Personal Data Processing Policy Nordic Star Law Offices
Nordic Star Law Offices, a company registered in accordance with the laws of Russian Federation with its business address at Malaya Konyushennaya Street 1/3A, B33, 191186 Saint Petersburg, Russia. In this Policy, such pronouns and possessive forms as “we”, “our” and similar should be understood as referring to Nordic Star Law Offices. At the same time, the pronouns and possessive forms “you”, “your” and the like should be considered as indicating the personal data subject with respect to whom we process information.
Your privacy is very important to us regardless of whether you are a current client or partner of ours, or another individual whose data we process. By using this document, we aim to bring to the attention of all interested parties information about how we process and protect personal data. If you have reason to believe that we are processing your personal data, we recommend that you read this Policy.
The terms used in this Policy and not defined separately (“personal data”, “personal data processing” and others) have the meaning given to them by the legislation of the Russian Federation and, primarily, by the Federal law No. 152-FZ dated 27 July 2006 “On personal data”. However, we process personal data in accordance with all laws that apply to the protection of personal data, including the GDPR, i.e. the European Union’s General Data Protection Regulation 2016/679 GDPR (“Data Protection Laws”).
Due to the applicable data protection legislation in each country we operate, there might be differences in the data collecting, handling, processing and preserving procedures between our office locations. The data sources are separated and combined whenever it is needed, but the data is always protected.
Legal grounds for and purposes of personal data processing
As with any other organization, we process personal data in compliance with the requirements established by applicable law. In particular, the processing of the personal data of employees is carried out pursuant to the provisions of labor and tax legislation, and customers’ data is processed in order to comply with anti-money laundering legislation. If the processing of personal data is not expressly provided for by applicable legal acts, we will process personal data only in the following cases:
where the processing of the personal data is necessary for the conclusion or performance of a contract to or under which you are a party or beneficiary (for example, for the execution of a client’s instruction or interaction with it regarding the provision of services under an agreement that has been concluded);
where the processing of the personal data is necessary for the exercise of our rights and legitimate interests or for the protection of the rights and interests of third parties (for example, in order to identify conflicts of interests, or to ensure the safety of our employees and judicial protection of our rights);
we have received your consent to the processing of your personal data (for marketing or other similar purposes).
Regardless of the specific reasons for processing personal data, we process it in accordance with all laws and other regulatory legal acts that protect personal data including Federal law No. 152-FZ dated 27 July 2006 “On personal data”, the General Data Protection Regulation (GDPR) and the Finnish Act on the Data Protection. We do our best to ensure that your personal data is processed in a transparent and secure manner.
Methods of receiving personal data and its composition
The composition of personal data and how it is obtained depend on the purposes for which the personal data is being processed.
We process the personal data of applicants for vacant positions for the purpose of evaluating employment opportunities. Such data (the individual’s full name; education; profession; and other data specified in the resume) is received directly from employees or their authorized persons by being sent to us via electronic communication channels.
As part of the compliance with labor and tax legislation, as well as with regulations on the procedure for making social payments, we process a wide range of information related to our employees (full name; gender; date of birth (age); place of birth; series and number of their passport, together with the issuing body and date of issuance; marital status; education; profession; income data; military registration data; employment information; insurance number of their individual personal social security account; taxpayer identification number; citizenship; date and place of registration; actual place of residence; work experience; and contact information (phone numbers, email addresses)). Employees supply this information to us directly because it forms part of copies and originals of documents that they provide to us.
The information required for us to perform clients’ instructions, as well as for direct interaction with them (full name; email address, telephone number, position and place of work) are provided to us by clients or their representatives via electronic communication channels. Similarly, we receive more detailed information about our clients, and about the founders, managers and beneficial owners of companies that is necessary for us to identify them in accordance with anti-money laundering regulations (full name; date of birth; citizenship; a copy of the passport and information to determine the financial status of the client and the level of his political influence). At the same time, since such information is used to comply with legal requirements, it can be verified, supplemented and updated using third-party sources (including commercial databases).
Information used for marketing purposes (such as sending invitations to seminars and events, sending newsletters or other news related to our services or to our company as a whole) is collected through direct communication with clients, potential clients and their representatives. We also collect this information through a website accessible at www.nordicstar.law where you can subscribe to our newsletter.
We do not process biometric personal data, and nor do we possess information related to special categories of personal data (including those that disclose racial or ethnic origin, political views, religious or philosophical beliefs, or health data). The only exception is data concerning the health status of our employees, which is processed in compliance with the requirements of current legislation (for calculating social benefits, ensuring proper working conditions and other similar purposes).
Where we store and how we protect personal data
We process personal data both using automation tools and without using them by collecting, systematizing, accumulating, storing, clarifying, using, blocking, transferring (to a limited extent) and destroying it.
When processing personal data using automation tools, we implement organizational, legal and technical measures that exclude the possibility of persons who are not allowed to process such personal data from gaining unauthorized access to it. These measures include, among others:
modeling threats to personal data security;
ensuring the security of premises where personal data information systems are located, preventing the possibility that persons without the right to access such data could gain uncontrolled entry to or stay in those premises;
determining the list of persons whose access to personal data is necessary for them to perform their official duties;
managing access to personal data (including the use of password protection measures);
monitoring the security of personal data (including monitoring the installation of software updates);
ensuring the availability of personal data (including the backup of personal data with established frequency);
ensuring antivirus and malware protection of personal data information systems.
We provide access control to the premises used for the processing of personal data without the use of automation tools. If there are documents in premises that are stored outside of locked cabinets (safes, boxes), persons who do not have the right to access the personal data storage devices kept in them have the right to access these premises only in the presence of authorized employees who monitor compliance with such restrictions on access to personal data.
Personal data of citizens of the Russian Federation is processed using databases located within the Russian Federation.
Transfer and disclosure of personal data to third parties
We do not disclose personal data of clients and other persons to third parties, unless such disclosure is required by applicable law in order to perform contracts with contractors or provide legal services to our clients. In other cases, the transfer of your personal data to third parties is only possible based on your prior consent (at your request). We often use third-party services in our business activities that involve processing personal data. In this regard, personal data may be transferred to providers that process personal data on our behalf when providing us with relevant services (including information technology partners that provide us with hosting services, CRM systems, financial accounting systems, message distribution systems and other similar solutions in the field of business automation). We make sure that all such providers enter into data processing agreements with us whereby they take the legal, organizational and technical measures necessary to ensure that your personal data is protected.
If personal data is transferred to foreign countries, the personal data is transferred to jurisdictions that provide adequate protection of the rights of personal data subjects. The transfer of personal data to countries that do not provide adequate protection of the rights of personal data subjects is carried out only based on your written consent, as well as for the purpose of performing a contract to which you are a party.
Personal data is provided to public authorities (including in the framework of submitting accounting reports, tax reports and other reporting) in accordance with the requirements of applicable law.
Terms of personal data storage
The storage period for personal data depends on the relevance of the purposes for which such personal data is processed. We store personal data at least as long as it is necessary to achieve the purposes of processing mentioned above.
The personal data of applicants is stored until the relevant vacancy is closed. Personal data of employees is processed during the term of their employment contract, and after it terminates throughout the entire period of our activity (to the extent necessary to provide reference information at the request of state bodies and extra-budgetary funds).
Personal data of clients and their representatives is processed throughout the entire period in which we provide them with legal services, as well as for 10 (ten) years after the termination of the contract with the client. The extended information collected in relation to our clients, founders, company managers and their beneficiaries for the purpose of identifying them is stored for at least 5 (five) years after we cease to supply legal services to the clients in question.
Information used for marketing purposes and business contacts with clients is processed until we cease to operate as a legal entity.
The abovementioned processing periods do not affect or limit the rights of personal data subjects granted to you by applicable law (including the right to withdraw your consent to the processing of your data).
Personal data whose processing period has expired is destroyed in a secure manner (with no possibility of restoring it).
Your rights as a personal data subject
In cases where we process your personal data based on your consent, you have the right to withdraw your consent to such processing at any time. In particular, you may unsubscribe from marketing communications at any time: each of our marketing emails contains instructions on how you can unsubscribe; however, you can also unsubscribe at any time by contacting us at email@example.com.
You have the right to access information related to the processing of your personal data by sending a written request for the following information related to such processing of your personal data:
confirmation that your personal data is being processed;
the legal grounds on which and the purposes for which your personal data is processed;
the methods being used in processing your personal data;
information about persons who have access to your personal data or to whom your personal data may be disclosed under a contract with us or under federal law;
what personal data relating to you is being processed, and the source from which it was received, unless the law provides otherwise;
the period for which your personal data will be processed including the period for which it will be stored;
the procedure for exercising the rights provided for by law;
information about any cross-border transfer of data;
information about the location of the database of information containing your personal data;
the name or full name and address of a person who processes personal data on our behalf, if such processing is entrusted or will be entrusted to such a person;
other information provided for by law.
The request for the above information must contain the number of the main document certifying your identity or the identity of your representative, information about the date when this document was issued and which body was the issuing authority, information confirming your relationship with us or information that otherwise confirms that the personal data is being processed. In addition, you or your representative must sign the request. Responses to requests for the information specified above are sent within 30 (thirty) days after we receive them.
You have the right to request us to clarify your personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing.
If we receive a request containing information about our processing of inaccurate personal data or about our improper processing of personal data, we will immediately block such personal data for the verification period. If you are notified that inaccurate personal data is being processed, you will be blocked provided that this does not violate your rights and/or the legitimate interests of third parties.
If the inaccuracy of the processed personal data is confirmed based on the information provided by you, your representative or the authorized body for the protection of personal data rights, we provide the clarification of personal data within 7 (seven) business days from the date when such information was permitted. If it is not possible to update the data within the specified time period, the update is carried out as soon as possible. Data is unblocked when we receive your consent to continue processing it unchanged or when clarification of such data is completed.
If we detect that personal data is being illegally processed based on the results of verification, the violation is eliminated within a period not exceeding 3 (three) business days from the date when illegal processing is confirmed. If it is not possible to ensure that such personal data is processed legally, we will destroy the data within a period not exceeding 10 (ten) business days from the date when we detect the illegal processing of personal data. We will immediately notify you or your representative that the violations have been eliminated or that the personal data has been destroyed, and if the request or application was sent by the authorized body for the protection of personal data rights, we will also notify the body in question.
If you withdraw your consent to the processing of your data, we will stop processing your personal data and destroy it within 30 (thirty) days. The requirements of this clause are not applicable, unless the agreement to which you are a party, beneficiary or guarantor, or applicable law, provides otherwise.
You have the right to file claims with respect to our actions or omissions in the processing and protection of personal data, as well as to take other legal measures to protect your rights. If you believe that the way we are processing your personal data violates applicable law, you can also file a complaint with the Federal Service for Supervision of Communications, Information Technology and Mass Media.
Reviewing and amending the Policy
The electronic version of the current text of the Policy is available on our website. The hard copy of the Policy is stored at Nordic Star Law Offices. We reserve the right to make changes to this Policy. We recommend that you review the Policy from time to time for possible changes. If you have any questions about our personal data processing, please contact us at firstname.lastname@example.org.