1.GENERAL PROVISIONS AND SCOPE
1.1. This Policy regarding protection and processing of personal data (hereinafter referred to as the Policy) is drawn up in accordance with Article 18.1 § 2 of Federal Law “On Personal Data” No. 152-FZ of July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data, and applies to all information posted by Russian Mining Chemical Company Limited Liability Company (RMCC LLC) — the managing organization of the Brucite+ Group of Companies on the Internet on the website: https://brucite.plus/ .
1.2. The Policy defines the procedure for processing personal data, including the collection, storage, use, transfer and protection of data, as well as the use of cookies, and applies to all personal data that the Controller may receive from the subject of personal data of the Russian segment of the Internet, including the Internet user (hereinafter referred to as the User), during their use of the website of a Russian company — Russian Mining Chemical Company Limited Liability Company, services, services, programs, products or services. The procedure and specifics of personal data processing of Chinese or other Internet segments are determined in accordance with the applicable laws in the relevant country, set forth in the relevant documents governing the processing and protection of personal data, and published on the pages of the websites at the following address: https://brucite.plus/en/company/privacy/ .
1.3. This Policy applies to all users of the website https://brucite.plus/ including visitors, customers and partners. The Controller does not control and is not responsible for third party websites to which visitors, customers and partners can access via links available on the website https://brucite.plus/ .
1.4. The Controller has the right to make changes to this Policy. When changes are made, the date of the last revision update shall be indicated in the title of the Policy. The new edition shall come into effect from the date of its approval, unless otherwise provided by the new edition of the Policy.
2. TERMS AND DEFINITIONS
|
Brucite+ Group of Companies (Brucite+ Group) |
RMCC LLC — the managing organization, KBR LLC, KGK LLC, Vyazma-Brucite LLC, DVBK LLC, BNG Compounds LLC |
|
Website |
a set of interconnected web pages placed in the Internet under the domain name @brucite.plus, administered and managed by RMCC LLC, and intended to provide information on products, services, activities of RMCC LLC and a respective legal entity of the Brucite+ Group of Companies, as well as for interaction with the users of the website, including but not limited to ordering functions, feedback, provision of reference information and other services |
|
Website user |
any individual accessing the website via the Internet, browsing the pages of the website and/or using the information resources, services, functionalities placed on them regardless of the registration and/or authorization procedure, who provides their personal information to the Controller |
|
Registered user |
any individual who has passed the registration and authorization procedure on the website, who has entered their personal data (surname, name, patronymic, phone number, email), created an account in the personal cabinet (login, password), gained access to personalized functions of the website, order placement, sent a request through the feedback form |
|
Unregistered user |
any individual who visits the website without registering, sending requests via the feedback form, but interacts with the website by visiting pages of the website and performing other actions in which their personal data (IP address, cookie data) may be processed |
|
Personal information |
information that the user voluntarily provides when using the website, or that is automatically collected in the course of using the website, and that allows to directly or indirectly identify the user, including name, e-mail address, contact number, IP address, browser type, cookie data, history of interaction with the website and other information defined as personal information in accordance with Russian law |
|
Personal data controller (Controller) |
RMCC LLC is a legal entity that is a member of the Brucite+ Group of Companies, independently or jointly with other persons organizes processing of personal data, as well as determines the purposes of processing of personal data subject to processing, actions (operations) performed with personal data |
|
Personal data |
any information relating to a directly or indirectly identified or identifiable individual (personal data subject) |
|
Personal data subject |
any person whose personal data have been received by the Controller (User) |
|
Processing of personal data |
any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data |
|
Automated processing of personal data |
processing of personal data by means of computer equipment |
|
Blocking personal data |
temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data) |
|
Personal data information system (PDIS) |
an information system, which is a set of personal data contained in a database, as well as information technologies and technical means that allow processing of such personal data with or without the use of automation tools |
|
Depersonalization of personal data |
actions, as a result of which it is impossible to determine without using additional information the identity of personal data to a particular User or other subject of personal data |
|
Personal data made publicly available by the subject of personal data |
personal data, access to which is provided by the personal data subject or at their request by an unlimited number of persons |
|
Provision of personal data |
actions of the Controller aimed at disclosure of personal data to a certain person or a certain circle of persons |
|
Dissemination of personal data |
any actions of the Controller aimed at disclosure of personal data to an indefinite number of persons (transfer of personal data) or familiarization of personal data to an unlimited number of persons, including disclosure of personal data in mass media, placement in information and telecommunication networks or providing access to personal data in any other way |
|
Cross-border transfer of personal data |
transfer of personal data to the territory of a foreign state to a foreign authority, a foreign individual or a foreign legal entity |
|
Cookies |
a part of data automatically located on the hard disk of the user’s computer and containing text information that is necessary for the server to operate the Controller’s website; it is a unique browser identifier and allows storing information on the server that facilitates orientation in the web space, as well as allows analyzing the Controller’s website and evaluating the results of the analysis |
|
Destruction of personal data |
any actions, as a result of which personal data are irretrievably destroyed with the impossibility of further recovery of personal data content in the personal data information system and (or) material carriers of personal data are destroyed |
3. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
When processing personal data, the Controller adheres to the following principles:
3.1. processing of personal data is carried out on a lawful and fair basis;
3.1.2. personal data shall not be disclosed to third parties and shall not be disseminated without the consent of the subject of Personal Data, except in cases requiring their disclosure at the request of authorized state authorities, legal proceedings;
3.1.3. determination of specific legitimate purposes prior to the processing, including the collection of personal data;
3.1.4. only those personal data are collected that are necessary and sufficient for the stated purpose of processing;
3.1.5. merging of databases containing personal data processed for incompatible purposes is not allowed;
3.1.6. the processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes;
3.1.7. processed personal data shall be destroyed or depersonalized upon achievement of the purposes of processing or in case of loss of necessity to achieve these purposes, unless otherwise provided for by the federal law.
3.1.8. The Controller does not process personal data concerning race, nationality, political views, religious, philosophical and other beliefs, personal life, membership in public associations, including trade unions.
3.2. Biometric personal data (information that characterizes physiological and biological features of a person, on the basis of which it is possible to establish their identity and which is used by the controller to establish the identity of the personal data subject) is not processed by the Controller.
3.3. The Controller does not carry out cross-border transfer of personal data.
3.4. The Controller forms, updates and localizes the database with personal data of Russian citizens on the territory of the Russian Federation. The Controller does not store personal data of Russian citizens in databases located in foreign countries.
3.5. The Controller stores and processes personal data of Users in accordance with this Policy, internal regulations of specific services of the website only if they are sent independently through special consent and feedback forms located on the website.
3.6. By submitting personal data to the Controller through the consent and feedback forms located on the website, the User expresses their agreement with this Policy and also gives their consent to the processing of their personal data.
3.7. Processing of personal data is carried out both with and without the use of automation. The Controller processes anonymized user data if this is allowed in the user’s browser settings (cookie saving is enabled).
3.8. The Website may transfer the user’s personal information to third parties in the following cases:
3.8.1. The User has consented to such actions.
3.8.2. The transmission is necessary for the user to use a certain service or to fulfill a certain agreement or contract with the user.
3.8.3. the transfer is provided for by Russian law under the procedure established by law.
3.8.4. In case of transfer of the rights to the website, the transferee shall assume all obligations to comply with the terms of this Policy with respect to the personal information of the subject of personal data received by it.
3.9. Processing of user’s personal data shall be carried out until the purposes of their processing are achieved by any lawful means, including in personal data information systems with or without the use of means of automation, or until the personal data subject revokes their consent to the processing of personal data on the basis of a written application in any form.
3.10. The Controller takes necessary organizational and technical measures to protect the user’s personal information from illegal or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties.
3.11. The Controller together with the user takes all necessary measures to prevent losses or other negative consequences caused by the loss or disclosure of the user’s personal data.
3.12. In case of identifying inaccuracies in personal data, the user can update them independently by sending a notification to the Controller at its e-mail address info@brucite.plus , marked “Updating of personal data”.
3.13. The User may withdraw their consent to the processing of personal data at any time by sending a written request via e-mail to the e-mail address: info@brucite.plus marked “Withdrawal of consent to personal data processing” or by sending a written notice to the Controller’s address: to RMCC LLC — 7 Pavlovskaya Street, facility 1C, Moscow, 115093. Upon receipt of such notice, the processing of the subject’s personal data will be terminated and their personal data will be deleted (destroyed), except in cases where the processing may be continued in accordance with applicable law.
3.14. The Controller does not make decisions that give rise to legal consequences in relation to Users or otherwise affect their rights and legitimate interests, based solely on the automated processing of their personal data.
3.15. Users’ personal data may be received, further processed and stored both in hard copy and electronically.
3.16. Storage of personal data in a form that allows identification of the personal data subject is carried out for no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in case of loss of necessity in their achievement.
3.17. The Controller is obliged to take precautions to protect the confidentiality of users’ personal data according to the procedure normally used to protect this kind of information in the existing business turnover.
3.18. The Controller blocks personal data related to the respective user from the moment of application or request of the user or their legal representative or the authorized body for the protection of the rights of personal data subjects for the period of verification in case of detection of inaccurate personal data or unlawful actions.
4. PERSONAL INFORMATION. CATEGORIES, PURPOSES, TERMS AND LEGAL BASIS OF PERSONAL DATA PROCESSING
4.1. User’s personal data, which is provided by the user on the Controller’s website includes the following categories of personal information:
4.1.1.Information that the user voluntarily provides when registering an account or using the website services, including:
a) Personal data entered by the User (surname, first name, patronymic, contact phone number, e-mail address);
b) Mandatory data marked with a special designation (necessary for the provision of website services);
c) Additional information provided at the user’s request.
4.1.2.Technical information automatically transmitted to the website services when used by the user:
(a) IP address of the device;
(b) Cookie data;
c) Information about the browser or software used;
(d) Technical parameters of hardware and software;
(e) Time stamps and duration of sessions;
(f) History of pages visited and similar data.
4.1.3.Other information, the processing of which is regulated by the Terms of Use of the website.
4.2. Summary table of personal data of the Website users
| Registered Users: | Unregistered users: | |
|---|---|---|
|
Category of subjects |
- counterparties (buyers, clients, contractors), - counterparty representatives, - employees of counterparties, -applicants, - persons who have sent a request to the Controller using the feedback form; - persons who have expressed their consent to the processing of personal data for the purpose of promoting the Controller’s goods and services
|
website visitors, potential customers |
|
Personal data
|
- last name, first name, middle patronymic, - phone number, - information entered during registration/authorization on the website (login/password), - electronic mail (email) address, - location, - information from feedback forms and consent forms, - technical characteristics of the user’s device (device model, information about the operating system, screen size, IP address; information about the browser), - the address and/or part of the URL of a website, an element of a website; - information about the pages you have viewed; - information about third-party applications that the user employs when interacting with the website, - information about UTM-tags (means of analyzing the ways of going to the website, - information about the links opened when using the website, - number of visits, time of use, speed of launching the website, - information about third-party applications that the user employs when interacting with the website |
technical characteristics of the user’s device (device model, information about the operating system, screen size, IP address; information about the browser), - the address and/or part of the URL of a website, an element of a website; - information about the pages you have viewed; - information about third-party applications that the user employs when interacting with the website, - information about UTM-tags (means of analyzing the ways of going to the website, - information about the links opened when using the website, - number of visits, time of use, speed of launching the website, - information about third-party applications that the user employs when interacting with the website |
|
Purposes of processing |
- familiarization with information and/or materials on the website, use of services, materials and information on the website, placing an order and / or making a transaction (conclusion of a contract of sale of goods); - establishing feedback with the user, including sending notifications, requests regarding the use of the website, provision of services, processing requests and applications from the user; |
- familiarization with information and/or materials on the website, use of services, materials and information on the website; - establishing feedback with the user, including sending notifications, requests regarding the use of the website, provision of services, processing requests and applications from the user; |
|
Purposes of processing |
- providing the user with access to personalized resources of the website; - confirmation of the accuracy and completeness of the personal data provided by the user; - creation of an account for making transactions, if the user has agreed to create an account (personal account); - organization, implementation and efficiency management of procurement procedures, promotion of goods, works and services, - taking due diligence measures with respect to potential and existing counterparties, including managing potential risks and verifying the completeness and reliability of information about the counterparty, - contractual work (conclusion, execution, amendment and termination of contracts and agreements to whichthe user is a party or beneficiary), - ensuring financial and economic activity; - notification of the website user of the order status when creating an account and making a transaction with the Controller; - providing the user with effective customer and technical support in case of problems related to the use of the website; - realization of advertising activities with the consent of the User; - providing the user with their consent, product updates, special offers, price information, newsletters and other information on behalf of the Controller; |
- providing the User with effective customer and
technical support in case of problems related to the use
of the website. - determining user preferences for displaying advertisements; - collecting statistics on user interaction with the website to improve the experience of using the resources or to eliminate various emerging errors in the operation of the website |
|
Purposes of processing |
- determining user preferences for displaying advertisements; - collecting statistics on user interaction with the website to improve the experience of using the resources or to eliminate various emerging errors in the operation of the website |
|
|
Legal basis for processing |
Consent to the processing of personal data |
Consent to the processing of personal data |
|
Processing times |
Until the purposes of processing are achieved for an indefinite period of time or until the user revokes their consent to the processing of personal data |
Until the purposes of processing are achieved for an indefinite period of time or until the user revokes their consent to the processing of personal data |
5. SPECIFICS OF PERSONAL DATA PROCESSING
5.1. The Controller processes and protects personal data received from the website users by filling in the relevant forms (feedback form, consent form for processing personal data, consent to receive advertising notifications and newsletters), as well as those received to the Controller’s e-mail address: info@brucite.plus.
5.2. Collection of personal data by the Controller using the Internet is carried out in two main ways: provision of personal data and automatically collected information.
5.3. Methods of personal data processing: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction.
5.4. The controller obtains through technologies and services web protocols, cookies, web notes. The controller uses software tools Yandex.Metrika, GoogleAnalytics, the functionalities of which allow to determine the unique visitor of the website, form information about their preferences and behavior on the website.
5.5. The Controller uses the following categories of cookies:
- Mandatory, ensuring the operation of the website and its functions (authorization, security);
- Functional, memorizing user settings;
- Promotional, used to display personalized advertisements (subject to the user’s consent).
5.6. The user can restrict or disable the use of cookies at any time by changing the settings of their browser, thus modifying the functionality of the website.
5.7. The user, by continuing to use the website, agrees to the use of cookies in accordance with this Policy.
5.8. The website https://brucite.plus/ is not intended for persons under 18 years of age, therefore the Controller requires that such persons do not provide their personal data through the website. In case the Controller reveals the fact that minors or underage persons have provided their personal data via the website, the Controller will, within a period not exceeding ten working days from the date of revealing such fact, destroy the said personal data or ensure its destruction.
5.9. The Policy does not govern the processing and protection of personal data in relation to any websites or web objects (mobile applications) accessible through the website or to which the website contains links. The presence or inclusion of a link to any such website or facility on the website does not imply any warranty or representation on the part of Controller.
5.10. When the purpose of processing is achieved and/or other legal grounds arise, data destruction is carried out in accordance with the procedure established by the Order of the Federal Service for Supervision of Communications, Information Technology and Mass Communications No. 179 of October 28, 2022 “On Approval of Requirements for Confirmation of Personal Data Destruction”.
5.11. Fromthe way personal data can be destroyed depends on the way it is processed: shredding/deletion of information from databases.
6. PERSONAL DATA PROTECTION
6.1. The main organizational and technical measures of personal data protection used by the Controller are:
6.1.1. Appointment of a person responsible for personal data processing, who is responsible for organization of personal data processing, training and instruction, internal control over compliance of the Controller’s employees with the requirements to personal data protection;
6.1.2. Certification of the security of the Controller’s information systems used for personal data processing, with obtaining a certificate.
6.1.3. Identification of actual security threats to personal data during their processing in the PDIS and development of measures and activities to protect personal data, encryption of personal data during storage and transmission of personal data, use of anti-virus software, regular updating and monitoring of systems, data backup and safe storage of backups;
6.1.4. Establishing the rules of access to personal data processed in the PDIS, as well as ensuring registration and accounting of all actions performed with personal data in the PDIS, journaling user actions in the PDIS, processing and storing logs;
6.1.5. Observance of conditions ensuring the safety of personal data and excluding unauthorized access to them;
6.1.6. Detection of unauthorized access to personal data and taking measures, physical protection of servers and technical premises;
6.1.7. Restoration of personal data modified or destroyed due to unauthorized access to it;
6.1.8. Training of the Controller’s employees directly involved in personal data processing, provisions of the Russian legislation on personal data, including requirements to personal data protection, documents defining the Controller’s policy on personal data processing, local acts on personal data processing;
6.1.9. Implementation of internal controls and audits.
6.2. The main legal measures for the protection of personal data used by the Controller are:
6.2.1. Obtaining the consent of the subject of personal data to their processing;
6.2.2. Adherence to the principles of minimization: The Controller processes only that personal information about the user, which is necessary and sufficient to achieve the purposes of personal data processing. The processing of redundant personal data irrelevant to the purposes of processing is not allowed.
6.2.3. Informing personal data subjects of their rights and purposes of processing in accordance with this Policy;
6.2.4. Ensuring the realization of the rights of personal data subjects to access, rectification, withdrawal of consent and other rights in the field of personal data protection;
6.2.5. Conclusion of contracts with personal data processors that include requirements for personal data protection;
6.2.6. Registration in the register of personal data controllers of the Federal Service for Supervision of Communications, Information Technologies and Mass Media (Roskomnadzor), if applicable.
6.3. The special measures for the protection of personal data during their online processing are:
6.3.1. Antivirus Defense;
6.3.2. Firewalling;
6.3.3. Wireless access;
6.3.4. Centralized infrastructure management;
6.3.5. Using HTTPS on all pages of the website (SSL certificate);
6.3.6. CAPTCHA and form protection against spam and bots;
6.3.7. Protection against SQL injection, XSS and CSRF attacks ;
6.3.8. Setting up a role model of access to the website, limiting access to the admin panel by IP;
6.3.9. Installing security plug-ins;
6.3.10. Storing data on secure servers.
7. THE RIGHTS OF THE PERSONAL DATA SUBJECT.
RIGHTS AND OBLIGATIONS OF THE PERSONAL DATA CONTROLLER
7.1. The subject of personal data has the right to:
7.1.1. To receive, in an accessible form, information regarding the processing of personal data, in case of a request that complies with Article 14 § 3 of the Law on Personal Data, to obtain the following information:
а) confirmation of the fact of personal data processing by the Controller;
b) legal basis and purposes of personal data processing;
c) methods of personal data processing applied by the Controller;
d) name and location of the Controller, information on persons (except for the Controller’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Controller or on the basis of federal law;
e) the terms of personal data processing, including the terms of their storage;
f) the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Controller, if the processing is or will be entrusted to such a person.
7.1.2. Demand from the Controller to clarify their personal data, block or destroy them;
7.1.3. Withdraw consent to the processing of personal data.
7.1.4. To appeal against actions or omissions of the Controller.
7.1.5. Exercise other rights provided for by law.
7.2. The controller shall have the right to:
7.2.1. process the user’s personal data if there is a legal basis to do so;
7.2.2. require from the user the authenticity of the personal data provided, their sufficiency for the purposes of processing, as well as in other cases provided for by the legislation of the Russian Federation;
7.2.3. to limit the user’s access to their personal data in cases established by law;
7.2.4. to entrust the processing of personal data to another person;
7.2.5. continue processing the user’s personal data if the user withdraws consent on other legal grounds;
7.2.6. exercise other rights provided for by Russian law.
7.3. Controller Responsibilities:
7.3.1. take measures necessary and sufficient to ensure the fulfillment of lawful duties;
7.3.2. provide the user, at their request, with information regarding the processing of their personal data;
7.3.3. clarify, block or destroy personal data within the prescribed timeframe data within the established time limits;
7.3.4. explain to the user the legal consequences of refusing to provide their personal data, if their provision is mandatory;
7.3.5. ensure that the requirements for localization of personal data are met;
7.3.6. take legal, organizational, technical and other measures to ensure the security of personal data;
7.3.7. makes an assessment in accordance with the requirements of the Russian legislation in case it is necessary to carry out a trans-border transfer of personal data;
7.3.8. familiarize the Controller’s employees directly involved in personal data processing with the provisions of the Russian legislation in the field of personal data processing, including requirements to personal data protection, this Policy and other local acts on personal data processing;
7.3.9. to conduct an assessment of possible harm to users in accordance with the requirements established by the authorized body for the protection of the rights of personal data subjects;
7.3.10. to destroy personal data in case of achievement of the purposes of their processing or upon occurrence of other legal grounds within the terms, methods and in the manner prescribed by the requirements of the authorized body for the protection of the rights of personal data subjects;
7.3.11. to notify the authorized body for the protection of the rights of personal data subjects in cases established by law, as well as to conduct internal investigations in case of personal data incidents;
7.3.12. to carry out internal control and audit of compliance of personal data processing in accordance with the requirements of the legislation of the Russian Federation;
7.3.13. confirm the destruction of personal data in cases stipulated by the legislation, as well as fulfill other obligations stipulated by the legislation of the Russian Federation.
8. FINAL PROVISIONS
8.1. This Policy is a local normative act of the Controller. Public accessibility of this Policy is ensured by publication on the Controller’s website.
8.2. This Policy may be revised in any of the following instances:
8.2.1. in case of changes in legislation in the field of personal data processing and protection;
8.2.2. in cases of receiving orders from competent state authorities to eliminate non-compliances affecting the scope of this Policy;
8.2.3. by decision of the Controller’s management;
8.2.4. when changing the purposes and terms of personal data processing;
8.2.5. when changing the organizational structure, structure of information and/or telecommunication systems (or introducing new ones);
8.2.6. when applying new technologies for processing and protection of personal data, including transmission and storage;
8.2.7. in the case of a need to change the process of personal data processing related to the Controller’s activities.
8.3. in case of non-compliance with the provisions of this Policy, the Controller and its employees shall be liable in accordance with the applicable law. Control over the fulfillment of the requirements of this Policy shall be exercised by the persons responsible for the organization of personal data processing by the Controller, as well as for the security of personal data.
8.4. This Policy is a local act of RMCC LLC, comes into effect from the moment of its approval and is valid indefinitely until a new version of the Policy is adopted.