Approved by
Foggybus Limited

Viacheslav Khokhulin

1st of February, 2015

As last amended on 13th of June, 2018

Foggybus Limited Privacy Policy

1. General provisions

1.1. Foggybus Limited (hereinafter referred to as the "Operator") for the purposes of observation of individuals’ rights to private life and the requirements of legislation on personal data processing, with responsible attitude to the safety of information, public disclosure of which can inflict harm to individuals, has adopted this Operator’s Privacy Policy related to the processing of personal data (hereinafter - the "Policy"), which establishes basic rules of the Operator’s work with personal data. This Policy was last reviewed and amended on on 1st of March, 2016 due to change of name of the Opeator.

1.2. The term Personal data in this Policy is used in the meaning defined by the legislation of Great Britain with regard to the practice of application and interpretation of the said term by judicial and other law-enforcement authorities of Great Britain. At the same time to the extent of technical and organizational possibility and if not contrary to the legislation of Great Britain, for the purposes of this Policy the term Personal data shall also include any other data related somehow to the private life of individuals taking into account current international practice on personal data protection in the countries providing an adequate protection of personal data.

1.3. Personal data related to the individual cannot be used by the Operator without the consent of the said individual (hereinafter - "the subject of personal data", "the subject") except as otherwise expressly provided in this clause of the Policy. The Operator has the right to use the personal data without consent of the subject of personal data in order to perform the contract (agreement) with the relevant subject, to fulfill lawful governmental requirements, as well as in other cases expressly permitted by applicable law.

1.4. In case this policy allows the use of personal data without consent of the subject of personal data, the Operator, if it is technically and organizationally possible, and is not prohibited by applicable law, shall notify the subject of personal data on the kind of personal data to be processed by the Operator and on the purpose of the aforesaid. In particular, when the use of personal data is carried out in order to perform a contract or agreement with the subject of personal data, the Operator prior to the conclusion of the relevant contract notifies the subject of the personal data on the kind of personal data to be processed by the Operator and on the purpose of the aforesaid.

1.5. Personal data cannot be used with the purpose of causing material or else damage to persons, complication of exercising of rights and freedoms of individuals. Limitation of rights of individuals on the basis of usage of information on their social origin, racial, national, linguistic, religious and political affiliation is prohibited and punishable according to the legislation.

1.6. The operator undertakes to ensure the safe processing of personal data and avoidance of unauthorized access, deletion or modification of such personal data. The said measures must comply with the existing level of technological development and shall be applied taking into account the degree of harm that may be caused to the subjects of personal data in case of unauthorized access, deletion or modification of personal data, but in any event such measures should be not lower than the requirements of the applicable legislation.

2. The contents of the personal data.

2.1. Regardless of the existing court practice, the Operator also treats the following information as the personal data:

  • questionnaire and biographical data;
  • IP of computer devices;
  • home or mobile phone number;
  • any other personal data.

3. Obligations of the Operator

3.1. In order to safeguard the rights and freedoms of the person and of the individual the Operator and its representatives must comply with the following general requirements for personal data processing:

3.1.1. The personal data can be processed solely for the purpose of performance of contracts, enforcing the laws and other regulations, as well as to comply with other legal interests of the Operator or of the subjects of personal data;

3.1.2. In determining the scope and content of the personal data, the Operator shall rely on the effective legislation;

3.1.3. All personal data shall be obtained from the subject of personal data. If the personal data can be obtained only from a third party, the subject must be notified in advance and the appropriate consent must be received from him. The subject must be informed of the purposes, expected sources and ways of obtaining personal data, as well as of the nature of personal data to be received;

3.1.4. In order to observe the individuals’ interests, the Operator reserves the right to establish a special procedure for protection of information that does not relate to personal data according to applicable legislation but is referred to such data pursuant to this Policy.

4. Collection, processing and storage of personal data

4.1. Processing of the subject’s personal data shall mean any action (operation) or a combination of actions (operations) carried out with personal data including collection, recording, systematization, accumulation, storage, adjustment (update, change), extraction, use, transfer (distribution, assignment, access), depersonalization, blocking, deletion, destruction.

4.2. Procedure of obtaining personal data.

4.2.1. All personal data shall be obtained from the subject himself. If the personal data of the subject can be obtained only from a third party, the subject must be notified of it in advance and his written consent shall be obtained.

4.2.2. The Operator must inform the subject of the purposes, expected sources and ways of obtaining personal data, as well as of the nature of personal data to be received and of the consequences of the subject’s refusal to give written consent for personal data collection.

4.3. When transferring personal data of the subject, the Operator must comply with the following requirements:

  • not to disclose personal data to third parties without the subject's consent, except in cases established by statute;
  • not to disclose personal data for commercial purposes without subject's prior consent;
  • notify in advance the persons receiving subject’s personal data that the data can be used only for the purposes for which it is communicated, and require those persons to confirm that this rule is observed. Persons receiving the subject’s personal data are required to observe its security. This provision does not apply to the exchange of the subjects’ personal data in the order prescribed by federal law;
  • grant access to personal data of the subjects only to specially authorized persons. The said persons shall be entitled to receive only the personal data of the subject that is needed for undertaking a specific function;
  • not to request information about the subject’s health, excluding information that is relevant to the issue of possibility of work performance by the subject;
  • transfer the subject’s personal data to the subject’s representative according to the order prescribed by law, and to limit the information only to personal data of the subject which is required for the performance of the representative’s functions.

4.4. Transfer of personal data from the subject or his representatives to external user may be allowed in minimum quantities and only in order to complete tasks corresponding the objective reason for collecting such data.

4.5. Personal data is collected and used, to the extent of justified purpose of such personal data processing. The Operator seeks the ways and methods of using exclusively anonymous personal data to the extent and degree of justified purpose of such personal data processing.

5. Responsibility for personal data disclosure

5.1. Personal responsibility is one of the main requirements of the Operator with respect to the system of personal data protection and a compulsory condition to ensure the effectiveness of this system.

5.2. The manager granting access to confidential document to the employee bears personal responsibility for such permission.

5.3. Each employee of the Operator receiving confidential document for work, is solely responsible for the data carrier safety and confidentiality of personal data.

5.4. Persons guilty in violating the procedure stated by the law for the collection, storage, use or distribution of information related to individuals (personal data) bear disciplinary, administrative, civil or criminal liability pursuant to applicable legislation.

6. Final provisions

6.1. This Policy can be changed by the Operator with due consideration to the changing requirements of the legislation and the development of technical and organizational measures of personal data protection. The Operator shall notify regarding the changes in this Policy by replacing the current version located in the Internet by the new version, or by publication of amendments to this Policy.

6.2. The questions that are not regulated by the Policy shall be resolved in accordance with the legislation of Great Britain. With regard to protection of personal data of individuals of other countries, the Operator can take into account legal provisions of such an individual’s country of residence, or of the other territory related to the individual.