1.1. This Policy (hereinafter – the “Policy”) has been developed in accordance with the Constitution of the Russian Federation, the Labour Code of the Russian Federation, Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter – the “Personal Data Law”), and other regulatory legal acts in the field of personal data protection and processing.
1.2. The purpose of this Policy is to protect the personal data of individuals from unauthorized access and disclosure. Personal data is always confidential, strictly protected information.
1.3. The Policy comes into force from the moment of its approval and remains in effect indefinitely until replaced by a new Policy.
2.1. Personal Data (PD): Any information relating to a directly or indirectly identified or identifiable individual (data subject).
2.2. PD Subject: Any individual providing personal data to the Operator, including but not limited to: employees, representatives, members of management bodies, job applicants, employees or representatives of partners and clients.
2.3. Operator: The organization that, independently or jointly with others, organizes the processing of personal data and determines the purposes of processing, the content of personal data to be processed, and the actions (operations) performed with them. The Operator is JSC “ASTROS RUS”, located at: 188510, Russian Federation, Leningrad Region, Lomonosovsky Municipal District, Villovskoye Settlement, Territory of Industrial Zone “Gorelovka”, Quarter 5, Volzhskoye Shosse, Building 2a, Structure 8, Premises 100 (hereinafter – the Operator, the Company).
2.4. Processing of Personal Data: Any action (operation) or set of actions (operations) performed with or without automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.5. Automated Processing of Personal Data: Processing of personal data using computer technology.
2.6. Personal Data Information System (PDIS): The totality of personal data contained in databases and the information technologies and technical means ensuring their processing.
2.7. Personal Data Made Public by the PD Subject: PD to which access by an unlimited number of persons has been provided by the data subject or at their request.
2.8. Blocking of Personal Data: Temporary cessation of personal data processing (except where processing is necessary to clarify the data).
2.9. Destruction of Personal Data: Actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or which result in the destruction of the physical media containing the personal data.
2.10. Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor): The federal authority authorized to ensure and control compliance with personal data protection legislation.
2.11. Other Terms: Other terms not defined in this section of the Policy shall be applied in accordance with the legislation.
3.1. The key principles adhered to by Astros Logistics [1] when processing personal data comply with the requirements of Russian legislation.
3.2. The principles adhered to by the Operator are:
• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality/Security
• Accountability
3.3. Explanation of the Principles:
3.3.1. Lawfulness, Fairness, and Transparency. The Operator must process PD only on lawful grounds, have the consent of data subjects, process PD in good faith and fairly, and ensure that processing is clear and understandable to data subjects and other stakeholders.
3.3.2. Principle of Purpose Limitation. The Operator does not have the right to use data for purposes other than those for which it was granted rights by the data subject. The purposes of PD use must be defined in the Company’s documents.
3.3.3. Principle of Data Minimization. The Operator must not possess more data than is necessary for the processing purposes.
3.3.4. Principle of Accuracy. The Operator must take all necessary measures to ensure that the stored data is accurate and not misleading.
3.3.5. Principle of Storage Limitation. Personal data must be processed and stored only for as long as necessary to achieve the processing purposes. The Operator cannot store PD indefinitely.
3.3.6. Principle of Integrity and Confidentiality. The Operator is obliged to ensure the protection of PD at both the administrative and technical levels. Protection measures, including pseudonymization and encryption, must be proportionate to the volume of data processed and the potential damage from its leakage. Company employees must be instructed on PD handling procedures, and policies must be implemented with responsible persons appointed.
3.3.7. Principle of Accountability. The Operator is responsible for violations in the field of PD handling. This principle imposes on the Operator the obligation to comply with all other principles, including maintaining records of confidentiality, data protection, use, and verification, and appointing a data protection officer.
[1] Astros Logistics refers to the following legal entities: JSC “ASTROS RUS”, JSC “ASTROS LC”, LLC “RusIntert”, LLC “EMS Distribution”, LLC “ALERS TLR”, LLC “CUSTOMS”.
4.1. Purposes of personal data processing:
• Execution of labour relations, development and training of Employees, and other purposes established by labour legislation.
• Execution of civil-law relations.
• Conducting the Operator’s commercial activities.
• Conducting negotiations.
• Organizing access for individuals to the Operator’s territory.
• Ensuring the security of property and Employees.
• Fulfilling the Operator’s obligations to provide benefits and guarantees to its employees.
• Compliance with legal requirements, including tax and archival legislation.
4.2. The Operator processes personal data of the following PD subjects in accordance with the purposes specified in clause 4.1:
4.2.1. Individuals in an employment relationship with the Company (Employees).
4.2.2. Individuals who have resigned from the Company (Former Employees).
4.2.3. Individuals whose PD processing is necessary for providing benefits/guarantees to employees (Family Members).
4.2.4. Individuals who are job candidates, including students and interns (Applicants).
4.2.5. Individuals in civil-law relationships with the Company, including trainees (Contractors).
4.2.6. Individuals who are visitors to the Company (Visitors).
4.2.7. Individuals who are Employees or representatives of clients, partners (Clients).
4.3. This Policy governs the procedure for processing personal data of all specified categories of PD subjects.
4.4. Separate local regulations/policies may be adopted for specific categories of subjects if necessary for specific regulation of their personal data protection procedures, or if required by law (e.g., for Employees per the Labour Code).
5.1. Personal data is processed:
• in specific cases without obtaining the consent of the PD subject,
• with the written consent of the PD subject.
5.2. Processing without the subject’s consent occurs in the following cases:
• when processing is necessary for performing functions, powers, and duties imposed by Russian law;
• in other cases where such consent is not required by law according to Article 6 of the Personal Data Law.
5.3. Processing with the subject’s consent occurs in the following cases:
• when processing personal data made publicly available by the subject or at their request;
• in other cases not covered by Article 6 of the Personal Data Law.
5.4. The list of personal data processed with the subject’s consent is specified in the consent form, indicating the purposes of processing.
5.5. Before providing their PD, the subject must:
• review this Policy,
• provide the personal data required by law to achieve the processing purposes,
• give written consent for the processing of personal data not required by law but which the subject is willing to knowingly provide to the Operator for the purposes specified in such consent.
5.6. Consent can be given by the subject or their representative in any form that allows confirmation of its receipt, unless otherwise stipulated by federal law.
5.7. Consent can be formalized in the following ways:
• in hard copy with the subject’s handwritten signature,
• electronically using a digital signature, as prescribed by law,
• as a scanned document sent via email or other remote systems with additional sender identity verification.
5.8. The Operator uses standard consent forms developed in accordance with Article 9 of the Personal Data Law.
5.9. The PD subject is provided with a standard consent form to complete, sign, and submit to the Operator via the established company method.
5.10. The standard consent form for Employees is an appendix to the relevant policy, which employees review and sign before concluding an employment contract.
5.11. The PD subject decides freely and willingly to provide their personal data and give consent for processing. In the standard form, the subject must specify which data they permit or prohibit to be processed, setting limitations if necessary.
5.12. The standard consent form is a template developed per legislation; all data in the consent can be adjusted, corrected, or excluded by the subject, except where specific information is required by Article 9 of the Personal Data Law.
5.13. Consent must be specific, substantive, informed, conscious, and unambiguous.
5.14. If consent is obtained from the subject’s representative, the Operator verifies the representative’s authority.
5.15. Consent from individuals who are Employees or representatives of clients/partners is ensured by the legal entity that sent them. The Operator may request additional consent if more PD than needed for site access is processed.
5.16. Consent can be withdrawn by the subject in the following forms:
• hard copy with a handwritten signature, provided in any format personally or via mail,
• electronically using a digital signature, as prescribed by law,
• as a scanned document sent via email or other remote systems with additional sender identity verification.
5.17. If consent is withdrawn, the Operator may continue processing PD as required by law without consent.
6.1. Obtaining PD.
6.1.1. The Operator obtains all PD directly from the subject with their consent. If PD can only be obtained from a third party, the subject must be notified or their consent obtained.
6.1.2. The Operator must inform the subject of the purposes, intended sources, methods of obtaining PD, the nature of the PD, the list of actions, the consent validity period, withdrawal procedure, and consequences of refusal.
6.1.3. Documents containing PD are created by:
• copying original documents (with written consent),
• entering information into the Operator’s accounting forms,
• obtaining original documents as required by law,
• other methods consistent with legislation.
6.2. Processing PD.
6.2.1. Processing is conducted:
• using automation means,
• without using automation means.
6.3. Storage of PD.
6.3.1. PD may be obtained, processed, and stored on paper or electronically.
6.3.2. PD on paper are stored in locked cabinets or rooms with restricted access.
6.3.3. PD processed automatically for different purposes are stored in separate folders.
6.3.4. Storing documents containing PD in open electronic directories is prohibited.
6.3.5. PD is stored no longer than required by the processing purposes and is destroyed upon achieving the purposes or if no longer necessary.
6.3.6. Electronic storage is permitted on servers located within the Russian Federation.
6.4. Destruction of PD.
6.4.1. The procedure for destruction is defined by a separate internal act of the Operator, in accordance with legal requirements.
6.4.2. Destruction of documents/media containing PD is carried out by burning, shredding, chemical decomposition, or rendering into an amorphous mass/powder. Shredding is permitted for paper documents.
6.4.3. PD on electronic media are destroyed by erasure or formatting.
6.4.4. The fact of destruction is documented by a certificate of destruction.
6.5. Transfer of PD to Third Parties.
6.5.1. The Operator transfers PD to third parties in the following cases:
• the subject has given consent,
• transfer is provided for by Russian or other applicable law.
6.5.2. List of entities to whom PD is transferred as required by law (consent not required):
• Social Fund of Russia (SFR),
• Tax authorities,
• Military commissariats and other structures responsible for military registration and defence,
• Statistical bodies (depersonalized data),
• Other legal entities as mandated by law.
6.5.3. List of entities to whom PD is transferred based on subject consent:
• Medical insurance organizations (except as provided by law),
• Banks for transferring funds to individuals,
• Other legal entities (counterparties, partners).
6.5.4. PD is transferred only in the volume necessary, so as to avoid excessive disclosure.
7.1. In accordance with regulatory requirements, the Operator has established a Personal Data Protection System (PDPS), consisting of legal, organizational, and technical protection subsystems.
7.2. The legal protection subsystem comprises a set of legal, organizational, administrative, and regulatory documents ensuring the creation, operation, and improvement of the PDPS.
7.3. The organizational protection subsystem includes the management structure of the PDPS, an access control system, and information protection when working with Employees, partners, and third parties.
7.4. The technical protection subsystem includes a complex of technical, software, and hardware-software tools ensuring PD protection.
7.5. Key protection measures used by the Operator include:
7.5.1. Appointing a person responsible for PD processing, who organizes processing, training, instruction, and internal control over compliance.
7.5.2. Identifying current security threats to PD during processing and developing measures for protection.
7.5.3. Developing a policy regarding the processing of personal data.
7.5.4. Establishing rules for access to PD processed in the information system, ensuring logging of all actions performed with PD.
7.5.5. Assigning individual access passwords for Employees based on their job duties.
7.5.6. Use of information security tools that have undergone the established conformity assessment procedure.
7.5.7. Certified antivirus software with regularly updated databases.
7.5.8. Compliance with conditions ensuring PD integrity and preventing unauthorized access.
7.5.9. Detection of incidents of unauthorized access to personal data and implementation of corrective measures.
7.5.10. Restoration of PD modified or destroyed due to unauthorized access.
7.5.11. Training for the Operator’s employees directly involved in PD processing on Russian PD legislation requirements, including protection requirements, documents defining the Operator’s PD processing policy, and local acts on PD processing.
7.5.12. Implementation of internal control and audit.
8.1. The Company has established rules for access to processed PD.
8.2. To ensure PD integrity and confidentiality, all operations related to processing and storing PD must be performed by Company employees within their official duties.
8.3. The following have access to PD:
8.3.1. Full Access:
• General Director
• IT Director
8.3.2. Limited Access (required for performing job functions):
• HR Director
• HR Department employees
• Department heads (access to their subordinates’ data)
• Accounting employees
• Legal Department employees
• Finance Department employees
• Customer Service Group employees
• Administrative Group
• IT Department
• System Administration and Technical Support Group
8.4. Personal files and documents containing PD are stored in locked cabinets protecting against unauthorized access.
8.5. Personal computers containing PD are protected by access passwords.
9.1. PD Subject Rights:
9.1.1. The subject has the right to access their PD and the following information:
• Confirmation of PD processing
• Legal grounds and purposes of PD processing
• PD processing methods
• PD storage location, information about persons with access to PD
• PD processing periods, including storage terms
• Name and address of the processor acting on the Operator’s behalf
9.1.2. The PD subject has the right to contact the Operator and send requests through official communication channels.
9.1.3. The subject has the right to appeal the Operator’s actions or inaction.
9.1.4. The subject has the right to withdraw their PD, except where processing is required by law.
9.2. PD Subject Obligations:
• Provide the Operator with accurate PD
• Promptly inform the Operator about PD changes
9.3. Operator Obligations:
• Comply with current legislation governing PD processing and protection
• Adhere to this Policy and procedures established by other local acts
10.1. The Company ensures unrestricted access to this Personal Data Processing Policy by publishing it on the website astroslogistics.ru, on the internal portal, and by making it available in open access on paper media and through other methods.
10.2. The Operator’s internal local acts and documents on PD processing and protection are provided in accordance with the procedure established by legislation.