PJSC LUKOIL Personal Data Processing Policy
1. General Provisions
1.1. PJSC LUKOIL Personal Data Processing Policy (hereinafter the Policy) has been developed in line with Article 18.1 of Federal Law No. 152-FZ “On Personal Data” as of July 27, 2006 (hereinafter the Federal Law) and contains information on the applicable requirements to personal data processing and protection.
1.2. The Policy is developed in line with the requirements of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe, the Constitution of the Russian Federation, international agreements of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation related to personal data.
1.3. The purpose of this document is to inform the personal data owners and other persons engaged in personal data processing of PJSC LUKOIL’s (hereinafter - the Company or the Operator) adherence to the fundamental principles of legitimacy, justice, non-redundancy, correlation of the content and scope of the personal data processed to the declared processing purposes.
1.4. Protection of rights and freedoms of an individual as part of personal data processing, including protection of rights to privacy, personal and family secrets is one of the Company’s priorities.
1.5. The Policy covers all personal data processed in the Company and constitutes a public document.
2. Legal grounds for personal data processing
2.1. Personal data are processed by the Operator in view of the processing purposes:
2.1.1. With consent of personal data owners to their personal data processing;
2.1.2. For the purpose of compliance with the laws of the Russian Federation, international agreements of the Russian Federation, decrees by the RF Government and other regulatory legal acts of the Russian Federation;
2.1.3. For the purpose of agreement execution whose Party, beneficiary or guarantor is represented by the personal data owner, including the cases when the Company realizes its right to cession of rights (claims) under such agreement.
3. Purposes and applied methods of personal data processing
3.1. Personal data are processed in the Company either with application of automation technologies, including information personal data systems, or without them (mixed personal data processing).
3.2. Should the automated data processing method be used, personal data are transmitted via the Operator’s internal network and via Internet, i. e., information and telecommunication network.
3.3. Personal data are processed for the following purposes:
3.3.1. Rendering assistance to the employees and candidates in employment, training and career development, quantity and quality control of the work performed, compliance with the labor legislation and other regulations containing the norms of labor legislation;
3.3.2. Provision of social benefits and guarantees, personal safety or protection of other vital interests of the Company’s employees or those of the LUKOIL Group Organizations and their family members;
3.3.3. Conclusion and execution of civil law contracts, including service contracts;
3.3.4. Compliance with the RF laws on joint-stock companies, information disclosure;
3.3.5. Compliance with antitrust legislation;
3.3.6. Compliance with the securities legislation;
3.3.7. Protection of rights and legal interests of the Company, the LUKOIL Group Organizations, and those of their officers in court, dispute settlement and administrative authorities;
3.3.8. Preparation of statements or requests, notifications, etc. provided for by the legislation to be submitted to the Pension Fund of the Russian Federation, Social Insurance Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund, Federal Tax Service and other state bodies and services;
3.3.9. Consolidation of statistic data and figures across the LUKOIL Group;
3.3.10. Conduct of inspections and audits in the LUKOIL Group Organizations;
3.3.11. Organization of bidding procedures provided for by the local regulations of PJSC LUKOIL;
3.3.12. Preparation of the letters of attorney granted to the employees of PJSC LUKOIL, the LUKOIL Group Organizations, other organizations and private individuals;
3.3.13. Organizing access and on-site control in the administrative buildings of the Company, property protection;
3.3.14. Keeping corporate phone and other information books, publications at in-house portals, recognition boards and in public personal data systems;
3.3.15. Fulfillment of other obligations as part of the legal grounds specified in cl. 2.1 hereof.
4. Processed personal data and data sources
4.1. Personal data are handed over to the Operator immediately by the personal data owner or his/her representative, unless a different personal data submission procedure is provided for by the Federal law.
4.2. The personal data can be accepted from a person other than the personal data owner, provided that the personal data owner agrees to submit his/her personal data to the Company for processing, unless a different personal data submission procedure is stipulated by the Federal law.
4.3. Processing of special personal data categories (those concerning ethnicity, national identity, political stance, religious or philosophical beliefs, health status, love life), biometrical personal data (those characterizing physiological and biological features of an individual that help identify the data owner) shall be prohibited in the Company, except for the cases provided for by the Federal law.
4.4. It shall be prohibited to use personal data for political solicitation, as well as for the promotion of goods, works and services, except for the cases provided for by the Federal law.
4.5. The Company shall process personal data owned by:
4.5.1. The Company’s employees, their relatives;
4.5.2. LUKOIL’s BoD members and their relatives, candidates to LUKOIL’s BoD;
4.5.3. Members of LUKOIL’s Audit Commission and their relatives, candidates to LUKOIL’s Audit Commission;
4.5.4. Candidates considered for labor contract execution;
4.5.5. Persons, whose personal data processing is related to the fulfillment of the agreements concluded;
4.5.6. Parties to the labor contracts or civil law contracts concluded with the LUKOIL Group Organizations;
4.5.7. Persons who were previously Parties to labor relations with the Company;
4.5.8. Potential contractors (private individuals);
4.5.9. Founders (private individuals) of potential contractors;
4.5.10. Persons acting as the sole executive bodies of the companies included into the LUKOIL Group;
4.5.11. Shareholders and their relatives;
4.5.12. Lawyers, notaries maintaining relations with the Company;
4.5.13. Drafters of written requests to PJSC LUKOIL;
4.5.14. Other personal data owners (for the purposes of personal data processing outlined in cl. 3.3 hereof).
5. Personal data processing and storage period
5.1. Personal data shall not be processed until the legal grounds for personal data processing outlined in cl. 3 hereof arise.
5.2. Personal data processing shall be suspended as soon as processing purposes are achieved, legal grounds for data processing cease to exist, and the document storage period, provided for by the legislation on archive-keeping in the Russian Federation and the local regulations of PJSC LUKOIL, expires.
5.3. Upon processing period expiration the personal data are either destroyed or depersonalized to be used for statistical or other research purposes.
6. Rights of personal data owners
6.1. The personal data owner shall be entitled to be informed of his/her personal data processing within the time period and according to the procedure provided for by the Federal law.
6.2. The personal data owner shall be entitled to require adjustment of his/her personal data from the Operator, their blocking or destruction, provided that the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the declared processing purpose; the data owner shall have the right to take the measures provided for by the Federal law to protect his/her rights.
6.3. The access rights of the personal data owner to his/her personal data can be limited in accordance with the Federal law.
6.4. The decisions based solely on the automated personal data processing, which either leads to origination of the legal consequences towards the personal data owner or otherwise affects his/her rights and legal interests, shall be made, provided that the data owner granted his/her written consent.
6.5. The personal data owner shall be entitled to challenge the actions or failure to act on the part of the Operator by filing a petition to the authorized body for protection of personal data owner rights or by legal means.
6.6. The personal data owner shall be entitled to protect his/her rights and legal interests, including reimbursement of expenses and (or) compensation for moral injury by legal means.
7. Cross-border personal data transmission
7.1. The Company exercises cross-border personal data transmission, i.e., personal data transmission to a foreign country, a foreign regulatory authority, a foreign private individual or a legal entity.
7.2. The personal data can be transmitted across the borders of the foreign countries that are Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe, as well as other foreign countries that ensure proper protection of personal data owner rights (the list of such countries shall be subject to approval by the authorized bodies for protection of personal data owner rights), without written consent of the personal data owner to cross-border transmission in view of the personal data processing purposes outlined in cl.3.3 hereof.
7.3. The personal data shall be transmitted across the borders to the countries that are incapable of ensuring proper protection of personal data owner rights:
7.3.1. With written consent of the personal data owner to cross-border transmission of his/her personal data;
7.3.2. For the execution purpose of the contract the personal data owner is Party to;
7.3.3. To protect the lives, health, other vital interests of the personal data owner or other persons, should it be impossible to obtain written consent of the personal data owner;
7.3.4. In the cases provided for by the international agreements of the Russian Federation, federal laws (should it be necessary to protect the constitutional system of the Russian Federation, to ensure national defense and security, as well as to ensure stable and smooth functioning of the transportation industry, protection of personal, social and state interests in the transportation area from unlawful interference).
7.4. The Operator shall transmit the personal data in view of the purposes and personal data categories across the borders, including the following countries: Austria, Azerbaijan, Belarus, Belgium, British Virgin Islands, Bulgaria, Hungary, Ghana, Germany, Greece, Georgia, Denmark, India, Iraq, Spain, Italy, Kazakhstan, Canada, Cyprus, Kyrgyzstan, China, Ivory Coast, Latvia, Lithuania, Republic of Macedonia, Republic of Moldova, the Netherlands, Norway, United Arab Emirates, Ukraine, Estonia, Poland, Portugal, Romania, Serbia, Slovakia, United Kingdom of Great Britain and Northern Ireland, United States of America, Turkey, Uzbekistan, Finland, France, Croatia, Montenegro, Czech Republic, Switzerland, Sweden, Japan.
8. Information on third parties engaged in personal data processing
8.1. The Operator shall be entitled to charge a third party with personal data processing with consent of the personal data owner, unless otherwise provided for by the Federal law, by virtue of the agreement concluded with this person.
8.2. In the respective order (agreement) the Operator shall define the list of actions (operations) with personal data to be conducted by the person responsible for personal data processing, the processing purposes, the confidentiality obligations towards the personal data assumed by the respective person, as well as the obligations to protect the personal data as they are processed, and the requirements to protection of the personal data processed.
8.3. The person responsible for personal data processing by the Operator’s order shall not be obliged to obtain consent from the personal data owner to processing of his/her personal data.
8.4. Should the Operator charge a third party with personal data processing, the responsibility for the actions of the said person before the personal data owner shall be borne by the Operator. The person responsible for personal data processing by the Operator’s order shall bear responsibility before the Operator.
9. Information on applicable requirements to personal data protection
9.1. In the course of personal data processing the Operator shall take required legal, organizational and technical measures to protect the personal data from unlawful or accidental access, destruction, adjustment, blocking, copying, submission, sharing or other unlawful actions with regard to the personal data.
9.2. The personal data shall be protected by means of the following:
9.2.1. Appointment of persons responsible for organizing personal data processing and personal data safety;
9.2.2. Issuance of local regulations on personal data processing and protection focused on prevention and tracing violations of the RF laws, elimination of respective consequences;
9.2.3. Making a list of positions that require personal data processing of the persons filling such positions;
9.2.4. Conduct of trainings, rendering methodological support, informing, against signature, the employees engaged in personal data processing of the fact of their participation in personal data processing, as well as of the rules for personal data processing and protection set by the regulatory legal acts of the executive bodies and the local regulations of PJSC LUKOIL;
9.2.5. Registration and recording of operations with personal data;
9.2.6. Registration of physical personal data storage media and control over their use in order to exclude cases of their loss, theft, substitution, unauthorized copying or destruction;
9.2.7. Keeping records of personal data owners’ appeals and their execution;
9.2.8. Transmission of personal data within the Company solely among the persons holding the positions included into the list of positions that require personal data processing of the persons filling such positions;
9.2.9. Implementation of the personal data processing procedure within the protected area, as well as organizing physical protection of the personal data storage media, locations and tools for their processing;
9.2.10. Granting access to the premises utilized for personal data processing and/or storage of physical data storage media;
9.2.11. Identifying threats to personal data safety while they are processed within the information personal data systems, development, if appropriate, a personal data protection system while they are processed within the information personal data systems and setting access rules to personal data;
9.2.12. Tracing cases of unauthorized access to personal data and taking relevant measures;
9.2.13. Making standard forms for personal data collection so that each personal data owner could review his/her personal data without infringing on the rights and legal interests of other personal data owners;
9.2.14. Inclusion into the standard forms providing for indication of personal data, of special columns, in which the personal data owner could express his/her consent to personal data processing without automation means (in case written consent to personal data processing is required) by putting a mark;
9.2.15. Regular control over compliance of the personal data protection measures taken with the RF legislation on personal data and applicable local regulatory acts adopted in pursuance of the said legislation.
10. Responsibility for violation of personal data processing rules and requirements to personal data protection
According to the applicable RF legislation the Company’s employees engaged in personal data processing shall bear disciplinary, civil, administrative or criminal responsibility for violation of personal data processing rules and requirements to personal data protection.
11. Contact details
11.1. Name of the Operator: Public Joint-Stock Company LUKOIL Oil Company TAXPAYER IDENTIFICATION NUMBER (INN): 7708004767. Physical address: 11, Sretensky bul., Moscow, 101000 Tel. fax: +74956274444.
11.2. Registration number in the register of personal data operators (http://rkn.gov.ru/personal-data/register/): 08-0009299.
11.3. Person responsible for personal data processing in PJSC LUKOIL – Vice President for Human Resources Management and Social Policy of PJSC LUKOIL А.А. Moskalenko, tel. +74956274444, e-mail: Anatoly.Moskalenko@lukoil.com.
11.4. Person responsible for protection of personal data in PJSC LUKOIL is the head of Economic, Internal and Information Security Division – deputy head of Corporate Security Department O.A. Knysh, tel. +74956274444, e-mail: Oleg.Knysh@lukoil.com.
11.5. Authority for the protection of the rights of subjects of personal data: The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), Office for the Protection of the Rights of Personal Data Subjects.
11.6. Territorial body of Roskomnadzor for Moscow and Moscow Oblast: GSP-7 (official municipal post), 2, bldg. 10, Starokashirskoye Sh., Moscow, 117997, tel. +74959570820, fax: +74959570848, e-mail: email@example.com, web-site: 77.rsoc.ru.