Ovio

PERSONAL DATA PROCESSING POLICY

PERSONAL DATA PROCESSING POLICY

1. GENERAL PROVISIONS

1.1 This Policy defines the activities of GNC-ALFA CJSC, registered at: 1, Abovyan Khakhakhutyan Street, Kotayk Marz, 2201, Armenia (hereafter referred to as the Company) in relation to the processing of personal data of all subjects whose data is processed by the Company, being an operator or processor of personal data within the meaning of the Law of the Republic of Armenia dated 18.05.2015 No. ՀՕ-49-Ն “On the Personal Data Protection” (hereafter referred to as the Law).

1.2 The Policy has been developed in accordance with the provisions of the Law, the Company’s Information Security Policy and other local and legislative acts of the Republic of Armenia.

1.3 The goals of this Policy are to ensure adequate protection of personal data, as well as other information about the personal data subjects from unauthorized access and disclosure, as well as to unify the procedure for processing such data by the Company in accordance with the requirements of the legislation of the Republic of Armenia.

1.4 This Policy applies to all actions performed by the Company with personal data using or without the use of automation tools.

1.5 For the purpose of this Policy, terms are used with the following meanings:

1.5.1 personal data operator is state or local government body, state or municipal institution or organization, legal entity or individual that organizes and (or) processes personal data;

1.5.2 data subject is an individual to whom the personal data relates;

1.5.3 biometric personal data are information characterizing the physical, physiological and biological characteristics of a person;

1.5.4 personal data of a special category are information relating to race, nationality or ethnic origin, political views, religious or philosophical beliefs, membership in a trade union, state of health and intimate life of a person;

1.5.5 publicly available personal data are information that becomes available to a certain or unspecified circle of persons with the consent of the data subject or when taking conscious actions aimed at making them publicly available, as well as information provided by law as publicly available information;

1.5.6 authorized person is a legal entity or individual, a state or local government body, a state or municipal institution or organization, which, in cases established by law or on the basis of a contract, has been ordered by the data operator to collect, enter, systematize or otherwise process personal data;

1.5.7 personal data is information about the personal life, marital status, physical, physiological, intellectual, social condition of a person or other similar information;

1.5.8 services are a set of works (services) related to the Company’s activities aimed at meeting the needs of personal data subjects;

1.5.9 counterparty is a party to a civil contract concluded with the Company;

1.5.10 personal account is a set of protected website pages created as a result of registration of the personal data subject by filling out a special form, using which the subject has the opportunity to receive legally and technically significant information regarding the Company’s services, conclusion, execution, termination of contracts, as well as carry out other actions provided for by the explicit functions of the personal account;

1.5.11 website is information resource of the Company on the global computer network of Internet;

Other terms used in this Policy are used in the meanings defined by the Law.

1.6 The Policy is mandatory for familiarization and execution by all persons authorized to process personal data in the Company, and persons involved in organizing the processing and ensuring the personal data protection in the Company.

1.7 This Policy comes into force from the moment of its approval.

1.8 Providing unlimited access to the Policy is implemented by publishing it in the public domain on the Company’s website.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1 The Company takes actions to protect the privacy of personal data subjects, as well as their rights to confidentiality, regardless of the methods of collecting personal data, taking into account the following principles of their processing:

2.1.1 principle of legality – Personal data will be processed for lawful and specified purposes and may not be used for other purposes without the consent of the data subject. If the subject does not agree with the processing of personal data, the Company notifies those services, the implementation of which is directly related to the personal data processing, may be unavailable, and use of the website is limited;

2.1.2 principle of limiting goals – Personal data is processed by the Company only for express and legitimate purposes and must not be further processed in a manner incompatible with these purposes;

2.1.3 principle of proportionality – Personal data is processed in the minimum amount necessary to achieve legitimate purposes. If the purpose of data processing can be achieved by depersonalization, then the company does not process personal data.

2.1.4 principle of reliability – The processed personal data must be complete, accurate, clear and, where possible, up to date. The personal data subject must take all reasonable measures to ensure that incomplete, outdated or inaccurate personal data, depending on the purposes of their processing, are deleted or corrected without delay.

2.1.5 principle of minimal involvement of subjects – In the event that the Company can receive personal data from another body through a unified electronic information system, the submission of personal data necessary for certain actions from the personal data subject is not required.

2.1.6 principle of limiting the storage period of data – Personal data must be stored in a form that allows the personal data subject to be identified, but not longer than required for the purposes of personal data processing;

2.1.7 principle of confidentiality and data security – Personal data must be processed by the Company in a manner that ensures adequate security of personal data, including protection from unauthorized or illegal processing, as well as from accidental loss, destruction or damage, using appropriate legal, organizational and technical measures.

3. PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

3.1 The Company, acting as an operator or data processor, processes personal data of subjects for the purposes and on the grounds specified in Appendix LI 01.08.15 “Personal Data of Data Subjects Processed by the Company”

3.2 The Company ensures that the content and volume of personal data processed corresponds to the stated purposes of processing and, if necessary, takes measures to eliminate their redundancy in relation to the stated purposes of processing.

3.3 When changing any of the processing purposes specified in Appendix LI 01.08.15 “Personal Data of Data Subjects Processed by the Company”, for which the Company took the consent of the personal data subject, in the absence of other grounds for such processing, the Company is obliged to request from the personal data subject to re-consent in accordance with the changed purpose.

3.4 The Company may process personal data of subjects within the framework of the following actions (or a set of actions, including with or without the use of any automation, technical means): collection, input, systematization, formation, storage, use, transformation, recovery, transfer, correction, blocking, depersonalization, destruction.

3.5 Main methods of personal data processing by the Company:

3.5.1 using automation tools;

3.5.2 without using them;

3.5.3 mixed method.

3.6 The Company processes special personal data only with the consent of the personal data subject or without consent in cases provided for by the legislation of the Republic of Armenia.

In particular, the Company may process special personal data of persons related to employee accidents (health data). At the same time, the Company takes measures aimed at preventing risks that may arise during the processing of such personal data for the rights and freedoms of personal data subjects.

3.7 The Company, if necessary, to achieve the purposes of data processing, has the right to transfer personal data to third parties in compliance with the requirements of the legislation of the Republic of Armenia.

3.8 The terms of processing of personal data by the Company are determined taking into account:

3.8.1 established purposes for personal data processing;

3.8.2 terms of contracts concluded with personal data subjects;

3.8.3 validity periods of consents of personal data subjects to the processing of their personal data;

3.8.4 deadlines determined by the local legal act specified in paragraph 10 of this Policy and the legislation of the Republic of Armenia.

3.8.5 The Company stops processing personal data in the following cases:

3.8.6 upon the occurrence of conditions for termination of the processing of personal data or upon expiration of the established deadlines;

3.8.7 upon achievement of the purposes of their processing or in case of loss of the need to achieve these purposes;

3.8.8 at the request of the personal data subject, in cases provided for by the legislation of the Republic of Armenia on the personal data protection;

3.8.9 in case of unlawful processing of personal data, if it is impossible to ensure the legality of the personal data processing;

3.8.10 in case of liquidation of the Company.

4. OTHER INFORMATION ABOUT THE PERSONAL DATA SUBJECTS

4.1 The Company also has the right to process other information about personal data subjects, which includes:

4.1.1 data automatically received by the server when accessing the website using bookmarks (cookies), see “Cookie Policy”.

4.1.2 data automatically received by the server when accessing the website and subsequent user actions on the website (including, but not limited to: host IP address, type of operating system of the website user, browser type, website pages visited by the user, etc.).

4.2 The information specified in paragraph 4.1 of this Policy is processed by the Company in order to obtain anonymous (depersonalized) and aggregate statistics to improve functionality, as well as improve the quality of the website, improve the Company’s services, as well as for the purpose of preventing and suppressing dishonest behaviour on the part of personal data subjects, assistance in the prevention, detection and suppression of offenses and crimes and ensuring the display of personalized and relevant content to website users.

4.3 The Company, if necessary and to achieve the purposes of processing information about personal data subjects specified in paragraph 4.1 of this Policy, has the right to transfer such information to third parties in compliance with the requirements of the legislation of the Republic of Armenia.

4.4 The Company may process information about personal data subjects specified in paragraph 4.1 of this Policy within the framework of the actions, conditions, methods and terms specified in paragraphs 3.4, 3.5, 3.7, 3.8 of this Policy.

5. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING

5.1 The basis for the personal data processing is the consent of the personal data subject, with the exception of cases established by the legislation of the Republic of Armenia, when the personal data processing is carried out without obtaining such consent.

5.2 The consent of the personal data subject is a free, unambiguous, informed expression of their will, through which they authorize the processing of their personal data.

Refusal to give consent to the personal data processing gives the Company the right to refuse the personal data subject to provide services (works) to the Company, the implementation of which is directly related to the personal data processing.

5.3 The storage of personal data is carried out in a form that allows identifying the personal data subject, for a period no longer than required by the purposes of the personal data processing, except in cases where the storage period for personal data is established by the legislation of the Republic of Armenia, a contract concluded (to be concluded) with the personal data subject for the purpose of performing actions established by this contract or other laws of the Republic of Armenia.

5.4 The condition for terminating the personal data processing may be the achievement of the goals of the personal data processing, the expiration of the period for the personal data processing, the withdrawal of the consent of the personal data subject to the processing of their personal data, as well as the identification of unlawful processing of personal data.

5.5 After the termination of the personal data processing, the Company destroys it, which involves physical destruction of the media or erasure of information from it. Methods and rules for destroying personal data depend on where it is contained – on paper or electronic media. The Company gets rid of paper documents: by heat treatment (burning) or by shredding (you need to make sure that the integrity of the media or information cannot be restored in any way). Digital media is physically destroyed, causing severe damage that cannot be repaired. The Company has the right to choose the method of destruction of integrity independently; this could be exposure to chemically aggressive compounds, surface erosion, sandblasting, ultrasonic or electrochemical treatment. The main task is to reduce to zero the likelihood of obtaining personal data from destroyed media.

5.6 The Company, acting as an authorized person, processes personal data of entities that are clients of third parties, acts on behalf of the personal data processing in accordance with the legislation of the Republic of Armenia.

6. PROCEDURE, CONDITIONS AND PURPOSES OF PROCESSING BIOMETRIC DATA

6.1 Biometric personal data is processed only with the consent of the data subject, except in cases provided for by law, and if the implementation of the purpose pursued by law is possible only by processing these biometric data.

6.2 The use and storage of biometric personal data can only be carried out on such tangible media, using such technologies or in such ways that ensure the protection of this data from illegal penetration, illegal use, destruction, transformation, blocking, copying, distribution of personal data and other things.

6.3 The Company processes biometric data for two purposes:

6.3.1 to provide access to certain areas

6.3.2 to record visits to the company’s area

6.4 The procedure and conditions for processing biometric data are the same as for personal data.

7. RIGHTS OF PERSONAL DATA SUBJECTS AND MECHANISM FOR EXERCISING THESE RIGHTS

7.1 The personal data subject has a set of rights in relation to their personal data specified in the appendix LI 01.08.16 “The Set of Rights of the Subject in Relation to Their Personal Data”.

7.2 Exercise of one or more powers specified in the appendix LI 01.08.16 “The Set of Rights of the Subject in Relation to Their Personal Data”, carried out by the personal data subject by submitting a request (application) in writing by registered mail, or in the form of an electronic document. At the same time, the right to revoke previously granted consent to the personal data processing can be exercised in electronic form, corresponding to the form of expression of such consent.

7.3 The request (application) must contain:

7.3.1 full name of the personal data subject; address of residence (place of stay);

7.3.2 date of birth;

7.3.3 identification number (if indicated when giving consent or the personal data processing is carried out without the consent of the personal data subject);

7.3.4 statement of the essence of the requirement;

7.3.5 personal signature or electronic digital signature.

7.4 The request (application) must be submitted:

7.4.1 in writing to the address: 1, Abovyan Khakhakhutyan Street, Kotayk Marz, 2201, Armenia or;

7.4.2 in the form of an electronic document filled out in the Company’s sales and service offices

7.4.3 in electronic form to the email address: pdpօ@ovio.am

7.5 Any information (including personal data) that the personal data subject provides when registering a personal account can be used by the Company in accordance with this Policy.

7.6 Termination of the Company’s processing of the subject’s personal data may make it impossible to further provide the subject with the Company’s services.

7.7 A person who provided the Company with incomplete, outdated, false information about themselves, or information about another personal data subject without the latter’s consent, is liable in accordance with the legislation of the Republic of Armenia.

8. MEASURES TAKEN BY THE COMPANY TO PROTECT PERSONAL DATA OF SUBJECTS

8.1 The Company takes and constantly improves the necessary legal, organizational and technical measures to ensure the protection of personal data from unauthorized or accidental access to it, modification, blocking, copying, distribution, provision, deletion of personal data, as well as from other unlawful actions in regarding personal data.

8.2 Legal measures taken by the Company:

8.2.1 The Company has developed and put into effect documents establishing the procedure for processing and ensuring the protection of personal data, which ensure compliance with the requirements of the Law and other acts of legislation of the Republic of Armenia regulating relations in the field of personal data.

8.3 Organizational measures taken by the Company include:

8.3.1 appointment by the Company of a person and (or) structural unit responsible for internal control over the processing of personal data;

8.3.2 familiarization of the Company's employees with the requirements of the legislation of the Republic of Armenia and the Company's regulatory documents in the field of working with personal data;

8.3.3 definition by the Company of a list of persons whose access to personal data processed in the information system is necessary for the performance of their job duties;

8.4 Publication of internal documents defining the Company’s policy regarding the personal data processing, local legal acts on the personal data processing, as well as local legal acts establishing procedures aimed at preventing and identifying violations when working with personal data, eliminating the consequences of such violations.

8.5 Technical measures taken by the Company include: implementation of technical and cryptographic protection of personal data.

9. CROSS-BORDER TRANSFER OF PERSONAL DATA

9.1 Before the start of cross-border transfer of personal data, the Company is obliged to make sure that the foreign state to whose territory it is intended to transfer personal data provides reliable protection of the rights of personal data subjects.

9.2 Cross-border transfer of personal data to the territory of foreign states that do not meet the above requirement can be carried out only in cases provided for by the Law.

10. FINAL PROVISIONS

10.1 Issues related to the personal data processing not covered by this Policy are regulated by other local legal acts of the Company, as well as by the legislation of the Republic of Armenia.

10.2 In the event that any provision of the Policy is found to be contrary to the legislation of the Republic of Armenia, the remaining provisions consistent with the legislation of the Republic of Armenia remain in force and are valid, and any invalid provision will be considered deleted/modified to the extent necessary for ensuring its compliance with the legislation of the Republic of Armenia.

10.3 The operator has the right, at their own discretion, to change and (or) supplement the terms of this Policy without prior and (or) subsequent notification of personal data subjects. The current version of the Policy is constantly available on the Company’s website.

Gift up to 50 000

PERSONAL DATA PROCESSING POLICY