BGP Litigation's Personal Data Processing Policy
1.1. This Personal Data Processing Policy of BGP Litigation Limited Liability Company (the "Data Controller", Primary State Registration Number 1097746283910, Taxpayer Identification Number 7726629592, address: 123112, Moscow, PRESNENSKY INTERNAL MUNICIPAL DISTRICT, 6 PRESNENSKAYA EMBANKMENT, BLD. 2, 18TH FLOOR, PREMISES/OFFICE I/1820) (the "Policy") was developed in pursuance of provisions of Federal Law on Personal Data 152-FZ dated 27 July 2006 (the "PD Law") to ensure the protection of the rights and freedoms of individuals and citizens when processing their Personal Data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy uses terms and concepts as defined in the PD Law.
1.3. The Policy is published and publicly available on the Data Controller's website at bgplaw.com (the "Website").
1.4. The Policy sets out the key goals, principles, procedure and conditions for the processing of Personal Data of visitors to this website who are Personal Data owners (each a "Website Visitor" or "Personal Data Owner") and steps implemented to ensure the security and protection of their Personal Data.
1.5. The Policy shall apply to all Personal Data of Website Visitors processed by the Data Controller.
1.6. The Data Controller warrants that it shall treat Personal Data received by it as confidential, subject to the provisions of this Policy, and undertakes to use them only for the purposes referred to in the Policy.
Personal Data shall mean any information directly or indirectly relating to an individual, whether identified or being identified individual (the "Personal Data Owner").
Processing of Personal Data shall mean any action (operation) or set of actions (operations) involving automated or non-automated processing of Personal Data. The processing of Personal Data shall include, among other things, collection, recording, systematisation, accumulation, storage, clarification (updating, amendment), retrieval, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion or destruction.
2.3. The Data Controller carries out, in relation to the Personal Data specified in subparagraphs 4.1–4.10 of paragraph 4 of this Policy, mixed processing (both automated and non-automated), including the transfer of Personal Data via the Operator's internal network as well as via the Internet. Such processing includes the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, blocking, deletion, destruction, and transfer (provision, access) of Personal Data with the consent of the Personal Data Owner to BGP Litigation law firm having its registered office at 6 Presnenskaya Embankment, bld. 2, Moscow, 123112.
In relation to the Personal Data specified in subparagraph 4.10 of paragraph 4 of this Policy, the Data Controller also carries out the dissemination of such Personal Data on the basis of consents to the processing of Personal Data for dissemination purposes obtained from the Personal Data Owners specified in subparagraph 4.10 of this Policy.
2.4. While browsing the Website, reading posted texts or downloading other information, certain data about the computer from which the Website Visitor accesses the Website is automatically recorded.
2.5. When the Website is browsed, the Data Controller will collect the following information: the IP address assigned to the device for Internet access, the type of browser and operating system, the URL of the website from which the visitor was directed, the date and time when the Website was visited, the total number and names of pages visited and, the duration of the visit.
2.6. The Data Controller shall process and ensure the protection of Personal Data of Website Visitors who have given their consent to the processing of Personal Data (hereinafter – the "Consent") by submitting information through the selected web forms (each a "Web Form") available on the Website's pages (bgplaw.com or its subdomains *.bgplaw.com) or by sending an email to a corporate mail address ending with @bgplaw.com (the "Corporate Email").
2.7. The Consent shall be deemed given once:
- the Website Visitor has submitted a completed Web Form on the Website of the Data Controller by marking (ticking) the relevant field in the Web Form and clicking the "submit" button below the Web Form on the relevant page of the Website;
- the Website Visitor has clicked on the "submit" button for emailing a letter containing their Personal Data to a Corporate Email;
- the Website Visitor has otherwise sent their Personal Data using the Website.
2.8. The period during which Personal Data may be processed by the Data Controller may not exceed the period during which they are required to be used for the Personal Data processing purposes referred to in paragraph 4 of this Policy. The processing of Personal Data shall also be ceased once the consent of the Personal Data Owner to the processing of their personal data expires or is revoked or any unlawful processing of the Personal Data is detected.
3.1. The website collects standard session log information, including IP address, browser type and language, as well as data on the time of the visit and addresses of the websites from which visitors were directed via links.
3.2. The Data Controller may use cookies (small text files stored in the visitor's browser) or web beacons (electronic images) together with tracking pixels used by the Website to count the number of visitors to a particular page and enables access to certain cookies to analyse Internet traffic, effectively manage the Website and assist in setting up the user interface.
3.3. The collected technical data of Website Visitors shall be used solely for statistical purposes.
3.4. By using the Website, each Website Visitor gives their consent to the Data Controller to upload cookies to the Website Visitor's device in accordance with the terms and conditions set out above.
3.5. A Website Visitor can manage cookies by configuring their browser settings. If cookies are deleted, all data about the Website Visitor's preferences, including the preference not to use cookies, will be deleted.
3.6. In the event that cookies are blocked, changes may affect the user interface, and some components of the Website may become unavailable.
| No. | Personal Data Owner | Purpose of Personal Data Processing | Composition and Volume of Personal Data |
|---|---|---|---|
| 4.1 | Participant (visitor) of an event organized by the Data Controller, including potential participants | Ensuring participation in events organized by the Data Controller, including sending invitations by email, phone calls, or messenger messages; registration for the event | First name, last name, email address, phone number, place of employment (company name), position |
| 4.2 | Counterparty, representative of a counterparty, client, representative of a client, event participant (visitor), Website Visitor | Providing information about news, events, and current commercial offers related to the services provided by the Data Controller, through informational and news mailings, marketing materials, and alerts via email, phone calls, and messenger messages | First name, last name, email address, phone number, place of employment (company name), position |
| 4.3 | Counterparty, including a client (individual or representative of a legal entity), including potential clients who have contacted the Data Controller for the conclusion of a civil law contract | Preparation, conclusion, and execution of a civil law contract | First name, second name, last name; date of birth; email address; phone number; personal Insurance Policy Number; Individual Taxpayer Number; citizenship; identity document details; bank details (account number); position; power of attorney details |
| 4.4 | Job applicant for an open position published on the Website | Recruitment and selection of candidates for employment with the Data Controller | First name, second name, last name; date of birth; marital status; gender; email address; phone number; residential address; registration address; citizenship; identity document details; education details; profession; position; qualification information; details on professional retraining and/or advanced training; employment history (including work experience and current employment details with the name of the organization); information of an evaluative nature on business and personal qualities; information on previous employers; military service details |
| 4.5 | Individual (student) wishing to undertake an introductory, industrial, pre-graduation internship or traineeship with the Data Controller, having applied via the relevant Web Form on the Website | Organization and administration of introductory, industrial, pre-graduation internships and traineeships | First name, last name, date of birth; phone number; email address; name of the higher educational institution; faculty; degree pursued; year of study; level of English proficiency |
| 4.6 | Individual (student) wishing to undertake an internship or traineeship with the Data Controller, or an existing Intern/Trainee of the Data Controller | Notification about news and events of the Data Controller by including the individual in a thematic Telegram channel for interns and by sending informational and news mailings via email, phone calls | First name, last name, phone number, email address |
| 4.7 | Individual (student) wishing to undertake an internship or traineeship with the Data Controller, or an existing Intern/Trainee of the Data Controller | Inclusion in the HR talent pool | First name, last name; date of birth; phone number; email address; name of the higher educational institution; faculty; degree pursued; year of study; level of English proficiency |
| 4.8 | Counterparty, representative of a counterparty, client, representative of a client, event participant, Website Visitor, having contacted the Data Controller via the relevant Web Form on the Website | Inclusion in the Data Controller's IP Club as a member (resident) | First name, last name; corporate email address; phone number; place of employment (company name); position |
| 4.9 | Website Visitor | Receiving requests and providing feedback to Website Visitors | First name, last name; phone number; email address |
| 4.10 | Employee, counterparty, employee of a counterparty, or business partner of the Data Controller | Publication and maintenance of information about employees, counterparties, their employees, and business partners of the Data Controller on the Website, with their consent | First name, last name; specialization; academic degree; professional experience; brief biographical information; awards; photograph |
5. The Personal Data processed by the Data Controller for the purposes specified in paragraph 4 of this Policy do not include special categories of Personal Data or biometric Personal Data, as defined by Articles 10–11 of the PD Law.
6.1. Personal data shall be processed by the Data Controller based on the following principles:
- Personal Data shall be processed lawfully and fairly;
- the processing of Personal Data must be limited to the achievement of specific, predetermined and legitimate purposes. Personal Data may not be processed for goals incompatible with the Personal Data collection purposes;
- only Personal Data that meet the Personal Data collection purposes may be processed;
- the content and scope of Personal Data to be processed must be consistent with the stated processing purposes. Personal Data to be processed must not be excessive in relation to the stated processing purposes;
- Accuracy, sufficiency, and, where necessary, relevance of the processed Personal Data to the purposes of processing shall be ensured;
- other principles set out in the applicable laws of the Russian Federation on Personal Data.
9.1. The Personal Data Owner has the right to:
9.1.1. By personal request or by sending a written request to the correspondence address: 123112, Moscow, Presnensky internal municipal district, 6 Presnenskaya embankment, bld. 2, 18th floor, premises/office I/1820) or by email to office@bgplaw.com, receive information regarding the processing of their Personal Data, including confirmation of the fact that their Personal Data are processed by the Data Controller, legal grounds and purposes of processing, purposes and methods applied by the Data Controller, name and location of the Data Controller, information about persons (other than the Data Controller's employees) who have access to the Personal Data or to whom the Personal Data may be disclosed under a contract or by law, the processed Personal Data related to the specific Personal Data Owner, the source of such data (unless otherwise provided by federal law), the duration of processing, including storage periods, and other information as provided by the PD Law or other federal laws.
9.1.2. Request that the Data Controller clarify, block or destroy their Personal Data if such data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated processing purposes and may also take steps provided for by laws to protect their rights;
9.1.3. Withdraw their consent to Personal Data processing by sending a withdrawal notice to the Data Controller;
9.1.4. Appeal actions or omissions of the Data Controller to the competent authority for the protection of Personal Data Owners' rights or in court if the Data Controller processes Personal Data in violation of the PD Law or otherwise infringes the rights and freedoms of the Personal Data Owner.
12.1. Access to Personal Data of Website Visitors shall be granted only to the Data Controller's authorised employees of BGP Litigation, BGP Litigation law firm, having its registered office at 6 Presnenskaya Embankment, bld. 2, Moscow, 123112, who are obligated to maintain the confidentiality of such information.
12.2. The Data Controller ensures the security regime for Personal Data processing in accordance with the laws of the Russian Federation and internal regulatory acts of the Data Controller, implementing legal, organizational, and technical measures to protect Personal Data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unauthorized actions.
12.3. The protection regime ensures the prevention of violations of confidentiality, integrity, and availability of Personal Data during its processing.
12.4. The Data Controller ensures Personal Data security, including through the following measures:
12.4.1. Legal measures:
- Adoption of internal regulations on Personal Data processing, including this Policy;
- Ensuring unrestricted public access to this Policy, including its publication on the Website;
- Appointment of a person responsible for organizing Personal Data processing;
- Defining the list of persons with access to Personal Data (by internal regulation or management order);
- Signing confidentiality agreements (non-disclosure obligations) with persons having access to Personal Data;
- Including Personal Data security provisions in contracts with third parties, including obligations not to disclose or distribute Personal Data without consent, unless otherwise required by law.
12.4.2. Organizational and technical measures to ensure the security of Personal Data during its processing in Personal Data information systems and on electronic media (computers):
- Identification of security threats during Personal Data processing in information systems;
- application of organizational and technical measures to ensure the security of Personal Data during its processing in Personal Data information systems, as necessary to meet the requirements for Personal Data protection, the fulfillment of which ensures the levels of Personal Data security established by the Government of the Russian Federation;
- use of information security tools that have undergone the conformity assessment procedure in the prescribed manner;
- evaluation of the effectiveness of the implemented measures to ensure the security of Personal Data before the commissioning of the Personal Data information system;
- accounting of electronic media containing Personal Data;
- protection of computers containing Personal Data by access passwords and other information security tools, in accordance with the requirements of applicable legislation;
- detection of incidents of unauthorized access to Personal Data and implementation of measures, including those aimed at identifying, preventing, and eliminating the consequences of cyberattacks on Personal Data information systems, as well as responding to cybersecurity incidents therein;
- ensuring backup and restoration of Personal Data that has been modified or destroyed as a result of unauthorized access;
- granting access to Personal Data contained in Personal Data information systems only through individual passwords;
- use of certified antivirus software with regularly updated databases;
- establishment of access control rules for Personal Data processed in the Personal Data information system, as well as ensuring registration and accounting of all actions performed with Personal Data in the Personal Data information system;
- monitoring the implementation of measures to ensure the security of Personal Data and the protection level of Personal Data information systems.
12.4.3. Other organizational and technical measures to ensure the security of Personal Data:
- storage of Personal Data (physical information carriers) shall be carried out in premises equipped with lockable cabinets (safes), including metal safes, in accordance with the requirements of applicable legislation governing the storage of Personal Data of the relevant category;
- the premises of the Data Controller, where cabinets (safes) containing physical information carriers with Personal Data are located, shall be equipped with locking devices. Keys to such cabinets and premises shall be issued to authorized employees of the Data Controller against signature;
- separate storage of Personal Data (physical information carriers) processed for different purposes;
- implementation of measures aimed at preventing unauthorized access to Personal Data and/or its transfer to persons not entitled to access such information;
- timely detection of incidents of unauthorized access to Personal Data;
- compliance with the retention periods of documents containing Personal Data, as established by the applicable legislation of the Russian Federation;
- destruction of Personal Data upon achieving the purposes of processing, in cases where the need to achieve such purposes no longer exists, or in other cases as required by federal law, unless otherwise provided by applicable legislation;
- monitoring compliance by authorized employees of the Data Controller with the legislation of the Russian Federation and the local regulations of the Data Controller in the field of Personal Data, including this Policy;
- regular training of the Data Controller's employees on the requirements of the legislation in the field of Personal Data.
13.1. This Policy shall be amended or supplemented once the applicable laws of the Russian Federation on Personal Data are appropriately amended or supplemented.
This Policy may be amended and/or supplemented at any time at the Data Controller's discretion. Amendments shall take effect once the Data Controller posts the Policy as amended and/or supplemented on the Website.
13.2. The current version of the Data Controller's Policy is posted and available at bgplaw.com for an unlimited range of persons.
13.3. All matters relating to the processing and protection of Personal Data and not covered by this Policy shall be addressed in accordance with the provisions of the applicable laws of the Russian Federation on Personal Data.
13.4. Compliance with the provisions of this Policy shall be monitored by the person responsible for the Data Controller's Personal Data processing arrangements.