1. General provisions

1.1. This document defines the policy of the TianDe, Ltd. Company (hereinafter referred to as the “Company”, “Оperator”) in relation to personal data processing (hereinafter referred to as the “Policy”).
1.2. The Policy applies to the processing of personal data of subjects of personal data located on the territory of the Russian Federation.
1.3. The policy applies to the processing of personal data, using automation tools, including information and telecommunication networks, or without the use of such means, if the processing of personal data without the use of such means corresponds to the nature of actions (operations) performed with personal data using automation tools, that is, it allows to search for personal data recorded on the material carrier and contained in the card files or other systematic collections of personal data in accordance with the specified algorithm, and (or) access to such personal data.
1.4. This Policy is publicly available and published on the website at “https://tiande.ru”.
1.5. The Policy is approved by the Regulation of the General Director of the Company and is valid until it is cancelled or replaced by a similar internal document.
1.6. Local regulations and other documents regulating personal data processing are drawn up taking the provisions of this Policy into account.
1.7. Any issue not covered by this Policy shall be governed by the laws of the Russian Federation.

2. Basic terms used in the Policy

2.1. The following terms are used in this document:
- personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data);
- personal data subject – means a natural person who is directly or indirectly identified or identifiable by means of personal data;
- operator is a legal or natural person, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purpose of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
operator – TianDe, Ltd.
Registered seat: 656019, Russian Federation, Altai Region, Barnaul, E. Alekseevoi 112a. Registration number (ОГРН): 1112223005938, Taxpayer identification number (ИНН\КПП): 2223581514\222301001.
Contact address: 656019, Russian Federation, Altai Region, Barnaul, E. Alekseevoi 112a. Registration number (ОГРН): 1112223005938, Taxpayer identification number (ИНН\КПП): 2223581514\222301001.
E-mail address: support@tiande.ru;
- personal data processing – means any action (operation) or a set of actions (operations) performed using automation or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- automated processing of personal data – means personal data processing by computer technology means;
- dissemination of personal data – means an activity making personal data available to an undefined group of persons;
- provision of personal data – means an activity making personal data available to a certain person or a certain group of persons;
- blocking of personal data – means temporary termination of personal data processing (except for the case where the processing is required for specification of personal data);
- destruction of personal data – means an activity in the result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) in the result of which personal data carriers are destroyed;
- pseudonymization of personal data – means an activity in the result of which personal data can no longer be attributed to a specific data subject without the use of additional information;
- information system of personal data – means a set of personal data contained in databases, technologies and technical means enabling their processing;
- cross-border processing of personal data – means transmission of personal data on the territory of a foreign state authority of a foreign state to a foreign natural or legal person.

3. Basic rights and duties of personal data subjects

3.1. Personal data subjects are entitled to:
- have access to personal data free of charge except for the cases stipulated by legal regulations of the Russian Federation;
- receive from the operator the following information regarding the processing of personal data:
confirmation of the fact of personal data processing by the operator, legal grounds, purposes and methods of personal data processing, the name and location of the operator, information about persons (except for the operator's employees) who have access to personal data or who may be disclosed personal data on the basis of an agreement with the operator or on the basis of the legislation of the Russian Federation, processed personal data relating to the relevant subject of personal data, the source of their receipt, the terms of personal data processing, including the terms of their storage, the procedure for exercising the rights of the personal data subject, information on the performed or proposed cross-border data transfer, as well as other information provided for by the legislation of the Russian Federation;
- require the operator to clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take legal measures to protect their rights;
- not to submit to the decision based solely on automated data processing, except as provided by the legislation of the Russian Federation;
- appeal against the actions or inaction of the operator to the authorized body for the protection of the rights of personal data subjects or in court;
- to protect their rights and legitimate interests, including by recognizing the right to damages and (or) compensation for moral damage in court.
3.2. Personal data subjects are obliged to:
- provide accurate information about themselves and provide documents containing personal data that are required by legal regulations of the Russian Federation and local requirements of the operator in the extent required for the purposes of the processing;
- inform the operator about the specification (update, alteration) of their personal data;
- fulfil other obligations stipulated by legal regulations of the Russian Federation.
3.3. In all other cases that are not defined in this Policy, the procedure for implementation of the rights of subjects in relation to personal data and conditions for limitation of these rights is governed by legal regulations of the Russian Federation.

4. Basic rights and duties of the operator

4.1. Considering the current state of the development of technologies, implementation costs and the nature, scope, volume, context and purpose of the processing as well as differently probable and serious risks for the rights and freedoms of natural persons resulting from the processing of personal data, the operator is required to:
- provide the subject of personal data, at his request, with the information provided in the PP.3.1. this Policy;
- if personal data are not received from the subject of personal data, except as provided by the legislation of the Russian Federation, prior to the processing of such personal data to provide the subject of personal data the following information:
1) name or surname, first name, patronymic and address of the operator;
2) purpose of personal data processing and its legal basis;
3) expected users of personal data;
4) the rights of the personal data subject established by the legislation of the Russian Federation;
5) source of personal data;
- when collecting personal data, including through the information and telecommunication network "Internet", to provide record, systematization, accumulation, storage, specification (updating, change), extraction of personal data of citizens of the Russian Federation with use of the databases which are in the territory of the Russian Federation except for the cases provided by the legislation of the Russian Federation;
- to take measures necessary and sufficient to ensure the performance of duties stipulated by the legislation of the Russian Federation;
- publish or otherwise provide unlimited access to the document defining its Policy regarding the processing of personal data, to information on the requirements for the protection of personal data;
- submit documents and local acts and (or) otherwise confirm the adoption of measures aimed at ensuring the performance of the operator's duties, as well as provide other information at the request of the authorized body for the protection of the rights of personal data subjects within thirty days from the date of receipt of such request;
- to inform the personal data subject or his representative in accordance with the legislation of the Russian Federation, information on the availability of personal data relating to the corresponding subject of personal data, as well as provide the opportunity to examine these personal data handling the personal data subject or his representative or within thirty days from the date of receipt of the request of personal data subject or his representative;
- provide the personal data subject or his representative with the opportunity to get acquainted with personal data related to this personal data subject free of charge;
- in the case of achieving the purpose of processing of personal data to terminate the processing of personal data or to ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the operator) and to destroy personal information or to ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the operator) within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided by the contract, the party which, the beneficiary or guarantor under which the personal data subject is, or other agreement between the operator and the personal data subject or if the operator is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the legislation of the Russian Federation;
- as a legal entity, appoint a person responsible for the organization of personal data processing, which receives instructions directly from the Executive body of the organization, which is the operator, and is accountable to him;
- not to disclose to third parties or distribute personal data without the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation. This provision also applies to other persons who have access to personal data.
4.2. The operator processing personal data, depending on the purposes of processing specified in paragraph 5 of this Policy, has the right to:
- receive documents containing personal data;
- to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation, on the basis of the relevant agreement concluded with that person;
- require the subject of personal data to clarify the personal data provided in a timely manner;
- to refuse to the subject of personal data in the performance of the repeated request that does not comply with the conditions provided by the legislation of the Russian Federation;
- in the cases provided for by the legislation of the Russian Federation, to carry out processing of personal data without notice to the authorized body for the protection of the rights of personal data subjects.
4.3. The operator has other rights and duties not defined in this Policy pursuant to legal regulations of the Russian Federation.

5. Purpose of obtaining personal data

5.1. The processing of personal data pursuant to this Policy is carried out for the following purposes:
- ensure compliance with legal regulations of the Russian Federation;
- execute judicial acts, acts of other authorities or officials subject to the execution in accordance with legal regulations of the Russian Federation;
- provide services to personal data subjects, fulfil orders, provide options for using the services, perform advertising campaigns, provide targeted advertising and services;
- carry out statistical studies and analyses of statistical data;
- enable participation in incentive events, competitions and similar events;
- keep personal records and issues of employees;
- provide holiday leaves to employees and sending employees on business trips;
- organize and implement remuneration of employees;
- applications for passports and visas and health insurance for those travelling abroad;
- organize individual (personalized) registrations of employees in the system of compulsory pension insurance;
- ensuring control over labor discipline, preservation of material values, protection of trade secrets, ensuring personal safety of employees and third parties;
- filling in and submission of various required reports to executive bodies and other authorized organizations;
- prepare, conclude, execute and terminate civil-law agreements.

6. Legal basis of personal data processing

6.1. The legal basis for the processing of personal data is represented by a set of normative legal acts according to which and in accordance to which the operator carries out the processing of personal data, including:
- legal regulations of the Russian Federation;
- Federal law of 27.07.2006 N 152-FZ “On personal data”;
- other normative legal acts and normative documents of the authorized bodies of the state power of the Russian Federation concerning the issues related to the processing of personal data;
- “Convention on the protection of individuals in the automatic processing of personal data” (Concluded in Strasbourg on 28.01.1981);
- Charter and other local acts of the operator;
- consent of the subjects to the processing of their personal data.
6.2. In particular pursuant to the purposes defined in section 5 of this Policy, reasons for legal processing of personal data of subjects regardless of the method of obtaining these data, are as follows:
- the subject has agreed with the processing of his/her personal data for one or more specific purposes;
- processing of personal data is necessary for the execution of the agreement, the party or beneficiary or guarantor of which is the personal data subject, as well as for the conclusion of the agreement on the initiative of the personal data subject or the agreement under which the personal data subject will be the beneficiary or guarantor.

7. Volume and categories of processed personal data, categories of personal data subjects

7.1. According to the purpose defined in article 5 of this Policy, personal data can be processed from the following categories of subjects:
7.1.1. Users of the “https://tiande.ru” websites who have registered or made a purchase of goods:
- name, surname, father’s name;
- year and place of birth;
- contact details.
7.1.2. Applicants for a job in the operator’s organization:
- surname, name, father’s name;
- gender;
- age;
- education, qualification, work experience and information about further education.
7.1.3. Operator’s employees:
- surname, name, father’s name;
- gender;
- age;
- appearance (photograph);
- details of identity card;
- permanent residence and contact address;
- identification number (ID number) of a person;
- birth certificate number;
- education, qualification, work experience and information about further education;
- marital status including children, family relations;
- information about work activity, including incentives, rewards and / or disciplinary fines;
- details about marriage registration;
- military records;
- information about disablement;
- information about alimony deductions;
- information about incomes from previous workplace;
- other personal data provided by employees in accordance with the requirements of labour-law regulations of the Russian Federation.
7.2. Processing of biometric personal data (information characterizing physiological and biological features of a person on the basis of which his/her identity can be determined) is carried out in accordance with the laws of the Russian Federation.
7.3. The processor does not process personal data of specific categories related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life or criminal record data.

8. Procedure and general conditions of personal data processing

8.1. Personal data processing is carried out with the approval of a personal data subject unless legal regulations of the Russian Federation stipulate otherwise.
8.2. Personal data processing can be carried out by computer technology (automated processing) or with direct participation of a person without using computer technology (non-automated processing).
8.3. Personal data processing is permitted only to those employees of the operator who have this activity outlined in their job description. These employees are entitled to obtain only those personal data that they need for the fulfilment of their work duties.
8.4. Personal data processing is carried out:
- by obtaining information containing personal data in oral, written and electronic form directly from personal data subjects;
- by providing originals of required documents directly from personal data subjects;
- by obtaining certified copies of documents containing personal data or by copying original documents;
- by obtaining personal data during sending inquiries to state authorities, local authority bodies, commercial and non-profit organizations, natural persons in cases and in accordance with the procedure defined by legal regulations of the Russian Federation;
- by obtaining personal data from public resources;
- by recording (registering) personal data in journals, books, registers and other records;
- by using other means and methods of personal data obtaining.
8.5. Personal data processing continues until a personal data subject withdraws his/her consent and also for the period required for the purposes for which the personal data are processed. After achieving the purpose of the personal data processing and in case of withdrawal of the consent of a personal data subject to the personal data processing, personal data shall be erased, unless an agreement between the operator and a personal data subject and legal regulations of the of Russian Federation stipulate otherwise.
8.6. Cross-border transfer of personal data on the territory of foreign States that are parties to the Council of Europe Convention on the protection of individuals in the automatic processing of personal data, as well as other foreign States, providing adequate protection of the rights of personal data subjects, is carried out in accordance with the legislation of the Russian Federation and may be prohibited or limited in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, ensuring the country's defense and state security.
8.7. Cross-border transfer of personal data in the territory of foreign States that do not provide adequate protection of the rights of personal data subjects may be carried out with the consent in writing of the personal data subject to cross-border transfer of his personal data, execution of the agreement to which the personal data subject is a party, as well as in other cases provided for by the legislation of the Russian Federation.
8.8. To obtain additional information about the rules of the personal data processing in accordance with this Policy contact the e-mail address support@tiande.ru.

9. Procedure of providing information and answering questions related to processing of personal data of subjects

9.1. Information about the processing of personal data of subjects are provided to a personal data subject or his/her representative after the operator or the processor receives the request from the subject or his/her representative.
9.2. The request shall contain details enabling the operator to identify a personal data subject: details about the identity card of a data subject or his/her representative, information confirming the relationship of a personal data subject towards the operator (number of an agreement, date of a concluded agreement, conditioned word specification and (or) other information) or information confirming the fact of personal data processing in any other way, signature (including an electronic signature) of a personal data subject or his/her representative. The request can be sent in the form of an electronic document with an electronic signature on it pursuant to legal regulations of the Russian Federation.
9.3. The operator is obliged to provide relevant information about measures adopted in connection with the requirement and also to adopt adequate measures and inform third parties whom the personal data of this subject has been transmitted to no later than one month after receiving the request of a personal data subject related to his/her own rights defined in PP 3.1. of this Policy, except for the periods defined by the legislation of the Russian Federation.
9.4. The information provided by the operator and other messages related to the personal data processing are provided in a brief, open, comprehensible and easily accessible form in a clear and comprehensible language. The information is provided in writing or other means, including an electronic form. If a data subject submits the request electronically, the information will be provided also electronically as circumstances allow unless the data subject requires a different method of obtaining the information. At the request of a personal data subject it is possible to provide the information in an oral form if the identification of the data subject is confirmed by other means.
9.5. If the operator does not take action on the request of the data subject, he must inform the data subject immediately, and not later than one month after receiving such a request,. give in writing a reasoned response about the reasons for not taking action.
9.6. If the information specified in the PP. 3.1. this Policy, as well as the processed personal data, have been provided to the subject of personal data on his request, the subject of personal data has the right to contact the operator again or send him a second request in order to obtain the information specified in the PP. 3.1. of this Policy, and familiarization with such personal data not earlier than thirty days after the initial application or direction of the initial request, if a shorter period is not established by the legislation of the Russian Federation, adopted in accordance with the regulatory legal act or agreement, the party or the beneficiary or guarantor for which is the subject of personal data.
9.7. The personal data subject has the right to contact the operator again or send him a repeated request in order to obtain the information specified in the PP. 3.1 of this Policy, as well as for the purpose of familiarization with the processed personal data before the expiration of the thirty-day period after the initial application or sending the initial request, if such information and (or) the processed personal data were not provided to him for review in full on the results of the consideration of the initial application.
9.8. The operator provides the personal data subject or his representative with the opportunity to get acquainted with the personal data related to this personal data subject free of charge.
9.9. Within a period not exceeding seven working days from the date of submission of personal data by the subject or his representative of information confirming that personal data are incomplete, inaccurate or irrelevant, the operator is obliged to make the necessary changes.
9.10. Within a period not exceeding seven working days from the date of submission of personal data by the subject or his representative of the information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the operator is obliged to destroy such personal data.
9.11. The right of a personal data subject to access to his / her personal data may be restricted in accordance with the legislation of the Russian Federation, including if the access of the personal data subject to his / her personal data violates the rights and legitimate interests of third parties.
9.12. The requests and other reports concerning the personal data processing can be sent to the e-mail address support@tiande.ru in an open form, however, the requirements of such requests stipulated in section 9.2. of this Policy must be fulfilled.

10. Requirements for personal data protection

10.1 The safety of personal data during their processing is observed in accordance with legal regulations of the Russian Federation.
10.2. When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or to ensure their adoption to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data.
10.3. As soon as this Policy comes into effect the operator shall introduce and apply safety measures defined in this section. The operator can update or alter these safety measures unless such updates and alterations deteriorate in general the safety of the personal data processing.
10.4. However, the operator is unable to guarantee that the safety measures adopted for the protection of the data and information provided by automated means shall prevent or exclude any risk of unauthorized data access or loss in case that the leakage of personal data is caused through the fault of activity of their owner. It is purposeful that the computer of the personal data subject is equipped with corresponding software for the data protection during their transfer, receipt of network data (such as updated antivirus systems) and that an internet service provider adopts appropriate measures for ensuring safety of the network data transfer (for example firewall and spam filtering).
10.5. The protective measures carried out by the operator during the personal data processing include:
- accepting local laws and other internal documents in the sphere of the personal data processing and protection;
- ensuring the safety of other persons, with the consent of the subject of personal data which is entrusted with the processing of personal data of the subject before, as well as in the processing of fully or partially carried out by automated means, by conducting an audit for their safety and confidentiality, depending on the level required for admission to processing;
- appointing persons responsible for ensuring the personal data safety;
- performing methodical work and ensuring training of employees engaged in the personal data processing;
- introduction of necessary conditions for the work with material carriers and information systems within which personal data are processed as well as the conditions for their keeping and saving by the processor, ensuring the personal data safety and excluding an unauthorized access to them;
- dividing the personal data processed without automated means from other information;
- ensuring separated storage of material carriers of personal data containing personal data of various categories or containing personal data processed for various purposes;
- ban on the personal data transmission through open communication channels, computer networks and internet without using appropriate measures for ensuring the personal data safety;
- ensuring protection of documents containing personal data in paper and other material carriers during their transmission to third parties via postal services;
- internal inspection of all subjects involved in the personal data processing and their observance of legal regulations of the Russian Federation and local documents of the operator during the personal data processing, including this Policy.

11. Responsibility for violating the procedure of processing of personal data of subjects

11.1. Liability for violation of the requirements of the legislation of the Russian Federation in the field of processing and protection of personal data, as well as the conditions for imposing administrative fines and their amount are determined in accordance with the legislation of the Russian Federation.

The wording approved on
31 December 2014

General Director
TianDe, Ltd.
A.G. Elkin