"24" October 2023
Policy regarding the processing of personal data at WU TECH - FZCO
- General provisions
- This Policy regarding the processing of personal data (hereinafter referred to as the Policy) defines the policy of WU TECH - FZCO (hereinafter referred to as the Operator) regarding the processing and security of personal data.
- The purpose of this policy is to establish the basic principles and approaches to the processing and security of personal data by the Operator.
- The Policy applies to all personal data of subjects processed in the Company using automation tools and without the use of such tools.
- The Policy is mandatory for familiarization and execution by all persons authorized to process personal data in the personal data information system.
- The revision and updating of this Policy is carried out in connection with changes in legislation in the field of personal data, based on the results of an analysis of the relevance, sufficiency and effectiveness of the information security measures used, as well as based on the results of other control measures.
- Terms and Definitions
This Policy uses the following terms and definitions:
Automated processing of personal data – processing of personal data using computer technology;
Blocking of personal data - temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);
Information system of personal data - a set of personal data contained in databases, and information technologies and technical means that ensure their processing;
Depersonalization – actions as a result of which it becomes impossible to determine the ownership of personal data to a specific Personal Data Subject without the use of additional information;
Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
Operator - a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
Person responsible for organizing the processing of personal data – an official who organizes the adoption of legal, organizational and technical measures in order to ensure the proper performance of functions for organizing the processing of personal data by the Operator in accordance with the provisions of the legislation in the field of personal data;
Personal data – any information relating to a directly or indirectly identified or identifiable individual (Personal Data Subject);
Providing personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
Subject of Personal Data – an individual directly or indirectly identified or determined on the basis of personal data relating to him;
Dissemination of personal data - actions aimed at disclosing personal data to an unknown number of persons (transfer of personal data) or familiarizing with personal data to an unlimited number of persons, including the publication of personal data in the media, posting in information and telecommunication networks or providing access to personal data in any other way;
Destruction of personal data – actions as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material media of personal data are destroyed.
Platform – software, the exclusive rights to which belong to the Operator, access to which is provided on the Internet at the address:
- Categories of Personal Data Subjects whose personal data is processed by the Operator. Purposes of processing personal data
- The Operator processes personal data received in accordance with the procedure established by law belonging to job candidates and employees of the Operator, users - individuals (borrower, investor), third parties whose data is provided by users, including potential users; other individuals who have contractual relations with the Operator.
- The processing of personal data in the personal data information system by the Operator’s employees is carried out in order to provide users with the functionality of the Platform on the basis of the License Agreement, register information necessary for the provision of services through the Platform, as well as carry out activities provided for by the Operator’s charter, current legislation, as well as for the conclusion, execution and termination of contracts with individuals and legal entities, organizing personnel records of the Operator’s employees, calculating and paying wages, fulfilling obligations under contracts, conducting personnel records, registering and processing information about the professional work activities of employees, assisting employees in training, using various types of benefits in accordance with the law.
- List of personal data processed by the Operator
- The list of personal data processed by the Operator is determined in accordance with the law, taking into account the purposes of processing personal data specified in the Policy section.
- The processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, intimate life is not carried out by the Operator.
- Rights of the Personal Data Subject
- The subject of personal data has the right to receive information regarding the processing of his personal data, including information containing:
- confirmation of the fact of processing of personal data by the Operator;
- legal grounds and purposes of processing personal data;
- the purposes and methods of processing personal data used by the Operator;
- name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract or on the basis of law;
- processed personal data related to the relevant Personal Data Subject, the source of their receipt, unless a different procedure for presenting such data is provided for by law;
- terms of processing of personal data, including periods of their storage;
- name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing has been or will be assigned to such a person;
- other information permitted by law.
- The right of the Personal Data Subject to receive information regarding the processing of his personal data may be limited in cases established by law.
- Consent to the processing of personal data may be withdrawn by the Personal Data Subject. If the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the Subject of personal data if there are grounds specified in the law.
- The subject of personal data also has other rights established by law.
- Basic principles for processing personal data
- The processing of personal data by the Operator is carried out based on the principles:
- legality of the purposes and methods of processing personal data;
- the integrity of the Operator as an operator of personal data, which is achieved by complying with legal requirements regarding the processing of personal data;
- compliance of the composition and volume of processed personal data, as well as methods of processing personal data with the stated purposes of processing;
- accuracy and sufficiency, and, where necessary, relevance of personal data in relation to the stated purposes of their processing;
- destruction of personal data upon achievement of the purposes of processing in a manner that excludes the possibility of their recovery;
- the inadmissibility of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other.
- The Operator’s employees authorized to process personal data are obliged to:
a) Know and strictly follow the provisions:
- legislation in the field of personal data;
- this Policy;
- local acts of the Operator on the processing and security of personal data;
b) Process personal data only as part of the performance of their official duties;
c) Not disclose personal data processed by the Operator;
d) Report the actions of others that may lead to a violation of the provisions of this Policy;
e) Report known facts of violation of the requirements of this Policy to the person responsible for organizing the processing of personal data by the Operator.
- The security of the Operator’s personal data is ensured by the implementation of agreed measures aimed at preventing (neutralizing) and eliminating threats to the security of personal data, minimizing possible damage, as well as measures to restore data and the operation of personal data information systems in the event of threats being realized.
- Organization of personal data processing
- The Operator processes personal data using automation tools and without the use of automation tools.
- The Operator has the right to entrust the processing of personal data to another person with the consent of the Personal Data Subject, unless otherwise provided by law, on the basis of an agreement concluded with this person, a mandatory condition of which is compliance by this person with the principles and rules for processing personal data provided for by law.
- Personal data is not disclosed to third parties or distributed in any other way without the consent of the Personal Data Subject, unless otherwise provided by law.
- Representatives of government authorities (including regulatory, supervisory, law enforcement and other authorities) receive access to personal data processed by the Operator to the extent and in the manner prescribed by law.
- The processing of personal data by the Operator is carried out with the consent of the Personal Data Subject, except in cases established by law.
- Destruction of personal data
- If the purpose of processing personal data is achieved, the Operator stops processing personal data, unless otherwise provided by an agreement between the Operator and the Personal Data Subject.
- If the Personal Data Subject withdraws consent to the processing of his personal data, the Operator stops processing them, unless otherwise provided by the agreement between the Operator and the Personal Data Subject, or if the Operator has the right to process personal data without the consent of the Personal Data Subject on the grounds provided for by law.
- If unlawful processing of personal data is detected, the Operator takes measures to destroy this personal data within a period not exceeding seven working days from the date of detection of unlawful processing of personal data. If it is not possible to destroy personal data within the specified period, the Operator blocks such personal data and ensures the destruction of personal data within a period not exceeding 6 months from the date of detection of unlawful processing of personal data, unless another period is established by law.
- If the destruction of personal data was carried out as a result of processing the request of the Personal Data Subject and (or) a request from the authorized body for the protection of the rights of Personal Data Subjects, the Operator notifies the Personal Data Subject and (or) the authorized body for the protection of the rights of Personal Data Subjects about the actions taken.
- Personal data on paper is destroyed using means that guarantee the impossibility of recovering the media or by deleting it (erasing it, etc.). Destruction of information from machine-readable media of personal data that has become unusable or has lost its practical value is carried out in a way that excludes the possibility of using and restoring the information.
- The destruction of personal data is carried out in accordance with the current internal processes of the Company.
- Measures aimed at ensuring the fulfillment of the Operator’s obligations regarding the processing and protection of personal data
- The Operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by law and regulatory legal acts adopted in accordance with it, unless otherwise provided by law.
- The Operator takes the following measures to ensure compliance with the obligations provided for by law in the field of processing personal data:
- a person responsible for organizing the processing of personal data is appointed;
- the Policy regarding the processing of personal data is published;
- legal, organizational and technical measures are applied to ensure the security of personal data in accordance with the law;
- internal control is carried out over the compliance of the processing of personal data by the Operator with the law and regulations adopted in accordance with it, requirements for the protection of personal data, and the Operator’s policy regarding the processing of personal data;
- the Operator’s employees directly involved in the processing of personal data are familiarized with the provisions of the legislation on personal data, including the requirements for the protection of personal data, documents defining the Operator’s policy regarding the processing of personal data.
- In order to ensure the security of personal data during their processing, the Operator takes necessary and sufficient legal, organizational and technical measures to protect personal data from unauthorized and accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as other unlawful actions in relation to personal data, in particular:
- organizational and technical measures are applied to ensure the security of personal data during their processing in personal data information systems, necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by law;
- information security tools that have passed the compliance assessment procedure in accordance with the established procedure are used; anti-virus software, firewalls, electronic signatures, and passwords are used on computers on which personal data is processed;
- limited access to the premises where personal data is processed is organized.
- Responsibility
- 10.1. Control of compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data by the Operator.
- 10.2. Persons guilty of violating the rules governing the processing of personal data and the protection of personal data processed by the Operator bear liability as provided by law.