Home / Privacy Policy

Privacy Policy

LAST UPDATED: 29 April 2022

This Privacy Policy (the “Policy”) was adopted by CMS International B.V., a company incorporated in the Netherlands with registration No. 34310455, acting through its representative office located at: 10 Presnenskaya Naberezhnaya, block C, 123112 Moscow, Russian Federation, with taxpayer’s identification number (INN) 9909298550 (the “Company” or “we”). This Policy is designed to provide a detailed description of our approaches to the collection and processing of personal data when you use our website cms-law.ru (the “Website”) or any other website containing a reference to this Policy.

Our Website contains information about the Company’s activities, our team, practice areas, services as well as newsletters, guides, alerts and other materials in the world of law. When the Website is being used, we may collect and process certain personal data, and the Policy describes whose data we process, what data we process, for which purpose processing occurs, and other details of personal data processing and protection.

The Company acts in the capacity of personal data controller (as defined below) according to Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (the “Law”) and other laws and regulations of the Russian Federation relating to personal data.

This Policy is governed and interpreted in accordance with Russian law.

1. Terms and Definitions

The terms indicated below shall have the following meaning:

  • automated personal data processing” means personal data processing with the use of computer equipment.
  • biometric personal data” means information on physiological and biological features of an individual allowing to identify this individual and used by the personal data controller for the purpose of identification.
  • blocking of personal data” means any temporary termination of personal data processing (except for cases where processing is required to clarify personal data).
  • cross-border transfer of personal data” means the transfer of personal data to the territory of a foreign state, to the state authorities of such foreign state, to a foreign individual or foreign legal entity.
  • depersonalisation of personal data” means actions resulting in the impossibility to identify a particular individual to whom personal data relates without the use of additional information.
  • destruction of personal data” means actions resulting in the impossibility to recover personal data in information systems and/or actions resulting in the destruction of tangible media containing personal data.
  • information system of personal data” means personal data contained in the databases of personal data along with information technologies and technical means used to process personal data.
  • non-automated personal data processing” means any action with personal data, provided that the use, specifications, dissemination and destruction of personal data is carried out with the direct participation of an individual.
  • personal data” means any information relating to a directly or indirectly identified or identifiable individual (the personal data subject).
  • personal data authorised by the data subject for dissemination” means personal data which the personal data subject makes accessible to the public by granting consent to the processing of personal data authorised by the data subject for dissemination.
  • personal data controller” means a legal entity, separately or jointly with other entities, arranging and/or carrying out personal data processing, as well as determining the purposes of personal data processing, the scope of personal data to be processed, actions or operations performed on personal data.
  • personal data processing” means any action or operation, or set of actions or operations performed with personal data with the use of automated means or without such means, including collection, recording, systematisation, accumulation, storage, clarification (update, modification), retrieval, use, transfer (dissemination, provision, access to), depersonalisation, blocking, deletion or destruction of personal data.
  • special categories of personal data” means data relating to race, nationality, political views, religious or philosophic beliefs, health data and intimate life.

2. Principles of personal data processing through the Website

Personal data is processed on the basis of the principles of legitimacy, fairness and transparency.

Legitimacy of personal data processing means the processing of personal data in strict compliance with the applicable legislation, including the Law.

Fairness of personal data processing means the processing of personal data with due account of rights and legitimate interests of data subjects, as well as keeping a balance between the rights and legitimate interests of the Company and individuals.

Transparency of personal data processing means the availability to individuals of information on principles, on the purposes and means of personal data processing, on adopted measures of personal data protection and on the availability of such information for data subjects upon request.

We keep your personal data confidential and do not disclose it to any third party, unless we have your consent or another legal ground for that.

The Company ensures the confidentiality of personal data, inter alia, by implementing legal, organisational and technical measures of personal data protection from unauthorised or unlawful access, destruction, alteration, restriction, copying, transfer, dissemination and other unlawful actions in respect of personal data.

Personal data processing is carried out for specific and predetermined purposes. Personal data will not be kept after the processing purposes have been achieved, except for cases prescribed by the legislation.

Personal data processing provides for the accuracy, completeness and up-to-dateness of personal data as well as their consistency with the processing purposes.

When making any decisions affecting the interests of individuals, we do not base these decisions on automated personal data processing, unless we receive consent for this.

We do not process your biometric personal data and special categories of personal data.

3. Categories of personal data subjects

Through the Website, we collect and process personal data of the following data subjects:

  • Visitors of the Website, i.e. individuals who access our Website;
  • Applicants, i.e. individuals who have submitted a request addressed to us via the request form or email. This could include requests for a fee proposal when you would like to receive our legal services, applications to get registered for an event we organise (e.g. webinars, conferences); and
  • Subscribers, i.e. individuals who have agreed to receive our newsletters, alerts, invitations to events and other materials.

4. Personal data we process, purposes and legal grounds of personal data processing

4.1 Visitors of the Website

We process the following personal data of visitors of the Website:

  • IP-address;
  • Information about your device, OS and browser;
  • Pages of the Website you visited;
  • Day and time of your visit of the Website;
  • Information collected through cookie files.

Please note that we do not use the above data to determine your identity, such as name. This data is processed in order to manage and improve the Website.

We rely on our legitimate interest to process this personal data. We believe that the Company, as the operator of the Website, has a legitimate interest to control the use of the Website and that your rights are not violated by this personal data processing.

4.2 Applicants

We process the following personal data of applicants:

  • Name and surname;
  • Contact details;
  • Any other information indicated in the request (this could be employer’s details, job position, details of the request, etc.).

We use this information in order to respond to your request. Our response will depend on the content of your request. For instance, if you would like to receive our services, we get in contact with you to provide our quotes and further course of action. In case of registration to our events, we will include you in the list of participants.

We process personal data of applicants on the basis of consent, which you give us when submitting your request.

4.3 Subscribers

We process the following personal data of subscribers:

  • Name and surname;
  • Contact details;
  • Job position;
  • Employer’s details;
  • Preferences, i.e. specific areas of law or industry sector you would like to receive materials about.

We process this personal data to send you newsletters, alerts and other materials.

We process this personal data on the basis of your consent. You may withdraw your consent at any time, and we will provide an opt-out option in any material we send you.

5. How we process your personal data

We carry out automated and non-automated personal data processing (mixed processing).

When processing your personal data, we perform the following actions or operations on such personal data: collection, recording, systematisation, accumulation, storage, clarification (update, modification), retrieval, use, transfer (provision, access), depersonalisation, blocking, deletion or destruction of personal data.

As a general rule, we will not disseminate the personal data discussed in this Policy. If we need to carry out dissemination, we will ask for your specific consent for this.

Upon collection of your personal data, we comply with the localisation rules prescribed by the Law, which means that we ensure that the recording, systematisation, accumulation, storage, clarification (update, modification) and retrieval of your personal data are performed with the use of databases located in Russia.

6. Use of cookie files

To improve the functioning of the Website, we may use a special cookies technology.

We understand that, to a certain extent, cookies could be treated as personal data. Thus, to provide full information regarding our use of cookie files, we have adopted a separate policy, which can be found here [link to our cookie notice on the affiliate website].

7. Retention

As a general rule, we process your personal data no longer than it is necessary to achieve the purposes of personal data processing.

Once the purposes of personal data processing are achieved, we will delete and/or destroy personal data within 30 days.

We will also cease processing your personal data, and delete or destroy it, if you withdraw your consent to data processing, where we process your personal data on the basis of consent.

Please note that, in certain cases, we may continue processing your data after you have withdrawn your consent, where such processing is necessary to perform our duties arising from applicable laws or where such processing is required to exercise the rights and legitimate interest of the Company.

8. Third parties (processors) involved by the Company

Any company needs to involve some third parties for technical and other issues in order to support its business as well as to use its IT infrastructures. Such process may involve instructing such third parties to process your personal data on behalf of the Company.

When we engage such third parties, we ensure that these third parties keep your personal data confidential and implement the necessary and appropriate organisational, legal and technical measures to protect your personal data.

Third parties that we involve process your personal data solely for the purposes indicated in this Policy.

If you would like to receive more information about third parties involved in processing of your personal data, please send the relevant request to us.

9. Transfer of personal data

We may transfer your personal data in the following cases:

  • To comply with applicable laws, court rulings and requests from any state and municipal authorities.
  • In connection with any ongoing investigation by law-enforcement authorities.
  • For the purposes of investigating or assisting in preventing any violations of applicable laws and this Policy.
  • To protect rights and property, and to maintain the safety of the Company and its employees, Website users or other persons, as well as in other cases covered by applicable laws.

As a general rule, we do not perform cross-border transfer of personal data, unless it is necessary for the purpose of processing your personal data. For instance, if you would like us to instruct colleagues in other countries to provide you with services.

If you would like to receive more information about transferring your personal data, please send the relevant request to us.

10. Measures of data protection

We treat confidentiality and security of your personal data as our key principles of personal data processing. We have implemented adequate technical, legal and organisational measures in respect of your personal data, in particular:

  • We have appointed a person responsible for arranging personal data processing.
  • Regulations and policies in respect of personal data processing have been adopted.
  • We enter into agreements with entities involved in personal data processing on behalf of the Company, where they are required to ensure the confidentiality and security of personal data.
  • We evaluate harm that may be caused to individuals in case of data breach, assess such harm and take measures aimed at ensuring personal data is secure.
  • We keep our employees trained regarding personal data regulations and best practices in handling personal data.
  • We control access to personal data by our employees on a need-to-know basis.
  • We prevent uncontrolled access to the premises where the information system that processes your personal data is located.
  • We protect information with the help of special data protection means.
  • We have installed anti-virus programmes for personal data protection.
  • We have implemented procedures of duplicating and restoring personal data as well as of regular backups of personal data.
  • We prevent attempted unauthorised access to the information system of personal data.
  • We store tangible media containing personal data in fireproof metal cabinets or safes pursuant to the current Russian laws.

We undertake to take any other necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, transfer, dissemination, as well as any other unlawful actions in respect of personal data, in particular, measures covered by the Law.

11. Your rights

You have the following rights in respect of personal data processing performed by us:

  • To withdraw your consent to the processing of your personal data.
  • To require the clarification, blocking and/or destruction of incomplete, inaccurate, outdated, unlawfully obtained or unnecessary personal data.
  • To access to your personal data.
  • To object against our personal data being processed, including by filing a complaint with the data protection authority or a claim with the competent court.

12. Amendments to this Policy

We reserve the right to make amendments to this Policy.

We will publish the amended Policy on the Website, so you can always get acquainted with the up-to-date version.

13. Contact us

If you would like to exercise your rights (e.g. withdraw your consent), receive certain information from us or have any other questions related to this Policy or our personal data processing, you may send us a request:

  • By email: [email protected]; and/or
  • By regular post: CMS International B.V., for the attention of the DPO, 10 Presnenskaya Naberezhnaya, block C, 123112 Moscow, Russia.