Personal Policy

1 Introduction

1.1 Purpose and applicability

This Policy on personal data processing (hereinafter - the Policy) is developed in compliance with the following main legislative acts of the Russian Federation on personal data (hereinafter - PD), regulatory and procedural documents issued by state executive authorities, and local documents on information security of LLC “Ingka Hanim Ltd.” (hereinafter - the Company):

  • Russian Federal Law No. 152-FZ of 27.07.2006 “On Personal Data” (hereinafter - 152-FZ)
  • Resolution No. 1119 of the Government of the Russian Federation of 01.11.2012 “On approval of requirements for protection of personal data when processing them in personal data information systems”
  • Resolution of the Government of the Russian Federation of 15.09.2008 No. 687 “On Approval of the Regulation on the processing of personal data carried out without automation facilities.”
  • Russian Labour Code
  • Information security rules for users.

The purpose of the Policy is to establish the procedure for processing and ensuring security of PD of employees and clients of the Company.

The Policy shall be reviewed and followed by all employees of the Company. Each employee of the Company, by signing the consent to the transfer and processing of his/her PD to the Company, certifies, in particular, that he/she has read and understood the Policy.

1.2 Terms and Definitions

Personal Data (PD) shall mean any information relating to an individual (an owner of personal data) who is or can be directly or indirectly identified.

Personal data processing shall mean actions (operations) with PD including the collection, retention, updating, changing, distribution, depersonalisation and destruction of PD.

Depersonalisation of personal data shall mean actions as a result of which it is impossible to determine which particular individual the PD belong to.

Personal Data Information System (PDIS) shall mean an information system that constitutes a set of PD contained in the database, as well as the information technologies and hardware ensuring PD processing.

Confidential data shall mean information of high priority for the business, the disclosure of which can lead to tangible financial losses, damage to the image of the Company and/or legal sanctions against the Company.

Personal data group owner is an employee of the Company who manages work flow in which the PD group is used, and therefore, is authorised to resolve issues related to the alteration of the PD group list, processing processes and the procedure for access to the data.

Responsible for arrangement of PD processing shall mean an appointed person responsible for arrangement and protection of PD in the Company, Information Security Manager.

2 Arrangement of Personal Data Processing

2.1 Guiding principles

The processing of personal data in the Company shall be based on the following principles:

  • PD shall be processed fairly and lawfully, and shall be collected for specific, explicit, and legitimate purposes.
  • PD content, scope and storage period shall correspond to the objectives of PD processing. PD shall be accurate and relevant.
  • Each PD group has its PD owner from among the managers of the work flow, in framework of which the PD group is processed. PD group owner shall control and be fully liable for processing of the data.
  • Ensure protection of PD and compliance with PDIS access mode in accordance with the information security rules of Ingka Group and the Company.
  • Third parties may access PD only with the consent of the PD owner, as well as on the grounds specified in the federal law or specified in the contract with the Company. In this case, the contract shall contain a provision on confidentiality and ensuring protection of PD.

2.2 Personal Data Processing Objectives

The Company declares the following PD processing objectives:

  • Ensuring compliance with the requirements of the Russian Federation Labour Code and other legislative acts of the Russian Federation;
  • Making the decision on candidates hiring, discharging the employer’s obligations under employment agreements and under civil law contracts;
  • Provision of social benefits, health insurance and recreation for employees of the Company;
  • Effective interaction with visitors, tenants, potential tenants, customers of Khimki Business Park Multifunctional Complex, Coworking PO2RT, Conference & Service Center of Khimki Business Park and users of the Company's electronic services;
  • Cooperation with clients and representatives of partners under contracts.

PD may be processed by authorised employees of the Company only for the purposes mentioned above.

2.3 Consent For Personal Data Processing

Processing of a certain category of PD may be carried out only with the consent of the PD owner or without the consent, if the processing of that PD category by the Company is stipulated by the requirements of the Russian Federation laws.

Upon receipt of the consent, PD owners shall be familiarised with the PD processing objectives, with the list of collected data and the list of actions with PD, on processing of which the consent is given. It is required to specify the period of validity of the consent and the procedure for withdrawal thereof.

The form of PD owner’s consent to his/her PD processing shall be developed in the Company’s appropriate unit that processes the PD. The Form shall be approved by the employee in charge of PD processing in the Company (see Chapter 4.4) and by the owner of the relevant PD category.

The Form of consent to PD processing is specific to each business process in the framework of which PD are processed, so the Form Template shall be developed jointly with an Employee responsible for PD processing arrangement in the Company.

2.4 Procedure and conditions for personal data processing

Collected personal data of the Russian Federation citizens must be recorded, systematised, accumulated, stored, clarified (updated, revised) and extracted with the use of databases located in the Russian Federation.

All PD both on paper and in electronic form may be obtained only from the PD owner himself/herself, with the exception of cases when PD are obtained from public sources (including catalogues, address books). If PD are obtained from a third party, PD owner shall be notified from whom the PD were received and for what purpose.

It is prohibited to request, receive and process PD concerning race or ethnicity, political opinions, religious or other beliefs. Processing of PD concerning the state of health is allowed only in cases stipulated by the effective laws of the Russian Federation.

Owners of PD groups shall control correct processing of PD during the whole cycle of use thereof in line with the logic of their business processes, including the destruction process (depersonalisation) of PD, after the objectives of the data processing have been achieved.

Employees of the Company shall have access to PD when it is necessary for business. All exceptions to this rule shall be approved by the Owner of the relevant group of PD.

If the Company entrusts processing of PD to a third party under an agreement, the agreement shall contain, as an essential condition, the purpose of the transfer and a list of categories of PD transferred for processing, as well as the obligation of the third party to ensure confidentiality of PD and security of PD during their processing.

If the Owner of the relevant group of PD or an appointed project manager wants to arrange a new procedure for processing of PD, introduce changes to the existing procedure for processing of PD, or transfer PD for processing to a third party, they shall consult the Responsible for arrangement of PD processing.

3 Personal Data Security

3.1 Confidentiality

PD security shall be achieved by eliminating unauthorized, including accidental access to personal data, that can result in the destruction, modification, blocking, copying, distribution of personal data, as well as other illegal actions. This is achieved by applying organizational measures and means for technical protection of information (e.g., encryption tools, access authorisation facilities, information leakage prevention), ensuring the availability, integrity and confidentiality of PD.

According to the information system classification approved in the Company, all PD, with the exception of PD, which are in the public domain, and, in some cases, depersonalised PD, are classified as confidential information, and all the protection measures identified in the information security documents for this category of data are applied to them.

PD and PD processing results can only be stored in authorized PDIS databases, on secure encrypted external electronic media, as well as in hard copies retained in places closed to public access.

The Company’s Employees authorised within the frameworks of performance of their job duties to access PD shall not distribute, disclose PD to third parties without the consent of PD owner, unless otherwise provided by the laws of the Russian Federation.

The Company transfers PD to third parties (receiving party) for processing only with the consent of the PD owner and only if it is necessary to achieve the objectives of the PD processing. An essential condition of the contract with the third party shall be the third party's obligation to ensure reliable protection of the transferred PD.

3.2 Access Authorisation

Basic rules for access to PD are the following:

  • Only an authorised employee of the Company may access PD, and only that part of the PD which is associated with his/her job duties. The Head of the Company’s Business Unit shall be responsible for monitoring the processing of PD by his/her employees, as well as for the timely withdrawal of access to PD from an employee in case the latter violates provisions hereof.
  • PD may be accessed only using a private password via standard IT services of the Company, set up in strict compliance with the need-to-know principle. An employee may not provide his/her access to other persons or use another person’s access for work with PD.
  • Workplaces of the Company’s employees engaged in PD processing shall be organised and supplied with everything required to prevent any unauthorized access to the electronic and paper documents that contain PD, including by someone looking over the employee's shoulder.

3.3 Rules for PD processing

Basic rules for PD processing by the Company’s employee:

  • Make the minimum required number of copies of electronic and paper documents with PD, promptly destroy unnecessary copies of documents.
  • Depersonalise PD before they are processed, if applicable.
  • Follow the Clear Desk and Clear Screen policy when working with PD.
  • PD transferred via unsecured means of communication, including the Internet, or PD on external storage media, shall be encrypted with the corporate standard encryption facilities.
  • It is prohibited to report, provide (orally or in writing) PD to other employees or third parties who are not authorised to have access to the PD.

4 Liability and Rights

4.1 Rights of Personal Data Owner

When processing PD it is necessary to secure the following rights of the owner in relation to his/her PD that are guaranteed to the owner by the laws of the Russian Federation:

  • The right to receive information on the content, objectives, methods, terms and legal basis of their PD processing.
  • The right to obtain information on the persons who may gain access to PD or process PD on behalf of the Company, and on actual or proposed cross-border transfer of PD.
  • The right to update their PD, as well as block or delete the PD that are inaccurate, illegally obtained or are not necessary for the stated purpose.

4.2 Person Responsible for Arrangement of Processing

In order to develop and implement measures to ensure PD security when they are processed in the Company’s PDIS, the official person responsible for arrangement of PD processing is determined by the Policy: Responsible for Arrangement of PD Processing. The official person, in particular, shall:

  • Implement internal control over compliance by the Company’s employees with the Russian Federation law on personal data and the Policy.
  • Bring to the attention of the Company’s employees the provisions of the Russian Federation law on PD and requirements of the Policy.
  • Arrange and supervise obtaining and processing of PD owner's complaints and requests.
  • Conduct inspection of security of PD processed in PDIS, including verification of user accesses to PD, implementation of security requirements of each PDIS, correct operation of PD security system, etc.

4.3 Liability of the Company

Pursuant to the requirements of 152-FZ, the Company:

  • Provides the PD owner at his/her request with information regarding the processing of his/her PD or provides a lawful refusal within thirty days from the date of receipt of the written request of the PD owner or his/her representative
  • Updates PD at the written request of the PD owner, blocks or deletes PD if they are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of the processing, within a period not exceeding seven working days from the date on which the PD owner or his/her representative submits evidence confirming those facts
  • Destroys (depersonalises) PD within 30 days when:
    • The objective of PD processing is achieved
    • It is no longer necessary to achieve objectives of the PD processing
    • PD owner withdraws his/her consent to his/her PD processing.
  • In the event of a request or inquiry of an authorized body protecting rights of owners of PD on reliability of PD or wrongful acts with them, the revealed violations shall be rectified. The Company shall inform the said body on rectification of the violation or on destruction of PD if it is impossible to rectify the violation in due time, within 10 working days.

The PD group owner initiates the process of PD destruction upon achievement of the objectives of processing thereof, or if it is no longer necessary to achieve those objectives. In other cases PD destruction shall be initiated by the Responsible for the arrangement of PD processing.

The person carrying out PD destruction shall draw up and sign the PD Destruction Report, which he/she shall send to the Responsible for PD processing arrangement.

4.4 Liability of Employee

Employees of the Company shall be personally liable for compliance with requirements to processing and security of PD established hereby. An employee of the Company may be made accountable in the event of:

  • deliberate or negligent disclosure of PD
  • loss of physical media that contain PD
  • violation of requirements of the Policy.

In the event of unauthorised access to PD, disclosure of PD, or infliction of financial or other damage on the Company, its employees or clients, the persons at fault shall bear liability stipulated by the laws of the Russian Federation.
