DATA PROTECTION POLICY

APPROVED BY
Director General, Mindbox Ltd.

“13” August 2021


  1. Subject Matter and Purpose

This Data Protection Policy (hereinafter referred to as the “Policy”) sets out the objectives, measures, duties and liability for ensuring the protection of personal data concerning individuals located in the territory of the European Union.
When processing personal data, all employees of Mindbox Ltd. (hereinafter referred to as the “Company”) must follow this Policy.
The policy is designed to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).
  2. Policy Objectives

Policy Objectives:
  • to establish a list of measures to ensure the security of personal data within the GDPR;
  • to establish the obligations of employees to comply with the relevant measures to ensure the security of personal data under the GDPR;
  • to establish liability measures for violation of personal data security measures under the GDPR.
  3. Security measures under the GDPR

In order to comply with GDPR requirements, the Company applies the following measures to ensure the security of personal data:
  • antivirus protection measures;
  • measures for identifying and authenticating users of personal data information systems;
  • measures to control logical and physical access to resources of personal data information systems;
  • security measures for access and password policy;
  • measures for the safe storage of data;
  • measures for reserving technical means, software and databases, information security tools and their recovery in case of emergency situations;
  • security measures when using the Internet and email;
  • measures to detect and respond to information security incidents;
  • measures to inform the Company’s employees about information security measures.
Information security measures are implemented within the information security management system and are regulated in the following documents:
  • Company’s Information Security Policy;
  • Instructions to data protection officer in the Company.
In addition to the existing measures to ensure information security, including ensuring the security of personal data under Russian law, the Company applies the following measures to ensure the security of personal data in order to comply with the GDPR:
  • Data Protection by Default and Data Protection by Design;
  • Data Protection Impact Assessment, DPIA;
  • use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures.
    3.1. Data Protection by Default and Data Protection by Design
When designing new or changing existing personal data processing processes or information systems where personal data is processed, the Company applies the following measures:
  • identifies the possibility of reducing the number of personal data collected from individuals for new processing purposes and, if possible, reduces their number;
  • identifies the possibility to minimize the collection of personal data requested from individuals for new processing purposes and, if possible, reduces their composition;
  • identifies the possibility of reducing the period of storage of personal data collected from individuals for new processing purposes and, if possible, reduces the period of their storage;
  • identifies obstacles to the exercise of the rights of personal data subjects and, if possible, neutralizes the corresponding obstacles;
  • plans measures to ensure the security of personal data.
    3.2. Data Protection Impact Assessment, DPIA
The Company assesses the impact on the protection of personal data both independently and with the involvement of third-party organizations. The DPIA is based on the Privacy Impact Assessment Methodology (PIA Methodology) developed by the French data protection supervisory authority (Commission Nationale de l’Informatique et des Libertés / CNIL).
The Company conducts the DPIA on a regular basis. The planned review is carried out at least once every three years.
An unscheduled review of the DPIA should be carried out in the following cases:
  • changes in the nature of the business processes (purposes, categories of personal data being processed, processing and storage term, data transfer outside the European Union, the number of software used, network topology and network elements);
  • changes to the list of applicable security measures;
  • changes in the technologies used for processing personal data or the usage of processors that use such technologies;
  • occurrence of a personal data information security incident.
    3.3. Use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures
Before personal data is transmitted directly to a data processor, the Company signs a Data Processing Agreement (DPA) with each processor it plans to engage; the DPA describes the requirements the processor must meet to ensure the security of personal data.
  4. Data Security Obligations under the GDPR

Data security obligations, including ensuring the security of personal data under Russian legislation in the field of personal data processing, are assigned equally to the IT Director, Heads of departments and employees of the Company, and are described in the documents listed in section 3 of this Policy, as well as in the Company’s approved regulations on these departments and the job descriptions of employees.
The Company’s obligations to ensure information security and the security of personal data in accordance with the legislation of the Russian Federation are also applied to meet the requirements of the GDPR. In addition, the Policy establishes further obligations for fulfilling the requirements of the GDPR, presented in subsections 4.1. — 4.4. of this Policy.
The duties of the Data Protection Officer (DPO) to ensure the security of personal data in order to comply with the GDPR requirements are described in the approved Instructions of the DPO.
    4.1. IT Director duties on data security under the GDPR
As part of the implementation of the GDPR requirements, the IT Director has the following responsibilities:
  • taking measures to implement the principles of Data Protection by Default and Data Protection by Design as part of the development of new or improvements to existing information systems and information resources of the Company;
  • ensuring regular testing and evaluation of the effectiveness of technical measures to ensure the security of personal data;
  • keeping the provisions of Privacy Policy up to date;
  • providing the data protection officer with information about the measures applied to ensure the security of personal data, and about the information and network technologies, software and hardware used in the processing of personal data in the Company, in order to conduct the Data Protection Impact Assessment.
    4.2. Obligations of heads of the Company’s departments to ensure the security of personal data within the GDPR
As part of the implementation of the GDPR requirements, the heads of the Company’s structural departments are required to organize the process of signing data processing agreements with processors before directly transferring personal data to them.
    4.3. Obligations of the Company’s employees to ensure the security of personal data under the GDPR
In order to comply with the GDPR requirements, the Company’s employees are required to take measures to comply with the principles of Data Protection by Default and Data Protection by Design when developing new personal data processing processes in the Company.
  5. Changes to the Policy and entry into force

The Company will review this Policy in the following cases:
  • when changing the list of applicable security measures under the GDPR;
  • when changing obligations for ensuring the security of personal data in the framework of the GDPR;
  • in case of changes in the legislation of the European Union in the field of personal data processing;
  • in case of changes in the European Union’s court practice in the field of data protection.
All questions and comments related to this Policy should be sent to the #legal department at dpo@mindbox.cloud.
This Policy is considered effective from the moment it is approved by the Company’s Director General.