• Conde Nast Personal Data Processing Policy

1. General Provisions

1.1. This document defines the policy of CONDE NAST JSC (hereinafter - the Company) in relation to the personal data processing and sets out a system of basic principles applied to the personal data processing in the Company.

1.2. This Policy applies to all operations performed in the Company with personal data using automation technologies or without them.

1.3. This Policy shall be read, understood and executed by all persons authorized to process personal data in the Company and persons involved in organizing the processing and security of personal data in the Company.

1.4. This Policy is developed under Convention No. 108 of the Council of Europe on the Protection of Individuals With Regard to the Automatic Processing of Personal Data and Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’.

1.5. This Policy shall be updated in case of changes in the laws of the Russian Federation on personal data.

2. Introduction

2.1. In accordance with subparagraph 2 of Article 3 of the Federal Law dated July 27, 2006 No. 152-FZ ‘On Personal Data’, the Company is an operator, i.e. a legal entity that independently organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and actions (operations) performed with personal data. The Company shall not process personal data on behalf of another operator.

2.2. An important condition for the implementation of the goals of the Company is to ensure the protection of the rights and freedoms of man and citizen – personal data subject when processing his/her personal data.

2.3. The Company has developed and implemented documents establishing the procedure for processing and ensuring the safety of personal data to comply with the requirements of the Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ and its subordinate laws.

3. Principles and Conditions for the Personal Data Processing in the Company

3.1. As the operator the Company shall process the personal data of the following entities:

  1. applicants for filling vacancies - in the composition and for the period necessary for the Company to make a decision on accepting or refusing to accept for work and forming a personnel reserve with the consent of the personal data subject;
  2. employees of the Company - in the composition and for the period necessary to achieve the goals provided for by the laws of the Russian Federation, to carry out and fulfill the functions, powers and duties assigned to the Company by the laws of the Russian Federation, to execute an agreement to which the data subject is either the beneficiary or surety;
  3. relatives of the Company's employees - in the composition and for the period necessary to achieve the goals stipulated by the laws of the Russian Federation, to carry out and fulfill the functions, powers and duties assigned to the Company by the laws of the Russian Federation;
  4. individuals under civil law contracts, representatives of counterparties - in the composition and for the period necessary for the conclusion and execution of a contract to which either the beneficiary or guarantor is a personal data subject;
  5. visitors to any of the websites of CONDE NAST JSC.

3.2. The processing time for personal data shall be determined taking into account the following:

  1. personal data processing goals;
  2. the duration of contracts with personal data subjects and the consent of personal data subjects to the processing of their personal data;
  3. the terms determined by the Order of the Ministry of Culture of the Russian Federation of August 25, 2010 No. 558 ‘On Approval of the List of Typical Administrative Archival Documents Generated in the Course of Activities of State Bodies, Local Authorities and Organizations, Indicating Storage Periods’;
  4. storage periods for the documents established by internal regulatory acts of the Company.

3.3. The Company carries out the processing of personal data on a legal and fair basis.

3.4. When processing personal data, their accuracy, adequacy, and, if necessary, their relevance to the purposes of personal data processing shall be ensured.

3.5. The Company shall not disclose to third parties and shall not distribute personal data without the consent of the personal data subject (unless otherwise provided for by the federal law of the Russian Federation).

3.6. The Company shall not create publicly available sources of personal data.

3.7. The Company shall process special categories of personal data. At the same time, the Company shall fulfill all the requirements for processing special categories of personal data stipulated by Federal Law of the Russian Federation ‘On Personal Data’ No. 152-FZ dated July 27, 2006. The Company shall not process personal data on criminal records.

3.8. The Company shall not process biometric personal data.

3.9. The Company may carry out cross-border transfer of personal data.

3.10. The Company shall process personal data to promote the Company's goods, works and services on the market by making direct contacts with a potential consumer using communication tools with the consent of potential consumer. The Company shall not process personal data for the purposes of political solicitation.

3.11. The Company shall not make decisions producing legal effects concerning the personal data subject or otherwise affect his/her rights and legitimate interests, based on exclusively automated personal data processing.

3.12. The Company shall entrust the processing of personal data to other persons. At the same time, the Company shall fulfill all the requirements for a personal data processing order stipulated by Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’. A visitor to any of the websites of CONDE NAST JSC accepting this Policy regarding the processing of personal data and agreeing with it, shall give his consent to the transfer of his/her personal data by CONDE NAST JSC to third parties for the fulfillment of the objectives of the contracts in connection with which the personal data shall be transferred to a third party.

3.13. The Company shall process personal data using automation technologies and without their use. At the same time, the Company shall fulfill all the requirements for automated and non-automated processing of personal data stipulated by Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ and its subordinate laws.

4. Rights of Subjects of Personal Data Processed in the Company

4.1. The personal data subject has the right to receive information regarding the processing of his/her personal data. To obtain this information, the personal data subject may send a written request to the address: 125009, Moscow, Bolshaya Dmitrovka Str., house 11, bld. 7 in the manner prescribed by Article 14 of Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’.

4.2. The personal data subject has the right to require the Company to clarify his/her personal data, to block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated processing purpose. The subject of personal data has the right to withdraw his/her consent to the processing of personal data. To exercise these powers, the personal data subject can send a written request (by registered letter with delivery confirmation) to the address: 125009, Moscow, Bolshaya Dmitrovka Str., house 11, bld. 7 in the manner prescribed by Article 21 of Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’.

5. Fulfillment of the Operator Duties by the Company

5.1. The Company receives personal data from personal data subjects, from third parties (persons who are not personal data subjects) and from publicly available sources of personal data (including in the Internet telecommunication network). Moreover, the Company shall fulfill the obligations stipulated by Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ in the collection of personal data.

5.2. The Company shall stop processing personal data in the following cases:

  1. upon reaching the goals of their processing, or in case of loss of need to achieve these goals;
  2. at the request of the personal data subject, if the personal data processed by the Company are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;
  3. in case of unlawful processing of personal data, if it is impossible to ensure the legitimacy of the processing of personal data;
  4. in case of withdrawal by the subject of personal data of consent to the processing of his/her personal data (if personal data is processed by the Company on the basis of the consent of the personal data subject);
  5. the reasons due to which the processing of personal data was carried out, were eliminated, unless otherwise provided for by federal law;
  6. in case of liquidation or reorganization of the Company.

5.3. To ensure the fulfillment of the obligations stipulated by Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ and the regulatory legal acts adopted under it, the Company has taken the following measures:

  1. an individual responsible for organizing the processing of personal data has been designated;
  2. local acts on processing and ensuring the safety of personal data were issued, as well as local acts establishing the procedures aimed at preventing and detecting violations of the laws of the Russian Federation, eliminating the consequences of such violations:
    • Regulation on the personal data processing
    • Regulation on the organization and protection of personal data
    • Other local acts on the processing and security of personal data.
  3. legal, organizational and technical measures have been applied to ensure the safety of personal data;
  4. the internal control of personal data processing compliance with the requirements of Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ and its subordinate laws, this Policy, and local acts of the Company are carried out;
  5. an assessment of the damage that may be caused to personal data subjects in case of violation of the requirements of the federal laws on personal data has been made, the ratio of the specified harm to the measures taken by the Company aimed at ensuring the fulfillment of obligations stipulated by the requirements of Federal Law No. 152-FZ dated July 27, 2006 ‘On Personal Data’ and its subordinate laws;
  6. Company employees directly involved in the personal data processing have read and understood the provisions of Federal Law of July 27, 2006 No. 152-FZ ‘On Personal Data’ and its subordinate laws, this Policy and local acts of the Company regarding personal data processing.

5.4. The Company is implementing the following requirements for the personal data protection:

  1. a security regime has been established for the premises in which information systems are located that impede the possibility of uncontrolled entry or stay in these premises of unauthorized persons;
  2. personal data storage media security has been implemented;
  3. the head of the Company approved a document defining a list of persons whose access to personal data processed in the information system is necessary to perform official (labor) duties;
  4. to neutralize current threats to the security of personal data, information protection means that have passed the procedure for assessing compliance with the requirements of the laws of the Russian Federation in the field of ensuring information security are used;
  5. appointed official (employee) responsible for ensuring the security of personal data in personal data information systems;
  6. the requirements established by Decree of the Government of the Russian Federation of September 15, 2008 No. 687 ‘On approval of the Regulation on Special Issues in Processing Personal Data Without Automation’ have been fulfilled.