Personal data processing policy

(legal entity - LLC "First Free Legal Music Platform")

1. General provisions

1.1. This Policy defines the procedure for processing personal data and measures to ensure the security of personal data in LLC "First Free Legal Music Platform" (hereinafter referred to as the Company) in order to protect the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of the right to privacy, personal and family secrecy.

1.2. The policy of personal data processing in the Company (hereinafter referred to as the Regulations) is developed in accordance with the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter referred to as FZ-152).

1.3. The following terms and definitions are used in this Policy:

  • state authority, municipal authority, legal or natural person, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;
  • any information relating to a directly or indirectly identified or identifiable natural person (personal data subject);
  • any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
  • processing of personal data by means of computer equipment;
  • actions aimed at disclosure of personal data to an indefinite number of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including disclosure of personal data in mass media, placement in information and telecommunication networks or providing access to personal data in any other way;
  • actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
  • temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
  • actions, as a result of which it is impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;
  • actions, as a result of which it is impossible to determine without the use of additional information whether personal data belong to a particular subject of personal data;
  • a set of personal data contained in databases and information technologies and technical means ensuring their processing;
  • transfer of personal data to the territory of a foreign country to a foreign authority, a foreign natural person or a foreign legal entity.

1.4. The Policy applies to all personal data of subjects processed by the Company with or without the use of automation tools.

1.5. This Policy shall be accessible to any subject of personal data.

2. Principles and conditions of personal data processing

2.1. The Company processes personal data on the basis of the following principles:

  • legality and fairness;
  • limiting the processing of personal data to the achievement of specific, predetermined and legitimate purposes;
  • prevention of personal data processing incompatible with the purposes of personal data collection;
  • preventing the merging of databases containing personal data processed for incompatible purposes;
  • processing only those personal data that meet the purposes of their processing;
  • compliance of the content and scope of processed personal data with the stated purposes of processing;
  • preventing the processing of redundant personal data in relation to the stated purposes of their processing;
  • ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing;
  • destruction or depersonalization of personal data once the purposes of their processing have been achieved, when achieving these purposes is no longer necessary, or when the Company is unable to eliminate violations committed in respect of personal data, unless otherwise provided by federal law.

2.2. The Company processes personal data only if at least one of the following conditions is met:

  • personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data;
  • processing of personal data is necessary to achieve the purposes provided for by the law, for the implementation and fulfillment of the functions, powers and duties assigned to the operator by the legislation of the Russian Federation;
  • processing of personal data is necessary for the execution of a contract to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
  • processing of personal data is necessary to exercise the rights and legitimate interests of the Company or third parties or to achieve socially important goals, provided that the rights and freedoms of the subject of personal data are not violated;
  • processing of personal data to which an unlimited number of persons has been granted access by the subject of personal data or at his/her request (hereinafter referred to as publicly available personal data);
  • processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

2.3. The Company and other persons who have access to personal data are obliged not to disclose to third parties and not to disseminate personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

2.4. For information support purposes, the Company may create publicly available sources of employee personal data, including directories and address books. Publicly available sources of personal data may include the employee's surname, name, patronymic, date and place of birth, position, contact telephone numbers, e-mail address with the employee's consent. Information about an employee shall be excluded from publicly available sources of personal data at any time at the employee's request or by decision of a court or other authorized state bodies.

2.5. The Company may entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided for by federal law, on the basis of an agreement concluded with such person (hereinafter referred to as the Bank's order). The person processing personal data on behalf of the Company shall comply with the principles and rules of personal data processing stipulated by the Federal Law-152.

2.6. The Company may process special categories of personal data relating to racial or national origin, political views, religious or philosophical beliefs, state of health, or intimate life if:

  • the personal data subject has consented in writing to the processing of his/her personal data;
  • the personal data has been made publicly available by the subject of personal data;
  • personal data processing is carried out in accordance with the legislation on state social assistance, labour legislation, legislation of the Russian Federation on state pension support and labour pensions;
  • processing of personal data is necessary for the establishment or exercise of the rights of the personal data subject or third parties, as well as in connection with the exercise of justice;
  • processing of personal data is carried out in accordance with the legislation of the Russian Federation on countering terrorism, on countering corruption, on enforcement proceedings, criminal and enforcement legislation of the Russian Federation;
  • processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, insurance legislation.

Processing of special categories of personal data shall be immediately terminated if the reasons that led to their processing are eliminated, unless otherwise established by federal law.

2.7. The Company may process personal data on criminal record only in cases and in accordance with the procedure determined in accordance with federal laws.

2.8. Information that characterises the physiological and biological features of a person on the basis of which his/her identity can be established (biometric personal data) may be processed by the Company only with the written consent of the employee.

2.9. Cross-border transfer of personal data to the territory of foreign countries, including with the use of Google Analytics, can be carried out by the Company only if the subject of personal data agrees to it. Prior to cross-border transfer of personal data, the Company shall make sure that the foreign state to which the personal data is transferred ensures adequate protection of the rights of personal data subjects.

3. Rights of the subject of personal data

3.1. The subject of personal data decides to provide his/her personal data and consents to their processing freely, of his/her own free will and in his/her own interest. Consent to the processing of personal data may be given by the subject of personal data or his/her representative in any form that allows the fact of its receipt to be confirmed, unless otherwise established by federal law. The Company is obliged to provide proof of obtaining the consent of the subject of personal data to the processing of his/her personal data or proof of the existence of the grounds specified in the Federal Law No. 152.

3.2. The subject of personal data has the right to receive information regarding the processing of his/her personal data, unless such right is restricted in accordance with federal laws. The subject of personal data has the right to demand that the Company clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his/her rights.

3.3. Processing of personal data for the purpose of promoting goods, works, services on the market by means of direct contacts with potential customers by means of communication, as well as for political promotion purposes is allowed only with the prior consent of the subject of personal data. The said processing of personal data is recognised as being carried out without the prior consent of the subject of personal data, unless the Company can prove that such consent was obtained. The Company shall immediately cease processing of personal data for the above purposes at the request of the subject of personal data.

3.4. It is prohibited to make decisions based solely on the automated processing of personal data that give rise to legal consequences in respect of the personal data subject or otherwise affect his or her rights and legitimate interests, except in cases provided for by federal laws or with the written consent of the personal data subject.

3.5. If the personal data subject believes that the Company processes his/her personal data in violation of the requirements of the Federal Law-152 or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal against the Company's actions or inaction to the Authorised Body for the Protection of the Rights of Personal Data Subjects or in court. The subject of personal data has the right to defend his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage, in court.

4. Ensuring the security of personal data

4.1. The security of personal data processed by the Company is ensured by the implementation of legal, organisational, technical and software measures necessary and sufficient to ensure the requirements of federal legislation in the field of personal data protection.

4.2. The Company uses the following organisational and technical measures to purposefully create unfavourable conditions and insurmountable obstacles for intruders attempting to gain unauthorised access to personal data in order to acquire, modify, destroy, infect with malicious computer software, substitute and perform other unauthorised actions:

  • appointment of officials responsible for the organisation of personal data processing and protection;
  • limiting and regulating the composition of employees who have access to personal data;
  • familiarising employees with the requirements of federal legislation and the Company's regulations on processing and protection of personal data;
  • ensuring accounting and storage of material data carriers and their handling, preventing theft, substitution, unauthorised copying and destruction;
  • identification of threats to personal data security during their processing, formation of threat models on their basis;
  • development on the basis of the threat model of the personal data protection system for the relevant class of information systems;
  • verification of readiness and efficiency of information protection means use;
  • implementation of a permission-based system of user access to information resources, software and hardware means of processing and protection of information;
  • registration and recording of actions of users of personal data information systems;
  • password protection of user access to the personal data information system;
  • application of means of access control to communication ports, information input-output devices, removable machine media and external information storage devices;
  • application, where necessary, of cryptographic information protection means to ensure the security of personal data during transmission via open communication channels and storage on machine data carriers;
  • implementation of anti-virus control, prevention of introduction of malicious programmes (software viruses) and software implants into the corporate network;
  • use of firewalls;
  • detection of intrusions into the Company's corporate network that violate or create preconditions for violation of the established requirements for personal data security;
  • centralised management of the personal data protection system;
  • ensuring the recovery of personal data modified or destroyed due to unauthorised access to it;
  • training of employees using information protection means applied in personal data information systems on the rules of working with them;
  • accounting of applied information protection means, operational and technical documentation for them;
  • use of information protection means that have undergone the conformity assessment procedure in accordance with the established procedure;
  • monitoring of users' actions, conducting proceedings on the facts of violation of personal data security requirements;
  • placement of technical means of personal data processing within the protected area;
  • organisation of access control to the Company's territory;
  • maintaining technical means of security and signalling of the premises in a state of constant readiness.

5. Final Clauses

5.1. Other rights and obligations of the Company, as an operator of personal data, are determined by the legislation of the Russian Federation in the field of personal data. The Company's officials guilty of violating the norms governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil-law or criminal liability in accordance with the procedure established by federal laws.