APPROVED BY
General Director of NEWTON LLC
A. Yu. Melnikov


July 10, 2025

Policy of NEWTON Limited Liability Company regarding the processing of personal data

1. General provisions

1.1. This Policy of NEWTON Limited Liability Company regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in accordance with the requirements of clause 2, part 1, article 18.1 of Federal Law No. 152-FZ of July 27, 2006, “On Personal Data” (hereinafter referred to as the Personal Data Law) in order to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by NEWTON Limited Liability Company (hereinafter referred to as the Operator, NEWTON LLC).
1.3. The Policy applies to relations in the field of personal data processing that arose for the Operator both before and after the approval of this Policy.
1.4. In accordance with the requirements of Part 2 of Article 18.1 of the Personal Data Law, this Policy is published in the public domain on the Operator's website on the Internet.
1.5. Key terms used in the Policy:
personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data);
personal data operator (operator) - a state body, municipal body, legal entity or individual who, independently or jointly with other persons, organises and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
processing of personal data - any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. The processing of personal data includes, among other things:
·collection;
·recording;
·systematization;
·accumulation;
·storage;
·clarification (updating, modification);
·extraction;
·use;
·transfer (distribution, provision, access);
·depersonalization;
·blocking;
·deletion;
·destruction;
automated processing of personal data - processing of personal data using computer technology;
distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data - actions aimed at disclosing personal data to a specific person or a specific circle of persons;
blocking of personal data - temporary cessation of processing of personal data (except in cases where processing is necessary to clarify personal data);
destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and (or) that result in the destruction of physical media containing personal data;
depersonalization of personal data - actions that make it impossible to determine the ownership of personal data to a specific subject of personal data without using additional information;
personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing.
1.6. Basic rights and obligations of the Operator.
1.6.1. The Operator has the right to:
1) independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;
2) entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of a contract concluded with that person. A person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Personal Data Law, to maintain the confidentiality of personal data, and to take the necessary measures to ensure the fulfillment of the obligations provided for by the Personal Data Law;
3) in the event that the subject of personal data withdraws their consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Personal Data Law.
1.6.2. The Operator shall:
1) organize the processing of personal data in accordance with the requirements of the Personal Data Act;
2) respond to requests and inquiries from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
3) provide the authorized body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with the necessary information at the request of this body within 10 working days from the date of receipt of such a request. This period may be extended, but not by more than five working days. To do so, the Operator must send Roskomnadzor a reasoned notification indicating the reasons for extending the deadline for providing the requested information;
4) in accordance with the procedure established by the federal executive authority authorized in the field of security, ensure interaction with the state system for detecting, preventing, and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing it of computer incidents that have resulted in the unlawful transfer (provision, distribution, access) of personal data.
1.7. Basic rights of the subject of personal data. The subject of personal data has the right to:
1) receive information concerning the processing of their personal data, except in cases provided for by federal laws. The information is provided to the personal data subject by the Operator in an accessible form and must not contain personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Law on Personal Data;
2) require the operator to clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated
purpose of processing, as well as take measures provided for by law to protect their rights;
3) give prior consent to the processing of personal data for the purpose of promoting goods, works, and services on the market;
4) appeal to Roskomnadzor or in court against the unlawful actions or inaction of the Operator in the processing of their personal data.
1.8. Compliance with the requirements of this Policy is monitored by an authorized person responsible for organizing the processing of personal data at the Operator.
1.9. Liability for violation of the requirements of the legislation of the Russian Federation and regulatory acts of LLC “NEWTON” in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.
2. Purposes of personal data processing
2.1. Personal data processing is limited to achieving specific, predetermined, and lawful purposes. Personal data processing that is incompatible with the purposes of personal data collection is not permitted.
2.2 Only personal data that meets the purposes of its processing is subject to processing.
2.3. The Operator processes personal data for the following purposes:
·carrying out its activities in accordance with the charter of NEWTON LLC, including the conclusion and execution of contracts with counterparties;
·compliance with labor legislation in the context of labor and other directly related relations, including: assisting employees in finding employment, obtaining education, and advancing in their careers; attracting and selecting candidates for employment with the Operator; ensuring the personal safety of employees; monitoring the quantity and quality of work performed; ensuring the safety of property;
maintaining personnel and accounting records; completing and submitting the required reporting forms to the authorized bodies; organizing the registration of employees in individual
(personalized) registration of employees in the mandatory pension insurance and mandatory social insurance systems;
implementation of an access control system.
2.4. The processing of employees' personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.
3. Legal grounds for processing personal data
3.1. The legal basis for processing personal data is a set of regulatory legal acts, in accordance with which the Operator processes personal data, including:
·The Constitution of the Russian Federation;
·The Civil Code of the Russian Federation;
·The Labor Code of the Russian Federation;
·The Tax Code of the Russian Federation;
·Federal Law No. 14-FZ of February 8, 1998, “On Limited Liability Companies”;
·Federal Law No. 402-FZ of December 6, 2011, “On Accounting”;
·Federal Law No. 167-FZ of December 15, 2001, “On Mandatory Pension Insurance in the Russian Federation”;
·other regulatory legal acts governing relations related to the Operator's activities.
3.2. The legal basis for the processing of personal data also includes:
·the charter of LLC “NEWTON”;
·agreements concluded between the Operator and personal data subjects;
·the consent of personal data subjects to the processing of their personal data.
4. Scope and categories of personal data processed, categories of personal data subjects
4.1. The content and scope of personal data processed must correspond to the stated purposes of processing provided for in section 2 of this Policy. Personal data processed must not be excessive in relation to the stated purposes of its processing.
4.2. The Operator may process personal data of the following categories of personal data subjects.
4.2.1. Candidates for employment with the Operator - for the purposes of complying with labor legislation within the framework of labor and other directly related relations, implementing access control:
·surname, first name, patronymic;
·gender;
·citizenship;
·date and place of birth;
·contact details;
·information about education, work experience, qualifications;
·other personal data provided by candidates in their resumes and cover letters.
4.2.2.Employees and former employees of the Operator - for the purposes of complying with labor legislation within the framework of labor and other directly related relations, implementing access control:
·surname, first name, patronymic;
·gender;
·citizenship;
·date and place of birth;
·image (photograph);
·passport details;
·address of registration at the place of residence;
·actual address of residence;
·contact details;
·individual taxpayer number;
·insurance number of individual personal account (SNILS);
·information about education, qualifications, professional training, and professional development;
·marital status, presence of children, family ties;
·information about employment, including incentives, awards, and/or disciplinary actions;
·marriage registration data;
·military registration information;
·disability information;
·information about alimony payments;
·information about income from previous employment;
·other personal data provided by employees in accordance with the requirements of labor legislation.
4.2.3.Family members of the Operator's employees - for the purposes of complying with labor legislation within the framework of labor and other directly related relations:
·surname, first name, patronymic;
·degree of kinship;
·year of birth;
·other personal data provided by employees in accordance with the requirements of labor legislation.
4.2.4. Customers and contractors of the Operator (individuals) - for the purposes of carrying out its activities in accordance with the charter of LLC “NEWTON”, implementing access control:
·surname, first name, patronymic;
·date and place of birth;
·passport details;
·address of residence;
·contact details;
·position held;
individual taxpayer number;
·bank account number;
·other personal data provided by customers and contractors (individuals) necessary for the conclusion and execution of contracts.
4.2.5. Representatives (employees) of the Operator's clients and counterparties (legal entities) - for the purposes of carrying out their activities in accordance with the charter of NEWTON LLC, implementing access control:
·surname, first name, patronymic;
·passport details;
·contact details;
·position held;
·other personal data provided by representatives (employees) of clients and contractors necessary for the conclusion and execution of contracts.
4.3.The Operator's processing of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which their identity can be established) is carried out in accordance with the legislation of the Russian Federation.
4.4. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health, or intimate life, except in cases provided for by the legislation of the Russian Federation.
5. Procedure and conditions for the processing of personal data
5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
5.2. The processing of personal data is carried out with the consent of the subjects of personal data for the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
5.3. The Operator processes personal data for each purpose of processing in the following ways:
·non-automated processing of personal data;
·automated processing of personal data with or without the transfer of the information received via information and telecommunications networks;
·mixed processing of personal data.
5.4.The Operator's employees whose job responsibilities include the processing of personal data are allowed to process personal data.
5.5. The processing of personal data for each processing purpose specified in clause 2.3 of the Policy is carried out by:
·obtaining personal data in oral and written form directly from the subjects of personal data;
·entering personal data into the Operator's logs, registers, and information systems;
·using other methods of personal data processing.
5.6. Disclosure to third parties and distribution of personal data without the consent of the personal data subject is not permitted, unless otherwise provided by federal law. Consent to the processing of personal data permitted by the personal data subject for distribution is formalized separately from other consents of the personal data subject to the processing of his or her personal data.
The requirements for the content of consent to the processing of personal data permitted by the subject of personal data for distribution are approved by Order of Roskomnadzor No. 18 dated February 24, 2021.
5.7. The transfer of personal data to the authorities of inquiry and investigation, the Federal Tax Service, the Social Fund of Russia, and other authorized executive authorities and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
5.8. The operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, distribution, and other unauthorized actions, including:
·identifying threats to the security of personal data during its processing;
·adopting local regulations and other documents governing relations in the field of personal data processing and protection;
·appointing persons responsible for ensuring the security of personal data in the Operator's structural units and information systems;
·creates the necessary conditions for working with personal data;
·organizes the accounting of documents containing personal data;
·organizes work with information systems in which personal data is processed;
·stores personal data in conditions that ensure its safety and prevent unauthorized access to it;
5.9.The Operator stores personal data in a form that allows the subject of the personal data to be identified for no longer than is required for each purpose of personal data processing, unless the storage period for personal data is established by federal law or contract.
5.9.1. Personal data on paper media is stored at NEWTON LLC for the duration of the storage periods for documents specified by the legislation on archiving in the Russian Federation (Federal Law No. 125-FZ of October 22, 2004, “On Archiving in the Russian Federation,” List of standard administrative archival documents generated in the course of the activities of state bodies, local government bodies, and organizations, with an indication of their storage periods (approved by Order of the Russian Archives Agency No. 236 of December 20, 2019)).
5.9.2. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper media.
5.10.The operator shall cease processing personal data in the following cases:
·unlawful processing has been detected. The deadline is within three working days from the date of detection;
·the purpose of processing has been achieved;
·the term of validity has expired or the consent of the personal data subject to
the processing of the specified data has been withdrawn, when, according to the Personal Data Law, the processing of such data is permitted only with consent.
5.11.Upon achieving the purposes of personal data processing, as well as in the event of withdrawal of consent to their processing by the personal data subject, the Operator shall cease processing such data if:
· otherwise provided by a contract to which the personal data subject is a party, beneficiary, or guarantor;
· the Operator is not entitled to process the data without the consent of the personal data subject
on the grounds provided for by the Personal Data Law or other federal laws;
·otherwise provided for by another agreement between the Operator and the personal data subject.
5.12.If the personal data subject contacts the Operator with a request to stop processing personal data within a period not exceeding 10 working days from the date of receipt of the relevant request by the Operator, the processing of personal data shall be stopped, except in cases provided for by the Personal Data Law. This period may be extended, but not by more than five working days. To do so, the Operator must send the personal data subject a reasoned notification stating the reasons for the extension.
5.13. When collecting personal data, including through the Internet information and telecommunications network, the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located outside the Russian Federation is not permitted, except in cases specified in the Personal Data Law.
6. Updating, correcting, deleting, destroying personal data, responding to requests from subjects for access to personal data
6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the personal data subject or their representative within 10 working days from the date of receipt of the request from the personal data subject or their representative. This period may be extended, but not by more than five working days. To do so, the Operator must send the personal data subject a reasoned notification indicating the reasons for extending the period for providing the requested information.
The information provided shall not include personal data relating to other personal data subjects, except where there are legitimate grounds for disclosing such personal data.
The request must contain:
·the number of the main document proving the identity of the personal data subject or his/her representative, information about the date of issue of the specified document and the issuing authority;
·information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;
·the signature of the personal data subject or his representative.
The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
The Operator shall provide the information specified in Part 7 of Article 14 of the Personal Data Law to the personal data subject or his representative in the form in which the relevant application or request was sent, unless otherwise specified in the application or request.
If the request (application) of the personal data subject does not contain all the necessary information in accordance with the requirements of the Personal Data Law, or if the subject does not have the right to access the requested information, a reasoned refusal shall be sent to him.
The right of the personal data subject to access their personal data may be restricted in accordance with Part 8 of Article 14 of the Personal Data Law, including if the personal data subject's access to their personal data violates the rights and legitimate interests of third parties.
6.2. In the event of inaccurate personal data being identified when a personal data subject or their representative contacts the Operator, or at their request or at the request of Roskomnadzor, the Operator shall block the personal data relating to that personal data subject from the moment of such a request or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
If the inaccuracy of personal data is confirmed, the Operator shall, on the basis of information provided by the personal data subject or his representative or Roskomnadzor, or other necessary documents, clarify the personal data within seven working days from the date of submission of such information and remove the blocking of personal data.
6.3. If unlawful processing of personal data is identified upon request (inquiry) from the personal data subject or their representative or Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to that personal data subject from the moment of such request or inquiry.
6.4. If the Operator, Roskomnadzor, or another interested party discovers the fact of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data) that has resulted in a violation of the rights of personal data subjects, the Operator shall:
·within 24 hours - notifies Roskomnadzor of the incident,
the alleged causes that led to the violation of the rights of personal data subjects,
the alleged harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and also provides
information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;
· within 72 hours - notifies Roskomnadzor of the results of the internal
investigation of the identified incident and provides information about the persons whose actions caused it (if any).
6.5. Procedure for the destruction of personal data by the Operator.
6.5.1. Conditions and terms for the destruction of personal data by the Operator:
·achievement of the purpose of personal data processing or loss of the need to achieve this purpose - within 30 days;
·reaching the maximum storage period for documents containing personal data - within 30 days;
·provision by the subject of personal data (or their representative)
of confirmation that the personal data has been obtained illegally or is not necessary for the stated purpose of processing - within seven working days;
·withdrawal by the subject of personal data of their consent to the processing of their personal
data, if its storage for the purpose of processing is no longer required - within 30 days.
6.5.2. Upon achievement of the purpose of personal data processing, as well as in the event of withdrawal of consent to processing by the personal data subject, personal data shall be destroyed if:
·otherwise provided by a contract to which the personal data subject is a party, beneficiary, or guarantor;
·the Operator is not entitled to process personal data without the consent of the data subject
on the grounds provided for by the Personal Data Law or other federal laws;
·otherwise provided for by another agreement between the Operator and the personal data subject.
6.5.3.The destruction of personal data shall be carried out by a commission established by order of the general director of NEWTON LLC.
Made on
Tilda