Personal Data Processing Policy
1. General Provisions
- This document (hereinafter referred to as the Policy) defines the purposes and general principles of personal data processing, as well as the implemented measures for the protection of personal data by the Operator. The Policy is a publicly available document of the Operator and provides the opportunity for anyone to familiarize themselves with it.
- The Policy is effective indefinitely after approval and until it is replaced by a new version.
- The terms and definitions used in the Policy are applied in accordance with their meanings as defined in Federal Law No. 152-FZ "On Personal Data".
- The Operator’s processing of personal data is carried out in compliance with the principles and conditions provided in this Policy and the legislation of the Russian Federation in the field of personal data.
2. Legal Basis for Processing Personal Data
- Personal data processing is carried out by the Operator on a lawful and fair basis, in accordance with the following documents:
- - Constitution of the Russian Federation;
- - Labor Code of the Russian Federation;
- - Civil Code of the Russian Federation;
- - Tax Code of the Russian Federation;
- - Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
- - Federal Law No. 63-FZ of 06.04.2011 "On Electronic Signature";
- - Federal Law No. 99-FZ of 04.05.2011 "On Licensing Certain Types of Activities";
- - Federal Law No. 126-FZ of 07.07.2003 "On Communications";
- - Federal Law No. 27-FZ of 01.04.1996 "On Individual (Personalized) Accounting in the Mandatory Pension Insurance System";
- - Federal Law No. 125-FZ of 22.10.2004 "On Archival Affairs in the Russian Federation";
- - Federal Law No. 273-FZ of 29.12.2012 "On Education in the Russian Federation".
3. Procedure and Conditions for Personal Data Processing
- The Operator processes personal data using a mixed method, i.e., both with and without the use of automation tools.
- The following actions are carried out with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer, provision, access, anonymization, blocking, deletion, destruction.
- During processing, the accuracy, sufficiency, and relevance of personal data with respect to the purposes of processing are ensured. Inaccurate or incomplete personal data are updated.
- Obtaining and processing personal data in cases provided by Federal Law No. 152-FZ is carried out by the Operator with the written consent of the data subject. Consent in the form of a paper document signed by the data subject is equivalent to consent in the form of an electronic document signed with a qualified electronic signature.
- Consent for personal data processing may be given by the data subject or their representative in any form that allows confirming its receipt, unless otherwise established by Federal Law No. 152-FZ.
- The Operator does not process special categories of personal data concerning racial or national affiliation, political views, religious or philosophical beliefs, or intimate life.
- Information characterizing a person's physiological features and allowing identification (biometric personal data) may be processed only with the written consent of the data subject.
- Personal data processing and storage are carried out only as long as required for the purposes of processing, unless there are legal grounds for further processing.
- Processing of personal data under contracts and other agreements of the Operator, instructions to the Operator, and instructions from the Operator for personal data processing is carried out in accordance with the terms of these contracts, agreements, and instructions. These documents may, in particular, define:
- - purposes, conditions, and duration of personal data processing;
- - obligations of the parties, including measures to ensure personal data security;
- - rights, duties, and responsibilities of the parties regarding personal data processing.
- In cases not explicitly provided for by law or contract, processing is carried out after obtaining the consent of the data subject. Consent may be expressed by performing actions, accepting the terms of an offer agreement, marking checkboxes, filling in forms, or formalized in writing in accordance with the law.
- The Operator takes necessary legal, organizational, and technical measures to ensure the security of personal data and protect it from unauthorized (including accidental) access, destruction, modification, blocking, and other unauthorized actions. These measures include, in particular:
- - appointment of employees responsible for organizing processing and ensuring personal data security;
- - checking and including, if necessary, confidentiality clauses in contracts;
- - issuing internal regulations on personal data processing, familiarizing employees with them, and training users;
- - ensuring physical security of premises and processing tools, access control, security, and video surveillance;
- - restricting and differentiating access of employees and other persons to personal data and processing tools, monitoring actions with personal data;
- - identifying threats to personal data security during processing and forming threat models;
- - using security measures (antivirus software, firewalls, unauthorized access protection, cryptographic information protection), including those certified according to established procedures;
- - accounting and storing information carriers to prevent theft, substitution, unauthorized copying, and destruction;
- - creating backups for data recovery;
- - internal control over compliance with established procedures, checking effectiveness of measures, responding to incidents.
4. Rights of Data Subjects
- A data subject has the right to withdraw consent for personal data processing by sending a request to the Operator by mail or in person.
- A data subject has the right to receive information regarding the processing of their personal data, including:
- - confirmation of personal data processing by the Operator;
- - legal grounds and purposes of personal data processing;
- - purposes and methods of personal data processing applied by the Operator;
- - name and location of the Operator, information about persons (excluding employees of the Operator) who have access to personal data or to whom personal data may be disclosed under a contract with the Operator or federal law;
- - personal data processed relating to the subject, the source of their collection, unless otherwise provided by federal law;
- - processing periods, including storage periods;
- - procedure for exercising the rights of the data subject under the Federal Law "On Personal Data";
- - information about any completed or planned cross-border data transfer;
- - name or full name and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such a person;
- - other information provided by Federal Law "On Personal Data" or other federal laws.
- A data subject may request that the Operator clarify, block, or delete their personal data if the data are incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared processing purpose, and may take measures provided by law to protect their rights.
- If a data subject believes that the Operator processes their personal data in violation of Federal Law "On Personal Data" or otherwise infringes on their rights and freedoms, the data subject may appeal the Operator's actions or inactions to the authorized body (Federal Service for Supervision of Communications, Information Technology, and Mass Media - Roskomnadzor) or in court.
- A data subject has the right to protect their rights and lawful interests, including by seeking compensation for damages and/or moral harm in court.
5. Rights and Obligations of the Operator
- The rights and obligations of the Operator are defined by applicable law and the Operator's agreements.
- Control over compliance with this Policy is carried out by the person responsible for organizing personal data processing.
- The responsibility of persons involved in processing personal data under the Operator's instructions for unlawful use of personal data is established in accordance with the terms of civil-law contracts or confidentiality agreements concluded between the Operator and the counterparty.
- Persons guilty of violating regulations governing personal data processing and protection bear material, disciplinary, administrative, civil, or criminal liability in accordance with federal laws, internal acts, and Operator agreements.
- The Personal Data Processing Policy is developed by the person responsible for organizing personal data processing and is enacted after approval by the Operator’s management. Suggestions and comments for amendments should be sent to support@tunnelrover.com. The Policy is reviewed annually and updated as necessary to keep it up to date.