QUANTEK LLC Policy on the Protection and Processing of Personal Data

Approved by QUANTEK LLC CEO’s Order No. 2/2021 dated November 1, 2021.

1. General Provisions

1.1. This document (hereinafter, the Policy) determines the purposes and general principles of personal data processing, as well as the measures for personal data protection implemented by QUANTEK LLC (hereinafter, the Provider or QUANTEK LLC). The Policy is a publicly available document of the Provider and is intended for access by the public.
1.2. The Policy is developed and applied in accordance with clause 2, part 1, Article 18.1 of Federal Law No.152-FZ “On Personal Data” dated July 27, 2006.
1.3. The Policy uses the terms and definitions as stipulated by Federal Law No.152-FZ “On Personal Data” dated July 27, 2006.

2. Provider’s Information

Name: QUANTEK Limited Liability Company
Registration Number (OGRN) 1147847440135, Taxpayer Identification Number (TIN) 7816601369
Physical address: 60 B. Sampsonievsky Prospekt, Building A, Room 1–N, St. Petersburg, 194044

3. Purpose of Processing Personal Data

The Provider processes personal data solely for the following purposes:
3.1. Fulfilling the requirements of applicable law;
3.2. Making decisions on signing employment contracts;
3.3. Maintaining personnel records, signing and fulfillment of obligations under employment contracts;
3.4. Arranging for individual (personalized) registration of employees in the compulsory pension insurance system;
3.5. Filling out and submitting the required reporting forms to the executive authorities and other authorized organizations.

4. Legal Basis for Processing Personal Data

4.1. This document has been developed on the basis of and in accordance with the following regulations:

— Constitution of the Russian Federation;

— Civil Code of the Russian Federation;

— Labor Code of the Russian Federation;

— Tax Code of the Russian Federation;

— Doctrine of Information Security of the Russian Federation;

— Federal Law No. 160-FZ “On Ratification of the Council of Europe Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data” dated December 19, 2005;

— Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” dated July 27, 2006;

— Federal Law No. 126-FZ “On Communications” dated July 7, 2003;

— Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter, FZ No. 152 “On Personal Data”);

— Federal Law No. 27-FZ “On Individual (Personalized) Accounting in the Compulsory Pension Insurance System” dated April 1, 1996;

— Federal Law No. 326-FZ “On Compulsory Medical Insurance in the Russian Federation” dated November 29, 2010;

— Federal Law No. 167-FZ “On Compulsory Pension Insurance in the Russian Federation” dated December 15, 2001;

— Decree of the Government of the Russian Federation No. 687 “On Approval of the Regulations on the Specifics of Processing Personal Data Carried Out Without the Use of Automation” dated September 15, 2008;

— Decree of the Government of the Russian Federation No. 1119 “On Approval of the Requirements for Protection of Personal Data During Their Processing in Personal Data Information Systems” dated November 1, 2012;

— Decree of the Government of the Russian Federation No. 512 “On Approval of Requirements for Tangible Media for Biometric Personal Data and Technologies of Such Data Storage Outside Personal Data Information Systems” dated July 6, 2008;

— Russian Federation Presidential Decree No. 188 “On Approval of the List of Confidential Information” dated March 6, 1997;

— Order of the Federal Service for Technical and Export Control of Russia No. 21 “On Approval of Scope and Content of Organizational and Technical Measures to Ensure Personal Data Security During its Processing in Personal Data Information Systems” dated February 18, 2013;

— Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media No. 996 “On Approval of Requirements and Methods for Depersonalization of Personal Data” dated September 5, 2013;

— Contracts entered into between the Provider and personal data subjects;

— Consent of the personal data subject (written consent in the cases stipulated by applicable law);

— Other regulations and legislation governing relations in the field of personal data security.

4.2. The Provider processes a User’s personal data only if the User enters it and/or sends it personally through special forms on the website https://qntk.ru/. By filling out the relevant forms and/or sending their personal data to the Provider, the User expresses their consent to this Policy.

4.3. The Provider processes anonymized data about the User if it is enabled in the User’s browser settings (saving cookies is enabled).


5. Main Categories of Personal Data Subjects

5.1. The Provider carries out both automated and non-automated processing of personal data of the following categories of personal data subjects:
5.1.1. Applicants (candidates) for vacant positions in QUANTEK LLC;
5.1.2. Employees who have signed employment contracts with QUANTEK LLC;
5.1.3. Relatives of QUANTEK LLC employees;
5.1.4. Dismissed employees;
5.1.5. Individuals who are customers of QUANTEK LLC (users of communication services and other services provided by QUANTEK LLC, buyers of QUANTEK LLC goods);
5.1.6. Individuals who have signed civil law contracts with QUANTEK LLC, except for those specified in paragraph 5.1.5. of this section;
5.1.7. QUANTEK LLC visitors;
5.1.8. Representatives of the aforementioned subjects authorized by a power of attorney;
5.1.9. Other personal data subjects (to ensure the processing purposes specified in section 3 of the Policy are realized).

6. Content and Scope of Personal Data Processing


6.1. Category of Personal Data Subject: Applicants for vacant positions in QUANTEK LLC

Personal Data Processing Purpose: Recruitment

Personal Data Processed by the Provider:
— Full name;
— Date and place of birth;
— Details of the identity document;
— Citizenship;
— Registered address;
— Residential address;
— Phone number;
— Email address;
— Information on education;
— Information on previous employment, work experience;
— Other information, optionally included in the questionnaire

Personal Data Processing Period: Time required to achieve the processing goals

6.2. Category of Personal Data Subject: QUANTEK LLC employees

Personal Data Processing Purpose:
— Ensure compliance with current legislation;
— Manage the quantity and quality of work performed;
— Ensure the personal safety of workers;
— Ensure the safety of assets;
— Ensure access control

Personal Data Processed by the Provider:
— Full name;
— Date and place of birth;
— Details of the identity document;
— Citizenship;
— Registered address;
— Residential address;
— Phone number;
— Email address;
— Information on education;
— Information on previous employment, work experience;
— Marital status and family composition;
— Photo;
— Information on social benefits;
— State pension insurance information;
— TIN;
— Individual pension insurance account number;
— Compulsory health insurance information;
— Information on military registration;
— General information on health and professional fitness necessary to fulfill the employment contract and legal requirements;
— Information on wages and other payments and deductions received and made in the course of employment;
— Bank account details;
— Information on permissions, authorizations, additional training, etc. required to perform professional activities;
— Information on incentives and cases of disciplinary actions

Personal Data Processing Period: For the duration of the employment contract and 5 years from the date of the employee’s dismissal, as required by current law, until the goals of processing are achieved or the consent to process personal data is revoked

6.3. Category of Personal Data Subject: Relatives of QUANTEK LLC employees

Personal Data Processing Purpose: Ensure compliance with legal requirements

Personal Data Processed by the Provider:
— Full name;
— Date of birth

Personal Data Processing Period: For the duration of the employment contract and 5 years from the date of the employee’s dismissal, as required by current law, until the goals of processing are achieved or the consent to process personal data is revoked

6.4. Category of Personal Data Subject: Dismissed employees

Personal Data Processing Purpose: Ensure compliance with legal requirements

Personal Data Processed by the Provider:
— Full name;
— Date and place of birth;
— Details of the identity document;
— Citizenship;
— Registered address;
— Residential address;
— Phone number;
— Email address;
— Information on education;
— Information on previous employment, work experience;
— Marital status and family composition;
— Photo;
— Information on social benefits;
— State pension insurance information;
— TIN;
— Individual pension insurance account number;
— Compulsory health insurance information;
— Information on military registration;
— General information on health and professional fitness necessary to fulfill the employment contract and legal requirements;
— Information on wages and other payments and deductions received and made in the course of employment;
— Bank account details;
— Information on permissions, authorizations, additional training, etc. required to perform professional activities;
— Information on incentives and cases of disciplinary actions

Personal Data Processing Period: 5 years from the date of the employee’s dismissal, as required by current law, until the goals of processing are achieved or the consent to process personal data is revoked

6.5. Category of Personal Data Subject: Representatives of the aforementioned subjects authorized by a power of attorney

Personal Data Processing Purpose: Depends on the category of the personal data subject

Personal Data Processed by the Provider:
— Full name;
— Details of the identity document;
— Residential address;
— Details of the document certifying the power of the representative

Personal Data Processing Period: In accordance with clause 4, Article 7 of Federal Law No. 115-FZ “On Counteracting the Legalization (Laundering) of Proceeds of Crime and Financing of Terrorism” dated August 7, 2001, the time frame for personal data processing by representatives authorized by a power of attorney shall be at least 5 years from the date of the agreement’s termination, if the authorized representatives sign documents (reports, agreements, etc.)

7. Principles of Personal Data Processing by the Provider 

The Provider processes personal data according to the following principles:

— Legality of the purposes and methods of personal data processing, good faith and rightness in the Provider’s activities.

— Reliability of personal data, its sufficiency for the purposes of processing, unacceptability of personal data processing that exceeds the objectives stated for personal data collection.

— Processing only the personal data that meets the processing purposes.

— Compliance of the content and scope of processed personal data with the stated processing purposes. Processed personal data shall not be excessive in relation to the stated processing purposes.

— Unacceptability of merging databases containing personal data whose processing is carried out for mutually incompatible purposes.

— Ensuring the accuracy of personal data, its sufficiency, and, if necessary, its relevance in relation to the purposes of personal data processing. The Provider takes the necessary measures or ensures that such measures are taken to remove or update incomplete or inaccurate data.

— Storing personal data in a form that makes it possible to identify the personal data subject no longer than required by the purpose of personal data processing.

7.2. The Provider can process biometric personal data subject to the requirements of applicable laws of the Russian Federation. Biometric personal data can only be processed by the Provider on the basis of the personal data subject’s written consent.

7.3. The Provider can process personal data for the purpose of promoting goods, works, and services on the market through direct contact with a potential consumer only with the prior consent of the personal data subject and shall stop processing it upon their request.

7.4. Personal data can be obtained from someone who is not the personal data subject (from a third party or another source). In this case, prior to personal data processing, the subject shall be notified about the processing of their personal data, except in the following cases:

— The personal data subject has been notified about the processing of their personal data by the relevant Provider;

— The personal data was received by the Provider on the basis of federal legislation or in connection with the fulfillment of a contract where the personal data subject is a party, beneficiary, or guarantor;

— The personal data was made publicly available by the personal data subject or was obtained from a publicly accessible source.


8. Procedure and Conditions of Personal Data Processing

8.1. Personal data shall be processed with the consent of the personal data subjects, unless otherwise stipulated by the legislation of the Russian Federation.

8.2. Personal data can be processed with computer equipment (automated processing) or with direct participation of the person without computer equipment (non-automated processing).

8.3. Personal data can be processed only by those employees of QUANTEK LLC whose job duties include personal data processing.

The specified employees have the right to receive only the personal data necessary to perform their job duties.

8.4. Personal data is processed by:

— Receiving information containing personal data in oral and written form directly from personal data subjects;

— Receiving the originals of required documents from personal data subjects;

— Obtaining duly certified copies of documents containing personal data or copying the original documents;

— Receiving personal data upon sending requests to state authorities, state non-budgetary funds, other state authorities, local self-government authorities, commercial and non-commercial organizations, and individuals in the cases and in the manner specified by the legislation of the Russian Federation;

— Obtaining personal data from publicly available sources;

— Recording (registering) personal data in logs, books, registries, and other accounting forms;

— Entering personal data in QUANTEK LLC’s information systems;

— Using other means and methods of recording personal data received as part of QUANTEK LLC activities.

8.5. Transfer of personal data to third parties (including cross-border transfer) is allowed with the written consent of personal data subjects, except when this is necessary to prevent threats to the life and health of personal data subjects and also in other cases established by the legislation of the Russian Federation.

8.6. When transferring personal data to third parties according to signed contracts, QUANTEK LLC ensures mandatory compliance with the requirements specified by the laws of the Russian Federation and QUANTEK LLC’s regulatory documents regarding personal data.

8.7. Personal data is transferred to authorized executive authorities and organizations (Ministry of Internal Affairs of the Russian Federation, Ministry of Foreign Affairs of the Russian Federation, Federal Tax Service, Pension Fund of the Russian Federation, Federal Compulsory Medical Insurance Fund of the Russian Federation, and others) in accordance with the requirements of the legislation of the Russian Federation.

8.8. Cross-border transfers of personal data to foreign countries that are parties to the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data, as well as other foreign nations that provide adequate protection of the rights of personal data subjects, shall be performed in accordance with the Federal Law “On Personal Data” and may be prohibited or limited in order to protect the constitutional order of the Russian Federation, morality, health, rights and lawful interests of citizens and to ensure national defense and homeland security. Cross-border transfer of personal data to a foreign country that is not a party to the specified Convention is carried out in accordance with legislative acts of the Russian Federation, provided that the legal norms and personal data security measures applied in this country comply with the provisions of the Convention.

8.9. QUANTEK LLC has the right to entrust personal data processing to another legal entity or individual entrepreneur upon the consent of personal data subjects on the basis of a concluded agreement. A legal entity or an individual entrepreneur that processes personal data on behalf of QUANTEK LLC must observe the principles and rules of personal data processing stipulated by the legislation of the Russian Federation regarding personal data.

8.10. If QUANTEK LLC transfers or entrusts personal data processing to another legal entity or individual entrepreneur under a signed contract, the obligation of the specified person to ensure the confidentiality and security of personal data during its transfer or processing should be an essential condition of such contract.

8.11. The periods for personal data storage by QUANTEK LLC are determined according to the legislation of the Russian Federation and QUANTEK LLC’s regulations on document management.


9. Responding to Subjects’ Requests for Access to Personal Data. Updating, Correction, Deletion and Destruction of Personal Data

9.1. The information stated in part 7, Article 14 of the Federal Law “On Personal Data” is made available to the personal data subject or their representative by the Provider when it receives a request from the personal data subject or their representative.

9.2. Information shall be provided in an accessible form and shall not include personal data relating to other personal data subjects, unless there are legitimate grounds for disclosing such personal data.

9.3. If a personal data subject’s request does not reflect all the necessary information in accordance with the requirements of the Federal Law “On Personal Data” or if the subject does not have the right to access the requested information, a reasoned refusal is sent.

9.4. The request must contain information from the main document certifying the identity of the personal data subject or their representative, information confirming the personal data subject’s participation in relations with QUANTEK LLC (contract number, date of contract conclusion, indicative verbal marking and/or other information), or information otherwise confirming the fact of personal data processing by QUANTEK LLC, and the signature (including electronic) of the personal data subject or their representative. The request may be sent as an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

9.5. The right of the personal data subject to access their personal data may be limited in accordance with part 8, Article 14 of the Federal Law “On Personal Data,” including if the personal data subject’s access to their personal data violates the rights and legitimate interests of third parties.

9.6. QUANTEK LLC shall make the necessary changes within seven business days from the date on which the personal data subject or their representative provides information confirming that personal data is incomplete, inaccurate, or irrelevant.

9.7. QUANTEK LLC shall destroy data within seven business days from the date on which the personal data subject or their representative provides information confirming that personal data was illegally obtained or is not required for the specified processing purpose.

9.8. QUANTEK LLC shall notify the personal data subject or their representative about the changes made and measures taken and shall take reasonable measures to notify the third parties to whom the subject’s personal data was transferred.

9.9. QUANTEK LLC must provide the required information to the agency authorized to protect the rights of personal data subjects upon a request from this agency within thirty days after receiving the request.


10. Requirements for Personal Data Protection Established by QUANTEK LLC

10.1. Personal data is protected during its processing by QUANTEK LLC in accordance with the legislation of the Russian Federation and the requirements of the competent public authority responsible for protection of personal data subjects’ rights, the federal executive body authorized in the field of security, and the federal executive body authorized in the field of technical protection of information and counteraction of technical intelligence.

10.2. QUANTEK LLC takes the necessary organizational and technical measures to protect personal data from accidental or unauthorized access, destruction, change, blocked access, and other unauthorized actions.

10.3. The protection measures implemented by QUANTEK LLC when processing personal data include:

— Adopting local regulations and other documents on processing and protection of personal data;

— Appointing persons responsible for personal data security in QUANTEK LLC’s divisions and information systems;

— Arranging training and methodological work with employees engaged in personal data processing at QUANTEK LLC;

— Ensuring the conditions required to work with tangible media and information systems in which personal data is processed;

— Arranging the accounting of tangible media with personal data and the information systems in which personal data is processed;

— Storing tangible media with personal data in compliance with conditions that ensure the safety of personal data and prevention of unauthorized access to such data;

— Separating personal data processed without the use of automation from other information;

— Ensuring separate storage of tangible media with personal data that contain different categories of personal data or contain personal data that is processed for different purposes;

— Prohibiting the transfer of personal data via open communication channels, computer networks, and the Internet without applying the personal data protection measures established by QUANTEK LLC;

— Ensuring the protection of documents containing personal data on paper and other tangible media during their transfer to third parties using postal services;

— Internal control over compliance with the legislation of the Russian Federation and QUANTEK LLC’s regulatory documents during personal data processing.

11. Organizational Structure of Personal Data Protection

The organizational structure of personal data protection by the Provider:

11.1. QUANTEK LLC CEO. Organizes the structure of personal data protection by the Provider.

11.2. Committee on Classification of Personal Data Information Systems. Reports to the QUANTEK LLC CEO. Determines the types of threats to personal data security and the levels of personal data protection during processing in QUANTEK LLC’s personal data information systems.

11.3. The person in charge of personal data protection. Reports to the QUANTEK LLC CEO. Develops, organizes, and implements measures to ensure personal data protection in QUANTEK LLC.

11.4. QUANTEK LLC information security administrator. Reports to the QUANTEK LLC CEO. Organizes the work to secure personal data during its processing in QUANTEK LLC’s personal data information systems.

11.5. Heads of structural divisions engaged in personal data processing. Report to the QUANTEK LLC CEO and the person in charge of personal data protection. Responsible for carrying out QUANTEK LLC’s procedure for processing and ensuring the security of personal data.

11.6. Employees of structural divisions processing personal data. Report to the heads of structural divisions. Process personal data and ensure its security in the manner established by QUANTEK LLC.

11.7. Measures to ensure personal data security in the organization can also be developed and implemented on a contractual basis by third-party organizations that have the appropriate licenses.

12. Measures to Ensure Personal Data Security During Automated and Non-Automated Processing

Measures to ensure personal data security during automated and non-automated processing include:

12.1. Determining the scope of the Provider’s personal data information systems;

12.2. Determining the list and type of personal data security threats relevant to the Provider’s personal data information systems;

12.3. Determining the required level of personal data security during its processing in the Provider’s personal data information systems;

12.4. Creating a personal data protection system, including organizational and technical measures to ensure the security of personal data, including:

— Appointing people responsible for the organization of personal data processing in the Company;

— Appointing people responsible for the security of personal data processed in the Provider’s personal data information systems;

— Approving the list of employees who require access to personal data processed in the personal data information systems in order to fulfill their job duties;

— Conducting regular employee trainings on personal data processing and security;

— Establishing a security regime on the premises, where technical means of personal data information systems are installed, preventing uncontrolled access to such premises by people not entitled to access such premises;

— Ensuring security of storage locations for personal data media and security of the media itself;

— Using information protection tools that have passed the established compliance assessment procedure, including encryption (cryptographic) information protection tools;

— Managing access to the information resources of personal data information systems;

— Redundancy of technical equipment, duplication of large arrays of personal data and personal data media;

— Using protected communication channels when transferring personal data via public communication networks (the Internet);

— Preventing malicious programs and backdoors from entering personal data information systems;

— Detecting intrusions into personal data information systems that violate or create conditions for the violation of the established requirements for personal data protection;

— Analyzing the security of personal data information systems through the use of specialized software tools;

— Using anti-virus protection tools;

— Etc.

12.5. The type of threats to personal data security and the necessary level of personal data protection during its processing in the Provider’s personal data information systems is determined by the Committee on Classification of Personal Data Information Systems according to the provisions of Decree of the Government of the Russian Federation No. 1119 “On Approval of the Requirements for Protection of Personal Data During Their Processing in Personal Data Information Systems” dated November 1, 2012.


The structure and powers of the Committee on Classification of Personal Data Information Systems shall be determined by order of the QUANTEK LLC CEO.

12.6. The Committee’s decision on the types of threats to personal data security and the levels of personal data protection during its processing in QUANTEK LLC’s personal data information systems shall be documented in a corresponding report.

12.7. An evaluation of the effectiveness of measures implemented within the personal data protection system to ensure the security of personal data is carried out:

— Before putting the personal data information system into operation;

— Regularly, with the evaluation’s frequency established by the Company (but not less frequently than required by the current laws of the Russian Federation).

12.8. Third-party organizations licensed to carry out activities related to technical protection of confidential information may be engaged on a contractual basis to assess the effectiveness of the implemented security measures.

12.9. An evaluation of the effectiveness of the implemented personal data protection measures may be carried out as part of the certification of personal data information systems.

12.10. The specific features for ensuring personal data protection during its processing without the use of automation are defined by Decree of the Government of the Russian Federation No. 687 “On Approval of the Regulations on the Specifics of Processing Personal Data Carried Out Without the Use of Automation” dated September 15, 2008 and by separate local regulations of the Provider regarding non-automated personal data processing.