RUS

Personal Data Privacy Policy

This Privacy Policy regulates the confidentiality and protection of personal data processed via the Website and uses the following terms and abbreviations:

Automated Data ProcessingPD processing by automated means; this involves the processing of PD based on predefined algorithms using computer infrastructure, including without limitation PIMS, information and telecommunication networks, AWS, and/or machine-readable media.
AWSan automated workstation consisting of software and hardware (i.e. desktop or portable computing devices) designed to execute specific tasks without human intervention for a particular category of users or tasks.
PIMSa personal information management system that includes all PD stored in databases, as well as the information technologies and hardware used to process such data.
Physical Data Mediuma physical object, such as a paper document or a hardware device, used to record and store voice, sound, or visual information (including PD and processed information).
Manual Data ProcessingPD processing without the use of automated means; this involves algorithm-based searching, accessing, using, updating, disseminating and/or destroying the PD of each PD Subject1 stored on physical data media and/or organised PD sets (such as paper-based filing systems, PIMS databases, electronic files stored on AWS) with direct human intervention.
PD Processingan action/operation or a set of actions/operations performed on PD by automated means and/or manually.
OperatorAsari Legal AB, a Moscow-based law firm(having its registered office at Room 40, Office I, Floor 5, 2 Tsvetnoy Boulevard, 127051 Moscow) which, independently or jointly with other parties, organises and/or performs PD processing, defines the purposes of the PD processing, sets the scope of PD to be processed, and determines operations/actions to be executed on PD.
PDpersonal data, i.e. any information relating to a directly or indirectly identified or identifiable individual (a PD Subject).
Policythe Operator’s Policy on personal data processing and privacy.
User or PD Subjectan individual who accesses or visits the Website and/or otherwise uses its functionality, including but not limited to viewing or searching information available on the Website, registering an account on it, submitting web forms, etc.
Russiathe Russian Federation.
Websitean Internet site operated for the Operator’s benefit and located at https://asari.legal/.
PETsprivacy-enhancing technologies.
Agreementa non-fee agreement between the Operator and the User regulating the use of the Website.
Contentlegally protectable intellectual property on the Website, including literary works (texts, titles, forewords, and annotations); articles; illustrations and cover artwork; music with or without words; graphics and photographs; any derivatives or compilations thereof; user and visual interfaces; brand names and logos; computer software and databases; creative design, structure, specific choice, and coordination of information, its visual representation, the overall “look and feel” and layout of the Website, as well as any other intellectual property elements, whether viewed individually or as a whole.
Monitoring Terms and Conditionsan appendix to the User Agreement regulating data processing and the use of monitoring technologies.
Servicesaccess to the Website’s electronic content, including the right to view and download this content, and to its search and navigation tools.
Law 152-FZRussian Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.

 

Table of Contents

Table of Contents

1. General 4

2. PD Processing Principles, Purposes, and Scope. 4

3. PD Collection and Processing. 5

4. PD Sharing. 6

5. Cessation of Processing and Destruction. 6

6. Processing Management and PD Security. 8

7. Rights of PD Subjects. 9

8.  PD Protection Officer 9

9. Approval and Updates. 10

10. Liability. 10

1.                General

  • In processing PD, the Operator prioritises the principles of legality, fairness, confidentiality, and data security.
    • This Privacy Policy:
  • has been designed to ensure compliance with the applicable PD processing and privacy laws of the Russian Federation.
  • is a public declaration of the Operator’s conceptual principles underlying the processing and protection of PD collected through the Website.
  • outlines the methods and principles used by the Operator to process PD, the Operator’s rights and obligations, the rights of the Users as PD subjects, and measures taken by the Operator to ensure PD security during processing.
  • The Operator has also adopted the Conceptual Framework for PD Processing and Security, which is available for review upon request.

2.                PD Processing Principles, Purposes, and Scope 

  • The Operator processes PD in compliance with the principles of Article 5 of Law No. 152-FZ.
    • Subject to the laws on PD, the Operator performs the following actions to process PD collected via the Website:
Processing PurposesPD Categories and ElementsPD SubjectsLegal Grounds for PD ProcessingProcessing Methods and ActivitiesProcessing and Retention Periods
To improve and enhance the Operator’s activities, in particular through: implementation, analysis, management, enhancement/optimisation, and development of: — safe and productive interaction with Website users/visitors, including their identification, authentication and/or authorisation; prevention of illegal or unauthorised actions and fraud; information security — personalised user experience which includes tailored services, functions, features, options, and recommendations reflecting the User’s needs, interests, preferences, and expectations — efficient User support to address difficulties or incidents   marketing and promotion of the Operator’s products and brand through tailored marketing communications, specifically, targeted marketing messages and personalised and non-personalised advertising (including online advertising)Last name, first name, patronymic Date of birth Contact details Participation in events Professional background and occupation Job title, corporate division, employer Professional and/or academic interests Communication and information exchange patterns Participation in joint activities Data on the User’s device Browser data Internet connection details Visitation and usage of Web resources User’s consent (in particular, to PD processing)Website Users and visitors, whether registered or not Operator’s employees Attorneys Legal interns Event participants IntervieweesPD subject’s consent (under Articles 6(1)(1) and 10.1(1) of Law No. 152-FZ) Operator’s contract with the PD subject (Article 6(1)(5) of Law No. 152-FZ) Rights and/or legitimate interests of the Operator or third parties (Article 6(1)(7) of Law No. 152-FZ)The Operator processes PD using both automatic and manual methods, which includes: collecting, recording, categorising, accumulating, retaining, updating (revising or modifying), extracting, receiving, searching, copying, matching/comparing, merging/binding, using, sharing (transmitting, accessing, distributing), blocking, deleting, and destroying PD    Up to three (3) years after the end of the Website usage (for instance, registration/account termination), unless otherwise required by applicable law, PD subject’s consent, a contract/agreement between the Operator and the PD subject, or the respective policies/rules of third-party cookie providers

3.                PD Collection and Processing

  • The Operator processes the following PD:
    • data and documents submitted by the User or their representative,
    • data from public and/or open sources (such as social media, public databases, etc.),
    • data provided by the appropriate authorities and entities, the Operator’s counterparties, and other stakeholders,
    • site interaction data,
    • User behaviour analytics,
    • datasets generated by matching (comparing) and merging (binding) PD (for instance, to predict the User’s likelihood of collaboration).
  • Unless the applicable PD laws of the Russian Federation otherwise provide, as part of the PD processing, the Operator records, categorises, accumulates, stores, updates (reviews or modifies), and extracts Russian nationals’ PD using databases located in Russia.
  • The Operator does not make any decisions based solely on the automated PD processing that create legal consequences for PD subjects or otherwise affect their rights or legitimate interests.
  • The Operator does not use automated technologies to provide personalised content based on the collection, categorisation, and analysis of User preferences (recommendation engines).

4.                PD Sharing

  • The Operator may engage third parties for PD processing by outsourcing PD processing to third-party providers and/or by sharing PD with third parties without outsourcing, including cross-border data transfer to recipients in the United States, European Union member states, or other foreign jurisdictions that ensure an adequate level of protection for PD subjects’ rights. The Operator may only engage third parties, provided that their engagement is strictly limited to the extent necessary to achieve the purposes of PD processing, and will ensure that each third party is bound by obligations of confidentiality and PD protection (should a third party fail to comply with the provisions of this clause, it will be held liable under the corresponding contracts with the Operator and/or under applicable laws). Such third parties may be:
    • persons listed in clause 7.3.1 of the User Agreement
    • the Website hosting provider
    • user behaviour analytics providers as specified in clause 20 of the User Agreement
    • third-party vendors that provide Website security, functionality, performance, efficiency, and personalisation services as specified in clause 20 of the User Agreement.
    • Third-party providers for PD processing will be chosen based on the relations existing between the Operator and the PD subject in compliance with applicable law, agreements between the Operator and the PD subject, and the PD subject’s consent to PD processing.

5.                Cessation of Processing and Destruction

  • The Operator ceases PD processing in the following instances:
    • The purpose of the PD processing has been achieved or the retention deadline has been reached.
    • The purpose of the PD processing is no longer relevant.
    • Unauthorised PD processing has been identified, including the unauthorised receipt of PD or collection of PD irrelevant to the stated processing purpose.
    • Lawful processing is no longer possible.
    • The PD subject withdraws their consent to PD processing, provided that the PD is no longer required to be retained to achieve processing purposes.
    • Except as otherwise required by law, the PD subject requests that the Operator cease PD processing.
    • The statute of limitation (including for legal claims) has expired for the arrangements under which the PD is or was being processed.
    • The Operator goes into liquidation or certain type of corporate reorganisation.
    • Subject to the provisions of Law No. 152-FZ, the Operator ceases processing by:
      • blocking the PD,
      • destroying the PD, or
      • retaining it as specifically required under the Russian laws on archiving
    • If lawful processing of PD is no longer possible, the original purpose of the processing has been achieved, or the PD subject has withdrawn their consent to PD processing and/or requested cessation, but it is impossible to destroy the PD by the deadlines specified in Law No. 152-FZ (provided that retention of such PD is no longer required for processing purposes), the Operator shall block such PD and destroy it within six (6) months, unless a different timeframe is provided for by applicable law.
    • PD must be destroyed in a manner that prevents any possibility of recovery. If PD cannot be destroyed without damaging their physical medium beyond further use for the intended purpose, then PD must be destroyed together with the physical medium.
    • PD destruction must be documented in accordance with the requirements of the relevant authority mandated to protect the rights of PD subjects.

6.                Processing Management and PD Security

  • When processing PD through the Website, the Operator will implement legal, administrative, and technical measures as required to protect PD from unauthorised or accidental access, destruction, modification, blocking, copying, disclosure, distribution, or other improper handling. Specifically, the following measures are employed to ensure PD security (depending on their applicability based on processing methods and specifics):
    • A PD protection officer has been appointed.
    • The Operator has adopted PD processing policies, bylaws, and internal procedures designed to prevent, identify, and rectify violations of the PD laws.
    • The Operator has implemented internal controls and/or conducted audits to ensure that PD processing complies with Law No. 152-FZ, its subordinate regulations, PD protection requirements, and the Operator’s own PD processing policies and bylaws.
    • Subject to the requirements of the relevant Russian authority mandated to protect the rights of PD subjects, the Operator has assessed the harm that PD subjects may suffer in the event of violations of applicable PD laws, and the adequacy of the measures implemented by the Operator to ensure its compliance with such laws.
    • Parties engaged (permitted) by the Operator for PD processing are provided with and/or are trained in the requirements of applicable PD legislation, including PD protection requirements, the Operator’s policy documents on PD processing, and internal regulations on matters related to PD processing;
    • The Operator has implemented administrative and/or technical measures to ensure secure PD processing; specifically, the Operator has utilised PIMS as necessary to maintain the confidentiality, integrity, availability, and resilience of processes and/or systems used for PD processing.
    • The Operator maintains the capability to restore PD modified or destroyed by unauthorised access or any other security incident.
    • The Operator destroys PD in a manner that prevents its restoration and precludes any subsequent processing and documents the PD destruction as required by the Russian authority mandated to protect the rights of PD subjects.
    • When it learns of any unauthorised or accidental transfer, disclosure or dissemination, or access to, PD resulting in a breach of PD subject rights, the Operator reports the incident to the Russian authority mandated to protect the rights of PD subjects, in accordance with procedure prescribed by PD law.

7.                Rights of PD Subjects

  • PD subjects have the right to be informed by the Operator about the processing of their data.
    • PD subjects have the right to demand that their PD be updated, blocked, or destroyed by the Operator if such PD is incomplete, outdated, inaccurate, illegally obtained, or cannot be considered necessary for the stated processing purposes, and to take further measures as may be provided by law to protect their rights.
    • PD subjects’ right to access their PD may be limited by federal laws, including but not limited to cases where such access would adversely affect the rights and legitimate interests of third parties.
    • PD subjects may withdraw any previously granted consent at any time, in whole or in part, and/or request that the Operator cease PD processing, unless processing is required under Article 6(1), subparagraphs (2) through (11), Article 10(2) or Article 11(2) of Law No. 152-FZ. PD subjects may exercise their right hereunder by sending the corresponding request to the Operator.
    • To exercise and secure their rights and legitimate interests, PD subjects or their representatives may contact the Operator in any manner specified in clause 1.4 of the User Agreement.
    • The Operator will review all requests and complaints submitted by PD subjects, thoroughly investigate any breaches, and take all measures necessary to remediate such breaches without delay. The operator will also take the appropriate disciplinary actions against the parties responsible and will seek to resolve resulting disputes or conflicts amicably.
    • PD subjects may lodge a complaint with the authority mandated to protect the rights of PD subjects to dispute Operator’s actions or omissions.
    • PD subjects have the right to effective judicial remedies to defend their rights or legitimate interests, including without limitation the right to claim material or non-material damages.

8.                PD Protection Officer

  • The PD protection officer’s rights, duties, and statutory liability are governed by Article 22.1 of Law No. 152-FZ and the Operator’s internal PD processing and protection policies.
    • The Operator appoints and removes the PD protection officer through a corporate resolution. The hiring decision is based on the candidate’s competencies, professional qualifications, and personal traits that enable them to fully exercise their powers and effectively carry out their duties.
    • The PD protection officer:
      • monitors the Operator’s compliance with the applicable PD laws, including statutory requirements on PD protection.
      • makes sure that the persons processing PD for the purposes designated by the Operator have sufficient knowledge of the applicable PD laws, including statutory requirements on PD protection, and the Operator’s internal PD processing policies.
      • supervises the receipt and processing of requests and inquiries submitted by PD subjects or their representatives.

9.                Approval and Updates

  • This Policy is approved and enacted by the Operator’s resolution and remains in effect until terminated.
    • The Operator may update this Policy as necessary (the “Updates”). All Updates must be approved by the Operator’s resolution. Once approved, the updated Policy will be posted on the Website, stating when the Update goes into effect.
    • PD subjects are responsible for viewing the Updates. By accessing/using the Website after the updated Policy has come into effect, PD subjects acknowledge that they have read the updated Policy.
    • This Policy is updated as necessary and at least once every three (3) years.
    • This Policy may be updated more frequently to reflect:
      • changes in the regulatory framework governing PD processing and protection in the Russian Federation,
      • changes in the Operator’s internal regulations that directly or indirectly govern PD processing and protection,
      • changes in the way the Operator manages PD processing and protection,
      • changes in the Operator’s business or corporate structure,
      • changes in the Operator’s relations with PD subjects, counterparties, or other persons,
      • reasons for and the extent of violations of Operator’s internal regulations,
      • reasons for and extent of PD security incidents identified within the IT environment, and
      • other factors that may have a material adverse effect on PD processing and protection by the Operator.

10.             Liability

  1. Persons responsible for violation of PD processing and protection regulations will be subject to liability in accordance with applicable law.

[1] PD processing may not be considered automated only on the grounds that such PD is contained in or was extracted from the PIMS.