GSE JSC PERSONAL DATA PROCESSING POLICY

1. General

1.1. This Personal Data Processing Policy of GSE JSC has been developed pursuant to Clause 2, Part 1, Article 18.1 of Federal Law “On Personal Data” No. 152-FZ dated July 27, 2006, and is intended to provide unrestricted access to information concerning personal data processing and information on the personal data protection requirements being implemented.

1.2. This Policy describes the procedure for processing and protecting personal data of individuals for the purposes specified in Section 4.

1.3. Personal data are classified as confidential information and are subject to protection from unauthorized and accidental access thereto.

2. Key personal data concepts

1) Personal data – any information relating directly or indirectly to an identified or identifiable individual (personal data subject);

2) Operator – any state authority, municipal body, legal entity or individual who, independently or jointly with other persons, organizes and/or performs the processing of personal data and determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) to be performed with personal data;

3) Personal data processing – any action (operation) or set of actions (operations) performed, with or without the use of automation tools, with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of personal data;

4) Automated processing of personal data – processing of personal data using computer technology;

5) Dissemination of personal data – any actions aimed at disclosing personal data to an indefinite number of persons;

6) Provision of personal data – any actions aimed at disclosing personal data to a specific person or a specific number of persons;

7) Blocking of personal data – temporary termination of personal data processing (except in cases where processing is required to clarify personal data);

8) Destruction of personal data – any actions that render it impossible to restore the contents of personal data in the personal data information system and/or result in the destruction of tangible media containing personal data;

9) Anonymization of personal data – any actions that make it impossible to determine, without the use of additional information, whether or not personal data concerned belongs to a specific personal data subject;

10) Personal data information system – a set of personal data contained in personal data databases and information technologies and technical aids that ensure the processing thereof;

11) Cross-border personal data transfer – transfer of personal data to a foreign government agency, a foreign individual, or a foreign legal entity located on the territory of a foreign state;

12) Personal data authorized for dissemination by a personal data subject – personal data access to which has been granted by a personal data subject to an unlimited number of persons by giving their consent to the processing of personal data authorized by such personal data subject for dissemination.

3. Principles and terms of personal data processing

3.1. When processing personal data, GSE JSC shall be guided by the following principles:

- Personal data shall only be processed where there are lawful grounds to do so.
- Personal data processing shall be limited to achieving specific, predetermined and legitimate purposes.
- Merging of databases containing personal data processed for incompatible purposes shall not be allowed.
- Only those personal data that meet the purposes of processing thereof shall be processed.
- The content and scope of personal data processed (avoiding excessive data) shall be in line with the purposes of processing declared.
- Personal data shall be accurate, adequate and, where necessary, relevant in relation to the purposes of personal data processing.
- Personal data shall be stored in a form providing for identification of a personal data subject, and they may not be retained any longer than is required for the purposes of personal data processing where no personal data retention period is set by Russian Federation law or an agreement to which such personal data subject is a party, beneficiary or surety.

3.2. Personal data may be processed by GSE JSC in the following cases:

- Consent to personal data processing has been granted by a personal data subject.
- Personal data processing is required for the exercise and performance of functions, powers, and duties imposed on the operator by the Russian Federation law.
- Processing of personal data is performed in connection with an individual’s involvement in constitutional, civil, administrative, criminal or arbitration proceedings.
- Processing of personal data is required for the enforcement of a court ruling, as provided for by Russian Federation law on enforcement proceedings.
- Processing of personal data is required for the performance of an agreement to which a data subject is a party, beneficiary or surety, as well as for entering into an agreement initiated by a data subject.
- Processing of personal data is necessary to protect life, health or other vital interests of a data subject where such data subject’s consent cannot be obtained.
- Processing of personal data is required for the exercise of the rights and legitimate interests of the operator or third parties, or the achievement of socially meaningful goals, provided that no rights and freedoms of the data subject are violated thereby.
- Processing of personal data for statistical or other research purposes, subject to compulsory anonymization.
- Processing of personal data that are subject to publication or statutory disclosure, as provided for by Russian Federation law.

4. Purposes of personal data processing

4.1. Staff recruitment including the recruitment and selection of personnel (applicants) for job vacancies; applicant screening.

Categories and list of personal data processed: last name, given name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; e-mail address; residential address; registration address; telephone number; Personal Insurance Account Number (SNILS); Taxpayer Identification Number (TIN); citizenship; ID document details; profession; position; employment history; education data; personal qualities data; photograph; age; city of residence; information on advanced training, courses completed; foreign languages spoken; expected salary; driving experience; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: job seekers. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the purpose of processing is achieved. Personal data retention period: 30 days following the decision to deny employment.

4.2. Keeping HR records and HR management including compliance with labor law; keeping employees’ personal records in paper form; assisting employees in getting education and promotions; briefing employees on occupational and fire safety, civil defense and emergency response; special assessment of working conditions (SAWC); professional risks assessment; conducting medical examinations; keeping employee military service records; providing practical training.

Categories and list of personal data processed: last name, given name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; e-mail address; residential address; registration address; telephone number; Personal Insurance Account Number (SNILS); Taxpayer Identification Number (TIN); citizenship; ID document details; profession; position; employment history; military service history; military registration data; education data; previous last name, given name and patronymic; data on advanced training, assessment, awards; foreign languages spoken and proficiency levels; family members; degree of kinship; data on awards, rewards and honorary titles; vacation information; base salary; employee identification number; date and number of the employment contract; relatives’ years of birth; data on professional assessment, advanced training and professional retraining; and on social benefits; unit; length of service; driver's license details; foreign languages spoken; military ID details; name of educational institution; special categories: health information; biometric data: not processed; Subject categories whose personal data are processed: employees; employees’ relatives; dismissed employees; students. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until employment relations are terminated; until the purpose of processing is achieved. Personal data retention period: 50 years.

4.3. Providing additional benefits and incentives to employees including employee motivation; additional employee insurance; providing financial aid to employees; congratulating employees on various occasions.

Categories and list of personal data processed: last name, given name, patronymic; date of birth; position; employment history; photograph; type of award; organization; length of service in the industry, organization; previous awards; description of achievements; year of birth; month of birth; residential address; telephone number; citizenship; marital status; bank card details; details of the document that entitles an employee to financial assistance (death certificate, birth certificate, etc.); unit; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: employees; employees’ relatives. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until employment relations are terminated; until the purpose of processing is achieved. Personal data retention period: 50 years.

4.4. Providing for employee operations including the issuance of powers of attorney; issuance of electronic signatures; issuance of business cards; compiling an internal contact directory; organizing business trips; making arrangements for remote (distance) work; providing corporate mobile communications; providing company vehicles; providing special-purpose clothing and uniforms.

Categories and list of personal data processed: last name, given name, patronymic; registration address; ID document details; position; organization; year of birth; month of birth; date of birth; e-mail address; telephone number; Personal Insurance Account Number (SNILS); Taxpayer Identification Number (TIN); photograph; department; driver’s license details; unit; clothing and footwear sizes; name of personal protective equipment (PPE); special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: employees; legal representatives. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the purpose of processing is achieved; until employment relations are terminated. Personal data retention period: 5 years.

4.5. Ensuring safety and security including ensuring access control; organizing access to customers’ facilities; identifying and investigating security incidents.

Categories and list of personal data processed: last name, given name, patronymic; ID document details; position; organization; photograph; year of birth; month of birth; date of birth; place of birth; registration address; Personal Insurance Account Number (SNILS); e-mail address; telephone number; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: employees; visitors; operator’s employees; employees of subcontractor organizations and suppliers; dismissed employees; affected persons; guilty persons. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the purpose of processing is achieved. Personal data retention period: 10 years.

4.6. Carrying out core (business) activities including pre-contractual work; entering into agreements; processing requests and communicating with personal data subjects; providing access to restricted online resource functions; claim handling.

Categories and list of personal data processed: last name, given name, patronymic; year of birth; month of birth; date of birth; place of birth; e-mail address; registration address; telephone number; Personal Insurance Account Number (SNILS); Taxpayer Identification Number (TIN); ID document details; bank account number; position; Primary State Registration Number (OGRN) (for private entrepreneurs); bank details; organization; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: counterparties; counterparties’ representatives; customers; online service users. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the purpose of processing is achieved. Personal data retention period: 5 years.

4.7. Keeping tax and accounting records including keeping primary documents; salary calculations; organizing a payroll project; making settlements with personal data subjects; making tax deductions and social welfare contributions; exercising due diligence when selecting counterparties.

Categories and list of personal data processed: last name, given name, patronymic; year of birth; month of birth; date of birth; place of birth; e-mail address; registration address; telephone number; Taxpayer Identification Number (TIN); ID document details; position; organization; bank details; Primary State Registration Number (OGRN) (for private entrepreneurs); income; bank card details; settlement account number; personal account number; employment history; Personal Insurance Account Number (SNILS); gender; citizenship; document details contained in the birth certificate; profession; unit; deduction amounts; vacation information; tax benefits data; Private Entrepreneur’s Primary State Registration Number; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: counterparties; counterparties’ representatives; employees; employees’ relatives; dismissed employees. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the agreement is terminated; until employment relations are terminated; until the purpose of processing is achieved. Personal data retention period: 50 years.

4.8. Providing for governing bodies’ activities including keeping the company’s shareholder register; organizing general meetings and governing bodies’ meetings.

Categories and list of personal data processed: last name, given name, patronymic; year of birth; month of birth; date of birth; place of birth; registration address; Taxpayer Identification Number (TIN); ID document details; number and type of shares; e-mail address; residential address; telephone number; special categories: not processed; biometric data: not processed; Subject categories whose personal data are processed: shareholders; members. Personal data processing methods: mixed with personal data transferred via the legal entity’s internal network and via the Internet. Duration of personal data processing: until the purpose of processing is achieved. Personal data retention period: permanently.

5. Personal data processing

5.1. Personal data shall be obtained directly from a personal data subject or from another person authorized by the subject to provide their personal data.

5.2. When collecting personal data, including via the Internet information and telecommunication system, personal data of citizens of the Russian Federation shall be recorded, systematized, accumulated, stored, clarified (updated, amended) and retrieved using databases located on the territory of the Russian Federation.

5.3. The processing of personal data may be assigned to a third party with the consent of the personal data subject or on the grounds provided for by Russian Federation law. A person processing personal data according to such assignment shall not be required to obtain subjects’ consents to the processing of their personal data.

5.4. Personal data shall be stored in a form providing for identification of a personal data subject, and they may not be retained any longer than is required for the purposes of personal data processing where no personal data retention period is set by Russian Federation law or an agreement to which such personal data subject is a party.

5.5. Personal data shall be stored in a manner that ensures confidentiality thereof.

5.6. Personal data may only be transferred to third parties with the consent of the data subject concerned or as provided for by Russian Federation law.

5.7. Disclosure of personal data to third parties for commercial purposes without the consent of the data subject concerned shall not be permitted. Processing of personal data for the purpose of promoting goods, works and services on the market, as well as for political solicitation shall only be permitted with the data subject’s prior consent.

6. Dissemination of personal data

6.1. Processing of personal data authorized for dissemination by a personal data subject shall be performed as required by Russian Federation personal data law.

6.2. The consent given by a personal data subject to the processing of their personal data authorized for dissemination shall be separate from any other consents to personal data processing given by such personal data subject.

6.3. Where personal data are disclosed by a personal data subject, at their own discretion, to an indefinite number of persons using GSE JSC website functions or services without giving an appropriate consent, further dissemination by other operators of such personal data shall only be permitted with the respective subject’s consent to the processing of personal data authorized for dissemination.

6.4. A personal data subject’s consent to the processing of personal data authorized for dissemination by such personal data subject may impose bans on the transfer (except for granting access) of such personal data by the operator to an indefinite number of persons, as well as bans on the processing or the terms of processing (except for gaining access) of such personal data by an indefinite number of persons.

7. Procedure for interaction with personal data subjects

7.1. Any subject whose personal data is processed by GSE JSC shall have the right of access to their personal data, including the following information:

- confirmation to the effect that personal data is being processed;
- legal grounds for and purposes of personal data processing;
- purposes and personal data processing methods used;
- name and location of the operator, data on the persons (excluding the operator’s employees) who have access to personal data or to whom personal data may be disclosed under a contract with the operator or Russian Federation law;
- list of personal data being processed in relation to a respective data subject and the source of such personal data;
- processing duration of personal data and the retention periods thereof;
- procedure for a data subject to exercise their rights provided for by Russian Federation law;
- information on the effected or proposed cross-border transfers of personal data;
- full name of the person performing the processing of personal data as assigned by the operator where personal data processing is assigned to a third party;
- information on the techniques used by the operator to perform its obligations prescribed by Article 18.1 of Federal Law “On Personal Data” No. 152-FZ.

7.2. GSE JSC shall provide the information specified in Clause 7.1 within ten business days following the receipt of a relevant request from a data subject or their legal representative using the same form in which the request was received (unless otherwise specified in the request). No response to a request shall contain personal data related to other data subjects, unless there are legal grounds for disclosing such personal data. The response period to the request may be extended, but by no more than five business days, provided that the operator gives the data subject a substantiated notice specifying the reasons for such extension.

7.3. A request submitted by a data subject or their representative shall specify:

- the number of the primary ID document of the data subject or their representative;
- information on the issuance date of the aforesaid document and the issuing authority;
- information confirming the relationship between the data subject and GSE JSC (contract number, contract data and other information) or information otherwise confirming the processing of personal data by GSE JSC;
- personal data subject’s or their representative’s signature.

7.4. A personal data subject may not submit a repeated request to GSE JSC for information specified in Clause 7.1 until the expiry of thirty days following the date on which the initial inquiry was made or initial request was submitted.

7.5. A personal data subject may request their personal data to be clarified, blocked or destroyed if their personal data being processed by GSE JSC is incomplete, outdated, inaccurate, illegally obtained or no longer required for the processing purpose declared.

7.6. A personal data subject may revoke their consent to the processing of personal data if such consent has been given. A letter revoking consent shall be sent by the personal data subject to GSE JSC and must contain the information specified in Clause 7.3. Should the personal data subject revoke their consent to the processing of personal data, GSE JSC may continue processing their personal data without the subject’s consent, provided that it has grounds to do so as stipulated by Russian Federation law or an agreement to which the personal data subject is a party, beneficiary or surety.

8. Performance of statutory duties

8.1. To ensure performance by GSE JSC of its duties provided for by Personal Data Law of the Russian Federation, it shall take the following steps:

- appoint a person in charge of organizing personal data processing;
- issue documents defining its personal data processing policy, bylaws regarding personal data processing and bylaws setting out the procedures aimed at preventing and detecting violations of Russian Federation law and eliminating the consequences of such violations;
- apply legal, organizational and technical measures to ensure the safety and security of personal data;
- exercise internal control to ensure compliance of personal data processing with statutory requirements of the Russian Federation;
- assess the damage that may be done to personal data subjects in the event of a violation of Russian Federation law;
- familiarize GSE JSC employees with the provisions of Russian Federation law and GSE JSC bylaws.

8.2. Should any unauthorized or accidental transfer (provision, dissemination or access) of personal data be discovered resulting in a violation of personal data subjects’ rights, GSE JSC shall notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor):

- within 24 hours following the discovery, about the incident, probable causes of the violation of personal data subjects’ rights, probable damage caused to personal data subjects’ rights and the measures being taken to rectify the consequences of the incident, including information about the liaison officer to be contacted for matters related to the incident discovered;
- within 72 hours following the discovery, about the internal incident investigation findings and the names of the persons whose actions caused the incident (if any).

9. Protection of personal data

9.1. When processing personal data, necessary legal, organizational, and technical measures shall be taken to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision or dissemination, as well as other wrongful actions in respect of personal data.

9.2. To ensure the safety and security of personal data, the following activities shall be undertaken by GSE JSC:

- identifying potential threats to the safety and security of personal data during the processing thereof in personal data information systems;
- taking organizational and technical measures to ensure the safety and security of personal data during the processing thereof in personal data information systems, which measures shall ensure compliance with statutory personal data security levels;
- assessing the effectiveness of the measures being taken to ensure the safety and security of personal data processed in personal data information systems;
- keeping records of hardware personal data media;
- detecting unauthorized access to personal data and responding to such incidents;
- restoring personal data that were modified or destroyed as a result of unauthorized access thereto;
- setting the rules of access to personal data processed in personal data information systems;
- registering and recording the actions performed with personal data in personal data information systems;
- monitoring the measures being taken to ensure the safety and security of personal data in accordance with statutory security levels of personal data.

10. Liability

GSE JSC employees and other persons who were granted access to personal data shall be subject to disciplinary and administrative sanctions and held liable under civil and criminal law for violating the requirements set by Russian Federation law and GSE JSC’s Regulations on Personal Data Processing and Protection, and other bylaws.

11. Final provisions

11.1. This policy is freely accessible to all interested parties, including personal data subjects and the authorities performing monitoring and supervisory functions in the area of personal data.

11.2. This Policy shall take effect once it has been approved, and continue indefinitely. Any and all amendments to this Policy shall be made by separate instruments issued by GSE JSC.

12. Details and contact information

Full name: Globalstroy-Engineering Joint Stock Company.
Abbreviated name: GSE JSC.
TIN: 8608020333
Mailing address for inquiries: 15 Ibragimova St., Bldg. 2, 105318, Moscow, Russia
E-mail for inquiries: info@globse.com