Data Processing and Protection Policy
Effective from:
Published at:
1. General provisions
1.1. This Policy for the processing and protection of personal data (the “Policy”) of the personal data operator Limited Liability Company Volvo Cars (the “Company”) located at: Building 5, 39 Leningradskaya Street, city of Khimki, Moscow Region, 141402 Russia, defines the basic principles, procedures and conditions for the processing of personal data, the requirements for the protection of personal data and the main rules and obligations of personal data subjects and of the personal data operator.
1.2. This Policy is the Company’s principal internal regulation that defines the requirements for the processing and protection of personal data.
1.3. The Company grants unlimited access to this Policy by publishing it on its website at https://www.volvocars.com/ru/legal/privacy.
2. Principles of the processing of personal data
2.1. The Company processes personal data in accordance with the following principles:
- the purposes and methods for the processing of personal data should be legitimate and fair;
- the processing of personal data should be limited to achieving specific and lawful purposes determined in advance;
- it should be prohibited to combine the databases which contain personal data processed for mutually incompatible purposes;
- the volume and contents of personal data that is processed should correspond to the purposes of the processing of the personal data;
- it should be prohibited to process personal data if such processing is incompatible with the purposes for which such personal data was collected;
- it should be ensured that the personal data is accurate, sufficient and, where necessary, updated for the purposes of the processing;
- personal data should be stored in a format allowing for the personal data subject to be identified, but for no longer than is required for the purposes of the processing.
3. Purposes of the processing of personal data
3.1. The Company conducts the processing of personal data for the following purposes:
- to exercise and perform functions, powers and obligations imposed on the Company by Russian legislation and international treaties to which Russia is a party;
- to provide assistance with employment;
- to perform rights and obligations of parties to employment relationships;
- to provide informational support of the Company’s activities;
- to assist employees, when they so request, in providing information when they take out a loan;
- to hold corporate events;
- to work with other members of Volvo Car Group;
- to agree, conclude and perform contracts and other transactions;
- to conclude and perform sale and purchase agreements and lease agreements for VOLVO cars and other agreements with clients;
- to conduct marketing, analytical and statistical research and surveys relating to the sale of VOLVO cars, the supply of maintenance and repair services, financial services under Volvo Car Financial Services programmes, roadside assistance services, including to conduct surveys to assess whether clients are satisfied with the services provided;
- to supply services connected with the use of VOLVO cars (including warranty and after-sales services, as well as roadside assistance services);
- to ensure that VOLVO cars are used safely and the safety of the life and health of owners and users of VOLVO cars, as well as to distribute information about product recall campaigns;
- to give information about updates of and changes to the products and services of the Company and the dealership centre, including amendments made to the terms and conditions and policies;
- to give information about new products, services and events of the Company and of dealership centre;
- to assess and improve the Company’s offers and to exchange information with clients;
- to promote the goods, work and services of the Company, its partners and dealership centre on the market, including by contacting clients directly via means of communication (via electronic communications networks by using telephone, facsimile and mobile radio-telephone communication, Internet, fax, SMS and mail);
- to personalise proposals for clients as part of the promotion of goods, work and services of the Company, dealership centres and partners, to determine that a client is a regular customer and to increase satisfaction with the quality of services;
- to administer and handle inquiries, complaints, claims and other requests as well as to defend the Company and clients in pre-trial and court proceedings;
- to check whether there are grounds for a discount for a VOLVO car to be granted if the client participates in programmes to support the Company’s sales;
- to check whether a client is reliable (including when a vehicle is leased under the Volvo Car Drive service);
- to provide assistance with documenting car insurance;
- to identify a user as a multiple visitor of the websites of Volvo Car Group;
- to analyse the conduct of visitors of the websites of Volvo Car Group in order to optimise communication with website users and the structure of the websites of Volvo Car Group;
- to create a profile of a website user's interests in order to be able to display on other websites advertisements of Volvo products and services that are important for the website user;
- to personalise offers for website users as part of the promotion of goods, work and services of the Company, its partners and dealership centres.
4. Legal grounds for the processing of personal data
4.1. The following, among others, constitute the legal grounds for the processing of personal data:
- the Russian Civil Code;
- the Russian Labour Code;
- the Russian Tax Code;
- Federal Law No. 167-FZ “On compulsory pension insurance in the Russian Federation” dated 15 December 2001;
- Federal law No. 125-FZ “On compulsory social insurance against workplace accidents and occupational diseases” dated 24 July 1998;
- Federal Law No. 255-FZ “On compulsory social insurance against temporary incapacity for work and in connection with maternity leave” dated 29 December 2006;
- Federal Law No. 115-FZ “On the legal status of foreign nationals in the Russian Federation” dated 25 July 2002;
- Federal Law No. 109-FZ “On registering foreign nationals and stateless persons with migration authorities in the Russian Federation” dated 18 July 2006;
- Federal Law No. 63-FZ “On an electronic signature” dated 6 April 2011;
- Federal Law No. 27-FZ “On individual (personalised) record-keeping in the compulsory pension insurance system” dated 1 April 1996;
- Federal Law No. 53-FZ “On military duty and military service” dated 28 March 1998;
- “The Fundamental Principles of the Legislation of the Russian Federation on Notaries” No. 4462-1 dated 11 February 1993;
- Russian Law No. 1032-1 “On employment in the Russian Federation” dated 19 April 1991;
- Federal Law No. 426-FZ “On special assessment of working conditions” dated 28 December 2013;
- Russian Law No. 2300-1 “On the protection of consumers' rights” dated 7 February 1992;
- Federal Law No. 38-FZ “On advertising” dated 13 March 2006;
- Decision No. 877 of the Customs Union Commission 'On adopting the Technical Regulations of the Customs Union "On the safety of machines and equipment"’ dated 9 December 2011;
- other Russian regulatory and legal acts serving as a basis for the processing of personal data;
- the Company’s charter;
- contracts concluded between the Company and its contracting parties;
- contracts concluded with personal data subjects;
- consents of personal data subjects.
5. Personal data that is processed
5.1. The Company processes personal data of the following categories of personal data subjects:
- candidates;
- employees;
- relatives of employees;
- invited employees of Volvo Car Group;
- members of the Company’s management bodies as well as members and beneficial owners of the Company;
- representatives of dealership centres;
- representatives of contracting parties that are legal entities, of contracting parties who are individual entrepreneurs and of their representatives, and of contracting parties who are individuals;
- clients (individuals and their representatives);
- subscribers for newsletters;
- website users; and
- visitors.
5.2. The content and volume of personal data for each category of personal data subjects is determined by the need to achieve specific purposes of processing such data and by the Company's need to perform its rights and obligations, as well as the rights and obligations of the corresponding personal data subject.
6. Procedure and conditions for the processing of personal data
6.1. The Company processes personal data by collecting, recording, systematising, accumulating, storing, updating (renewing or modifying), extracting, using, transferring (distributing, providing or accessing to), blocking, deleting or destroying personal data.
6.2. The processing of personal data is mixed (both automated and non-automated) and includes the use of the Company’s corporate intranet and the Internet.
6.3. A personal data subject is the direct source of information regarding all personal data. Unless Russian legislation stipulates otherwise, the Company has a right to obtain personal data of a personal data subject from third parties; however, the personal data subject must be notified to that effect.
6.4. The Company has a right to transfer personal data of personal data subjects to third parties, including a cross-border transfer of such personal data to foreign states, including to those that do not ensure adequate protection of personal data subjects’ rights, provided that the requirements stipulated by Russian legislation are complied with.
6.5. The Company has a right to instruct the processing of personal data to another party, with the corresponding personal data subject's consent, unless a federal law stipulates otherwise, under a contract (or instruction to process personal data) concluded with such party. A party that processes personal data further to an instruction must comply with the principles and rules for the processing of personal data set out in Russian legislation.
6.6. In an instruction to process personal data, the Company indicates the purposes of the processing and the list of actions with personal data which the party that processes personal data further to the instruction is entitled to perform. It also establishes the obligations of such party to ensure the confidentiality and safety of personal data while it is being processed, as well as requirements under Russian legislation for the protection of personal data that is being processed.
6.7. When the Company processes personal data, it should comply with the requirements that ensure the confidentiality and safety of personal data.
6.8. The Company’s employees and other persons who are granted access to personal data assume obligations to ensure the confidentiality of personal data being processed.
6.9. Personal data should be stored in a form which allows the personal data subject to be identified, but for no longer than is required in accordance with the purposes of processing the personal data, unless another period is set by Russian legislation or a contract to or under which the personal data subject is a party, beneficiary or a guarantor.
6.10. Personal data is destroyed when the purposes of the processing of personal data have been achieved, if such purposes no longer need to be achieved or after the expiry of the personal data storage period established by a federal law or a contract to or under which the personal data subject is a party, beneficiary or a guarantor.
7. Updating, correcting and destroying personal data
7.1. The Company undertakes reasonable measures to keep personal data accurate and updated and to delete it if the personal data is recognised to be obsolete, inaccurate or redundant, or if the purposes of the processing of the personal data have been achieved.
7.2. If it is discovered that personal data is inaccurate or the processing of it is illegal, the Company should update the personal data or cease the processing of it.
7.3. The Company should cease the processing of personal data under the following procedure and within the following timeframes (unless Russian legislation provides otherwise):
- if any unlawful actions with personal data are identified, the Company rectifies the violations within a period not exceeding 3 business days from when such actions are identified. If it is impossible for the Company to rectify the violations committed within a period not exceeding 10 business days from when unlawful actions with personal data were identified, the Company destroys the personal data. The Company notifies the personal data subject or his/her legal representative of the destruction of the personal data and, if an application or request has been filed with a competent authority responsible for the protection of rights of personal data subjects, the Company also notifies the competent authority;
- when the purpose of the processing of personal data is achieved, the Company ceases the processing of such personal data and destroys the relevant personal data within a period not exceeding 30 business days from when the purpose of the processing of the personal data was achieved;
- if a personal data subject revokes his/her consent to the processing of his/her personal data, the Company ceases the processing of the personal data and destroys it (except for personal data that must be stored under current legislation) within a period not exceeding 30 business days from when the revocation was received.
7.4. If it is impossible to destroy the personal data within the above timeframes, the Company blocks such personal data or arranges for it to be blocked, and subsequently arranges for the personal data to be destroyed within a period not exceeding 6 months, unless Russian legislation provides for a different timeframe.
7.5. Personal data should be destroyed in such a way that no further processing of such personal data is possible.
8. Measures to protect and ensure the security of personal data
8.1. The Company undertakes the necessary technical and organisational measures under Russian legislation in the area of personal data protection in order to ensure the protection of such data from unauthorised access, modification, disclosure or destruction.
8.2. The Company undertakes the following measures to ensure the protection and safety of personal data it processes:
- a person is appointed who is responsible for organising the processing of personal data,
- internal regulations regarding the processing of personal data are issued which establish procedures aimed at preventing and identifying violations or Russian legislation;
- legal, organisational and technical measures provided for by the corresponding regulatory legal acts are applied to ensure the security of personal data when it is processed in the Company’s personal data information systems;
- audits are conducted from time to time of the conditions of the processing of personal data to perform internal control over whether personal data is processed in compliance with the requirements established by Russian legislation and the Company’s internal regulations;
- record is kept of machine-readable personal data storage devices;
- certified tools are used for the protection of information;
- personal data is restored that was modified or destroyed as a result of unauthorised access to it;
- rules are established for access to personal data that is processed in personal data information systems and all actions are registered and recorded that are performed with personal data in personal data information systems;
- measures undertaken to ensure the safety of personal data are monitored;
- the Company's employees who are directly involved in the processing of personal data are acquainted with provisions of Russian legislation concerning personal data including requirements for the protection of personal data and the Company’s internal regulations regarding the processing of personal data.
9. Rights and obligations of personal data subjects
9.1. A data subject has a right to receive information concerning the processing by the Company of his/her personal data including information containing:
- confirmation of the processing of the personal data;
- legal grounds for and the purpose of the processing of the personal data;
- purposes of the processing of the personal data and methods used by the Company;
- the Company’s name and address, information about the persons (excluding the Company’s employees) who have access to personal data or about the persons to whom personal data may be disclosed on the basis on an agreement with the Company or on the basis of a federal law;
- a list of the personal data that is processed relating to the personal data subject and the source of the personal data, if a federal law does not stipulate a different procedure for providing such information;
- timeframes for the processing of the personal data, including the period for which it is stored;
- procedure for how the personal data subject can exercise his/her rights provided for by legislation on personal data;
- information about a cross-border transfer of personal data which has been performed or is contemplated;
- the full name and address of the party processing the personal data at the Company’s instruction if such other party has been or will be instructed to perform the processing; and
- other information provided for by legislation on personal data.
9.2. A personal data subject may demand that the Company correct, block or destroy his/her personal data if it is incomplete, obsolete, inaccurate, was received unlawfully or is unnecessary for the declared purpose of the processing. The data subject may also take any measures provided for by legislation to protect his/her rights.
9.3. A personal data subject may revoke his/her consent to the processing of his/her personal data.
9.4. If a personal data subject believes that the Company is processing his/her personal data in violation of legal requirements, the personal data subject is entitled to contest the Company’s actions or inaction before the competent authority responsible for protecting the rights of personal data subjects or in court.
9.5. A personal data subject’s right to access his/her personal data can be limited in accordance with Russian federal laws.
9.6. A data subject is obliged to:
- provide the Company with accurate personal data;
- inform the Company on a timely basis of any changes or additions to his/her personal data;
- exercise his/her rights in accordance with the law and other regulatory legal acts and the Company's internal regulations regarding the processing and protection of personal data;
- perform any other obligations provided for by law and other regulatory legal acts as well as by the Company’s internal regulations in the area of the processing and protection of personal data.
10. Rights and obligations of the Company
10.1. When it processes personal data, the Company has a right to:
- establish rules for the processing of personal data in the Company, amend and supplement its internal regulations, and independently draw up and use, within the framework of the statutory requirements, forms of documents required to perform the obligations of a personal data operator;
- exercise any other rights provided for by the law, other regulatory legal acts and the Company’s internal regulations regarding the processing and protection of personal data.
10.2. When it processes personal data, the Company is obliged to:
- ensure that personal data is processed solely for the purposes for which the personal data was collected;
- take the necessary measures for incomplete, inaccurate or non-relevant data to be deleted or corrected;
- obtain from a personal data subject a consent to the processing of his/her personal data, including in writing in the cases established by Russian legislation;
- protect personal data from unlawful use or loss;
- perform any other obligations provided for by Russian legislation and the Company’s internal regulations regarding the processing and protection of personal data.
11. Responses to requests of personal data subjects
11.1. The Company provides to a personal data subject a response to his/her request for information connected with the processing of his/her personal data further to a corresponding written application of the personal data subject.
11.2. Below is the address for personal data subjects to apply to the Company regarding the processing of personal data:
- Building 5, 39 Leningradskaya Street, city of Khimki, Moscow Region, 141402.