Skip to main content

Personal data processing policy of TopTech limited liability company

    1. General

    1.1. This Personal Data Processing Policy of Toptech Limited Liability Company (hereinafter referred to as the Policy) has been developed pursuant to the requirements of Article 18.1, part 1, paragraph 2 of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (hereinafter referred to as the Per-sonal Data Law) in order to ensure the protection of human and civil rights and freedoms in the pro-cessing of personal data, including protection of the rights to privacy, personal and family secrecy.

    1.2. The Policy applies to all personal data processed by Toptech Limited Liability Company (hereinafter referred to as the Controller, Toptech LLC).

    1.3. The Policy applies to the relations in the area of personal data processing arising for the Controller both before and after the approval of this Policy.

    1.4. Pursuant to the requirements of Article 18.1, part 2 of the Personal Data Law, this Policy is made publicly available on the Controller’s website in the Internet.

    1.5. Main terms used in the Policy:

    • Personal Data shall mean any information related to an individual (a personal data subject) di-rectly or indirectly identified or identifiable
    • Personal Data Controller (Controller) shall mean a state authority, municipal authority, legal entity or individual, independently or jointly with other persons organizing and/or carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data
    • Personal Data Processing shall mean any action (operation) or set of actions (operations) with personal data performed with or without the use of automation equipment. Personal Data Pro-cessing includes, but is not limited to:
      • collection,
      • recording,
      • systematization,
      • accumulation,
      • storage,
      • adjustment (update, modification),
      • recovery,
      • use,
      • transfer (distribution, provision, access),
      • anonymization,
      • blocking,
      • deletion,
      • destruction
    • Automated Personal Data Processing shall mean processing of personal data by computerized means
    • Personal Data Distribution shall mean actions aimed at disclosure of personal data to an in-definite number of persons
    • Personal Data Provision shall mean actions aimed at disclosure of personal data to a specific person or number of persons
    • Personal Data Blocking shall mean temporary cessation of personal data processing (excluding cases when processing is necessary to update personal data)
    • Personal Data Destruction shall mean actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which tangible media containing personal data are destroyed
    • Personal Data Anonymization shall mean actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular personal data subject without using ad-ditional information
    • Personal Data Information System shall mean a set of information technology and technical means contained in databases of personal data and ensuring their processing
    • Cross-Border Transfer of Personal Data shall mean transfer of personal data to the territory of a foreign country to a foreign authority, a foreign individual or a foreign legal entity.

    1.6. Main rights and obligations of the Controller.

    1.6.1. The Controller shall have the right to:

    • independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Personal Data Law and regulations adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws
    • entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with such person. The person processing personal data on the instruction of the Controller shall comply with the principles and rules of personal data processing stipulated by the Personal Data Law, observe confidentiality of personal data, take necessary measures aimed at ensuring fulfillment of obligations stipulated by the Personal Data Law
    • in case the personal data subject revokes his/her consent to personal data processing, the Controller has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified in the Personal Data Law.

    1.6.2. The Controller shall:

    • organize personal data processing in accordance with the requirements of the Personal Data Law
    • respond to applications and requests of personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law
    • report the necessary information to the authorized agency for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)) at the request of that agency within 10 business days from the date of receipt of such a request. The stated time may be extended by no more than five business days. For this purpose, the Controller shall send Roskomnadzor a substantiated notification specifying the reasons for extension of time for providing the requested information
    • in accordance with the procedure determined by the federal agency authorized in the area of se-curity, ensure interaction with the state system of detection, prevention and liquidation of con-sequences of computer attacks on information resources of the Russian Federation, including informing it of computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data.

    1.7. Main rights of the personal data subject. The personal data subject shall have the right to:

    • receive information regarding the processing of his/her personal data, except as provided by federal laws. The Controller shall provide information to the personal data subject in an accessible form, and such information shall not contain personal data related to other personal data subjects, unless there are legitimate grounds for disclosure of such personal data. The list of information and the procedure for its receipt are stipulated by the Personal Data Law
    • require the controller to update his/her personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as take measures provided by law to protect his/her rights
    • impose a condition of preliminary consent when processing personal data for the purpose of marketing goods, works and services
    • appeal to Roskomnadzor or in court against unlawful acts or omissions of the Controller in processing his/her personal data.

    1.8. Compliance with the requirements of this Policy shall be controlled by the agent responsible for the organization of personal data processing at the Controller.

    1.9. Liability for violation of the requirements of the legislation of the Russian Federation and regulations of Toptech LLC in the area of processing and protection of personal data shall be determined according to the legislation of the Russian Federation.

    2. Purposes of Personal Data Collection

    2.1. Personal data processing is limited to the achievement of specific, predetermined and legitimate pur-poses. Personal data processing inconsistent with the purposes of personal data collection is not al-lowed.

    2.2. Only the personal data that meet the purposes, for which they are processed, shall be processed.

    2.3. The Controller shall process personal data for the following purposes:

    • ensuring compliance with the Constitution of the Russian Federation, federal laws and other regulations of the Russian Federation,
    • carrying out of its activity according to the Articles of Association of Toptech LLC,
    • maintaining personnel records,
    • assisting employees in employment, education and promotion, ensuring personal safety of em-ployees, controlling the quantity and quality of work performed, ensuring the safety of property,
    • engaging and selecting candidates for employment with the Controller,
    • organizing individual (personified) registration of employees in the compulsory pension in-surance system,
    • completing and submitting required reporting forms to executive agencies and other authorized entities,
    • acting within civil law relations,
    • keeping accounts,
    • implementing access control.

    2.4. Personal data of employees may be processed solely for the purpose of ensuring compliance with laws and other regulations.

    3. Legal Grounds for Personal Data Processing

    3.1. A legal ground for personal data processing is a set of regulations, pursuant to and according to which the Controller processes personal data, including:

    • the Constitution of the Russian Federation,
    • the Civil Code of the Russian Federation,
    • the Labor Code of the Russian Federation,
    • the Tax Code of the Russian Federation,
    • Federal Law No. 14-FZ dated February 08, 1998, On Limited Liability Companies,
    • Federal Law No. 402-FZ dated December 06, 2011, On Accounting,
    • Federal Law No. 167-FZ dated December 15, 2001, On Compulsory Pension Insurance in the Russian Federation,
    • other Regulations governing relations connected to the Controller’s activity.

    3.2. The following documents also form the legal basis for personal data processing:

    • the Articles of Association of Toptech LLC,
    • agreements made between the Controller and personal data subjects,
    • consent of the personal data subjects to processing of their personal data.

    4. Scope and Categories of Personal Data Processed; Categories of Personal Data Subjects

    4.1. The content and the volume of personal data processed shall be consistent with the stated purposes of processing set out in Section 2 of this Policy. The personal data processed shall not fall beyond the scope of the stated purposes of their processing.

    4.2. The Controller may process personal data of the following categories of personal data subjects.

    4.2.1. Candidates for employment with the Controller:

    • full name,
    • gender,
    • citizenship,
    • date and place of birth,
    • contact details,
    • information on education, work experience, qualifications,
    • other personal data provided by candidates in their resumes and cover letters.

    4.2.2. Employees and former employees of the Controller:

    • full name,
    • gender,
    • citizenship,
    • date and place of birth,
    • image (photo),
    • passport data,
    • address of registration at the place of residence,
    • actual residence address,
    • contact details,
    • taxpayer identification number,
    • insurance individual account number (SNILS),
    • information on education, qualifications, professional training and professional development,
    • marital status, parental status, family relations,
    • information on labor activity, including incentives, awards and/or disciplinary penalties,
    • information on marriage registration,
    • information on military registration,
    • information on disability,
    • information on alimony withholding,
    • information on income from previous employment,
    • other personal data provided by employees as required by labor legislation.

    4.2.3. Family members of the Controller’s employees:

    • full name,
    • degree of kinship,
    • year of birth,
    • other personal data provided by employees as required by labor legislation.

    4.2.4. Clients and counterparties of the Controller (individuals):

    • full name,
    • date and place of birth,
    • passport data,
    • address of registration at the place of residence,
    • contact details,
    • position,
    • taxpayer identification number,
    • settlement account number,
    • other personal data provided by clients and counterparties (individuals) necessary for execution and performance of agreements.

    4.2.5. Agents (employees) of clients and counterparties of the Controller (legal entities):

    • full name,
    • passport data,
    • contact details,
    • position,
    • other personal data provided by agents (employees) of clients and counterparties necessary for execution and performance of agreements.

    4.3. Biometric personal data (information that characterizes physiological and biological features of a person, on the basis of which his/her identity can be established) shall be processed by the Controller in accordance with the legislation of the Russian Federation. Provision of biometric personal data may not be mandatory, except as provided by law. The Controller shall not require the personal data subject to provide his/her biometric personal data and/or give consent to their processing, if, according to the federal law, it is not mandatory for the controller to obtain consent to the processing of biometric personal data.

    4.4. The Controller does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, state of health, intimate life, except as provided by the leg-islation of the Russian Federation.

    5. Personal Data Processing Procedure Conditions

    5.1. Personal data shall be processed by the Controller as required by the legislation of the Russian Fed-eration.

    5.2. Personal data shall be processed with the consent of personal data subjects to the processing of their personal data, as well as without the same in cases provided by the legislation of the Russian Federation.

    5.3. The Controller carries out both automated and non-automated processing of personal data.

    5.4. The Controller’s employees whose job description includes personal data processing are allowed to process personal data.

    5.5. Personal data shall be processed by:

    • obtaining personal data orally and in writing directly from personal data subjects,
    • obtaining personal data from readily available sources,
    • entering personal data into the Controller’s logs, registers and information systems,
    • using other means of personal data processing.

    5.6. Personal data may not be disclosed to third parties or distributed without the consent of the personal data subject, unless otherwise provided by federal law. Consent to processing of personal data authorized by the personal data subject for distribution shall be executed separately from other consents of the per-sonal data subject to the processing of his/her personal data.

    The requirements for the contents of the consent to processing of personal data authorized by the personal data subject for distribution are approved by Roskomnadzor Order No. 18 dated February 24, 2021.

    5.7. Personal data shall be transferred to inquiry and investigation agencies, the Federal Tax Service, the Social Fund of Russia and other authorized executive agencies and entities as required by the legislation of the Russian Federation.

    5.8. The Controller shall take the necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including such measures as:

    • identifying security threats to personal data during their processing,
    • adopting local regulations and other documents governing relations in the area of personal data processing and protection,
    • appointing persons responsible for ensuring personal data security in business units and in-formation systems of the Controller,
    • creating the necessary conditions for work with personal data,
    • organizing registration of documents containing personal data,
    • organizing work with information systems where personal data are processed,
    • storing personal data in conditions that ensure their safety and prevent unauthorized access to them,
    • organizes training of the Controller’s employees processing personal data.

    5.9. The Controller shall store personal data in a form that allows identifying the personal data subject for no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by a federal law, an agreement.

    5.10. When collecting personal data, including through the Internet, the Controller shall ensure recording, systematization, accumulation, storage, adjustment (update, modification), recovery of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except as specified in the Personal Data Law.

    6. Update, Correction, Deletion and Destructionof Personal Data; Responses to Requests of Subjectsfor Access to Personal Data

    6.1. Confirmation of the fact of personal data processing by the Controller, legal grounds and purposes of personal data processing, as well as other information specified in Article 14, part 7 of the Personal Data Law shall be provided by the Controller to the personal data subject or his/her agent within 10 business days from the time of application or receipt of the request of the personal data subject or his/her agent. The stated time may be extended by no more than five business days. For this purpose, the Controller shall send the personal data subject a substantiated notification specifying the reasons for extension of time for providing the requested information.

    The information provided shall not include personal data related to other personal data subjects, unless there are legitimate grounds for disclosure of such personal data.

    The request shall contain:

    • the number of the main identity document of the personal data subject or his/her agent, information on the date of issue of the said document and the issuing authority,
    • the information confirming the personal data subject’s participation in relations with the Con-troller (agreement number, date of agreement conclusion, conventional verbal mark and/or other information), or information otherwise confirming the fact of personal data processing by the Controller,
    • the signature of the personal data subject or his/her agent.

    The request may be sent in the form of an electronic document and signed with an electronic signature according to the legislation of the Russian Federation.

    If an application (request) of the personal data subject does not reflect all the necessary information as required by the Personal Data Law or the subject does not have rights of access to the requested in-formation, a substantiated refusal shall be sent to him/her.

    The right of the personal data subject to access his/her personal data may be restricted according to Article 14, part 8 of the Personal Data Law, including if the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

    6.2. In the event that inaccurate personal data are revealed upon application of a personal data subject or his/her agent or at their request or at the request of Roskomnadzor, the Controller shall block personal data related to such personal data subject from the time of such application or receipt of the said request for the period of verification, if blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

    If the fact of inaccuracy of personal data is confirmed, the Controller, based on the information provided by the personal data subject or his/her agent or Roskomnadzor, or other necessary documents, shall update the personal data within seven business days from the date of provision of such information and unblock personal data.

    6.3. In case of detection of unlawful processing of personal data upon application (request) of the personal data subject or his/her agent or Roskomnadzor, the Controller shall block the unlawfully processed personal data related to such personal data subject from the time of such application or request.

    6.4. If the Controller, Roskomnadzor or any other interested party reveals the fact of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data) resulting in violation of rights of personal data subjects, the Controller shall:

    • within 24 hours, notify Roskomnadzor of the incident, the supposed reasons that resulted in the violation of the rights of personal data subjects, the probable damage caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, as well as provide information on the person authorized by the Controller to liaise with Roskom-nadzor on issues related to the incident,
    • within 72 hours, notify Roskomnadzor of the results of the internal investigation of the revealed incident and provide information on the persons whose actions caused the incident (if any).

    6.5. When the purposes of personal data processing are achieved, as well as in case the personal data subject withdraws consent to their processing, the personal data shall be destroyed:

    • unless otherwise provided by the agreement to which the personal data subject is a party, bene-ficiary or guarantor,
    • if the Controller may not carry out processing without the consent of the personal data subject on the grounds provided by the Personal Data Law or other federal laws,
    • unless otherwise provided by another agreement between the Controller and the personal data subject.

    6.6. If the personal data subject submits a request to stop processing personal data to the Controller, within a period not exceeding 10 business days from the date of receipt of the relevant request by the Con-troller, the processing of personal data shall be stopped, except as provided by the Personal Data Law. The stated time may be extended by no more than five business days. For this purpose, the Controller shall send the personal data subject a substantiated notification specifying the reasons for extension of time.

    Contact us

    Please feel free to raise any questions

    © TopTech LLC, 2022-2025

    All materials on this website are the intellectual property of TopTech LLC. All rights are reserved and belong to TopTech LLC. It is prohibited to copy, distribute (including by copying to other sites and resources on the internet) or any other use of information and materials without the prior consent of the copyright holder.