitution of the Russian Federation;
- the Labor Code of the Russian Federation;
- Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, as amended;
- Resolution of the Government of the Russian Federation No. 1119 of November 01, 2012 “On approval of the requirements for protection of personal data during its processing in the personal data information systems”;
- Resolution of the Government of the Russian Federation No. 687 of September 15, 2008 “On approval of the Regulations on specific features of personal data processing performed without means of automation”;
- Resolution of the Government of the Russian Federation No. 512 of July 06, 2008 “On approval of the requirements for biometric data physical media and technologies for storage of such data outside the personal data information systems”; and
- Other laws of the Russian Federation and regulations of the authorized government authorities.
3.2. In order to implement the provisions of the Policy, JSC Ilim Group develops relevant internal regulations and other documents, including:
- Regulations on Protection of the Rights of Personal Data Subjects in JSC Ilim Group;
- Regulations on Ensuring Security of Personal Data During its Processing in the Personal Data Information Systems of JSC Ilim Group;
- List of positions in the structural units of JSC Ilim Group requiring personal data processing in case of replacement;
- Regulations for processing of personal data of the structural units of JSC Ilim Group, its branches, ROPs, and representative office; and
- Other local regulations and documents governing personal data processing in JSC Ilim Group.
4. Terms and definitions
4.1. The Company: JSC Ilim Group, including its Head Office (HO), Remote Structural Units (ROPs), Representative Offices and Branches.
4.2. Data Operator: JSC Ilim Group acting severally or jointly with other persons, arranging, and/or carrying out the processing of personal data, as well as determining the purpose of personal data processing, composition of personal data for processing and actions (operations) performed with personal data.
4.3. Personal data: any information related to a directly or indirectly identified or identifiable natural person (personal data subject).
4.4. Personal data processing: any action (operation) or an aggregate of actions (operations) performed with or without the use of automation software with personal data, including its collection, recording, systematization, accumulation, storage, clarification (update, adjustment), retrieval, usage, transmission (propagation, submission, access), including cross-border transmission, anonymization, blocking, removal, and destruction.
4.5. Personal data provision: any action aimed at personal data disclosure to a particular person or to a particular group of persons.
4.6. Disclosable personal data: personal data that the data subject allowed to provide access to and share with general public by providing their consent to personal data processing.
4.7. Personal data dissemination: any action aimed at personal data disclosure to general public.
4.8. Cross-border transmission of personal data: transmission of personal data to a foreign country to the authority of a foreign country, foreign person, or foreign entity.
4.9. Blocking of personal data: temporary suspension of personal data processing (except for cases when processing is required for personal data validation).
4.10. Personal data destruction: any action that results in failure to recover personal data in the personal data information system or in destruction of the physical media on which personal data is stored.
4.11. Data anonymization: any action resulting in impossibility to define whether the personal data relates to the specific data subject without using additional information.
4.12. Personal data information system: an aggregate of personal data contained in data bases and information technologies and technical means to ensure its processing.
4.13. Automated processing of personal data: processing of personal data using computer equipment.
4.14. Personal data subject: a natural person who is directly or indirectly identified or is identifiable using personal data.
5. List of subjects whose personal data is processed in JSC Ilim Group
JSC Ilim Group processes the personal data of the following categories of personal data subjects:
5.1. Personal data subjects who have employment relations with the Company, being employees of its structural units of the Head Office, ROPs, branches and representative offices;
5.2. Personal data subjects who are not employees of the Company, including:
- candidates to be employed by JSC Ilim Group;
- employees of the controlled companies, as part of fulfillment of Ilim Group’s responsibilities under the contracts involving delegation of authority of the sole executive body to the management company, JSC Ilim Group;
- Company contractors who are natural persons;
- other personal data subjects (to ensure achievement of processing goals stated in section 6 of the Policy).
6. Principles and goals of personal data processing
6.1. Personal data in JSC Ilim Group is processed considering the need to ensure protection of the rights and freedoms of Company employees and other personal data subjects, including protection of personal and family privacy, based on the following principles:
6.1.1. Personal data in JSC Ilim Group is processed in a lawful and fair manner;
6.1.2. Processing of personal data is limited to achievement of specific, explicitly stated and legitimate purposes;
6.1.3. Personal data may not be processed for any purpose that is incompatible with that for which the information is collected;
6.1.4. Only the personal data meeting the purpose of its processing shall be processed;
6.1.5. Personal data that is processed is adequate and relevant to the declared purposes of its processing. The declared purpose of personal data processing shall not be exceeded;
6.1.6. Personal data processing shall be accurate, sufficient and relevant to the purpose of its processing;
6.1.7. There shall be no integration of databases containing personal data processed for conflicting purposes;
6.1.8. The Company takes all necessary actions or ensures such actions are taken to delete or update insufficient or inaccurate personal data;
6.1.9. Processed personal data are deleted or anonymized after the processing goal is achieved, or in case the relevant need ceases to exist, unless stipulated otherwise by the federal law;
6.1.10. Personal data is retained in the manner allowing to identify a personal data subject, but no longer than it is required for personal data processing, unless the personal data retention period is stipulated by any law, contract where a party, beneficiary, or a surety is a personal data subject.
6.2. Personal data is processed in JSC Ilim Group in order to:
6.2.1. Ensure compliance with the Constitution of the Russian Federation, laws and other regulations of the Russian Federation, internal regulations of the Company;
6.2.2. Perform functions, authority and responsibilities vested by the laws of the Russian Federation with JSC Ilim Group, including those to submit personal data to the government authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, and other bodies;
6.2.3. Regulate employment relations with the employees of JSC Ilim Group (including employment, training and promotion), ensure personal safety, protection of life, health and other vital interests of personal data subjects;
6.2.4. Prepare, sign, implement and terminate contracts/agreements with contractors;
6.2.5. Ensure site access and internal security control at the facilities of JSC Ilim Group;
6.2.6. Make reference materials to provide internal information support to the operations of the Company, its branches and representative offices, subsidiaries and organizations of JSC Ilim Group;
6.2.7. Exercise rights and lawful interests of JSC Ilim Group when carrying out activities stipulated by the Articles of Association and other internal regulations of JSC Ilim Group or third parties, or to achieve socially significant goals;
6.2.8. Enforce court rulings, deeds of other bodies or executives, to be enforced in accordance with the laws of the Russian Federation on enforcement proceedings;
6.2.9. Identify and prevent the conflict of interest of Company employees;
6.2.10. Regulate and restrict access to the protected details that constitute the personal data of others;
6.2.11. Accomplish other lawful purposes.
7. Functions of JSC Ilim Group during personal data processing
7.1. The Company takes necessary and sufficient actions to ensure compliance with the requirements of Russian laws and internal regulations of JSC Ilim Group on personal data, including, but not limited to:
- Takes legal, organizational, technical measures to protect personal data from unlawful or accidental access thereto, destruction, amendment, blocking, copying, provision, distribution of personal data, and from other unlawful actions with respect to personal data;
- Publishes internal regulations which determine the policy and matters concerning processing and protection of personal data in JSC Ilim Group, ensures communication of the laws of the Russian Federation and internal regulations of the Company on personal data to Company employees, and their training;
- Appoints persons responsible for processing of personal data in JSC Ilim Group;
- Discontinues processing and destroys personal data in cases stipulated by the laws of the Russian Federation on personal data;
- Obtains consents of the personal data subjects to process personal data, except for the cases expressly stipulated by current laws;
- Performs other actions stipulated by the laws of the Russian Federation on personal data.
7.2. As a Data Operator, JSC Ilim Group shall be entitled to:
- independently determine the scope and list of actions necessary and sufficient to ensure fulfillment of responsibilities stipulated by the Personal Data Law and related regulations, unless stipulated otherwise by the Personal Data Law or other federal laws;
- delegate processing of personal data to another person upon consent of the personal data subject, unless otherwise provided for in the federal law, based on the relevant contract to be entered into with such person;
- continue personal data processing without the consent of the personal data subject, on the grounds specified in the Federal Law “On Personal Data”, in case the personal data subject withdraws their consent for personal data processing.
8. Conditions for personal data processing
Personal data may be processed only in the following cases:
8.1. Data is processed with the consent of the personal data subject for personal data processing (including disclosable, general, and special (biometrical) data unless specified by the current legislation).
8.2. The Company shall not disclose or distribute personal data to any third parties, unless stipulated otherwise by the law.
8.3. In case personal data processing is delegated to another person with the consent of the personal data subject under a contract with this person, this contract shall contain a list of actions (operations) with personal data, processing goals, responsibility of this person to keep personal data confidential, and ensure personal data protection when it is processed, as well as requirements for personal data protection in accordance with article 19 of the Federal Law “On Personal Data”.
8.4. For the purpose of internal information support, the Company may prepare internal reference materials (including, but not limited to, the Company’s address directory and organization) to include personal data with the written consent of the personal data subject/owner unless stipulated otherwise by the laws of the Russian Federation. Reference materials may include full name, place of work, position, year and place of birth, address, subscriber number, e-mail, photo, other personal data provided by the personal data subject.
8.5. Access to the personal data processed in the Company is provided based on an order of the Chief Executive Officer with respect to the persons holding positions included in the list of positions of the structural units of the Company, its branches and representative offices, whose personal data is processed in case of replacement.
9. List of actions to be performed with data and methods of its processing
All personal data of the employees is provided directly by the personal data subjects.
9.1. The Company may take the following actions when processing personal data: collect, record, systematize, accumulate, retain, clarify (update, amend), retrieve, use, transmit (distribute, submit, access), including cross-border transmission, anonymization, blocking, removal, and destruction of personal data.
9.2. Personal data in JSC Ilim Group is processed using the following methods:
- non-automated processing of personal data;
- automated processing of personal data and transmission of the information received via information and telecommunication networks or without them;
- combined method for processing of personal data.
10. Rights of personal data subjects
10.1. The personal data subject is entitled to:
- receive information concerning the processing of their personal data, except for the cases stipulated by the federal laws. Information is provided to the personal data subject by the Data Operator in an accessible format, it shall not contain personal data of other personal data subjects, except for cases when there are legal grounds for disclosure of such personal data. The list of information and procedure for its receipt is established by legislation.
- request the Data Operator to clarify their personal data, block or destroy personal data if it is incomplete, outdated, inaccurate, unlawfully received, or is not required for the declared processing purpose, and take all lawful actions to protect the rights;
- refer to the Data Operator to adjust, withdraw, fully or partially, block or destroy personal data, and file complaints or proposals to HR_communication@ilimgroup.ru;
- appeal with Roskomnadzor or in court any unlawful actions or omission of the Data Operator during personal data processing.
11. Measures JSC Ilim Group takes to ensure fulfillment of the operator’s responsibilities during personal data processing
In order to ensure fulfillment of responsibilities of the Data Operator, the Company takes the following necessary and sufficient actions stipulated by current laws:
11.1. Obtains consents of personal data subjects to process personal data, except for the cases expressly stipulated by the current laws of the Russian Federation;
11.2. Separates personal data processed without automation from other information, in particular, by storing it on separate physical media, in special sections, ensuring separate storage of personal data and its physical media under the conditions ensuring personal data security to exclude any unauthorized access thereto;
11.3. Performs internal control of personal data processing to comply with the Federal Law “On Personal Data” and related regulations, requirements to protection of personal data, this Policy, internal regulations of the Company;
11.4. Arranges training and methodological work with the employees of Company’s structural units, its branches and representative offices, holding positions included in the list of positions of the structural units whose personal data is processed in case of replacement;
11.5. Bans transmission of personal data without any measures to ensure personal data security (except for publicly available and/or anonymized personal data) established in the Company;
11.6. Takes other actions stipulated by the personal data laws of the Russian Federation.
12. Control over compliance with the laws of the Russian Federation and internal regulations of JSC Ilim Group regarding personal data, including requirements for personal data protection
12.1. Control over compliance with the personal data laws and internal regulations of the Company by its structural units, branches and representative offices, including actions taken to prevent failure to comply with the requirements of current laws, identification of possible channels of leakage of and unauthorized access to personal data, and elimination of consequences of failure to comply with the requirements, is exercised by the persons responsible for personal data processing together with the Information Security Department in order to check compliance of personal data processing in the structural units with the laws of the Russian Federation and regulations of the Company. As regards non-automated processing of personal data, this will be checked by the persons responsible for data processing in the Company jointly with the Asset Protection Directorate.
12.2. Compliance with the personal data laws of the Russian Federation and internal regulations of JSC Ilim Group by the Company’s structural units, its branches and representative offices, including the requirements for protection of personal data, is supervised by the person responsible for the processing of the Company’s personal data.
12.3. Heads of those units shall be held responsible for compliance with the data protection laws of the Russian Federation and internal regulations of the Company by the Company’s structural units, its branches and representative offices, as well as for ensuring confidentiality and security of personal data in the said units of JSC Ilim Group.