Follow us on Twitter
    Sign InGet Started
    default

    Personal Data Processing Policy

    Policy regarding the processing of personal data of "Iconicompany" platform users

    General Provisions

    Purpose

    This document defines the policy of Limited Liability Company "Iconicompany" (PSRN 1221800009232 TIN 1840111903, hereinafter – the Operator) regarding the processing of personal data (hereinafter – the Policy).

    This document is publicly available and posted on the Internet on the "Iconicompany" platform website at: https://iconicompany.com/ (hereinafter – the Platform).

    The Operator, when processing personal data, ensures the protection of the rights and freedoms of data subjects during the processing of their personal data and takes measures to ensure the fulfillment of the personal data operator's obligations stipulated by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and regulatory legal acts adopted in accordance with it.

    The Operator's local normative acts regulating the processing of personal data are developed in accordance with the provisions of the Policy.

    Key concepts used in the Policy:

    • personal data - any information relating directly or indirectly to an identified or identifiable natural person (personal data subject);
    • personal data subject - a natural person to whom personal data belongs;
    • operator - "Iconicompany" (PSRN 1221800009232 TIN 1840111903), organizing and/or carrying out the processing of personal data, as well as defining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data;
    • personal data processing - any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (dissemination, provision, access), blocking, deletion, destruction of personal data;
    • automated personal data processing - personal data processing using computer technology;
    • non-automated personal data processing - personal data processing carried out with direct human involvement;
    • personal data dissemination - actions aimed at disclosing personal data to an indefinite circle of persons;
    • personal data provision - actions aimed at disclosing personal data to a specific person or a specific circle of persons;
    • personal data blocking - temporary cessation of personal data processing (except in cases where processing is necessary to clarify personal data);
    • personal data destruction - actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of material carriers of personal data;
    • personal data information system - a set of personal data contained in the Operator's databases, and information technologies and technical means ensuring personal data processing;
    • user - a natural person, a representative of a legal entity, or a legal entity created in accordance with the legislation of the Russian Federation, who uses the Platform in accordance with the user agreement concluded with the Operator;
    • user agreement - an agreement on the basis of which the Operator grants the user a non-exclusive right to use the Platform.
    • cross-border personal data transfer - transfer of personal data to the territory of a foreign state, a foreign state authority, a foreign natural person, or a foreign legal entity;
    • cookie files - information that may contain the following data about the personal data subject: device IP address, geolocation data, information about the program used to access the Platform, technical characteristics of the equipment and software used by the subject, date and time of access to the Platform, as well as other similar information.

    When processing personal data, the Operator is guided by the following principles:

    • Personal data processing is carried out on a legal and fair basis;
    • Personal data processing is limited to achieving specific, predetermined, and legitimate goals, which are specified in the Policy, in the consent of the personal data subject, in agreements and contracts concluded between the Operator and the personal data subject;
    • Combining databases containing personal data, the processing of which is carried out for incompatible purposes, is not allowed;
    • Only personal data that corresponds to the purposes of their processing is subject to processing. The content and scope of processed personal data correspond to the declared processing purposes;
    • The processed personal data are not excessive in relation to the declared processing purposes;
    • When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, their relevance to the purposes of personal data processing are ensured;
    • The Operator takes the necessary measures or ensures their taking (if personal data processing is carried out by a third party) to delete or clarify incomplete or inaccurate data;
    • Personal data storage is carried out in a form that allows identifying the personal data subject, no longer than required by the purposes of personal data processing, unless a different personal data storage period is established by law or by a contract to which the personal data subject is a party or beneficiary;
    • Processed personal data are subject to destruction upon achievement of the processing goals or in case of loss of necessity to achieve these goals, unless otherwise provided by federal law.

    1. Purposes of Personal Data Collection

    1.1. The Operator, using the Platform, collects and stores only personal data that is necessary to achieve one or more goals specified in clause 2.2 of the Policy.

    1.2. The Operator processes personal data for the following purposes:

    • Ensuring the proper functioning of the Platform;
    • Concluding and executing a contract to which the personal data subject is a party or beneficiary;
    • Sending notifications and promotional materials aimed at advertising services provided by the Operator;
    • Reviewing user requests, claims, and applications and sending a corresponding response or the Operator's decision;
    • Exercising and fulfilling the functions, powers, and duties assigned to the Operator by the legislation of the Russian Federation;
    • Exercising the rights and legitimate interests of the Operator or third parties, provided that the rights and freedoms of the personal data subject are not violated.

    2. Legal Grounds for Personal Data Processing

    2.1. The legal grounds for personal data processing are a set of normative legal acts in execution of which and in accordance with which the Operator carries out personal data processing. Such normative acts include:

    • International legal acts regulating the processing of subjects' personal data;
    • Constitution of the Russian Federation;
    • Civil Code of the Russian Federation;
    • Federal Law No. 38-FZ of March 13, 2006 "On Advertising";
    • Federal Law No. 63-FZ of April 06, 2011 "On Electronic Signature";
    • Federal Law No. 115-FZ of August 07, 2001 "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism";
    • Federal Law No. 161-FZ of June 27, 2011 "On the National Payment System";
    • Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies, and Information Protection";
    • Subordinate normative acts: decrees of the President of the Russian Federation, resolutions of the Government of the Russian Federation, instructions of the Bank of Russia;
    • Charter and other local normative acts of the Operator.

    2.2. The Operator has the right to process personal data of subjects based on agreements concluded with them and based on their consent to personal data processing.

    2.3. If the basis for the Operator's processing of a subject's personal data is the subject's consent, such consent can be given on the Platform by checking a box in the corresponding web form or by activating (clicking) the corresponding button on the Platform.

    3. Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects

    3.1. The Operator processes personal data of Platform users to ensure the proper functioning of the Platform;

    3.2. The Operator processes personal data of subjects who use the Platform without undergoing full registration and who have subscribed to notifications and receive advertisements for the Operator's services:

    • name;
    • email address;
    • phone number;
    • cookie files.

    3.3. The Operator processes personal data of subjects registered on the Platform as performers, as well as personal data of beneficiaries and beneficial owners of the Platform user for the purpose of concluding and executing a contract to which the personal data subject is a party or beneficiary:

    • surname, first name, patronymic;
    • date and place of birth;
    • citizenship;
    • passport data (including registration address);
    • residence address;
    • individual personal account insurance number (SNILS);
    • individual taxpayer identification number (INN);
    • information on the status of an individual entrepreneur;
    • bank account details;
    • mobile phone number;
    • email address;
    • cookie files.

    3.4. The Operator processes personal data of subjects who are representatives of users registered on the Platform:

    • surname, first name, patronymic;
    • passport data;
    • validity period of the document on the basis of which the representative acts.

    3.5. The Operator processes personal data of subjects who have sent a request to the Operator via the corresponding web form of the Platform:

    • surname, first name, patronymic;
    • email address;
    • phone number;
    • cookie files.

    3.6. The Operator processes other personal data for exercising and fulfilling the functions, powers, and duties assigned to the Operator by the legislation of the Russian Federation, including special categories of personal data, guided by the provisions of Federal Law No. 115-FZ of August 07, 2001 "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism".

    3.7. The Operator does not process publicly available, biometric data (information characterizing physiological and biological features of a person, on the basis of which his identity can be established), as well as data belonging to special categories (racial or ethnic origin, political views, religious or philosophical beliefs, health status, intimate life).

    3.8. Consent to personal data processing may be expressed by taking actions, accepting the terms of the user agreement, placing appropriate marks of consent to personal data processing, activating (clicking) functional buttons on the Platform, filling in fields in forms, blanks, questionnaires posted on the Platform, or formalized in writing in accordance with the legislation.

    3.9. The Operator obtains personal data from the subject by the personal data subject filling out the corresponding web form on the Platform.

    3.10. The personal data subject agrees that the Operator has the right to process the subject's personal data received from third parties, including data from state information systems.

    4. Procedure and Conditions for Personal Data Processing

    4.1. The Operator independently or jointly with other persons organizes and/or carries out personal data processing, as well as determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

    4.2. The Operator performs the following actions with the subject's personal data:

    • collection of personal data through the Platform, through information systems, and from other sources;
    • recording;
    • systematization;
    • accumulation;
    • storage of personal data on the Operator's servers or the personal data processor using information protection tools;
    • clarification (update, change);
    • extraction;
    • use;
    • transfer (dissemination, provision, access) to third parties with the consent of the personal data subject;
    • blocking, deletion, destruction of personal data in cases provided by law.

    4.3. The Operator performs the actions specified in clause 5.1 of the Policy with all categories of personal data indicated in section 4 of the Policy, unless otherwise specifically defined in the legal basis for processing (regulatory act, agreement, consent, etc.).

    4.4. The Operator carries out automated and non-automated processing of the subject's personal data.

    4.5. The term of personal data processing is from the moment the subject's personal data is provided and legal grounds for processing arise until the achievement of the personal data processing purposes specified in the Policy, no less than 5 (five) years from the termination of relations with the personal data subject. An extended personal data processing period may be provided by law.

    5. Conditions for Transferring Personal Data to Third Parties

    5.1. The Operator, in accordance with clause 5.3 of the Policy, may transfer the subject's personal data to third parties to achieve the purposes specified in clause 2.2 of the Policy.

    5.2. When transferring personal data to third parties, the Operator informs them about the measures taken by the Operator to protect personal data and maintain their confidentiality. When entrusting personal data processing, the Operator has the right to demand from third parties to take the measures specified in this clause.

    5.3. The Operator discloses personal data of subjects to third parties in cases:

    • existing consent of the personal data subject for transfer and a concluded agreement between the Operator and a third party for personal data processing;
    • legislation provides for the Operator's obligation to disclose or transfer the subject's personal data.

    5.4. The Operator has the right to transfer personal data to investigative bodies, other authorized bodies on the grounds provided by the current legislation of the Russian Federation.

    6. Rights and Obligations of the Operator and the Personal Data Subject

    6.1. The Operator ensures the rights of personal data subjects in the manner established by Chapters 3 and 4 of the Federal Law "On Personal Data".

    6.2. The Operator, in the process of personal data processing, has the right to:

    • Process personal data of subjects in accordance with the provisions of the Policy;
    • Provide personal data of subjects to third parties in accordance with the provisions of the Policy and on the basis provided by current legislation;
    • Require the personal data subject to timely clarify the provided personal data;
    • Require the personal data subject to provide accurate personal data, necessary and sufficient for the purpose of their processing;
    • Entrust personal data processing to another (third) person with the consent of personal data subjects.

    6.3. The Operator is obliged to:

    • observe and ensure the confidentiality of personal data, namely, not to disclose to third parties and not to disseminate personal data without the consent of the personal data subject, unless otherwise provided by the Policy and the legislation of the Russian Federation;
    • when collecting personal data, including through the information and telecommunications network "Internet", ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation;
    • terminate processing or block, destroy the personal data of the subject in cases provided by the current legislation of the Russian Federation;
    • take measures to clarify, destroy the personal data of the personal data subject in connection with his (legal representative's) appeal with legitimate and justified demands;
    • store personal data in a form that allows identifying the subject, for the necessary period determined in accordance with the Policy;
    • provide information about the ongoing personal data processing in relation to the personal data subject upon the request (appeal) of the latter or his representative.

    6.4. The personal data subject has the right:

    • to free familiarization with the provisions of the Policy and the volume of personal data processed by the Operator. The right of the personal data subject to access his personal data may be restricted in accordance with the legislation of the Russian Federation, as well as other international acts;
    • to receive information concerning the Operator's processing of his personal data. The scope of information provided is defined in Part 7 of Article 14 of the Federal Law "On Personal Data";
    • to demand from the Operator the clarification of his personal data, their blocking or destruction in case the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, and also to take measures provided by law to protect his rights;
    • to appeal the actions or inactions of the Operator to the authorized body for the protection of the rights of personal data subjects or in court;
    • to protect his rights and legitimate interests, including compensation for losses and/or moral damage in court;
    • to interact with the Operator through a representative. The powers of the representative to represent the interests of each personal data subject are confirmed by a power of attorney issued in accordance with the legislation of the Russian Federation;
    • to withdraw consent to personal data processing in part or in full.

    6.5. The personal data subject is obliged to:

    • provide the Operator with accurate information about himself to the extent necessary to achieve the processing purpose;
    • inform the Operator about the clarification (update, change) of his personal data.

    7. Updating, Correction, Deletion, and Destruction of Personal Data

    7.1. The Operator has the right to verify the accuracy and relevance of personal data specified by the subject.

    7.2. The accuracy and relevance of personal data may be carried out by the following methods at the Operator's discretion:

    • sending requests to state information systems;
    • comparing the subject's personal data with information stored in the information systems used by the Operator for personal data processing;
    • sending a request to the personal data subject;
    • other methods provided by the Operator's information system.

    7.3. The Operator makes appropriate changes to personal data within 7 (seven) working days from the date of receiving information from the personal data subject or his representative confirming that the personal data is incomplete, inaccurate, or outdated;

    7.4. The Operator destroys personal data within 7 (seven) working days from the date the personal data subject or his representative provides information confirming that the personal data was unlawfully obtained by the Operator or that the personal data is wholly or partially unnecessary for the stated processing purpose.

    7.5. In case of detecting unlawful processing of the subject's personal data, as well as upon receiving an appeal from the subject, his representative, or the authorized body for the protection of personal data subjects' rights, the Operator blocks the personal data for the duration of the check. Upon completion of the check, the Operator has the right, within 3 (three) working days from the date of detecting unlawful personal data processing, to cease their processing or, within 7 (seven) working days, to clarify the personal data and unblock them. If the Operator cannot ensure the lawfulness of personal data processing, then within 10 (ten) days from the establishment of unlawful processing, the personal data is destroyed.

    7.6. Upon achievement of the processing purpose or upon receiving a withdrawal of consent to personal data processing from the subject (in the absence of another basis for personal data processing), the Operator destroys or anonymizes the personal data within 30 (thirty) days.

    7.7. Upon receiving an appeal or request from the personal data subject, his representative, or from the authorized body for the protection of personal data subjects' rights, the Operator notifies them of the measures taken, which are provided for in this section, within 30 (thirty) days from the date of taking the corresponding measures.

    8. Protection Measures Implemented by the Operator During Personal Data Processing

    8.1. The Operator, when processing personal data, to comply with the provisions of Articles 18.1 and 19 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", takes the following measures:

    • development and adoption of local normative acts regulating the processing and protection of personal data by the Operator;
    • approval by the head of the Operator of a document defining the list of persons whose access to personal data processed in the information system is necessary for them to perform their official (labor) duties;
    • appointment of officials responsible for ensuring the security of personal data in information systems;
    • familiarization of employees who have access to subjects' personal data with the Operator's local normative acts;
    • organization of training and methodological work with employees who process personal data at the Operator;
    • ensuring security and access control in the premises where material carriers containing personal data of subjects are stored;
    • exercising internal control and audit of personal data processing processes for compliance with legislation, local normative acts of the Operator;
    • organizes the collection and storage of personal data using databases located on the territory of the Russian Federation;
    • categorizes subjects' personal data depending on the methods, purposes of personal data processing, the volume of personal data, possible harm that may be caused to personal data subjects as a result of violating personal data confidentiality;
    • defines protection measures for each category of personal data in local normative acts;

    8.2. To ensure the security of personal data, the Operator performs the following actions:

    • identifies actual threats to personal data security during their processing in the Operator's information system;
    • determines personal data protection levels;
    • uses information protection tools that have passed appropriate verification and ensure adequate protection of a specific category of personal data;
    • restores personal data that has been altered or destroyed as a result of unauthorized access to personal data and to the Operator's information system;
    • organizes control and accounting of actions of employees and other persons who have gained access to the Operator's information system;
    • uses antivirus protection on all Operator's devices connected to the information system;
    • organizes accounting and safekeeping of material carriers that contain personal data;

    8.3. Control over the relevance of the protection measures used by the Operator is carried out by the authorized employee of the Operator at least once every three years.

    9. Confidentiality

    9.1. The Operator recognizes personal data as confidential information and processes such information in accordance with legislation (Art. 7, Part 2 of Art. 18.1, Part 1 of Art. 19 of the Federal Law "On Personal Data") and local normative acts containing provisions on working with confidential information.

    9.2. Confidential information should be understood as information that the Operator received from the subject, including personal data, and for which the Operator has introduced a confidentiality regime. Confidentiality is the regime, means, and measures of protection that the Operator takes to protect confidential information from third parties.

    9.3. Confidentiality is not required with respect to:

    • personal data after their anonymization;
    • personal data, to which an unlimited circle of persons has been granted access by the personal data subject or at his request;
    • personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation.

    9.4. The provision by the Operator of information to third parties acting on the basis of a contract with the Operator for the fulfillment of obligations to the personal data subject does not constitute a violation of personal data confidentiality.

    10. Responses to Subject Requests

    10.1. The information specified in Part 7 of Article 14 of the Federal Law "On Personal Data" is provided to the personal data subject or his representative by the operator upon request or upon receiving a request from the personal data subject or his representative.

    10.2. The information is provided in an accessible form, and it does not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.

    10.3. The request is drawn up in free form, in legible font (handwriting) and must contain the data of the primary document identifying the personal data subject or his representative, information confirming the personal data subject's participation in relations with the Operator, or information otherwise confirming the fact of personal data processing by the Operator, the applicant's address for sending a response to the request, the signature (including electronic) of the personal data subject or his representative. If the request is signed by the representative of the personal data subject, a copy of the document confirming the representative's authority to act on behalf of the personal data subject must be attached to the request.

    10.4. If the appeal (request) of the personal data subject does not reflect all necessary information in accordance with the Policy and the requirements of the Federal Law "On Personal Data" or the subject does not have access rights to the requested information, the Operator has the right to request additional information or send a motivated refusal through the communication channel through which the Operator received the appeal.

    10.5. The right of the personal data subject to access his personal data may be restricted in accordance with Part 8 of Article 14 of the Federal Law "On Personal Data", including if the personal data subject's access to his personal data violates the rights and legitimate interests of third parties.

    10.6. A request, appeal from a personal data subject, or withdrawal of consent to personal data processing are considered received by the Operator on the date of registration of incoming correspondence with the Operator.