
PJSC LUKOIL Personal Data Processing Policy
1. General Provisions
1.1. The personal data processing policy of PJSC LUKOIL (hereinafter referred to as the Policy) establishes the procedure for processing personal data at PJSC LUKOIL (hereinafter also referred to as the Company or the Operator) in accordance with Article 18.1 of Federal Law No. 152-FZ of July 27, 2006, On Personal Data (hereinafter referred to as the Federal Law) and defines the guidelines, purposes, procedure, methods, and legal grounds for the processing of personal data. It also contains information on requirements that have been implemented for the protection of personal data.
1.2. The purpose of this Policy is to establish conditions for ensuring the protection of the rights and freedoms of personal data subjects when processing their personal data, including the protection of the rights to privacy, personal and family secrecy. The Policy also aims to inform personal data subjects and individuals involved in the processing of personal data that PJSC LUKOIL adheres to the fundamental principles of lawfulness, fairness, data minimization, and the alignment of the content and scope of processed personal data with the stated processing purposes.
1.3. The Policy applies to all actions involving personal data in the Company, regardless of the methods, timing, and processing purposes.
1.4. The Policy applies to all personal data processed by the Company, is publicly available, and is posted on the Company’s official website. The Operator takes all possible measures to ensure unrestricted access to the Policy.
1.5. The personal data operator is PJSC LUKOIL: INN 7708004767, OGRN 1027700035769, actual address: 101000, Moscow, Sretensky Boulevard, 11, registration number in the register of personal data processing operators, No. 08-0009299 (pd.rkn.gov.ru).
1.6. The person in charge of personal data processing at PJSC LUKOIL is the Head of the Personal Data Processing Department, e-mail: personal.data@lukoil.com.
2. Terms and Definitions
For the purposes of this Policy, the following terms and definitions apply:
Personal data – any information related directly or indirectly to a specific or identifiable individual (personal data subject).
Personal data processing – any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including its collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction.
Automated personal data processing – processing of personal data using computer technology.
Distribution of personal data – actions taken for disclosing personal data to an indefinite number of people.
Provision of personal data – actions taken for disclosing personal data to a specific person or a specific number of people.
Blocking of personal data – temporary cessation of the processing of personal data (except in cases when processing is necessary to clarify personal data).
Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and/or that destroy the physical media containing personal data.
Depersonalization of personal data – actions that make it impossible to determine the ownership of personal data by a specific personal data subject without using additional information.
Personal data information system – a set of personal data contained in databases and the information technologies and technical means that ensure the processing of such data.
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign nation, to a foreign state authority, to a foreign individual, or to a foreign legal entity.
Confidentiality of personal data – a requirement that must be observed by the operator or other person who has access to personal data not to disclose personal data to third parties and not to distribute personal data without the consent of the personal data subject or the existence of another legal basis for disclosure.
3. Personal Data Processing Guidelines
When processing personal data, PJSC LUKOIL uses the following guidelines:
3.1. Personal data is processed on a lawful and fair basis.
3.2. The processing of personal data is limited to the achievement of specific, predetermined, and lawful purposes. The processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.
3.3. The merging of databases containing personal data processed for incompatible purposes is not permitted.
3.4. The content and scope of the personal data processed shall be consistent with the stated processing purposes. The personal data processed shall not be excessive in relation to the stated processing purposes.
3.5. When processing personal data, the accuracy, adequacy, and relevance of personal data in relation to the personal data processing purposes shall be ensured. The Operator shall take the necessary measures to delete or clarify incomplete or inaccurate data.
3.6. Personal data shall be stored in a form that allows the identification of the data subject for no longer than is necessary for the personal data processing purposes, unless the storage period for personal data is established by federal law or by a contract to which the data subject is a party, beneficiary, or guarantor.
3.7. Processed personal data shall be destroyed or anonymized upon achievement of the processing purposes or in the event that the need to achieve these purposes ceases to exist, unless otherwise provided for by federal law.
4. Categories of Personal Data Subjects
4.1. The main categories of subjects whose personal data is processed by the Company are:
employees of PJSC LUKOIL, as well as former employees of the Company;
employees of other entities of the LUKOIL Group;
family members and close relatives of employees of PJSC LUKOIL and other entities of the LUKOIL Group;
candidates for vacant positions;
candidates for management positions in the entities of the LUKOIL Group;
counterparties (individuals, as well as individuals representing legal entities);
individuals involved in court and arbitration cases related to the protection of the rights and legitimate interests of PJSC LUKOIL and other entities of the LUKOIL Group;
persons whose information is subject to disclosure;
members of the Board of Directors of PJSC LUKOIL and their relatives;
shareholders of PJSC LUKOIL and their authorized representatives;
visitors to PJSC LUKOIL facilities;
users of PJSC LUKOIL websites who have provided their personal data to PJSC LUKOIL;
authors of appeals to PJSC LUKOIL;
other individuals who have provided their personal data for the purposes of its processing as provided for by Section 5 of this Policy.
5. Processing Purposes
5.1. The main personal data processing purposes at the Company are:
the performance by PJSC LUKOIL of the functions, powers, and duties provided for by the legislation of the Russian Federation and the Charter of PJSC LUKOIL;
ensuring the implementation of guarantees of employees' labor rights, the creation of favorable working conditions, the protection of the rights and interests of parties to labor relations, and compliance with the labor legislation of the Russian Federation and legislation on occupational safety;
providing assistance in employment, forming a personnel reserve in the entities of the LUKOIL Group;
preparing statistical documentation in accordance with labor and tax legislation, as well as other reports to state and local government bodies in specified cases;
providing additional guarantees and compensation to employees of PJSC LUKOIL and their family members, as well as other personal data subjects who are entitled to social security in accordance with internal regulations of PJSC LUKOIL;
ensuring the conclusion, execution, and termination of contracts (agreements) with PJSC LUKOIL;
compliance with the legislation of the Russian Federation on joint-stock companies, antitrust legislation, and securities legislation;
ensuring access control and internal security at PJSC LUKOIL facilities;
consideration of appeals from citizens of the Russian Federation and other individuals;
management of socially significant and corporate events of PJSC LUKOIL;
carrying out sponsorship and charitable activities of PJSC LUKOIL;
ensuring online coverage of the operations of PJSC LUKOIL and other entities of the LUKOIL Group on PJSC LUKOIL websites on the Internet;
preparing reference materials for internal information support of the operations of PJSC LUKOIL and other entities of the LUKOIL Group;
improving the website, increasing its efficiency and usability.
5.2. The composition, scope, and categories of personal data processed by the Company shall be determined pursuant to the legislation of the Russian Federation and the Company's internal regulations, with due regard to the personal data processing purposes set forth in clause 5.1 above.
5.3. The Operator may develop internal regulations in the area of personal data, in which, depending on the tasks and functions performed by the structural divisions of PJSC LUKOIL, it may specify certain personal data processing purposes defined by PJSC LUKOIL, as well as provide additional information defining the specifics of personal data processing in the structural divisions of PJSC LUKOIL within the scope of the purposes defined by this Policy.
5.4. The Company does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life, or criminal record, except in those cases provided for by the legislation of the Russian Federation.
The Company processes information that characterizes the physiological and biological characteristics of a person by which his or her identity can be established and which is used by the Operator to establish the identity of the personal data subject (biometric personal data) only in the manner provided for by the legislation of the Russian Federation.
6. Legal Grounds for Personal Data Processing
Depending on the processing purposes, the Operator processes personal data as follows:
6.1. With the consent of personal data subjects to the processing of their personal data. This consent must be specific, informed, and conscious. Consent to the processing of personal data may be given by the personal data subject or their representative in any form that enables confirmation of its receipt unless otherwise provided by federal law. In cases provided for by federal law, consent to the processing of personal data shall be given in writing;
6.2. For the purposes of complying with the laws of the Russian Federation, international treaties of the Russian Federation, and for the implementation and performance of the functions, powers, and duties assigned to the Operator by the legislation of the Russian Federation;
6.3. For the purpose of executing or concluding a contract to which the personal data subject is a party, beneficiary, or guarantor, including in the event that the Company exercises its right to assign rights (claims) under such a contract;
6.4. To execute a court order, an order of another authority or official, subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings;
6.5. To protect the life, health, or other vital interests of the personal data subject, if it is impossible to obtain the consent of the personal data subject;
6.6. To exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;
6.7. For statistical or other research purposes provided that personal data is anonymized;
6.8. In other cases provided for by the legislation of the Russian Federation.
7. Methods of Personal Data Processing, Conditions for Its Termination
7.1. The Company processes personal data in the following ways:
non-automated personal data processing;
automated personal data processing with or without the transfer of the information received via information and telecommunications networks;
mixed processing of personal data.
achievement of the personal data processing purposes;
expiration of consent to the processing of personal data;
the withdrawal of consent to the processing of personal data by the data subject;
the detection of cases of unlawful processing of personal data;
loss of necessity to achieve the personal data processing purposes;
liquidation of the Operator as a legal entity.
8. Transfer of Personal Data
8.1. In order to comply with the legislation of the Russian Federation, to achieve the personal data processing purposes, and in the interests of personal data subjects, the Company, in the course of its operations, provides personal data to state authorities, local government bodies, foundations, public and commercial organizations in cases provided for by the legislation of the Russian Federation.
8.2. The Company has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation, on the basis of a contract concluded with that person (hereinafter referred to as the assignment). The assignment must specify:
a list of actions (operations) with personal data that will be performed by the legal entity processing personal data;
the processing purposes;
the obligation of such a legal entity to maintain the confidentiality of personal data and ensure the security of personal data during its processing;
requirements for the protection of processed personal data in accordance with the requirements of the Federal Law;
the liability of such a legal entity to the Company.
8.3. A person processing personal data on behalf of the Company is not required to obtain the consent of the personal data subject for the processing of their personal data.
8.4. If the Company entrusts the processing of personal data to another legal entity, the Company shall be liable to the personal data subject for the actions of that entity. A legal entity processing personal data on behalf of the Company shall be liable to the Company.
8.5. The transfer of personal data within the Company is carried out in accordance with the Company’s internal regulations.
8.6. Cross-border transfer of personal data is carried out by the Company only with the written consent of the personal data subject for such transfer, except in cases provided for by federal law.
8.7. Before initiating cross-border transfer of personal data, the Company is obliged to ensure that the foreign state to which the personal data is transferred provides adequate protection of the rights of personal data subjects.
8.8. Cross-border transfer of personal data to foreign countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), as well as other foreign states that provide adequate protection of the rights of personal data subjects, shall be carried out in accordance with federal law and may be prohibited or restricted in order to protect the foundations of the constitutional order of the Russian Federation, morality, health, rights, and legitimate interests of citizens, and to ensure the defense of the country and the security of the state.
9. Time Limits for Personal Data Processing, Storage, and Destruction
9.1. The time limits for processing and storing personal data of the categories of personal data subjects specified in clause 4.1 of this Policy are determined in accordance with the requirements of the legislation of the Russian Federation and internal regulations of PJSC LUKOIL regulating these issues, as well as the provisions of the contract to which the personal data subject is a party, beneficiary, or guarantor, and in their absence, the consent of the personal data subject to the processing of personal data.
9.2. Personal data shall be processed no longer than is necessary for the purposes of personal data processing, unless otherwise provided for by the legislation of the Russian Federation.
9.3. The Company shall store personal data in a form that permits identification of the personal data subject no longer than is necessary for the processing purposes, unless a longer retention period is established by federal law of the Russian Federation or by a contract to which the personal data subject is a party, beneficiary, or guarantor.
9.4. When storing personal data, the Company undertakes to use databases located in the Russian Federation in accordance with Part 5 of Article 18 of the Federal Law.
9.5. The Company ensures the separate storage of personal data processed without the use of automation tools, including the use of a separate physical medium for each category of personal data.
When recording personal data on physical media, it is not permitted to record personal data on the same physical medium if the processing purposes are known to be incompatible.
9.6. The storage period for archival documents containing personal data is determined based on the requirements of the legislation on archival matters in the Russian Federation.
9.7. Personal data shall be destroyed or anonymized upon achievement of the processing purposes or in the event that the need to achieve them ceases to exist, unless otherwise provided by the legislation of the Russian Federation.
9.8. The procedure and methods for destroying personal data are determined by internal regulations of PJSC LUKOIL in the area of personal data, depending on the methods of personal data processing and the physical media on which personal data is recorded and stored.
10. Protective Measures in Place
The Company takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from any other unlawful actions in relation to it. In accordance with federal law, such measures include, in particular:
10.1. Appointment of a person in charge of organizing the processing of personal data.
10.2. Issuance by the Operator of internal regulations in the area of personal data:
defining the Operator's policy regarding the processing of personal data;
defining the categories and list of personal data being processed, the categories of subjects whose personal data is being processed, the methods and terms of their processing and storage, the procedure for destroying personal data upon achievement of the purposes of their processing or upon the occurrence of other legal grounds for each personal data processing purpose;
establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating the consequences of such violations.
10.3. Application of legal, organizational, and technical measures to ensure the security of personal data in accordance with federal law.
10.4. Implementation of internal control and/or auditing of the compliance of the processing of personal data with the requirements for personal data protection, this Policy, and other internal regulations of the Operator.
10.5. Conducting an assessment of the harm that may be caused to personal data subjects in the event of a violation of the Federal Law, the correlation between the resultant harm and the measures taken by the Operator to ensure the fulfillment of the obligations provided for by the Federal Law.
10.6. Familiarization of the Operator's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, this Policy, other internal regulations on the processing of personal data, and training these employees.
10.7. Identification of threats to the security of personal data when processing it in personal data information systems.
10.8. Application of organizational and technical measures necessary to comply with personal data protection requirements to ensure the security of personal data when processing it in personal data information systems, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation.
10.9. Application of information protection measures that have undergone established conformity assessment procedures.
10.10. Assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system.
10.11. Accounting for machine media containing personal data.
10.12. Detection of unauthorized access to personal data and taking measures, including measures to detect, prevent, and eliminate the consequences of computer attacks on personal data information systems and to respond to computer incidents in them.
10.13. Restoration of personal data modified or destroyed as a result of unauthorized access to it.
10.14. Establishment of rules for access to personal data processed in the personal data information system as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system.
10.15. Development and implementation of internal regulations governing the processing and protection of personal data.
10.16. Limiting the number of employees who have access to personal data.
10.17. Establishment of a special access regime to premises where personal data is processed and/or physical media containing personal data is stored.
10.18. Limiting the number of persons with access to premises where personal data is processed and/or physical media containing personal data is stored.
10.19. Establishing a procedure for the destruction of personal data.
10.20. Placement of technical means for processing personal data within a secure area.
10.21. Backing up information to enable the recovery of personal data.
10.22. Conducting periodic monitoring of measures taken to ensure the security of personal data and the level of protection of personal data information systems.
11. Rights and Obligations of Personal Data Subjects
11.1. The personal data subject has the right:
11.1.1. To receive information regarding the processing of their personal data, including:
confirmation of the fact that the Company processes personal data;
the legal grounds and purposes of personal data processing;
the purposes and methods used by the Company to process personal data;
the Company's name and registered address, and information about persons (other than the Company's employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Company or on the basis of federal law;
the personal data being processed that relates to the relevant data subject, the source of such data, unless another procedure for providing such data is provided for by federal law;
the time limits for personal data processing, including the retention period;
the procedure for exercising the personal data subject's rights as provided for by federal law;
information about the actual or intended cross-border transfer of data;
the name or surname, first name, patronymic, and address of the person processing personal data on behalf of the Company, if the processing is or will be entrusted to such a person;
other information provided for by the legislation of the Russian Federation.
11.1.2. To request that the Company clarify, block, or destroy their personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated processing purpose.
11.1.3. To withdraw consent to the processing of personal data in cases provided for by law.
11.1.4. To appeal the actions or omissions of the Company to the authorized body for the protection of the rights of personal data subjects or in court if they believe that the Company is processing their personal data in violation of the requirements of the Federal Law or is otherwise violating their rights and freedoms.
11.1.5. To protect their rights and legitimate interests including compensation for losses and/or moral damage in court.
11.2. The personal data subject is obliged to:
11.2.1. Provide the Company with accurate personal data, the content of which is established by the legislation of the Russian Federation and internal regulations of the Company.
11.2.2. Notify the Company of any changes to their personal data within the time limits established by the legislation of the Russian Federation and the Company's internal regulations.
12. Liability
The Company’s employees involved in the processing of personal data shall bear disciplinary, civil, administrative, or criminal liability in accordance with the current legislation of the Russian Federation for violations of the rules governing personal data processing and the requirements for personal data protection.