Policy on the Processing of Personal Data at MONT LLC
1. GENERAL PROVISIONS
1.1 The policy of MONT LLC (hereinafter referred to as the Operator) regarding the processing of personal data (hereinafter referred to as the Policy) defines its primary goals, principles, conditions, and methods for processing personal data. It includes lists of data subjects and types of personal data processed by the Operator, outlines the rights of individuals whose data is processed, details the Operator’s responsibilities during data processing, and specifies the requirements for safeguarding personal data.
1.2 The policy aims to safeguard individuals' rights and freedoms, including privacy and confidentiality of personal and familial information, during the processing of their personal data by the Operator.
1.3 The policy was developed in accordance with the following legal frameworks: Law No. ZR-49-N of July 1, 2015, 'On the Protection of Personal Data'; Law No. ZR-11-N of November 15, 2003, 'On Freedom of Information'; the requirements of the Constitution of the Republic of Armenia; and other relevant regulatory acts in the field of personal data. Additionally, the policy aligns with Council of Europe Convention No. 108, 'On the Protection of Individuals with regard to the Automatic Processing of Personal Data.
1.4 This Policy serves as the foundation for developing internal regulatory documents that govern the processing of personal data of both employees and other individuals by the Operator.
1.5 This Policy forms the basis for subsidiaries of the Operator to develop local regulations that outline how personal data should be processed within these organizations.
1.6 This Policy applies to all personal data processed by the Operator, whether processed through automated means or without the use of such tools.
2. BASIC CONCEPTS USED IN THIS POLICY
2.1 In accordance with the law of July 1, 2015 No. ZR-49-N “On the PROTECTION OF PERSONAL DATA”, the following basic concepts are used in this Policy:
- Personal data — any information directly or indirectly related to a specific or identifiable individual (subject of personal data);
- A personal data processing operator — a legal entity that independently or jointly with others organizes and/or carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data subject to processing, and the actions (operations) performed with personal data;
- Processing of personal data — any action (operation) or set of actions (operations) performed with personal data, whether by automated means or without such means, including collection, recording, organization, accumulation, storage, adaptation (updating, changing), retrieval, use, transmission (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data;
- Automated processing of personal data — processing of personal data using computer technology;
- Dissemination of personal data — actions aimed at disclosing personal data to an unspecified group of persons;
- Disclosure of personal data — actions aimed at disclosing personal data to a specific individual or group of individuals;
- Blocking of personal data — temporary cessation of processing personal data (except in cases where processing is necessary to clarify personal data;
- Destruction of personal data — actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of material carriers of personal data;
- Anonymization of personal data — actions resulting in the impossibility, without the use of additional information, to determine the ownership of personal data to a specific subject of personal data;
- Personal data information system — a collection of personal data contained in databases and the information technologies and technical means that ensure their processing;
- Cross-border transfer of personal data — the transfer of personal data to the territory of a foreign state to an authority of a foreign state, foreign individual, or foreign legal entity.
2.2 The following concepts are used to achieve the purposes of this Policy:
- Administrative and economic activities — internal processes aimed at supporting the Operator's current operations with material resources (such as purchasing office supplies, equipment, consumables, household goods, communication services, etc.); organizing document management (maintaining archives, libraries, databases); managing the operation of buildings, premises, and territories (maintenance, cleaning, interior decoration, and repairs); and organizing workflow processes.
- Information — information (messages, facts) regardless of their presentation form;
- User — an individual utilizing an operational automated system or network to perform specific functions and tasks before them;
- Subject of personal data — a specific or identifiable individual to whom the personal data relates;
- Operator's employee — an individual who has entered an employment contract with the Operator;
- Close relatives — individuals who are relatives in the direct ascending and descending line (parents and children, grandparents and grandchildren), full-blood and half-blood (having a common father or mother) siblings;
- Candidate — an individual applying for a vacant position, whose personal data has been obtained by the Operator;
- Supplier of the Operator — a term used to collectively refer to corporate counterparties, i.e., legal entities, individual entrepreneurs, or an individual, as well as foreign legal entities, who have entered or intend to enter a contract with the Operator for the supply of goods or products, performance of work, or provision of services;
- Operator's partner — a legal entity, individual entrepreneur, or an individual engaged in private practice as established by Russian legislation, who has entered or intends to enter a contract with the Operator for the purchase of goods or products, receipt of works or services performed or provided by the Operator;
- Representative of a partner or supplier- an individual whose personal data has been provided to the Operator and:
- acts on behalf of the partner or supplier based on power of attorney or within the scope of their employment duties;
- Retail customer — an individual who has entered a contract with the Operator for the purchase of goods or products, receipt of works or services performed or provided by the Operator, including the acquisition of services by adhering to the terms of a public contract, and whose personal data has been provided to the Operator;
- Operator's counterparty — the party to an agreement with the Operator;
- Publicly available personal data — personal data to which unrestricted access is provided based on law, by the subject of personal data, or at their request, including data that, according to legislation, must be disclosed or published;
- Biometric personal data — information that characterizes the physiological and biological features of a person, based on which their identity can be established, and which the Operator uses to identify the subject of personal data;
- Special categories of personal data — personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health condition, or intime life;
- Access to personal data — the act of certain individuals (including employees) reviewing the personal data of subjects processed by the Operator, with the requirement to maintain the confidentiality of this information;
- Confidentiality of personal data — the obligation of individuals who have access to personal data not to disclose or distribute such data to third parties without the consent of the data subject, unless otherwise required by law.
3. LEGAL BASIS FOR PROCESSING PERSONAL DATA
3.1 The legal basis for processing personal data consists of a set of regulatory legal acts, in compliance with which the Operator carries out the processing of personal data, including:
- Constitution of the Republic of Armenia;
- Labor Code of the Republic of Armenia;
- Law No. ЗР-49-Н of July 1, 2015 "On Personal Data Protection" and Law No. ЗР-11-Н of November 15, 2003 "On Freedom of Information";
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, concluded in Strasbourg on January 28, 1981);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)" (adopted in Brussels on April 27, 2016).
3.2 To implement the provisions of the Policy, the Operator develops relevant local regulations and other documents, including:
- Policy on the Processing and Protection of Personal Data at the Operator;
- Local regulatory acts and documents (orders, instructions, logs, notifications, etc.) regulating and reflecting the Operator's procedures for processing and ensuring the security of personal data.
4. PURPOSES OF PROCESSING PERSONAL DATA
4.1 The Operator collects, processes, and stores only the personal data that is necessary.
4.2 The Operator processes personal data for the following purposes:
- Ensuring compliance with the Constitution of the Republic of Armenia, laws, and other regulatory legal acts of the Republic of Armenia, as well as local regulatory acts of the Operator;
- Performing functions, powers, and duties assigned to the Operator, including the provision of personal data to tax authorities, the Pension Fund of the Republic of Armenia, the Social Insurance Fund of the Republic of Armenia, the Federal Compulsory Health Insurance Fund, as well as other authorities;
- Regulating labor relations with the Operator's employees (employment, training, monitoring the quantity and quality of work performed, ensuring the safety of property, etc.);
- Maintaining personnel records and personal files of the Operator's employees, including granting vacations and sending them on business trips;
- Attracting and selecting candidates for employment;
- Concluding any agreements with the data subject and their subsequent execution;
- Preparing, concluding, executing, and terminating contracts with counterparts;
- Informing and conducting events, actions, surveys, and research by the Operator;
- Accepting partnership proposals and conducting further negotiations;
- Provision of personal data to a person about the Operator’s services, informing about offers and development of new products and services and also about Operator’s subsidiary company services;
- Compiling statistical reports, including for submission to tax and other authorities;
- Ensuring access control in the premises of the Operator;
- Compiling reference materials for internal informational support of the Operator's activities and its subsidiaries;
- Enforcing court judgments, decisions of other authorities or officials, which are subject to execution under the legislation of the Republic of Armenia on enforcement proceedings;
- Protecting the Operator's rights and legitimate interests while conducting administrative and economic activities;
- Regulating labor and other directly related relationships;
- Providing user customer support and services;
- To achieve the objectives provided by international agreements of the Republic of Armenia or by law, in order to fulfill and execute the functions, powers, and duties imposed on the Operator by the legislation of the Republic of Armenia.
4.3 The Operator does not verify the accuracy of the personal information provided by the User and does not monitor its currency. The User bears all responsibility, as well as potential consequences, for providing inaccurate or outdated personal information.
5. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
5.1 The Operator processes personal data on a legal and fair basis in compliance with the following general principles:
- Compliance of the processing of personal data with the achievement of specific, predetermined and legitimate purposes;
- Prohibition of processing personal data that is incompatible with the purposes of collecting such data;
- Prohibition of merging databases containing personal data that are processed for incompatible purposes;
- Processing only personal data that meets the purposes of their processing;
- Compliance of the content, volume, nature and method of processed personal data with the stated purposes of their processing;
- Prohibition of processing excessive personal data in relation to the purposes of their processing stated during the collection of personal data;
- Ensuring during the processing of personal data their accuracy, sufficiency, and relevance to the purposes of processing personal data;
- Ensuring and taking necessary measures to delete or rectify incomplete or inaccurate data;
- Storing personal data in a form that allows identifying the data subject no longer than necessary for the purposes of their processing, unless the retention period for personal data is established by the legislation of the Republic of Armenia, a contract, or an agreement in which the data subject is a party, beneficiary, or guarantor;
- Destruction or depersonalization of processed personal data to achieve the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by law;
- Ensuring proper protection of personal data, their confidentiality and security of processed personal data.
5.2 Processing of personal data is permitted in the following cases:
- Consent of the person to the processing of their personal data;
- Providing an individual with access to personal data (or at their request) by an unlimited number of persons;
- The necessity to achieve the purposes provided by an international agreement of the Republic of Armenia or by law, for the implementation and performance of functions, powers, and duties imposed on the Controller by the legislation of the RA;
- Тhe involvement of an individual whose personal data is processed in constitutional, civil, administrative, criminal, and arbitration proceedings, as well as for the enforcement of court judgments subject to enforcement under the legislation of the RА;
- Execution of an agreement to which the subject of personal data is or will be a party, or a beneficiary or guarantor, as well as when concluding an agreement on the initiative of the subject of personal data;
- Processing of personal data that is subject to publication or mandatory disclosure in accordance with the legislation of the RA;
- To exercise the rights and legitimate interests of the Operator or third parties.
6. CLASSIFICATION OF THE PERSONAL DATA
6.1 The Operator processes the following categories of personal data:
6.2 Individuals who are applicants for vacant positions - with the consent of the subjects of personal data, in the composition and within the time frame necessary for the Operator to decide to accept or refuse employment, as well as for the formation of a personnel reserve;
6.3 Individuals included in the management bodies of the Operator - with the consent of the subjects of personal data, in the composition and within the time frame necessary to achieve the goals provided for by the legislation of the Republic of Armenia, to implement and fulfill the functions, powers and duties assigned by the legislation of the RA;
6.4 Individuals who are in labor relations with the Operator, with its subsidiaries - in the composition and within the time frame necessary to achieve the goals provided for by the legislation of the RA, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the RA to the Operator, to form a personnel reserve, and also for the conclusion and execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, including for the purpose of providing insurance;
6.5 Individuals who are relatives of the Operator’s employees - with the consent of the subjects of personal data, in the composition and within the time frame necessary for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Republic of Armenia to the Operator, the exercise of the rights and legitimate interests of the Operator, as well as for the conclusion and execution of an agreement, a party to which, or a beneficiary or guarantor of which, is the person of personal data, including for the purpose of providing insurance;
6.6 физических лиц, осуществляющих выполнение работ, оказание услуг и(или) поставку товаров и заключившие с Оператором договор гражданско-правового характера;
6.7 Foreign employees of the Operator (hereinafter referred to as “expats”) - with the consent of the subjects of personal data, in the composition and within the time frame necessary to achieve the goals provided for by the legislation of the Republic of Armenia, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the RA to the Operator, to provide assistance expats when issuing invitations, visas and for registering for migration, obtaining a work permit, a patent, for forming a personnel reserve, as well as for concluding and executing an agreement to which the person of personal data is a party, or the beneficiary or guarantor, including for the purpose of providing insuranc;
6.8 Relatives of expatriates of the Operator - with the consent of the subjects of personal data, in the composition and within the time frame necessary to achieve the goals provided for by the legislation of the Republic of Armenia, to implement and fulfill the functions, powers and responsibilities assigned by the legislation of the Republic of Armenia to the Operator, to provide assistance in issuing invitations, visas and for registration migration registration, exercise of the rights and legitimate interests of the Operator, as well as for the conclusion and execution of an agreement to which the subject of personal data is a party, or a beneficiary or guarantor, including for the purpose of providing insurance;
6.9 Individuals who are representatives of the Operator’s existing and potential suppliers - with the consent of the subjects of personal data, in the composition and within the time frame necessary for interaction with suppliers;
6.10 Individuals who are dependent on the Operator’s employee;
6.11 Individuals who receive income from the Operator but are not in labor relations with it - in the composition and within the time frame necessary for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the RA to the Operator.;
6.12 Individuals who are representatives of partners - with the consent of the subjects of personal data, in the composition and within the time frame necessary to interact with partners;
6.13 Individuals whose personal data has been made publicly available by them, and their processing does not violate their rights and complies with the requirements established by the Law on Personal Data;
6.14 Individuals who have consented to the processing of their personal data by the Operator, or individuals whose personal data processing is necessary for the Operator to achieve the purposes stipulated by an international agreement of the Republic of Armenia or by law, for the exercise and fulfillment of the powers and duties assigned to the Operator by Armenian legislation.
7. RIGHTS AND OBLIGATIONS OF THE OPERATOR AND SUBJECTS OF PERSONAL DATA
7.1 The subject of personal data has the right:
- Receive information regarding the processing of his personal data in the manner, form and time frame established by the Law on Personal Data;
- Demand clarification of your personal data, their blocking or destruction if they are incomplete, outdated, inaccurate, unreliable, illegally obtained or are not necessary for the stated purpose of processing, as well as if they are used for purposes not previously stated when providing consent to processing personal data;
- Withdraw their consent to the processing of personal data;
- Take measures provided by law to protect their rights and legitimate interests;
- To obtain from the Operator the information necessary to exercise their rights and legitimate interests regarding the processing of their personal data. This can be done by contacting the Operator and submitting a request personally or through a representative, ensuring that the request includes all the required information as stipulated by Armenian legislation.
7.2 Subjects whose personal data is processed by the Operator are obliged to:
- Provide reliable information about yourself and provide documents containing personal data, the composition of which is established by the legislation of the Republic of Armenia and the local regulations of the Operator to the extent necessary for the purpose of processing;
- Inform the Operator about clarification (updating, changing) of your personal data.
7.3 The Operator has the right to:
- Process personal data of the Subject of personal data in accordance with the stated purpose;
- Require the Subject of Personal Data to provide reliable personal data necessary for the execution of the contract, provision of services, identification of the Subject of Personal Data, as well as in other cases provided for by the Law on Personal Data;
- Restrict access of the Subject of Personal Data to their personal data in cases where such access violates the rights and legitimate interests of third parties, as well as in other cases provided by the legislation of the RA;
- Process publicly available personal data of individuals;
- For the purpose of internal information support of the Operator, create internal reference materials which may include, with the written consent subject of the data, unless otherwise provided by Armenian legislation, their surname, first name, patronymic, place of work, position, year and place of birth, address, phone number, email address, and other personal data provided by the data subject;
- Carry out the processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the RA;
- Assign the processing of personal data to another person with the consent of the data subject based on a contract concluded with that person.
7.4 The operator processing personal data of personal data subjects is obligated to:
- Process personal data received in accordance with the procedure established by current legislation;
- Consider requests from the subject of personal data (legal representative of the subject of personal data) regarding the processing of his personal data and give reasoned answers;
- Carry out operational and archival storage of the Operator’s documents containing personal data of the subjects of personal data, in accordance with the requirements of the legislation of the RA.
- When collecting personal data, including through the information and telecommunications network “Internet”, the Operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of citizens of the RA using databases located on the territory of the Republic of Armenia, except for the cases specified in paragraphs 8, 9, 10 of the law of July 1, 2015 No. ZR-49-N “ON PROTECTION OF PERSONAL DATA”.
8. FUNCTIONS OF THE OPERATOR AND REQUIREMENTS FOR PERSONAL DATA PROTECTIO
8.1 The Operator processes personal data on a legal and fair basis, to fulfill the functions, powers and duties assigned by law, to exercise the rights and legitimate interests of the Operator, its employees and third partie.
8.2 The list of personal data processed by the Operator is determined in accordance with the legislation of the RA, local regulations of the Operator and taking into account the purposes of processing personal data.
8.3 8.3 The Operator receives personal data directly from the subjects of personal data, processes the personal data of the subjects with their consent, which can also be expressed by performing implicit actions on the Operator’s website, including, but not limited to, placing an order, registering in a personal account, by subscribing to the newsletter in accordance with this Policy.
8.4 The operator of the bottom panel transmits data to government agencies within the framework of his powers in accordance with the requirements of the RA.
8.5 The operator provides access to the processed personal data only to those employees who need it in connection with the performance of their official duties and in compliance with the principles of personal responsibility.
8.6 The Operator processes personal data in compliance with confidentiality, which means the obligation not to disclose to third parties or distribute personal data without the consent of the Personal Data Subject, unless otherwise provided by the legislation of the RA.
8.7 The Operator ensures the confidentiality of the personal data of the Personal Data Subject on its part, on the part of its affiliates, on the part of its employees who have access to the personal data of individuals, and also ensures the use of personal data by the above-mentioned persons solely for purposes consistent with the law, contract or other agreement concluded with the Personal Data Subject.
8.8 The Operator processes personal data using the following methods:
- Non-automated processing of personal data;
- Automated processing of personal data with transmission of the received information through information and telecommunication networks or without such transmission;
- Mixed processing of personal data.
8.9 Actions for processing personal data include collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.
8.10 The Operator protects the User’s personal information in accordance with the requirements for the protection of this type of information and is responsible for using safe methods to protect such information.
8.11 The operator is entitled to transfer the user's personal information (including to organizations that carry out recording, systematization, accumulation, clarification, storage, retrieval, directly sending special offers to the user, information about new products and advertising campaigns, processing requests and inquiries, as well as carrying out the destruction of personal information) to third parties.
8.12 To protect the user's personal information, ensure its proper use, and prevent unauthorized and/or accidental access to it, the Operator applies necessary and sufficient technical and administrative measures. The personal information provided by the user is stored on servers with limited access located in secured premises.
8.13 The Operator does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or intimate life.
8.14 The measures of protection implemented by the Operator in processing personal data include:
- Obtaining consent from the subjects of personal data for processing their personal data, except in cases provided by the legislation of the RA;
- Appointment of officials responsible for organizing the processing and ensuring the security of personal data in the divisions and information systems of the Operator;
- Approval and implementation of local regulations and other documents establishing and regulating the Operator’s issues of processing, protection and security of personal data;
- Ensuring separate storage of personal data and their material carriers, containing different categories of personal data and the processing of which is carried out for different purposes;
- Organization of accounting of material media of personal data and information systems where personal data is processed;
- Establishing a prohibition on transmitting personal data through open communication channels, computer networks outside controlled zones, and without applying security measures established by the Operator for personal data protection (except for publicly available and/or anonymized personal data);
- Storage of material carriers of personal data under conditions ensuring the integrity of personal data and preventing unauthorized access to them;
- Application of a set of legal, organizational and technical measures to ensure the security of personal data to ensure the confidentiality of personal data and their protection from unlawful actions:
- Providing unlimited access to the Policy by posting it on the Operator's official website on the Internet information and telecommunications network;
- Establishing rules for access to personal data processed in the Operator's information system, as well as ensuring the registration and accounting of all actions with them;
- Assessment of the harm that may be caused to Subjects of personal data in case of violation of the law of July 01, 2015 No. ZR-49-N "On THE PROTECTION OF PERSONAL DATA";
- Identification of threats to the security of personal data during their processing in the Operator's information system;
- Implementation of organizational and technical measures, as well as utilization information security tools, necessary to achieve the established level of protection for personal data;
- Ensuring the protection of documents containing personal data on paper and other physical media when they are transferred to third parties using postal services;
- Detection of unauthorized access to personal data and taking measures to respond, including the recovery of personal data modified or destroyed as a result of unauthorized access to them;
- Implementation of internal control over the compliance of personal data processing with the requirements of the legislation on personal data, including the law of July 01, 2015. No. ZR-49-N "On the Protection of PERSONAL DATA", regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, Policies, Regulations and other local acts, including control over the measures taken to ensure the security of personal data and their level of security during processing in the Operator's information system;
- Implementation of other measures provided for by the legislation of the Republic of Armenia in the field of personal data.
8.15 The Operator's information security system is continuously developing and improving based on the requirements of international and national information security standards, as well as the best international practices.
8.16 Система информационной безопасности Оператора непрерывно развивается и совершенствуется на базе требований международных и национальных стандартов информационной безопасности, а также лучших мировых практик.
9. FINAL PROVISIONS
9.1 This Policy is a publicly accessible document and shall be posted on the Operator's official website.
9.2 The Policy shall be updated in case of amendments to legislative acts and regulatory documents regarding the processing and protection of personal data.
9.3 Employees are familiarized with the provisions of this Policy under a personal signature.
9.4 The provisions of this Policy are mandatory for compliance by all employees who have access to personal data at the Operator and/or are involved in organizing processes related to the processing and security of personal data.
9.5 Responsibility for violations of the requirements of the legislation of the Republic of Armenia and regulatory acts of the Operator in the field of processing and protection of personal data is determined in accordance with the current legislation of the Republic of Armenia.