Personal Data Processing Policy

1 General

  1. 1.1 This personal data processing policy (the "Policy") has been drawn up in accordance with the requirements of Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" (the "Law on Personal Data") and it sets forth the procedure for processing personal data in ORION PARTNERS Law Firm LLC ("Orion"), as well as the measures taken by Orion to ensure the security of personal data collected using the website of Orion with the domain name https://orion-law.com (the "Website").

  2. 1.2 Orion sets as its most prominent goal and pre-requisite for its activities the observance of human and civil rights and freedoms while processing personal data, including the protection of the rights to privacy, personal and family secrets.

  3. 1.3 The Policy applies solely to the Website and to all personal data that Orion may receive about a Website visitor (a "User"). The processing by Orion of personal data of other categories of personal data subjects shall be regulated by other local acts of Orion.

  4. 1.4 The legal basis for the processing of personal data is a set of regulatory legal acts, pursuant to and in accordance with which Orion processes personal data, as well as the Charter and other documents of Orion.

  5. 1.5 The main terms and concepts used in the Policy shall be interpreted in accordance with their definition set forth in the Law on Personal Data.

2 Purposes of personal data processing

  1. 2.1 Personal data of Website Users are processed for the following purposes:

  2. 2.1.1 informing Users by sending e-mails;

  3. 2.1.2 promotion of services;

  4. 2.1.3 provision of reference and marketing information to Users;

  5. 2.1.4 receipt of feedback from Users;

  6. 2.1.5 consideration of employment applications and hiring employees;

  7. 2.1.6 improvement of the Website and description of services provided by Orion;

  8. 2.1.7 ensuring safety of using the Website and its efficient operation;

  9. 2.1.8 information support;

  10. 2.1.9 collection, processing and publication of information obtained during interviews on the Website;

  11. 2.1.10 gathering statistics and analyzing operation of the Website;

  12. 2.1.11 for other purposes being in compliance with applicable laws of the Russian Federation.

3 Terms of personal data processing

  1. 3.1 The processing of personal data shall be carried out provided that the personal data subject grants their consent to the processing of their personal data.

  2. 3.2 The processing of personal data is necessary to achieve the goals stipulated by an international treaty concluded by the Russian Federation or by law, in order to perform the functions and the obligations and to execute the powers established by laws of the Russian Federation applicable to Orion.

  3. 3.3 The processing of personal data is required for the administration of justice, execution of judicial acts or acts of any other body or official to be executed in accordance with laws of the Russian Federation on enforcement proceedings.

  4. 3.4 The processing of personal data is required for the performance of an agreement to which the personal data subject is a party or under which they act as beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will act as beneficiary or guarantor.

  5. 3.5 The processing of personal data is required to exercise rights and legitimate interests of Orion or third parties, or to achieve publicly significant goals, provided that the rights and freedoms of the personal data subject are not violated.

  6. 3.6 The processing of personal data for subsequent distribution, the access of an unlimited number of persons to which is granted or allowed by the personal data subject, shall be carried out in compliance with the prohibitions and conditions stipulated by the Law on Personal Data.

  7. 3.7 Any personal data subject to publication or mandatory disclosure in accordance with the Law on Personal Data shall be processed.

  8. 3.8 No processing of biometric personal data or special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status or intimate life shall be carried out on the Website.

  9. 3.9 The achievement of goals of personal data processing, no further need to achieve these goals, the expiration of personal data processing period, the withdrawal of consent by a Website User to the processing of their personal data as well as any detection of unlawful processing of personal data may serve as a basis for terminating the processing of personal data.

  10. 3.10 The prohibitions on the transfer (other than granting access) and the processing of personal data permitted for distribution or the terms of processing (other than obtaining access) personal data permitted for distribution established by a personal data subject may not apply in cases of processing personal data in state, social and other public interests determined by laws of the Russian Federation.

4 Principles of personal data processing

  1. 4.1 The processing of personal data shall be carried out on a legal and fair basis.

  2. 4.2 The processing of personal data shall be limited to the achievement of specific, predetermined and legitimate goals.

  3. 4.3 No processing of personal data that is incompatible with the goals of collecting personal data shall be allowed.

  4. 4.4 Combining databases containing personal data the processing of which is carried out for goals being incompatible with each other may not be allowed.

  5. 4.5 The content and scope of processed personal data shall correspond to the stated processing goals. The redundancy of processed personal data in relation to the stated processing goals may not be allowed.

  6. 4.6 Personal data shall be stored in a form that allows identifying the personal data subject no longer than required by the goals of processing personal data.

  7. 4.7 While processing personal data, Orion ensures the accuracy of personal data, their sufficiency, and, if applicable, their relevance to the goals of processing personal data. Orion shall take the necessary measures and/or ensure the necessary measures are taken to remove or clarify incomplete or inaccurate data.

  8. 4.8 Orion does not verify the authenticity of information provided by a User, and proceeds from the fact that a User provides reliable and sufficient information and controls its relevance.

5 Confidentiality of personal data

Orion and other persons receiving access to personal data may not disclose to third parties or distribute the personal data without the consent of the personal data subject, unless otherwise provided by the Law on Personal Data.

6 List of actions performed by Orion with the personal data received

  1. 6.1 Orion shall collect, record, systematize, accumulate, store, clarify (update, amend), extract, use, transfer (distribute, provide, give access), depersonalize, block, delete and destroy personal data.

  2. 6.2 Orion shall carry out automated processing of personal data with or without the receipt and/or transmission of the received information via information and telecommunication networks.

  3. 6.3 Orion shall process personal data for no longer than is required by the goals of their processing, unless other periods are provided for by applicable laws of the Russian Federation on personal data.

7 Personal data processing procedure

  1. 7.1 The processing of personal data of Website Users shall be performed subject to receiving their consent thereto. Website Users give their consent to the processing of their personal data when subscribing to news by clicking on the "Subscribe to News" button.

  2. 7.2 If a User does not agree with the terms of the Policy, the use of the Website and/or any services available when using the Website shall be immediately ceased.

  3. 7.3 List of Users' personal data processed on the Website using automation tools:

    1. 7.3.1 surname, first name, patronymic;

    2. 7.3.2 telephone number;

    3. 7.3.3 e-mail;

    4. 7.3.4 any other information which a User decided to provide.

  4. 7.4 In order to gather statistics and analyze the operation of the Website, Orion processes information about Users’ visits to the Website without the relevant information being provided by Users themselves. The above information may be obtained using such metric services as Google Analytics and Yandex.Metrica. The metric services Google Analytics and Yandex.Metrica allow processing the following data:

    1. 7.4.1 IP address;

    2. 7.4.2 information about the browser;

    3. 7.4.3 data from cookies;

    4. 7.4.4 access time;

    5. 7.4.5 referrer (address of the previous page).

  5. 7.5 If a Website User does not agree to cookies being stored on their device, they may independently disable this option in their browser settings. Stored cookies may also be deleted at any time in the browser’s system settings. A Website User may change the browser settings to accept or reject by default all cookies or cookies from specific websites, including the Website.

  6. 7.6 In case of disagreement with the use of metric services, Internet statistics settings and tools, a Website User shall cease using the Website.

  7. 7.7 Following the blocking of Google Analytics and Yandex.Metrica, as well as disabling of some cookies, some functions of the Website may become unavailable.

  8. 7.8 The period for processing of personal data shall be determined by the achievement of the goals for which the personal data were collected, unless a different period is stipulated by the contract or applicable law.

  9. 7.9 The personal data of Website Users shall be stored for the period necessary to achieve the goals of collecting personal data or for the period stipulated by the Law on Personal Data. Upon reaching the goals and/or expiration of the personal data processing period, the personal data of Website Users shall be destroyed without notifying Website Users.

  10. 7.10 In case of detection of any inaccuracies in their personal data, a User may update them independently by sending Orion a notification to the email address info@orion-law.com marked "Updating personal data".

  11. 7.11 A User may at any time withdraw their consent to the processing of personal data by sending Orion a notification to the email address info@orion-law.com marked "Withdrawal of consent to the processing of personal data".

  12. 7.12 All information collected by third-party services, including by payment systems, means of communication and other service providers, shall be stored and processed by such persons (Operators) in accordance with their user agreements and privacy policies. Orion shall not be liable for any actions of third parties, including the service providers specified in this clause.

8 Cross-border transfer of personal data

  1. 8.1 Orion may perform cross-border transfers of personal data in accordance with the Law on Personal Data.

  2. 8.2 Prior to the commencement of a cross-border transfer of personal data, Orion shall notify an authorized body for the protection of the rights of personal data subjects of its intention to carry out a cross-border transfer of personal data (such notification shall be sent separately from the notification of the intention to process personal data). A notification of intent to carry out a cross-border transfer of personal data shall contain the information stipulated in clause 4 of Article 12 of the Law on Personal Data. It shall be sent in a hard copy or in electronic form and signed by an authorized person.

  3. 8.3 Prior to submitting the notification provided for in clause 8.2 hereof, Orion is obliged to obtain from the authorities of a foreign state, foreign individuals or foreign legal entities to whom the cross-border transfer of personal data is planned the information stipulated in clause 5 of Article 12 of the Law on Personal Data.

  4. 8.4 After submitting the notification provided for in clause 8.2 hereof, Orion has the right to carry out cross-border transfers of personal data to the territory of foreign states:

    1. 8.4.1 being parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data;

    2. 8.4.2 contained in the list approved by an authorized body for the protection of the rights of personal data subjects which features foreign states providing adequate protection of the rights of personal data subjects but not being parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

  5. 8.5 Cross-border transfers of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be performed by Orion after submitting the notification provided for in clause 8.2 hereof in case of protection of life, health or other vital interests of personal data subjects or other persons.

  6. 8.6 Cross-border transfers of personal data may be prohibited or limited in order to protect the foundations of the constitutional order of the Russian Federation, morality, health, rights and legitimate interests of citizens, to ensure the national defense and state security, to protect the economic and financial interests of the Russian Federation, to provide diplomatic and international legal means of protection of the rights, freedoms and interests of citizens of the Russian Federation, sovereignty, security, territorial integrity of the Russian Federation and its other interests in the international arena from the date of adoption by an authorized body for the protection of the rights of personal data subjects of the decision provided for in Article 12 of the Law on Personal Data.

  7. 8.7 The use of the Website implies the User’s consent to the cross-border transfer of personal data for the purposes of Article 12 of the Law on Personal Data.

9 Measures to ensure the security of personal data

  1. 9.1 The security of personal data processed by Orion shall be ensured by the introduction of legal, organizational, technical and software measures necessary and sufficient to comply with the requirements of laws of the Russian Federation.

  2. 9.2 In order to protect Users’ personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution or other illegal actions of third parties, Orion shall take the following organizational and technical measures:

    1. 9.2.1 limiting the composition of Orion employees having access to personal data;

    2. 9.2.2 determination of the level of protection of personal data while processing personal data in information systems;

    3. 9.2.3 establishment of rules for delimiting access to personal data processed in personal data information systems and ensuring registration and recording of all actions performed with personal data;

    4. 9.2.4 restriction of access to the premises where the main technical equipment and personal data information systems are kept and where non-automated processing of personal data is carried out;

    5. 9.2.5 keeping records of machine carriers of personal data;

    6. 9.2.6 arranging for backup and restoration of the operability of personal data information systems as well as personal data modified or destroyed as a result of any unauthorized access thereto;

    7. 9.2.7 establishment of requirements for the complexity of passwords used to access personal data information systems;

    8. 9.2.8 administration of antivirus control, prevention of the penetration of malicious software (software viruses) and software backdoors into the corporate network;

    9. 9.2.9 arranging for timely updates to software used in personal data information systems and to information security tools;

    10. 9.2.10 regular assessment of the effectiveness of measures taken to ensure the security of personal data;

    11. 9.2.11 detection of unauthorized access to personal data and taking measures to establish the causes and to eliminate possible consequences thereof;

    12. 9.2.12 control over the measures taken to ensure the security of personal data and levels of security of personal data information systems.

  3. 9.3 Orion may involve third parties for the purpose of processing personal data of Website Users, and Orion shall ensure that such third parties undertake corresponding obligations as to the confidentiality of personal data.

  4. 9.4 For the purpose of providing services, Orion may, if necessary, hire external consultants, both in Russia and abroad. In such case Orion shall ensure the performance by such external consultants of obligations pertaining to personal data within the framework of and in accordance with the Policy.

  5. 9.5 The Website may contain links to other websites, the procedure for processing personal data on which may differ from the one provided for by the Policy. Prior to using such websites, Users should read their privacy policy and similar documents posted on such websites.

10 Basic rights and obligations of Orion

  1. 10.1 Orion may independently determine the composition and the list of measures necessary and sufficient to ensure the performance of the obligations stipulated by the Law on Personal Data and any regulations adopted thereunder, unless otherwise provided for by the Law on Personal Data or other federal laws.

  2. 10.2 In the event that a personal data subject withdraws their consent to the processing of personal data and submits a request to terminate processing their personal data, Orion may continue processing the personal data without the consent of the personal data subject on the grounds specified in the Law on Personal Data.

  3. 10.3 Orion shall:

    1. 10.3.1 organize the processing of personal data in the manner prescribed by applicable laws of the Russian Federation;

    2. 10.3.2 upon request, provide a personal data subject with information regarding the processing of their personal data;

    3. 10.3.3 respond to inquiries and requests from personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;

    4. 10.3.4 upon request, disclose to an authorized body for the protection of the rights of personal data subjects the necessary information within ten (10) days after receipt of such request;

    5. 10.3.5 publish or otherwise provide unrestricted access to the Policy;

    6. 10.3.6 take legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision distribution or any other illegal actions in relation to personal data;

    7. 10.3.7 terminate the transfer of (distribution or provision of, access to) personal data, terminate processing and destroy personal data in the manner and in cases stipulated by the Law on Personal Data;

    8. 10.3.8 perform other obligations pr by the Law on Personal Data.

11 Basic rights and obligations of personal data subjects

  1. 11.1 Personal data subjects may:

    1. 11.1.1 receive information regarding the processing of their personal data, unless otherwise stipulated by federal laws, and this information shall be provided by Orion in a comprehensible form and may not contain personal data relating to other personal data subjects, unless there are legal grounds for the disclosure of such personal data;

    2. 11.1.2 request Orion to update, block or destroy their personal data if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated processing goal, as well as take legal measures to protect their rights;

    3. 11.1.3 provide prior consent to the processing of their personal data in order to promote goods, works and services on the market;

    4. 11.1.4 revoke their consent to the processing of personal data and submit a request to terminate processing personal data;

    5. 11.1.5 file an appeal with an authorized body for the protection of the rights of personal data subjects or challenge in court illegal actions or inaction of Orion in the course of processing their personal data;

    6. 11.1.6 exercise other rights provided for by laws of the Russian Federation.

  2. 11.2 Personal data subjects shall notify Orion of any clarification (update, amendment) of their personal data.

  3. 11.3 Any persons providing Orion with false information about themselves or information about another personal data subject without the consent of the latter shall be held liable in accordance with laws of the Russian Federation.

12 Final provisions

  1. 12.1 Any User may receive any clarifications on issues of interest regarding the processing of their personal data by contacting Orion via e-mail info@orion-law.com.

  2. 12.2 The Policy may be amended subject to any amendments being introduced to applicable laws of the Russian Federation on personal data, and may also be amended at any time at the discretion of Orion. The Policy shall remain valid for an unlimited term until replaced by a new version hereof.

  3. 12.3 The up-to-date version of the Policy is available on the Internet at https://orion-law.com/policy.

  4. 12.4 Other rights and obligations of Orion in connection with the processing of personal data that are not reflected in the Policy are determined by the laws of the Russian Federation on personal data.