1. Introduction

1.1. The most important condition for implementing the goals of InvestRiskFree Ltd (hereinafter - the Company) is to ensure necessary and sufficient level of information security of the Company’s assets that particularly include natural persons' personal data.

1.2. One of the top-priority tasks of the Company is to ensure personal data protection.

1.3. This Policy is designed in accordance with the requirements of the Federal Law of 27 July 2006 N 152-FZ “On personal data” and establishes the principles, procedures and conditions of processing personal data of different individuals, whose personal data is processed by the Company with the purpose of ensuring protection of personal rights and freedoms during this process, including the right to personal and family privacy.

1.4. Personal data is confidential, strictly protected information and is subject to the requirements established by the internal documents of the Company regarding protection of confidential information.

2. Definition and scope of personal data

2.1. The list of the processed personal data to protect by the Company is formed in accordance with the Federal Law of July 27, 2006 N 152-FZ "On personal data", the Charter and internal documents of the Company.

2.2. Any information directly or indirectly related to an identified or identifiable natural person (the subject of personal data) is regarded by the Company as personal data.

2.3. Depending on the subject of personal data, the Company processes personal data of the following categories of subjects of personal data:

natural persons providing their personal data subsequent to the conclusion of a contract (agreement) according to which the Company provides services to a natural person, or any other contracts (agreements) that are concluded or may be concluded in the future between the Company and a natural person;  

natural persons applying to the Company for employment and providing their personal data, and employees of the Company;

natural persons being affiliated persons to the Company or chiefs, partners (stockholders) or employees of a legal entity affiliated to the Company;

natural persons applying to the Company with any demand and providing their personal data.

3. Personal data processing purposes

3.1. The Company processes personal data for the following purposes:

to provide intermediary (broking) services in accordance with concluded agreements, to prepare for conclusion, conclude and implement employment agreements, to prepare for conclusion, conclude and implement other agreements, to provide information (to refuse to provide information), to promote in the market (including via direct contacts with clients by the means of communication, including electronic means of communication, items of mail, SMS) products (services) of the Company, common products of the Company and third parties, products (goods, works, services) of third parties;

to assist the employees of the Company in employment, training and advancement, to provide for personal security of the employees, to control quality and quantity of the work performed and to provide for property preservation of the employees and the Company as an employer; 

to perform functions assigned to the Company by the legislation of the Russian Federation in accordance with the Civil Code of the Russian Federation, the Labour Code of the Russian Federation, the Tax Code of the Russian Federation, by the Federal Laws “On Combating Legalisation (Laundering) of Illegally Gained Income and Financing of Terrorism”, “On Currency Regulation and Currency Control”, “On the Insurance of Deposits of Physical Persons with Banks of the Russian Federation”, or by any other regulatory acts that regulate the Company's operations.

4. Terms and conditions for personal data processing

4.1. Personal data processing of the Company is pursuant to:

legality and reasonableness of the purposes and ways of personal data processing;

compatibility of the purposes of personal data processing with the purposes which were predetermined and stated when processing personal data, and with the authority of the Company;

compatibility of the extent and the methods of proceeding personal data with their purposes;

reliability of personal data, its sufficiency for the purposes of processing, impermissibility of processing personal data which is excessive towards the purposes which were stated when processing personal data;

impermissibility of integrating databases containing personal data for incompatible purposes;

storing personal data in the way which enables to define the subject of the personal data only as long and no longer than the purposes of its processing require;

destruction of personal data when the purpose of its processing is achieved or in case of no further need for achieving them except if otherwise is permitted by the Federal law.

4.2. Processing personal data is pursuant to the terms defined by the law of the Russian Federation.

4.3. When processing personal data the Company provides accuracy of personal data, their reasonableness and, where necessary, their relevancy towards the purposes of processing personal data. The Company takes reasonable measures (provides the process of taking) for destructing or updating incomplete or inaccurate personal data.

4.4. The Company does not place the subject's personal data in the public sources without their advance consent.

5. Personal data processing period

5.1. The time period of processing personal data is defined in accordance with the due dates stated in the subject's personal data consent, by Order No. 558 of August 25, 2010, of the Ministry of Culture of the Russian Federation, "On Approval of the ‘List of Standard Archive Managerial Documents Produced by State Authorities, Municipal Bodies and Institutions’ Stating the Storage Period" and other requirements of the legislation of the Russian Federation.

5.2. The Company issues and retains the documents that provide details of subjects of personal data. Requirements to the use of given pro forma documents by the Company are stated by the Regulation No. 687 of September 15, 2008, of the Government of the Russian Federation “On Approval of the Statute on Special Aspects of Personal Data Processing Without the Use of Automation Technology”.

6. Rights and obligations

6.1. Rights and obligations of the Company

6.1.1. As an operator of personal data the Company has a right to:

defend its interests in court;

provide clients' personal data to banking institutions, to the Deposit Insurance Agency and to business correspondence delivery service for the ends of carrying out obligations arising from the agreement;

provide subjects’ personal data to state or other competent authorities, if stipulated in the current legislation of the Russian Federation (taxation authority, law enforcement authority, Bank of Russia etc.);

refuse to provide personal data in cases defined in the legislation of the Russian Federation;

process subjects’ personal data without their consent in cases provided for in the legislation of the Russian Federation.

6.2. Rights and obligations of personal data subjects

6.2.1 The subject of personal data has a right to:

demand clarification on his/her personal data, its blocking or destruction if personal data is incomplete, obsolete, invalid, illegally received or is not necessary for stated processing goal; and to take measures prescribed by the law for the protection of their rights

demand the summary of their personal data processed by the Company and the data origination;

receive information about the personal data processing period, including its retention period;

demand notification of persons who previously received their invalid or incomplete personal data with all the exceptions, corrections or additions made;

appeal to competent authorities for protection of the rights of personal data subjects or appeal through legal proceedings against misconduct or lack of action while processing its personal data;

defend through legal proceedings their rights and legitimate interests, including the right to loss indemnity and (or) compensation for moral harm.

7. Provision of personal data security

7.1. Company takes necessary security measures to defend personal data from random or unauthorized access, obliteration or change, or access denial and other unauthorized activities.

7.2. For the purposes of personal data security arrangements coordination, the Company employs a personal data security officer.

8. Final provisions

8.1. This Policy is approved by the President, the information is publicly available and is subject to be posted on the official Company website.

8.2. In case of making modifications in statutes in force, and emerging of new statutes and special statutory documents about processing and security of personal data, this Policy is subject to change and supplement.

8.3. The control over the implementation of the conditions of this Policy is executed by the personal data security officer.

8.4. Responsibility of Company`s employees who have access to personal data for failure to comply with requirements regulating personal data processing and protection is determined in accordance with the legislation of the Russian Federation and the Company`s internal documents.