1.1. The OJSC MMK Personal Data Processing Policy (the “Policy”) defines the main principles, purposes, terms and methods of personal data processing, lists of data subjects and personal data processed at OJSC MMK, OJSC MMK’s functions in relation to personal data processing, the rights of data subjects, as well as the requirements for personal data protection implemented at OJSC MMK.
1.2. The Policy has been developed taking into account the requirements of the Russian Constitution and Russian legislation on personal data.
1.3. The provisions of this Policy serve as the basis for the development of local regulations governing the processing of personal data relating to OJSC MMK employees and other data subjects at OJSC MMK.
1.4. The Policy provides a framework for OJSC MMK subsidiaries and entities to develop local regulations defining the policy for personal data processing at these organisations.
2. Russian laws and regulations providing a framework for the OJSC MMK Personal Data Processing Policy
2.1. The following regulations provide a framework for the OJSC MMK Personal Data Processing Policy:
• Labour Code of the Russian Federation
• Federal Law No. 152-FZ On Personal Data, dated 27 July 2006
• Federal Law No. 160-FZ On Ratifying the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, dated 19 December 2005
• Federal Law No. 149-FZ On Information, Information Technology and Information Protection, dated 27 July 2006
• Executive Order of the Russian President No. 188 On the Approval of the List of Confidential Information, dated 6 March 1997
• Resolution of the Government of the Russian Federation No. 687 On the Approval of the Regulation on the Specifics of Non-Automated Processing of Personal Data, dated 15 September 2008
• Resolution of the Government of the Russian Federation No. 512 On the Approval of the Requirements for Physical Carriers of Biometric Data and the Technologies for Storing Such Data Outside Personal Data Information Systems, dated 6 July 2008
• Resolution of the Government of the Russian Federation No. 1119 On the Approval of the Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems, dated 1 November 2012
• Order of the FSTEC of Russia No. 21 On the Approval of the Scope and Content of Organisational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems, dated 18 February 2013
• Order of Roskomnadzor No. 996 On the Approval of the Requirements and Methods for the Pseudonymisation of Personal Data, dated 5 September 2013
• Other laws and regulations of the Russian Federation and regulations of authorised public authorities
2.2. To implement the provisions of this Policy, OJSC MMK develops relevant local regulations and other documents, including:
• Regulations on the Procedure for Personal Data Processing at OJSC MMK
• The Order on the Appointment of a Person Responsible for Personal Data Processing Arrangements and on the Establishment of a Commission for Personal Data Protection
• The Regulation On the Approval of the Lists of Employee Roles with Access to Personal Data and Responsible for Implementing Data Protection Measures.
3. Key terms and definitions used in OJSC MMK’s local regulations governing the processing of personal data
Personal data – any information relating to a directly or indirectly identified or identifiable individual (data subject).
Operator – a public authority, municipal authority, legal entity or individual which, alone or jointly with others, organises and/or carries out the processing of personal data, and which determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed on personal data.
Personal data processing – any action (operation) or a set of actions (operations) which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, accumulation, storage, rectification (update, alteration), retrieval, use, transmission (dissemination, sharing or otherwise making available), pseudonymisation, restriction, erasure or destruction of personal data.
Automated processing of personal data – the processing of personal data using computer equipment.
Dissemination of personal data – actions aimed at disclosing personal data to the public.
Sharing of personal data – actions aimed at disclosing personal data to a certain person or a certain group of persons.
Restriction of personal data – the marking of stored personal data with the aim of temporarily excluding them from processing (except where processing is needed to rectify the personal data).
Destruction of personal data – actions performed on personal data contained in a personal data information system which make the restoration of such data impossible and/or actions resulting in the destruction of physical carriers of personal data.
Pseudonymisation of personal data – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
Personal data information system – the totality of personal data contained in databases and the information technologies and technical means for processing these data.
Cross-border transfer of personal data – the transmission of personal data to a foreign authority, a foreign national or a foreign legal entity located in a foreign state.
4. The principles and purposes of personal data processing
4.1. As a personal data operator, OJSC MMK carries out the processing of personal data relating to OJSC MMK employees and other data subjects not employed by OJSC MMK.
4.2. The processing of personal data at OJSC MMK is carried out in such a manner as to ensure the protection of the rights and freedoms of OJSC MMK employees and other data subjects, including the protection of the right to privacy, personal and family secrets, and is based on the following principles:
• Personal data shall be processed lawfully and fairly
• The processing of personal data shall be limited to what is necessary in relation to specific, pre-defined and legitimate purposes. Personal data shall not be processed in a manner that is incompatible with the purposes for which they are collected
• The merging of databases containing personal data to be processed for purposes that are incompatible with one another shall not be permitted
• Only personal data that comply with the purposes for which they are processed shall be processed
• The scope and volume of personal data to be processed shall be compatible with the stated purposes for which they are processed. The personal data to be processed shall not be excessive in relation to the stated purposes for which they are processed
• In the course of personal data processing, steps must be taken to ensure that personal data are accurate, adequate and, where necessary, relevant to the purposes for which they are processed. The operator shall take appropriate measures to erase or rectify incomplete or inaccurate data or ensure that such measures are taken
• Personal data shall be stored in a format that allows the identification of the data subject for no longer than the purposes of processing require, unless the personal data storage period is prescribed by the Federal Law or by an agreement to which the data subject is a party, beneficiary or guarantor
• The personal data processed shall be subject to destruction or pseudonymisation once the purposes for which they are processed are achieved or when such purposes cease to be relevant, unless otherwise stipulated by the Federal Law
4.3. Personal data are processed at OJSC MMK for the following purposes:
• The execution of employment contracts
• Providing military enlistment offices with the information required for military records
• Ensuring civil protection
• Assistance in employment and training
• Providing access to information resources
• Ensuring security and access controls
• The provision of incentives and rewards, organising celebrations
• Preventing dereliction of duty
• Making arrangements for social support, health improvement and recreation for employees, their families and former employees
• Private pension provision
• Obtaining licences
• Making arrangements for voluntary insurance
• Ensuring the safety of property
• The enforcement of decisions by courts and other authorities within relevant jurisdictions
• Claims management
• The execution of civil contracts
• The maintenance and safe-keeping of the Company’s register of shareholders
• Handling requests from citizens
5. List of data subjects whose personal data are processed at OJSC MMK
5.1. The personal data of the following categories of data subjects are processed at OJSC MMK:
• Employees of OJSC MMK’s business units
• Employees of entities within the OJSC MMK Group that have instructed OJSC MMK, under a contract, to process their employees’ personal data
• Other data subjects (to ensure that the processing purposes specified in Section 4 of this Policy are met)
6. List of personal data processed at OJSC MMK
6.1. For the purposes specified in Paragraph 4.3, the following personal data shall be processed by OJSC MMK:
• Last name, first name, patronymic/middle name(s) (including the previous last names, first names and/or patronymics/middle names, if changed)
• Date of birth (day, month and year)
• Place of birth
• Nationality information (including previously held nationalities, other nationalities held)
• ID details (type, series, number, date and place of issue, issuing authority)
• Residential address (registration address, actual residence address); contact telephone number or other contact details
• Details of state pension insurance certificate
• Taxpayer identification number
• Details of mandatory health insurance policy
• Details of the certificate of state registration of civil status acts
• Family status, family composition
• Employment records
• Military service details and details of military records
• Information on education, including postgraduate vocational education (educational establishment name and year of graduation, name and details of the education certificate, qualification, major as per the education certificate)
• Academic degree information
• Information on foreign language skills, degree of proficiency
• A medical report in the prescribed form confirming that the employee does not have a disease rendering him/her incapable of performing the duties of his/her job under the employment contract
• State awards, other awards and recognitions
• Information on professional retraining and/or professional development
• Information about paid annual leave, sabbaticals and unpaid leaves
• Salary information
• Bank account number
• Other personal data as may be required to meet the purposes specified in Paragraph 4.3 of this Policy
6.2. The processing of special categories of personal data relating to race, ethnicity, political views, religious or philosophical beliefs, state of health and intimate life shall not be carried out at OJSC MMK, except when provided for in Paragraph 2 of Article 10 of Federal Law No. 152-FZ On Personal Data, dated 27 July 2006.
7. OJSC MMK’s functions in processing personal data
7.1. When processing personal data, OJSC MMK:
• independently determines the scope and list of measures required and adequate to meet its obligations under Federal Law No. 152-FZ On Personal Data, dated 27 July 2006, and laws and regulations made thereunder, unless otherwise stipulated by federal laws
• appoints a person responsible for organising the processing of personal data
• issues documents defining OJSC MMK’s policy in relation to the processing of personal data, local regulations on the processing of personal data, as well as local regulations establishing procedures for the prevention and identification of violations of Russian laws and addressing the consequences of such breaches
• takes (or ensures) the necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, restriction, copying, sharing and dissemination, as well as from other unlawful actions in relation to personal data
• runs internal monitoring and/or audits of compliance of personal data processing with the Federal Law and laws and regulations made thereunder, as well as the requirements for personal data protection, the OJSC MMK Personal Data Processing Policy and OJSC MMK’s local regulations
• ensures that OJSC MMK employees directly involved in the processing of personal data are familiarised with the provisions of Russian personal data laws, including the requirements for personal data protection, documents defining the OJSC MMK Personal Data Processing Policy, local regulations on the processing of personal data, and/or that these employees receive training
• ensures unrestricted access to this Policy via the appropriate information and telecommunication network
• stops processing and destroys personal data in cases specified by Russian personal data laws
• ensures that the personal data processed without the use of automated means are separated from other information, in particular by recording them on separate physical data carriers or in special sections
• ensures the separate storage of personal data and their physical carriers processed for different purposes and containing different categories of personal data
• forbids the transfer of personal data via open communication channels, computer networks outside the controlled Company network and over the internet without the application of measures established at OJSC MMK to ensure the security of personal data (except for publicly available and/or pseudonymised personal data)
• stores physical data carriers in such a way that ensures the safety of personal data and prevents unauthorised access
• takes other measures as required by Russian personal data laws.
8. The terms of personal data processing at OJSC MMK
8.1. The processing of personal data at OJSC MMK shall be carried out on the basis of the consent of the data subject concerned, unless otherwise provided by the Russian Federation’s personal data laws.
8.2. OJSC MMK shall not disclose personal data to third parties without the consent of the data subject concerned, nor shall it disseminate personal data unless otherwise provided by the Federal Law.
8.3. OJSC MMK may assign the processing of personal data to another person with the consent of the data subject concerned, based on a contract signed with such person. The contract must contain a list of actions (operations) to be performed on personal data by the person processing such personal data, the purposes of processing, the obligation of such person to respect the confidentiality of personal data and ensure the security of personal data during processing, as well as the requirements for the protection of personal data processed as stipulated in Article 19 of Federal Law On Personal Data.
8.4. For the purposes of internal information support, OJSC MMK may create internal reference materials which, subject to the written consent of the data subject concerned and unless otherwise provided by the legislation of the Russian Federation, may include his/her last name, first name, patronymic/middle name(s), place of work, position, year and place of birth, address, telephone (subscriber) number, e-mail address or other personal data provided by the data subject.
8.5. Access to the personal data processed at OJSC MMK shall be limited to OJSC MMK employees who hold positions included in the list of positions at OJSC MMK business units with access to the personal data processed.
9. The list of actions performed on personal data, and data processing methods
9.1. OJSC MMK carries out the collection, recording, organisation, accumulation, storage, rectification (update, alteration), retrieval, use, transmission (dissemination, sharing or otherwise making available), pseudonymisation, restriction, erasure and destruction of personal data.
9.2. The processing of personal data at OJSC MMK is carried out in the following ways:
• Non-automated processing of personal data
• Automated processing of personal data with or without the transmission of the information received via information and telecommunication networks
• Mixed processing of personal data
10. The rights of data subjects
10.1. Data subjects have the right to obtain information regarding the processing of their personal data, including the following:
• Confirmation of personal data processing by the operator
• Legal grounds for and purposes of personal data processing
• The operator’s purposes and methods of personal data processing
• The name and address of the operator, and information on individuals and entities (other than the operator’s employees) who have access to personal data or to whom such personal data may be disclosed under a contract with the operator or under the Federal Law
• Personal data processed and related to the relevant data subject and their source, unless the Federal Law establishes a different procedure for sharing such data
• Timelines for personal data processing, including personal data storage
• The procedure for the data subject to exercise their rights under the Federal Law
• Information on the actual or proposed cross-border transfer of personal data
• The full name and address of the individual or entity processing personal data on behalf of the operator, if such processing is or will be assigned to such individual or entity
• Other information under the Federal Law or other federal laws
10.2. The data subject may:
• request that OJSC MMK rectify, restrict or erase their personal data if such personal data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purposes of processing, and take the measures provided by law to protect their rights
• withdraw their consent to the processing of their personal data
• protect their rights and legal interests, including the right to seek compensation for losses and/or moral damages in court
• exercise any other rights specified by the laws of the Russian Federation.
11. Monitoring of compliance with the legislation of the Russian Federation and local regulations of OJSC MMK on personal data, including requirements for the protection of personal data
11.1. Monitoring of compliance by OJSC MMK business units with the legislation of the Russian Federation and local regulations of OJSC MMK on personal data, including the requirements for the protection of personal data, is carried out to detect violations of Russian personal data laws, identify possible channels of data leakage or unauthorised access to personal data, and address the consequences of such breaches.
11.2. Internal monitoring of compliance by OJSC MMK business units with the legislation of the Russian Federation and local regulations on personal data is carried out by OJSC MMK’s Commission for Personal Data Protection.
11.4. Business unit managers shall be accountable for ensuring compliance with the Russian legislation and local regulations of OJSC MMK covering personal data in their respective business units.