APPROVED
Order of the Director General No. unnumb.
June 30, 2017

POLICY
in respect of personal data processing on "Ivastroy, LLC"

1. GENERAL PROVISIONS

1.1. This document determines the policy (hereinafter - the Policy) of Ivastroy LLC (hereinafter - the Company) concerning the processing of personal data.
1.2. This Policy is elaborated and approved in accordance with the requirements of article 18.1 of Federal Law dated 27.07.2006 No. 152-FZ On Personal Data and is valid in relation to all personal data, processed in the Company.
1.3. Purpose of this Policy is the provision of protection of the human rights and liberties in the course of processing of his personal data, as well as interests of the Company.
1.4. This Policy determines the goals, principles and conditions of processing of personal data of employees and other persons, whose personal data are processed by the Company, as well as includes the list of measures, used for the purpose of provision of safety of personal data in the course of its processing.

2. GENERAL TERMS AND DEFINITIONS

Personal data automatic processing – personal data processing using computer technology means.
Biometric personal data – information which characterizes physiological and biological peculiarities of a human, on the basis of which his/her personality can be ascertained, and which are used by an operator to ascertain personality of personal data subject.
Personal data blocking – personal data processing temporary extinction (with the exception of cases when processing is necessary to make personal data more exact).
Personal data safety – personal data security state characterized by the ability of users, technical means and information technologies to provide personal data confidentiality, integrity and accessibility at processing in information systems of personal data.
Personal data information system – package of personal data bases, information technologies and technical means, which enable to realize such personal data processing using automation devices or without them.
Personal data confidentiality – obligatory requirement to the Company or the other those who gets an access to personal data not to distribute personal data without the consent of personal data subject or without some other legal grounds.
Personal data processing – any action (operation) or combination of actions (operations) made with personal data using automation devices or without them, including selection, recording, systematization, accumulation, storage, making more exact (updating, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion of personal data.
Accessible personal data – personal data, access to which for unlimited number of persons is given with the consent of personal data subject, or those data, for which confidentiality maintenance requirement is not valid according to Federal laws.
Personal data depersonalization – actions resulting in impossibility to define without additional information who is the owner of personal data.
Operator – State body, municipal body, legal of physical person, who without assistance or jointly with the other persons arranges or carries out personal data processing, and who defines the purposes of processing of personal data which should be processed, and actions (operations) with personal data.
Personal data granting – actions made to disclose personal data to a certain person of a certain circle of persons.
Personal data – any information concerning directly or indirectly defined or being defined physical person (personal data subject). Special categories of personal data – personal data concerning racial, national origin, political views, religious or philosophical convictions, state of health and intimate life of personal data subject.
Company website – package of programs for computers or some other information, access to which is provided using "Internet" (laikovo-gorod.ru).
Personal data transboundary transfer – personal data transfer to the territory of a foreign state, foreign physical person or foreign legal person.
Personal data deletion – actions resulting in impossibility to restore the contents of personal data in information system of personal data, and/or resulting in deletion of personal data material objects.

3. POBJECTIVES OF PERSONAL DATA PROCESSING

3.1. The Company processes personal data with the following objectives:
- provision of observation of the Constitution of the Russian Federation, legal and other normative acts of the Russian Federation, local normative acts of the Company;
- conclusion with the personal data owner of any contracts and agreements, as well as its further implementation;
- performance of obligations under the apartment blocks management contracts;
- provision of information concerning the Company, its services, special proposals and events;
- communications with the personal data owner;
- submission of news items to the personal data owner;
- provision of functioning, safety and improvement of quality of the Company’s sites;
- as well as other purposes, achievement of which is not prohibited by the federal law, international agreements of the Russian Federation.

4. CLASSIFICATION OF PERSONAL DATA AND CATEGORIES OF THE SUBJECTS, WHOSE PERSONAL DATA ARE PROCESSED IN THE COMPANY

4.1. Personal data include any information relating to a directly or indirectly defined or definable individual (personal data subject), which is processed by the Company for the achievement of above mentioned objectives.
4.2. The Company doesn’t perform the processing of special categories of data, connected with the ethnicity, national identity, political opinions, religious and philosophic convictions, state of health, intimate life, previous convictions of the physical bodies, if otherwise is not stated by the law of the Russian Federation.
4.3. The Company performs the processing of personal data of the following categories of the personal data owners:
- physical bodies, expressed their intention to conclude any contracts and agreements with the Company;
- physical bodies, concluded any contracts and agreements with the Company;
- physical bodies, personal data of whom were made public and its processing doesn’t breach their rights and corresponds to the requirements, set by law concerning personal data;
- physical bodies, which are owners, tenants and other persons, registered at the place of living/ residence in the premises of the apartment blocks;
- other physical bodies, expressed their consent for the processing by the Company of their personal data, or processing personal data of whom is required to the Company for the performance of obligations, implementation of the functions and other powers, set and/or provided by the international agreement or the law of the Russian Federation.

5. UNDERLYING PRINCIPLES OF PERSONAL DATA PROCESSING

5.1. Processing of personal data in the Company is carried out on the basis of the following principles:
- legality of the means and methods of personal data processing;
- correspondence of the purposes of personal data processing to the goals that are set out and announced at the time of personal data collection;
- correspondence of the content and scope of the processed personal data, as well as means of its processing to the stated objectives of the processing;
- accuracy of personal data, its sufficiency for the objectives of the processing, inadmissibility of processing of personal data, which are excess in relation to the objectives, stated in the course of collection of such personal data;
- inadmissibility of processing of personal data, incompatible with the objectives of collection of personal data;
- inadmissibility of integration of data basis, containing personal data, processing of which is performed for the purposes, incompatible with each other;
- provision of storage of personal data within the period, not exceeding the period, required for the objectives of personal data processing, if the term of storage of personal data is not set by the federal law, agreement, under which the personal data owner is the party, beneficiary or receiver;
- destruction or depersonalisation of personal data upon the achievement of the processing objectives or in case if there is no further need in the achievement of these objectives, if otherwise is not set by the law of the Russian Federation, agreement, under which the personal data owner is the party, beneficiary or receiver;
- provision of confidentiality and safety of the processed personal data.

6. CONDITIONS OF PERSONAL DATA PROCESSING

6.1. Personal data processing is performed with the observance of the principles and rules, set by the Federal Law dated July 27, 2006 No. 152 - FZ On Personal Data.
6.2. The Company shall process personal data with or without usage of automation devices.
6.3. The Company may include the personal data owners into the public sources of personal data, moreover the Company shall take written consent of the personal data owners for the processing of their data.
6.4. Biometric personal data are not processed in the Company.
6.5. The Company doesn’t perform trans-border transfer of personal data.
6.6. Taking of the decisions only on the basis of automated processing of personal data, which result in the legal consequences in relation to the personal data owners or otherwise influence at their rights and legal interests, is not performed.
6.7. In case when there is no need in written consent of the personal data owner for the processing of his data, consent of the data owner may be provided by the personal data owner or his representative in any form, which allows to get the fact of its receipt.
6.8. The Company is entitled to charge the processing of personal data to another party with the consent of the personal data owner, if otherwise is not stated by the federal law, on the basis of the contract, concluded with this party (hereinafter - charge of the operator). At that the Company shall oblige the person, performing the processing of personal data under the charge of the Company, shall obey the principles and rules of personal data processing, provided by the Federal law dated July 27, 2006 No 152-FZ On Personal Data.
6.9. Provision of access of the state authorities (including control, supervisory, law enforcement and other authorities) to personal data, processed by the Company, shall be performed in accordance with the procedure, set by the RF law.

7. RIGHTS AND LIABILITIES OF THE PERSONAL DATA OWNER

7.1. The personal data owner is entitled to:
- receive information connected with the processing of his personal data in accordance with the procedure, in form and terms, set by the law on personal data;
- require specification of his personal data, its blocking and destruction in case if personal data are not full, if they are outdated, incorrect, if they are unduly received, or if they are not required for the stated objective of the processing;
- take measures for the protection of his rights, provided by law;
- withdraw his consent to the processing of personal data;
7.2. The personal data owner is obliged to provide the full, correct and accurate information concerning his personal data.

8. RIGHTS AND LIABILITIES OF THE COMPANY IN THE COURSE OF PERSONAL DATA PROCESSING

8.1. The Company is entitled to:
- process personal data of the personal data owner in accordance with the stated objective;
- require from the personal data owner of the provision of accurate personal data, required for the conclusion, implementation of the contract, rendering of the purposes, identification of the personal data owner, as well as in other cases provided by law on personal data;
- restrict the access of the personal data owner to his personal data in case if the processing of personal data is performed in accordance with the law concerning the counteraction of the legitimization (laundering) of the proceeds of crime and the financing of terrorism, access of the personal data owner to his personal data breaches the rights and legal interests of the third parties, as well as in other cases provided by law of the Russian Federation;
- process publicly available persona data of the physical bodies;
- process personal data, which shall be published or obligatory disclosed in accordance with the law of the Russian Federation;
- clarify personal data, block and destroy the data in case if personal data are not full, if they are outdated, incorrect, if they are unduly received, or if they are not required for the stated objective of the processing;
- charge personal data processing to another person with the consent of the personal data owner.
8.2. In accordance with the requirements of the federal Law dated July 27, 2006 No 152-FZ On Personal Data the Company is obliged to:
- provide the personal data owner (upon his request) information concerning the processing of his personal data or provide the refusal in case if there is legal justification.
- upon the request of the personal data owner, clarify personal data, block and destroy the data in case if personal data are not full, if they are outdated, incorrect, if they are unduly received, or if they are not required for the stated objective of the processing;
- maintain registration of requests of the personal data owners;
- notify the personal data owner concerning the processing of personal data in case if personal data were received not from the personal data owner except for the cases provided by the RF law.
- in case of achievement of the objective of personal data processing, stop personal data processing and destroy the following personal data in terms, not exceeding thirty days since the date of achievement of the objective of data processing, if otherwise is not set by the contract, under which the personal data owner is the party, beneficiary or receiver, other agreement between the Company and the personal data owner;
- in case of withdrawal by the personal data owner of consent for the processing of his personal data processing, and destroy personal data in terms, not exceeding thirty days since the date of receipt of above mentioned withdrawal, if otherwise is not set by the contract, under which the personal data owner is the party, beneficiary or receiver, other agreement between the Company and the personal data owner; The Company is obliged and shall oblige other parties, receiving the access to personal data, not to disclose them to the third parties and not to distribute personal data without the consent of the personal data owner, if otherwise is not set by the federal law.

9. DATA CONCERNING THE MEASURES OF PERSONAL DATA PROTECTION, REALIZED IN THE COMPANY

9.1. In the course of personal data processing the Company shall take the required legal, organizational and technical measures for the protection of personal data from the illegal or accidental access to them, destruction, change, blocking, copying, rendering, distribution of personal data, as well as other illegal actions in relation to personal data.
9.2. Data concerning the measures of personal data protection, realized in the company
9.3. In order to avoid the damage in the course of personal data processing, the following personal data protection measures are realized in the Company:
Legal measures consist of the following:
- Provision of instructions to all the employees of the Company concerning the requirement of acting law in the sphere of personal data processing;
- Study and application of the legal mechanisms, aimed at the minimization of damage and harm to the personal data owners;
- Development, acceptance and observation of local acts concerning personal data issues.
Organizational measures consist of the following:
- Systematic awareness-raising activities with the employees of the Company concerning the issues of avoidance of damage to the personal data owners;
- Recruitment of the qualified employees;
- Charging of the duties concerning the explanation of this policy to the person, responsible for the processing of personal data of the Company.
Technical measures include the following:
- Avoidance of leakage of confidential information, inter information, which is considered to be trade and business secret by means of provision of special premises for the purpose of processing and storage of this information;
- Provision of informational safety of personal data operators, uninterrupted functioning of technical means of personal data processing. The term ‘technical means, which allow to perform personal data processing’ means computer equipment, computer information complexes and nets, means and systems of transfer, receipt and processing of personal data (means and systems of audio recording, sound amplification, audio reproduction, intercommunication equipment, TV devices, means of production, reproduction of the documents and other technical means of processing of the verbal, graphic, video and alphanumeric information), software (operational systems, data base control systems etc), information protection means, used in the informational systems;
- Provision of physical safety of the objects which are on the balance sheet of the Company;
- Provision of physical safety of the employees of the Company in the course of performance of their job duties, comfortable moral and psychological climate and environment of business cooperation among the employees of the Company;
- Immediate restoration of personal data, modified or destroyed in the result of illegal access to them;
- Permanent control of the provision of personal data safety level in accordance with the requirements of the Order of the RF Government dated 01.11.2012 No 1119 On approving of the requirements on personal data protection in the course of its processing in personal data IT systems.

10. LIABILITY OF THE COMPANY

10.1. Control for the performance of requirements of this Policy, rules and requirements, applied in the course of personal data processing in the Company, shall be performed by the persons, appointed by the order of the executive authority of the Company.
10.2. The Company, as well as its officers and employees bear responsibility for the nonobservance of the principles and conditions of personal data processing, as well as disclosure and illegal usage of personal data, in accordance with the law of the Russian Federation.

11. FINAL PROVISIONS

11.1. This Policy is an internal document of the Company, is publicly available and shall be published at the official web-site of the Company.
11.2. This Policy enters into force since the moment of its approval by the executive authority of the Company.
11.3. This Policy shall be reviewed due to the change of the RF law in the sphere of processing and protection of personal data, according to the results of assessment of relevance, sufficiency and efficiency of the measures, realized by the Company for the protection of personal data.

12. FEEDBACK

12.1. Contact data of the Company for personal data subjects applications on personal data issues:
- E-mail: info@laikovo.ru.
- Postal address: 141400, Moscow region, city of Khimki, Mezhdunarodny block, Pokrovskaya street, bld. 1, premises 301, room No. 12.