ERSONAL DATA PROCESSING POLICY
the Global Broker Solutions Limited Liability Company (GBS-Broker LLC)

1. General provisions

1.1. This Personal Data Processing Policy of the Global Broker Solutions Limited Liability Company (GBS-Broker LLC) (hereinafter referred to as the Policy) has been developed in order to comply with the requirements of clause 2, part 1, article 18.1 of the Federal Law of the Russian Federation dated 27.07.2006 No. 152-ФЗ on Personal Data Protection (hereinafter referred to as the Law on Personal Data Protection) and to ensure the protection of rights and freedoms of individuals and citizens when processing their personal data.

1.2. The Policy applies to all personal data processed by the Global Broker Solutions Limited Liability Company (hereinafter referred to as the Data Processor, GBS-Broker LLC).

1.3. Pursuant to the requirements of part 2 of article 18.1 of the Law on Personal Data Protection, this Policy is published in freely accessible form in the Internet information and telecommunication network on the Data Processor's website.

1.4. General definitions used in this Policy:

Personal Data shall mean any information relating to a directly or indirectly identified or identifiable natural person (Data Subject);

Personal Data Processor (Data Processor) shall mean a state authority, municipal authority, legal entity or natural person who, independently or jointly with others, organizes and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the categories of personal data that are subject to processing, the operations that are carried out with personal data;

Processing of Personal Data shall mean any action (operation) or series of actions (operations) with personal data, carried out with or without the use of automated tools. The processing of personal data includes, but is not limited to:

• collection;
• recording;
• systematization;
• accumulation;
• storage;
• clarification (updating, modification);
• extraction;
• use;
• communication (dissemination, provision, access);
• depersonalization;
• blocking;
• erasure;
• destruction;

Automated Processing of Personal Data shall mean processing of personal data by means of computer equipment;

Dissemination of Personal Data shall mean actions intended to disclose personal data to an unspecified number of persons;

Provision of Personal Data shall mean actions intended to disclose personal data to a specific individual or group of individuals;

Blocking of Personal Data shall mean temporary cessation of processing of personal data (except in cases where processing is necessary to clarify personal data);

Destruction of Personal Data shall mean actions as a result of which it becomes impossible to recover the contents of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

Depersonalization of Personal Data shall mean actions that make it impossible to determine the association of personal data with a particular individual without the use of additional information;

Personal Data Information System shall mean a set of information technologies and technical means contained in databases of personal data and ensuring their processing;

International Data Transfer shall mean the transfer of personal data to the territory of a foreign country to a foreign authority, a foreign natural person or a foreign legal entity.

1.5. Basic rights and obligations of the Data Processor.

1.5.1. The Data Processor shall have the right to:

1)    independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations established by the Law on Personal Data Protection and regulatory legal acts adopted in accordance with the Law, unless otherwise provided by the Law on Personal Data Protection or other federal laws;

2)    entrust the processing of personal data to another person with the consent of the Data Subject, unless otherwise provided by federal law, on the basis of a contract concluded with this person. The person who processes personal data on behalf of the Data Processor is obliged to comply with the principles and rules of personal data processing established by the Law on Personal Data Protection;

3)    If the Data Subject withdraws his/her consent to the processing of personal data, the Data Processor shall be entitled to continue the processing of personal data without the Data Subject's consent if there are grounds specified in the Law on Personal Data Protection.

1.5.2. The Data Processor shall be obliged to:

1)   organize the processing of personal data in accordance with the requirements of the Law on Personal Data Protection;

2)   respond to the complaints and requests of the data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data Protection;

3)   provide the competent authority for the protection of the rights of data subjects (Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor)) with the necessary information at the request of this authority within 30 days from the date of receipt of such a request.

1.6. Basic rights of the Data Subject. The Data Subject shall have the right to:

1)    obtain information regarding the processing of his/her personal data, except in cases provided for by federal laws. The information shall be provided by the Data Processor to the Data Subject in an accessible form and shall not contain personal data relating to other data subjects, unless there are legitimate grounds for disclosure of such personal data. The list of information and the procedure for obtaining it shall be determined by the Law on Personal Data Protection.

2)    obtain from the Data Processor the clarification, blocking or destruction of his/her personal data if incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, as well as to take the measures provided for by law to protect his/her rights;

3)    appeal to Roskomnadzor or to a court of law against unlawful acts or omissions of the Data Processor in the processing of his/her personal data.

1.7. The control of the implementation of the requirements of this Policy is carried out by the authorized person in charge of the organization of the processing of personal data by the Data Processor.

1.8. Responsibility for violation of the requirements of the legislation of the Russian Federation and regulations of GBS-Broker LLC in the field of processing and protection of personal data shall be determined in accordance with the legislation of the Russian Federation.

2. Purposes of personal data collection

2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes for which it was collected is not permitted.

2.2. Only personal data that is relevant to the purposes of its processing may be processed.

2.3. The Data Processor shall process personal data for the following purposes:

• to ensure compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
• to carry out customs operations for the declaration of goods for personal use;
• to provide transportation and forwarding services;
• to maintain personnel records management;
• to attract and select candidates for employment with the Data Processor;
• to organize the individual (personalized) registration of employees in the mandatory pension insurance system;
• to fill in and submit the required reporting forms to the executive authorities and other authorized organizations;
• to carry out civil law relations;
• to maintain accounting records;
• to carry out access control.

2.4. Personal data of employees may only be processed for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal basis for personal data processing

3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, pursuant to and in accordance with which the Data Processor processes personal data, including but not limited to:

• Customs Code of the Eurasian Economic Union;
• Labor Code of the Russian Federation;
• Tax Code of the Russian Federation;
• Federal Law on Limited Liability Companies No. 14-ФЗ dated 08.02.1998;
• Federal Law on Transport Forwarding Activity No. 87-ФЗ dated 30.06.2003;
• Federal Law on Accounting No. 402-ФЗ dated 06.12.2011;
• Federal Law on Information, Information Technologies and Protection of Information No. 149-ФЗ dated 27.07.2006;
• Federal Law on Compulsory Pension Insurance in the Russian Federation No. 167-ФЗ dated 15.12.2001;
• Order of the Federal Customs Service of Russia No. 1060 dated July 05, 2018;
• other legal acts regulating the relations related to the activity of the Data Processor.

3.2. The legal basis for the processing of personal data shall also be

• Articles of Association of GBS-Broker LLC;
• contracts concluded between the Data Processor and data subjects;
• consent of data subjects to the processing of their personal data.

4. Scope and categories of personal data processed, categories of data subjects

4.1. The content and scope of the personal data processed shall be consistent with the stated purposes of the processing as set forth in Section 2 of this Policy. The personal data processed shall not be redundant in relation to the stated purposes of its processing.

4.2. The Data Processor may process personal data of the following categories of data subjects.

4.2.1. Candidates for employment with the Data Processor:

• last name, first name, patronymic;

• citizenship;

• date and place of birth;phone number;

• e-mail address; 

• information about education, work experience, qualifications;

• other personal information provided by candidates in their resumes and cover letters.

4.2.2. Employees and former employees of the Data Processor:

• ●     last name, first name, patronymic;

• ●     sex;

• ●     citizenship;

• ●     date and place of birth;

• ●     passport data;

• ●     address of registration at the place of residence;

• ●     residence address;

• ●     phone number;

• ●     e-mail address;

• ●     taxpayer identification number;

• ●     personal insurance policy number (SNILS);

• ●     information about education, qualifications, professional training and professional development;

• ●     marital status, children, relatives;

• ●     work activity information, including incentives, awards and/or disciplinary actions;

• ●     marriage registration data;

• military registration information;

• disability information;

• maintenance deduction information;

• information about income from previous employment;

• other personal information provided by employees as required by law.

4.2.3. Family members of employees of the Data Processor:

• last name, first name, patronymic;

• degree of relationship;

• year of birth;

• other personal information provided by employees as required by law.

4.2.4. Customers and counterparties of the Data Processor (individuals):

• last name, first name, patronymic;

• date and place of birth;

• passport data (series, number, date of issue, issuing authority);

• taxpayer identification number;

• address of registration at the place of residence;

• product delivery address;

• phone number;

• e-mail address;

• taxpayer identification number;

4.3. The Processor shall process personal biometric data (information characterizing physiological and biological features of a person, on the basis of which his/her identity can be established) in accordance with the legislation of the Russian Federation.

4.4. The Data Processor shall not process special categories of personal data concerning race, nationality, political opinions, religious or philosophical beliefs, health condition, intimate life, except as provided by the legislation of the Russian Federation.

5. Procedures and conditions for processing personal data

5.1. The Data Processor shall process personal data in accordance with the requirements of the legislation of the Russian Federation.

5.2. Processing of personal data shall be carried out with the consent of the data subjects to the processing of their personal data, as well as without such consent in the cases provided by the legislation of the Russian Federation.

5.3. The Data Processor shall carry out both automated and non-automated processing of personal data.

5.4. The employees of the Data Processor whose job description includes the processing of personal data are authorized to process personal data.

5.5. The processing of personal data shall be carried out through:

1. ●     collection;

2. ●     record;

3. ●     systematization;

4. accumulation;

5. ●     storage;

6. ●     clarification (updating, modification);

7. ●     extraction;

8. ●     use;

9. ●     communication (dissemination, provision, access);

10. ●     depersonalization;

11. ●     blocking;

12. ●     erasure;

13. ●     destruction;

5.6. Personal data may not be disclosed to third parties or disseminated without the consent of the Data Subject, unless otherwise provided by federal law.

5.7. The transfer of personal data to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive authorities and organizations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Data Processor shall take the necessary legal, organizational and technical measures to protect personal data against unauthorized or accidental access, destruction, modification, blocking, dissemination and other unauthorized actions, including:

• identify threats to the security of personal data during its processing;

• adopt local normative acts and other documents regulating relations in the field of processing and protection of personal data;

• appoint persons responsible for ensuring the security of personal data in the structural subdivisions and information systems of the Data Processor;

• create the necessary conditions for working with personal data;

• organize records of documents containing personal data;

• organize work with information systems in which personal data is processed;

• store personal data in conditions that ensure its security and prevent unauthorized access to it;

• inform the employees of the Data Processor who process personal data about the provisions of the law and local regulations on the processing of personal data.

5.9. The Data Processor shall store personal data in a form that allows identifying the Data Subject for no longer than necessary for the purposes of personal data processing, unless the period of personal data storage is established by federal law or contract.

5.10. When collecting personal data, including through the information and telecommunication network Internet, the Data Processor shall ensure recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation.

6. Updating, correcting, deleting and destroying personal data, responding to subjects' requests for access to personal data

6.1. Confirmation of the fact of personal data processing by the Data Processor, legal grounds and purposes of personal data processing, as well as other information specified in сlause 7 of article 14 of the Law on Personal Data Protection, shall be provided by the Data Processor to the Data Subject or his/her representative upon application or upon receipt of a request from the Data Subject or his/her representative.

The information provided shall not include personal data relating to other data subjects, unless there are legitimate reasons for disclosing such personal data.

The request shall contain the following information:

• number of the main identity document of the Data Subject or his/her representative, information on the date of issue of the said document and the issuing authority;
• information confirming the Data Subject's participation in the relationship with the Data Processor (contract number, date of conclusion of the contract, conventional word designation and/or other information), or information otherwise confirming the fact of processing of personal data by the Data Processor;
• signature of the Data Subject or his/her representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the application (request) of the Data Subject does not contain all the necessary information according to the requirements of the Law on Personal Data Protection, or if the Data Subject does not have the right to access the requested information, a reasoned refusal will be sent to the Data Subject.

The Data Subject's right of access to his/her personal data may be limited in accordance with part 8 of article 14 of the Law on Personal Data Protection, including if the Data Subject's access to his/her personal data violates the rights and legitimate interests of third parties.

6.2. If, at the request of the Data Subject or his/her representative or at the request of Roskomnadzor, inaccurate personal data are found, the Data Processor shall block the personal data relating to the Data Subject from the moment of the request or the receipt of the said request for the period of verification, if the blocking of the personal data does not violate the rights and legitimate interests of the Data Subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Data Processor shall, on the basis of the information submitted by the Data Subject or his/her representative or Roskomnadzor, or other necessary documents, clarify the personal data and unblock the personal data within seven working days from the date of submission of such information.

6.3. In case of detection of unlawful processing of personal data upon application (request) of the Data Subject or his/her representative or Roskomnadzor, the Data Processor shall block the unlawfully processed personal data of the Data Subject from the moment of such application or request.

6.4. When the purposes for which the personal data have been processed have been achieved, as well as in the event that the Data Subject withdraws his/her consent to the processing, the personal data shall be destroyed:

• unless otherwise provided by the contract to which the Data Subject is a party, beneficiary or guarantor;
• if the Data Processor is not entitled to perform the processing without the consent of the Data Subject for the reasons provided by the Law on Personal Data Protection or other federal laws;