Personal Data Processing Policy

1. General Provisions

• 1.1. This Personal Data Processing Policy of Icewood LLC (hereinafter – the Controller) (hereinafter – the Policy) defines the procedure and conditions for processing personal data, as well as measures to ensure its security.
• 1.2. The Policy has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, Federal Law No. 152-FZ of 27.07.2006 "On Personal Data," as well as other normative legal acts of the Russian Federation.
• 1.3. The purpose of the Policy is to ensure the protection of the rights and freedoms of an individual and a citizen when processing their personal data, as well as to comply with the requirements of the legislation of the Russian Federation in the field of personal data.
• 1.4. Key concepts used in the Policy:
  • personal data — any information relating directly or indirectly to an identified or identifiable natural person (data subject);
  • controller — a person who organizes and/or carries out the processing of personal data and determines the purposes and scope of the personal data to be processed;
  • processing of personal data — any action (operation) with personal data, including collection, storage, use, transfer, depersonalization, and destruction;
  • confidentiality of personal data — the obligation of the controller and other persons who have gained access to personal data not to allow its dissemination without the consent of the subject or the existence of other legal grounds./

2. Purposes of Personal Data Processing

The Controller processes personal data solely for the following purposes:

• preparation, conclusion, and execution of civil law contracts;
• maintaining HR and accounting records;
• ensuring compliance with the labor legislation of the Russian Federation;
• ensuring compliance with the tax legislation of the Russian Federation;
• ensuring compliance with the pension legislation of the Russian Federation;
• ensuring compliance with the social insurance legislation of the Russian Federation;
• recruitment of personnel (candidates) for the Controller's vacant positions;
• processing inquiries and applications from visitors to the Controller's website for the purpose of subsequent interaction.

3. Legal Basis for Personal Data Processing

The processing of personal data by the Controller is carried out on the basis of:

• The Labor Code of the Russian Federation;
• The Tax Code of the Russian Federation;
• Federal Law No. 27-FZ of 01.04.1996 "On Individual (Personified) Accounting in the Compulsory Pension Insurance System";
• Federal Law No. 167-FZ of 15.12.2001 "On Compulsory Pension Insurance in the Russian Federation";
• Federal Law No. 165-FZ of 16.07.1999 "On the Fundamentals of Compulsory Social Insurance";
• civil law contracts concluded with data subjects or their representatives;
• consent of data subjects to the processing of their personal data (in cases where such processing is based on consent).

4. Scope of Processed Personal Data and Categories of Subjects

4.1. The personal data processed may include:

• last name, first name, patronymic;
• date and place of birth;
• address of registration and residence;
• contact details (phone number, email address);
• position, profession;
• data from an identity document;
• SNILS (Individual Insurance Account Number), TIN (Taxpayer Identification Number);
• information on employment history (work experience, employment details, work record book);
• information on education, qualifications, and educational documents;
• bank details for salary payment;
• other personal data provided by data subjects in the course of executing a contract or applying for a vacancy.

4.2. Categories of data subjects:

• employees of the Controller, former employees, candidates for vacant positions;
• counterparties (natural persons);
• representatives of counterparties (legal entities);
• clients and website visitors

5. Procedure and Conditions for Personal Data Processing

• 5.1. Personal data is processed using mixed methods (both automated and non-automated processing).
• 5.2. Personal data may be transferred:
  • via the Controller's internal network (for accounting and document management);
  • via the Internet (when using electronic document management systems, as well as when working with the feedback form on the website).
• 5.3. The processing of personal data shall cease upon achievement of the processing purposes, expiration of storage periods, withdrawal of consent by the data subject, or liquidation of the Controller.
• 5.4. Personal data is stored on the territory of the Russian Federation in data centers that comply with legal requirements.
• 5.5. The website uses cookies and the Yandex.Metrica analytics service (YANDEX LLC, 16 L. Tolstoy St., Moscow, 119021, Russia) to collect and analyze anonymized data about the actions of website visitors, as well as to improve its performance and the quality of services provided. The Yandex.Metrica service automatically receives and processes data transmitted by the user's browser, including IP address, cookie information, device parameters, and on-site actions. This data is processed in an anonymized form and used exclusively for statistical purposes. A website visitor may refuse the use of cookies by changing their browser settings or block the transfer of data to Yandex.Metrica using the browser add-on: https://yandex.ru/support/metrica/ru/general/opt-out.html.

6. Measures to Ensure the Security of Personal Data

The Controller takes the necessary organizational and technical measures to protect personal data, including:

• appointing a person responsible for organizing the processing of personal data;
• developing and approving local regulations on the processing and protection of personal data;
• using certified information security tools, including antivirus software and encryption tools (CIPF KS1, CryptoPro CSP 5.0);
• restricting and recording employee access to personal data;
• logging and recording all actions with personal data in information systems;
• data backup and recovery;
• organizing a security regime for the premises where personal data is processed;
• conducting internal audits for compliance of personal data processing with legal requirements.

7. Rights of Data Subjects and Procedure for Their Exercise

• 7.1. Data subjects have the right to receive information about the fact, purposes, and methods of processing their personal data, as well as to access their personal data.
• 7.2. A data subject has the right to demand the clarification, blocking, or destruction of their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing.
• 7.3. To exercise their rights, data subjects may send a written request to the Controller's address: bldg. 1A, 20 Kulakova St., Strogino municipal district, Moscow, 123592, or by email: mail@icewood.net.

8. Final Provisions

• 8.1. This Policy is a publicly available document and shall be posted on the Controller's official website.
• 8.2. The Controller has the right to amend the Policy in the event of changes in the legislation of the Russian Federation or its own internal procedures.
• 8.3. The current version of the Policy is always available on the Controller's website.