Information on personal data processing

In order to maintain their business reputation and guarantee full compliance with the provisions of the Federal Law of the Russian Federation No. 152-FZ and (or) applicable foreign legislation in the field of personal data processing and protection, including the European Union Regulation No. 2016/679 (hereinafter referred to as the Legislation), JSC Severstal Management, the companies controlled by it and their subsidiaries (hereinafter collectively referred to as the Companies) consider it mandatory to comply with the objectives, principles and conditions of legal validity of personal data processing. The Companies also strive to follow the best international practices in the field of processing and protection of personal data.

The policy objective

To ensure the protection of the rights and freedoms of a person (hereinafter referred to as the Subject) when processing his or her personal data in accordance with the applicable Legislation, including the protection of the rights to privacy, personal and family secrets.

Principles of personal data processing

  • To comply with the Subjects’ rights when processing their personal data.
  • To process personal data on a legal and fair basis to achieve the purposes of its processing.
  • To prevent the processing of personal data that doesn’t meet the purposes of processing, is redundant or contained in databases, the processing purposes of which are incompatible.
  • To ensure the accuracy, sufficiency and relevance of personal data during its processing in relation to the purposes of its processing.
  • To store personal data for no longer than required by the purposes of processing.
  • To erase or depersonalize personal data upon the achievement of the purposes of its proce

Terms and conditions of personal data processing

  • Personal data shall be processed in compliance with the principles and rules stipulated by the applicable Legislation.
  • Recording, systematization, accumulation, storage, clarification and extraction of personal data of the citizens of the Russian Federation when collecting personal data shall be performed using databases located in the territory of the Russian Federation, unless otherwise provided by the applicable Legislation.
  • A cross-border transfer of personal data shall be allowed if personal data is collected in the territory of the Russian Federation in accordance with the applicable Legislation.
  • Any persons (including directors, officers, employees, agents, representatives or other intermediaries) who fulfill assignments or render services for or on behalf of any of the Companies and who have gained access to personal data shall undertake to maintain its confidentiality and not to process it without a specific legal basis.
  • Upon receipt of personal data from the European Union or in other applicable cases, personal data shall be processed with the prior receipt of the Subject’s consent to the processing of personal data or notification of the Subject about the processing of his or her personal data or on other legal grounds provided for by the applicable Legislation.

Ways to meet the objectives

  • To refuse to process special categories of personal data, the processing of which is prohibited according to the applicable Legislation.
  • To ensure the protection of information systems in which personal data is processed against the impact of immediate security threats taking into account the assessment of harm done to the Subjects.
  • To take comprehensive organizational and technical measures to ensure the security of personal data during its processing in information systems, as well as without using any automation tools.
  • To systematically monitor the compliance of personal data processing with the requirements of the applicable Legislation.
  • To carry out activities to inform and train personnel in the personal data processing and protection rules.
  • To hold guilty persons liable for violation of the applicable Legislation and internal documents of the Company controlling the personal data processing procedure.