1. General provisions

1.1. This Policy of United Toll Systems Limited Liability Company in regard to the processing of personal data (hereinafter referred to as the Policy) has been developed in order to implement the requirements of Article 18.1, part 1, clause 2 of Federal Law dated 27 July, 2006 No.152-FZ "On Personal Data" (hereinafter – the Law on Personal Data) and this Policy also applies to all personal data that UTS LLC (hereinafter referred to as the Operator, the Company) receives from subjects of personal data.

1.2. The Policy applies to the relations on the processing of personal data that have arisen in the Company, both before and after the official approval of the Policy.

1.3. Main terms used in the Policy:

1.3.1. Personal data – any information relating to a directly or indirectly specific or designated private individual (subject of personal data).

1.3.2. Processing of personal data – any action (operation) or a set of actions (operations) containing personal data, performed with the use of automation tools or without their use. The processing of personal data includes the following:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • usage;
  • transfer (dissemination, provision, access);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction

1.3.3. Automated processing of personal data – the processing of personal data using computing technology.

1.3.4. Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.

1.3.5. Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons.

1.3.6. Blocking of personal data – the temporary suspension of the processing of personal data (except in cases when processing is necessary to clarify personal data).

1.3.7. Destruction of personal data – actions, that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media of personal data are destroyed.

1.3.8. Depersonalization of personal data – actions, that make it impossible (without the use of additional information) to determine the ownership of personal data pertaining to a specific subject of personal data.

1.3.9. The Operator of personal data (the Operator) – a state body, municipal body, legal entity or natural person, independently or jointly organizing and (or) processing personal data, as well as determining the objectives of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

1.3.10. The Site – Internet sites hosted on the unitoll.ru domain and its subdomains. The Site is the official site of the Company.

1.3.11. The User of the Site is a capable private individual who has joined the Agreement on the Use of Materials and Services of the Website (User Agreement), located on page https://unitoll.ru/en/about/company/personal_data_policy/ in his own interest or on behalf of and in the interests of a represented legal entity.

1.3.12. Subjects of personal data – employees and former employees of the Company, candidates filling in vacant positions, as well as relatives of employees, customers (users of toll roads served by the Operator) and contractors of the Company, their representatives, Users of the Site.

1.3.13. Cross-border transfer of personal data – transfer of personal data to a government body on the territory of a foreign state, to a foreign natural person or a foreign legal entity.

1.4. The Operator, having received access to personal data, is obliged to respect the confidentiality of the personal data – not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.

1.5. The Subject of personal data has the right to receive information concerning the processing of his personal data, including the following:

  • confirmation of the processing of personal data by the Operator;
  • legal grounds and objectives for the processing of personal data;
  • objectives and methods of personal data processing applied by the Operator;
  • designated name and location of the Operator, information about persons (except for the Operator’s employees) who have access to the personal data or who may be exposed to personal data on the basis of an agreement with the Operator or on the basis of a federal law;
  • processed personal data relating to the relevant subject of personal data, the source of their receipt, if a different procedure for submitting such data is not provided for by federal law;
  • time limits for processing personal data, including the time limits for their storage;
  • the procedure for the exercising of rights by the subject of personal data, provided for by federal law;
  • information on completed or intended cross-border data transfer;
  • designated name or full name (surname, name, patronymic) and address of the person who processes personal data on behalf of the Operator, if the processing is entrusted to or will be entrusted to such a person;
  • other information provided for by the Law on Personal Data or other federal laws.

1.6. The Subject of personal data is entitled to:

  • require that the Operator clarify his personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated objective of processing, as well as take measures provided for by law to protect his rights.
  • receive information regarding the processing of his personal data in the Company, including the sources of their receipt;
  • require that all persons are notified who previously were exposed to his inaccurate or incomplete personal data, about all exceptions made to them, corrections or additions;
  • withdraw his consent to the processing of personal data.

1.7. The Operator of personal data is entitled to:

  • adopt local regulations to develop the Policy;
  • provide personal data of subjects to third parties, if it is provided for by current legislation (tax, law enforcement agencies, etc.);
  • refuse to provide personal data in cases stipulated by law;
  • use the personal data of the subject without his consent in cases stipulated by law.

1.8. Responsibilities of the Operator of personal data:

  • to organize the processing of personal data in the Company in accordance with the requirements of the Law on Personal Data;
  • to ensure the protection of personal data processed by the Company against unauthorized use or loss;
  • to receive personal data only from the subject of personal data. In cases where personal data can only be obtained from third parties, to do so solely based on the written consent of the subject of personal data;
  • promptly and in accordance with the requirements of the legislation of the Russian Federation, respond to queries and requests from subjects of personal data, and their legal representatives, namely:
  • to inform the subject of personal data or his representative about the availability of personal data relating to the relevant subject of personal data, as well as provide an opportunity to get acquainted with this personal data;
  • in case of refusal, upon demand from the subject of personal data or his representative, to provide the relevant personal data or confirm the presence of the relevant personal data in the Company to the subject of personal data, give a reasoned response in writing containing a reference to the provision of federal law, which serves as a basis for such a refusal;
  • to provide free of charge the subject of personal data or his representative with an opportunity to get acquainted with the personal data relating to this subject of personal data, as well as, at the request of the subject of personal data or his representative, make the necessary changes and destroy the data if they are not necessary for the stated objective of processing, and take reasonable steps to notify third parties to whom the personal data of this subject were transferred to about changes made to the personal data;
  • to provide the necessary information to the authorized body on the protection of the rights of the subject of personal data upon request from this body within thirty days from the date of receipt of such a request;
  • to eliminate violations of the law committed when processing personal data;
  • to clarify, block and destroy personal data in the cases provided for in subsections 2–6 of Article 21 of the Law on Personal Data.

1.9. When collecting personal data, the Operator is obliged to provide the subject of personal data at his request with information provided for in paragraph 7 of Article 14 of the Law on Personal Data.

1.10. When collecting personal data, including through the information and telecommunications network (the Internet), the Operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in clauses 2, 3, 4, 8 of part 1 of Article 6 of the Law on Personal Data.

1.11. The Company publishes the Policy in free access, placing it on its official website in the information and telecommunications network (the Internet).

1.12. Control over compliance with the requirements of the Policy is carried out by an authorized person responsible for organizing the processing of personal data in the Company.

2. Objectives for collecting personal data

2.1. The processing of personal data is limited by the achievement of specific, predetermined and legitimate objectives. The processing of personal data incompatible with the objectives for collecting personal data is prohibited.

2.2. The objectives of the processing of personal data by the Operator include:

  • ensuring the protection of the rights and freedoms of a person and a citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets;
  • providing the User with access to personalized resources of the Site;
  • establishing feedback with the User, including sending notifications, requests regarding the use of the Site, provision of services, processing queries and requests from the User;
  • determining the location of the User to ensure security and prevent fraud;
  • providing the User with effective customer and technical support in the event of problems related to the use of the Site;
  • implementing promotional activities with the consent of the User.

3. Legal grounds for the processing of personal data

The Company processes personal data of subjects of personal data, guided by:

  • the Constitution of the Russian Federation;
  • the Labour Code of the Russian Federation;
  • this Policy;
  • local regulations of the Company, developed in the elaboration of the Policy;
  • contracts concluded between the Company and subjects of personal data;
  • consent to the processing of personal data.

4. Volume and categories of processed personal data, categories of subjects of personal data

4.1. The content and volume of processed personal data correspond to the stated processing objectives. The processed personal data should not be redundant in relation to the stated objectives of their processing.

4.2. Categories of subjects of personal data processed by the Operator include:

4.2.1. Operator's employees, former employees, candidates for filling in vacant positions, as well as relatives of employees;

4.2.2. Clients and counterparties of the Operator;

4.2.3. Representatives/employees of the clients of the Operator (legal entities);

4.2.4. Users of the Site.

4.3. Within each category of the subjects of personal data processed by the Operator, for each category the following personal data are processed:

4.3.1. Operator's employees, former employees, candidates for filling in vacant positions, as well as relatives of employees:

  • personal identifier;
  • full name (surname, name, patronymic) of the subject of personal data;
  • type of document certifying the identity of the subject of personal data;
  • the series and number of the document certifying the identity of the subject of personal data, information about the date of issue of the specified document and the issuing authority;
  • the address of registration and the address of the actual residence of the subject of personal data;
  • postal address of the subject of personal data;
  • contact phone, fax (if available) of the subject of personal data;
  • email address of the subject of personal data;
  • TIN of the subject of personal data;
  • number of the insurance certificate of compulsory pension insurance;
  • date of birth;
  • marital status;
  • information about family members;
  • education;
  • information about labour and general work experience;
  • information about military registration;
  • information about the salary of the employee;
  • information about social benefits;
  • specialty;
  • position held;
  • the presence of a criminal record;
  • place of work or study of family members and relatives;
  • the content of the employment contract;
  • originals and copies of orders on personnel;
  • identification record and employment record book;
  • bank account details;
  • documents attached to personnel directives;
  • documents containing materials on professional development and retraining, certification, office investigations;
  • copies of reports sent to statistics authorities;
  • personal photo;
  • business cards;
  • other documents stipulated by agreements concluded between the Operator and the subject of personal data.

4.3.2. Clients and counterparties of the Operator:

  • full name (surname, name, patronymic) of the subject of personal data;
  • type of document certifying the identity of the subject of personal data;
  • the series and number of the document certifying the identity of the subject of personal data, information about the date of issue of the specified document and the issuing authority;
  • the address of registration and the address of the actual residence of the subject of personal data;
  • postal address of the subject of personal data;
  • contact phone, fax (if available) of the subject of personal data;
  • email address of the subject of personal data;
  • TIN of the subject of personal data;
  • number of the insurance certificate of compulsory pension insurance;
  • date of birth;
  • other documents stipulated by the agreements concluded between the Operator and the subject of personal data.

4.3.3. Representatives / employees of the clients of the Operator (legal entities):

  • full name (surname, name, patronymic) of the subject of personal data;
  • type of document certifying the identity of the subject of personal data;
  • the series and number of the document certifying the identity of the subject of personal data, information about the date of issue of the specified document and the issuing authority;
  • the address of registration and the address of the actual residence of the subject of personal data;
  • postal address of the subject of personal data;
  • contact phone, fax (if available) of the subject of personal data;
  • email address of the subject of personal data;
  • TIN of the subject of personal data;
  • number of the insurance certificate of compulsory pension insurance;
  • other documents stipulated by the agreements concluded between the Operator and the subject of personal data.

4.3.4. Users of the Site:

  • full name (surname, name, patronymic) of the subject of personal data;
  • contact phone number, e-mail address of the subject of personal data;
  • other documents stipulated by the agreements concluded between the Operator and the subject of personal data.

5. Procedure and conditions for the processing of personal data

5.1. The Operator performs the processing of personal data – operations performed with the use of automation tools or without the use of such tools with personal data, including the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, usage, transfer (provision, access) , depersonalization, blocking, deletion, destruction of personal data.

5.2. The processing of personal data is carried out in compliance with the principles and rules provided for by the Law on Personal Data.

5.3. The processing of personal data by the Operator is limited to the achievement of specific, predetermined and legitimate objectives. Only personal data that meets the objectives of processing are subject to processing. The content and volume of processed personal data must comply with the stated processing objectives.

5.4. The storage of personal data should be carried out in a form that allows to determine the subject of personal data no longer than is required by the objectives for processing personal data, unless the period for storing personal data is established by federal law or by contract, to which the beneficiary or guarantor is the personal data subject. The personal data to be processed shall be destroyed or depersonalized upon the achievement of the processing objectives or if there is no further need to achieve these objectives, unless otherwise provided for by federal law.

5.5. When storing personal data, the Operator of personal data is obliged to use the databases located on the territory of the Russian Federation, in accordance with Part 5 of Art. 18 of the Law on Personal Data.

The use and storage of biometric personal data outside information systems of personal data can only be carried out on specific material storage media and using specific storage technology that protects these data from unauthorized or accidental access to them, their destruction, modification, blocking, copying, provision, as well as dissemination.

Personal data when being processed without the use of automation, should be separated from other items of information, in particular, by way of recording such data on separate material media (hereinafter referred to as material media), in special sections or in the fields of forms (blanks). When recording personal data (the processing objectives of which are not compatible) on material media, it is not allowed to record personal data on one material medium. For the processing of various categories of personal data, carried out without the use of automation, for each category of personal data a separate material medium should be used.

5.6. A condition for the termination of the processing of personal data may be the achievement of the objectives for processing personal data, the expiration of the validity period of consent or withdrawal of the consent of the subject of personal data to the processing of his personal data, as well as the identification of the illegal processing of personal data.

5.7. The Operator has the right to entrust the processing of personal data to another person on the basis of an agreement with this person, including a state or municipal contract.

The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Law on Personal Data.

In addition, the Operator is entitled to transfer personal data to inquiry and investigation bodies, other authorized bodies on the grounds stipulated by the current legislation of the Russian Federation.

5.8. The Operator and other persons who have obtained access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.

5.9. The Operator is obliged to take measures that are necessary and sufficient to ensure the fulfillment of the obligations stipulated by the Law on Personal Data and the regulatory legal acts adopted in accordance with it. The Operator determines the composition and list of measures independently.

5.10. When processing personal data, the Operator takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as protection from other illegal actions in regard to personal data.

6. Updating, correction, deletion and destruction of personal data, answers to requests from subjects demanding access to personal data

6.1. The Operator is obliged to inform, in the manner provided for in Article 14 of the Law on Personal Data, the subject of personal data or his representative about the availability of personal data relating to the relevant subject of personal data, as well as to provide an opportunity to get acquainted with these personal data when contacting the subject of personal data or his representative or within thirty days from the date of receipt of the request of the subject of personal data or his representative.

6.2. The Operator is obliged to provide gratis the opportunity to the subject of personal data or his representative to get acquainted with personal data relating to this subject of personal data. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his representative information confirming that personal data are incomplete, inaccurate or irrelevant, the Operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his representative information confirming that such personal data is illegally obtained or not necessary for the stated objective of processing, the Operator is obliged to destroy such personal data. The Operator is obliged to notify the subject of personal data or his representative about the changes made and measures taken and take reasonable measures to notify third parties to whom the personal data of this subject were transferred to.

6.3. In case of confirmation of the fact of inaccuracy of personal data, the Operator, on the basis of information provided by the subject of personal data subject or his representative or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify personal data or ensure their clarification (if personal data is processed by another person acting on the instructions of the Operator) within seven working days from the date of submission of such information and cease the blocking of personal data.

6.4. The Operator is obliged to terminate the processing of personal data or to ensure the termination of the processing of personal data by a person acting on behalf of the Operator:

  • in case of unlawful processing of personal data, carried out by the Operator or by a person acting on behalf of the Operator, within a period not exceeding three working days from the date of such identification;
  • in case of a withdrawal by the subject of personal data of consent to the processing of his personal data by the Operator;
  • in case of achievement of the objective of processing personal data, to destroy the personal data or ensure its destruction (if personal data is processed by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achievement of the objective of personal data processing. In the absence of the possibility of destruction of personal data within a specified period, the Operator blocks such personal data or ensures the blocking of it (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within six months, if another time limit is not stipulated by federal laws.

7. Final provisions

7.1. This Policy is subject to change in case of adoption of regulations that establish new requirements for the processing and protection of personal data or the introduction of changes to existing regulatory legal acts.

7.2. This Policy is approved and enacted by the order of the Company and is mandatory for all employees who have access to the personal data of employees.

7.3. Persons guilty of violating the rules for processing personal data and the requirements for the protection of personal data of an employee, established by the current legislation of the Russian Federation and the Policy, are liable under the legislation of the Russian Federation.