Policy for the processing and protection of personal data

Purpose of the Policy

To ensure protection of the rights and freedoms of a human and a citizen (personal data subject), including protection of his/her rights to personal and family privacy, when processing his/her personal data (PD) in AO Severstal Management and its managed companies in accordance with the laws.

Principles of Personal Data Processing

  • To respect the rights of personal data subjects when processing their personal data;
  • To ensure personal data processing on a legal and fair basis in order to serve the purposes of the PD processing;
  • To prohibit processing of personal data which does not serve the purposes of its processing, is redundant, or is contained in databases whose processing purposes are incompatible;
  • To ensure accuracy, sufficiency and relevance of personal data with respect to purposes of its processing;
  • To store personal data in a form which enables identification of the personal data subject for no longer than required for the purposes of the PD processing;
  • To destroy or anonymize personal data upon having served its processing purposes or in case of no further need to serve these purposes.

Conditions of Personal Data Processing

  • Personal data is processed respecting principles and rules as stipulated by laws and regulations in the sphere of personal data;
  • Personal data is processed upon consent of the PD subject or without such consent in cases stipulated by the federal law;
  • Recording, systematization, accumulation, storage, clarification, retraction of personal data of citizens of the Russian Federation when collecting PD are performed using databases available inside the Russian Federation unless otherwise provided for by law;
  • Cross-border transmission of personal data is performed only after having collected the data inside the Russian Federation in accordance with the laws;
  • Persons having access to the personal data shall maintain confidentiality and not distribute personal data without consent of the PD subject unless otherwise provided for by the federal law.

Ways to Serve the Purpose

  • To ensure security of PD information systems from PD safety hazards taking into account assessment of any damage to PD subjects;
  • To apply comprehensive organizational and technical measures needed to comply with the legislative requirements for personal data protection when processing in PD information systems, as well as without automation means, in order to ensure PD safety;
  • To ensure systematic verifications of compliance with the legislative requirements and local regulations on personal data processing;
  • To implement measures to raise personnel awareness and to conduct training on personal data processing and protection;
  • To ensure inevitability of punishment for breaking this Policy.