Version dated 9 February 2026
This document defines the Personal Data Processing Policy (hereinafter – the “Policy”) of GMT Legal LLC (Primary State Registration Number: 5157746039897, TIN: 7728319660; hereinafter – the “Data Controller”) with respect to the Processing of Personal Data and the implementation of requirements for the protection of personal data (hereinafter – the “Personal Data”) in accordance with Article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
The Policy has been developed in accordance with the current legislation of the Russian Federation on Personal Data and applies to all processes of the Data Controller related to the processing of Personal Data when interacting with Users through the Website, feedback forms, electronic mail, messengers (including Telegram), as well as other communication channels used by the Data Controller for the provision of services and communication.
1. GENERAL PROVISIONS
1.1. The Policy is a publicly available document declaring the fundamentals of the Data Controller’s activities in the Processing of Personal Data and shall be published on the official website of the Data Controller in the information and telecommunication network “Internet” (hereinafter – the “Internet”) at the following address: https://gmtlegal.com/ (hereinafter – the “Website”).
1.2. The consent of the Personal Data Subject to the Processing of his/her Personal Data is confirmed by checking the box next to the wording “I give consent to the processing of personal data” when filling out the feedback form (hereinafter – the “Form”). The User unconditionally accepts the provisions of this Policy without any reservations, limitations and/or exceptions, agrees with the terms of the Processing of Personal Data specified therein. In case of disagreement with the Processing of Personal Data and/or this Policy, the User shall not use the Website to fill out the Form.
2. KEY DEFINITIONS
2.1. The following concepts, terms, and abbreviations are used in this Policy:
|
Term / Abbreviation |
Meaning |
|
Personal Data |
Any information relating to an identified or identifiable natural person (the Personal Data Subject), directly or indirectly. |
|
Data Controller |
GMT Legal LLC (Primary State Registration Number: 5157746039897, Taxpayer Identification Number / Tax Registration Reason Code: 7728319660/772801001). |
|
Website |
The official website of the Data Controller available at the following Internet address: https://gmtlegal.com/ |
|
Processing of Personal Data |
Any action (operation) or set of actions (operations) performed with Personal Data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, deletion and destruction of Personal Data. |
|
Personal Data Subject |
The User whose Personal Data is processed by the Data Controller. |
|
User |
A person who provides his/her Personal Data to the Data Controller. |
|
Specialist |
A person responsible for the provision of services by the Data Controller. |
2.2. All other terms occurring in the text of the Policy shall be interpreted in accordance with the legislation of the Russian Federation, including Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data,” and, in the absence of such regulation, shall be interpreted by the customary rules of interpretation applied on the Internet.
3. LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA
3.1. The Data Controller’s policy in the field of the Processing of Personal Data is determined in accordance with:
- the Constitution of the Russian Federation;
- the Civil Code of the Russian Federation;
- Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;
- Federal Law No. 149-FZ dated 27 July 2006 “On Information, Information Technologies and Information Protection”;
- Decree of the Government of the Russian Federation No. 687 dated 15 September 2008 “On Approval of the Regulation on the Specifics of the Processing of Personal Data Carried Out Without the Use of Automation Tools”;
- other regulatory legal acts of the Russian Federation relating to the issues of the Processing and protection of Personal Data;
- consent to the Processing of Personal Data.
4. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
4.1. The Data Controller shall be entitled to:
4.1.1. Receive from the Personal Data Subject reliable information containing Personal Data;
4.1.2. In the event the Personal Data Subject withdraws consent to the Processing of Personal Data, the Data Controller shall continue the Processing of Personal Data without consent provided that the grounds established by the legislation of the Russian Federation are available;
4.1.3. Independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the personal data legislation and the regulatory legal acts adopted in accordance therewith, unless otherwise provided by the personal data legislation or other federal laws.
4.2. The Data Controller shall be obliged to:
4.2.1. Provide the Personal Data Subject, upon his/her request, with information relating to the Processing of his/her Personal Data;
4.2.2. Organize the Processing of Personal Data in accordance with the procedure established by the current legislation of the Russian Federation;
4.2.3. Respond to appeals and requests of Personal Data Subjects and their legal representatives in accordance with the requirements of the personal data legislation;
4.2.4. Publish or otherwise ensure unrestricted access to this Policy with respect to the Processing of Personal Data;
4.2.5. Take legal, organizational and technical measures to protect Personal Data from unlawful or accidental access thereto, destruction, alteration, blocking, copying, provision, dissemination of Personal Data, as well as from other unlawful actions in relation to Personal Data;
4.2.6. Terminate the transfer (dissemination, provision, access) of Personal Data, terminate the Processing and destroy Personal Data in the manner and in the cases provided for by the personal data legislation;
4.2.7. Fulfill other obligations provided for by the personal data legislation.
5. RIGHTS AND OBLIGATIONS OF THE PERSONAL DATA SUBJECT
5.1. The Personal Data Subject shall have the right to:
5.1.1. Obtain information relating to the Processing of his/her Personal Data, except as provided for by federal laws. Such information shall be provided to the Personal Data Subject by the Data Controller in an accessible form, and it shall not contain Personal Data relating to other Personal Data Subjects, except where there are lawful grounds for the disclosure of such Personal Data. The list of information and the procedure for obtaining it are established by the personal data legislation;
5.1.2. Require the Data Controller to clarify his/her Personal Data, to block or destroy such Personal Data if the Personal Data are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the stated purpose of the Processing, as well as to take statutory measures to protect his/her rights;
5.1.3. Refuse to provide consent to the Processing of Personal Data for the purposes of promoting goods, works and services on the market;
5.1.4. Withdraw consent to the Processing of Personal Data;
5.1.5. Appeal to the authorized body for the protection of the rights of Personal Data Subjects or to a court, in the manner prescribed by law, against unlawful actions or inaction of the Data Controller in the course of the Processing of his/her Personal Data;
5.1.6. Exercise other rights provided for by the legislation of the Russian Federation.
5.2. The Personal Data Subject shall be obliged to:
5.2.1. Provide the Data Controller with accurate (reliable) data about himself/herself;
5.2.2. Notify the Data Controller of any clarification (updating, modification) of his/her Personal Data.
5.3. A person who has provided the Data Controller with inaccurate information about himself/herself, or information about another Personal Data Subject without the latter’s consent, shall bear liability in accordance with the legislation of the Russian Federation.
6. PRINCIPLES OF THE PROCESSING OF PERSONAL DATA
6.1. The Processing of Personal Data shall be carried out by the Data Controller based on the following principles:
- the Processing of Personal Data shall be carried out in accordance with the purposes of their Processing;
- the content and volume of the Personal Data being processed correspond to the declared purposes of Processing and are not excessive in relation to the declared purposes of their Processing;
- when Processing Personal Data, the accuracy of Personal Data, their sufficiency, and, where necessary, their relevance (up-to-dateness) in relation to the purposes of the Processing of Personal Data shall be ensured (necessary measures shall be taken to delete incomplete or inaccurate data);
- storage of Personal Data shall be carried out in a form that allows the identification of the Personal Data Subject, for no longer than is required by the purposes of the Processing of Personal Data, unless the period of storage of Personal Data is established by a federal law, a contract to which the Personal Data Subject is a party, beneficiary or guarantor (the Personal Data being processed, upon achievement of the purposes of Processing or in the event of loss of the necessity to achieve these purposes, unless otherwise provided by federal law, shall be subject to destruction or depersonalization).
6.2. Personal Data Subjects shall bear responsibility for providing the Personal Data with reliable information.
7. PURPOSES, GROUNDS FOR THE PROCESSING, AND CATEGORIES OF PERSONAL DATA
7.1. The Data Controller carries out the Processing of Personal Data obtained in the manner established by law and belonging to the Users.
7.2. Only such Personal Data that correspond to the purposes of their Processing shall be subject to Processing by the Data Controller. Personal Data shall not be subject to Processing in the event that their nature and volume do not correspond to the stated purposes.
7.3. The Data Controller processes the following Personal Data of Users for the purposes and on the grounds specified in this paragraph of the Policy:
| Purpose of the Processing of Personal Data | Category of Personal Data | Ground for the Processing of Personal Data |
|---|---|---|
|
Ensuring the possibility of feedback from the Data Controller’s Specialists in response to Users’ requests. |
|
Consent to the Processing of Personal Data. |
|
Ensuring the possibility of online payment for the ordered services. |
|
Consent to the Processing of Personal Data. |
|
Ensuring the fulfillment of the Data Controller’s obligations to Users. |
|
Consent to the Processing of Personal Data. |
|
Informing the Personal Data Subject about promotions, contests, special offers, new services, discounts, advertising materials and other services, as well as obtaining commercial or advertising information and free products, participation in exhibitions or events, performance of marketing research and notification of all special initiatives for clients. |
|
Consent to receiving mailings. |
7.4. The specified Personal Data may also be Processed by the Data Controller for the following purposes:
- sending notifications, requests and information relating to the use of the Website, the performance of agreements and contracts, as well as the Processing of requests and applications from the User;
- improving the quality of operation of the Website, the convenience of its use for the User, development of new services, interaction with the User;
- conducting statistical and other research based on depersonalized data;
- in other cases provided for by the Data Controller’s local acts or by an agreement with the User, where this is permitted by legislation.
The general list of Personal Data processed by the Data Controller may be approved, as well as expanded or reduced by the Data Controller, of which the Data Controller shall notify by amending this Policy.
7.5. The Data Controller does not perform the Processing of special categories of Personal Data relating to nationality, political views, religious or philosophical beliefs.
7.6. Within the framework of the rendering of services and the consideration of appeals, the User may, on his/her own initiative, provide the Data Controller with additional Personal Data (including those contained in documents and messages) necessary for the rendering of services. The Data Controller processes such Personal Data to the extent necessary for the rendering of services.
8. LIST OF ACTIONS WITH PERSONAL DATA AND METHODS OF THEIR PROCESSING
8.1. The Data Controller carries out the collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (dissemination, provision, access), depersonalization, deletion and destruction of Personal Data.
8.2. The Processing of Personal Data by the Data Controller is carried out:
- using automation tools (automated Processing of Personal Data);
- without the use of automation tools.
9. PROCEDURE FOR COLLECTION, STORAGE, TRANSFER AND OTHER TYPES OF PROCESSING OF PERSONAL DATA BY THE DATA CONTROLLER
9.1. The Data Controller receives Personal Data from the Personal Data Subjects or authorized third parties when they contact the Data Controller via electronic mail, messengers (including Telegram), telephone communication, as well as when filling out feedback forms on the Website.
9.2. Consent to the Processing of Personal Data of persons aged from 14 to 18 years shall be provided by such persons independently, subject to the authorization of parents/legal representatives (whether prior or subsequent).
9.3. The Data Controller does not carry out the Processing of Personal Data of persons under the age of 14 years, including where the authorization of parents/legal representatives is available (whether prior or subsequent).
9.4. The provision by the Data Controller of Personal Data to third parties (transfer of Personal Data) may be carried out exclusively for the achievement of the purposes declared for the Processing of Personal Data in this Policy.
9.5. When transferring Personal Data, the Data Controller complies with the following requirements:
9.5.1. The Data Controller does not disclose the Personal Data of the Personal Data Subject to a third party without explicit consent, except in cases where this is necessary for the purposes of the Processing of Personal Data, prevention of a threat to the life and health of the Personal Data Subject, as well as in cases established by law;
9.5.2. The Data Controller does not disclose Personal Data for commercial purposes without the explicit consent of the Personal Data Subject;
9.5.3. The Data Controller informs persons receiving Personal Data that such data may be used solely for the purposes for which they were disclosed, and requires such persons to take appropriate measures for the protection of Personal Data. Persons receiving the User’s Personal Data shall be obliged to comply with the confidentiality regime;
9.5.4. The Data Controller permits access to Personal Data only to authorized persons; at the same time, such persons must have the right to receive only those Personal Data that are necessary for the performance of specific functions.
9.6. For the purposes of compliance with the legislation of the Russian Federation and for the achievement of the purposes of the Processing of Personal Data, the Data Controller, in the course of its activities, provides Personal Data to the following third parties:
- authorized state authorities in cases provided for by federal laws;
- the Data Controller’s counterparties under agreements, subject to the consent of the Personal Data Subject;
- other persons – in cases and in the procedure provided for by federal legislation, and/or subject to the consent of the Personal Data Subject.
9.7. Personal Data are stored on Russian servers in accordance with the requirements of legislation and are processed until the achievement of the purpose of the Processing and for a period of 5 (five) years from such moment, unless a different Processing period follows from the requirements of the legislation of the Russian Federation.
9.8. The User may at any time withdraw his/her consent to the Processing of Personal Data by sending the Data Controller a notice via electronic mail to the Data Controller’s e-mail address info@gmtlegal.com with the subject line “Withdrawal of consent to the Processing of Personal Data”. The period for the Data Controller’s consideration of the request shall be no more than 10 (ten) business days.
9.9. Personal Data shall be subject to destruction/deletion upon achievement of the purposes of the Processing or in the event the necessity to achieve them is lost, as well as in the event of withdrawal of Consent to the Processing of Personal Data, unless otherwise established by federal laws or by the Data Controller.
9.10. The Data Controller does not carry out activities involving the cross-border transfer of Personal Data.
10. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA DURING THEIR PROCESSING
10.1. In the Processing of Personal Data, the Data Controller takes all necessary legal, organizational and technical measures to protect them from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as from other unlawful actions in relation thereto.
10.2. Ensuring the security of Personal Data is achieved by complying with the requirements of Article 18.1 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
10.3. For the purposes of ensuring the security of Personal Data, the Data Controller, in particular, implements the following measures:
- appointment of persons responsible for the organization of Processing and ensuring the security of Personal Data;
- restriction of access to Personal Data and granting access only to authorized persons;
- application of organizational and technical information protection measures, including antivirus protection and backup;
- monitoring compliance with the requirements of legislation and the Data Controller’s local acts.
11. CONSIDERATION OF APPEALS (REQUESTS) OF PERSONAL DATA SUBJECTS
11.1. Personal Data Subjects shall have the right to receive information relating to the Processing of their Personal Data by the Data Controller to the extent provided for by this section of the Policy, in accordance with Article 14 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”.
11.2. The information shall be provided to the Personal Data Subject in an accessible form and shall not include Personal Data relating to other Personal Data Subjects, except in cases where there are lawful grounds for the disclosure of such Personal Data.
11.3. A request for information shall be made by electronic mail to the Data Controller’s e-mail address info@gmtlegal.com with the subject line “Receipt by the Personal Data Subject of information on the Processing of his/her Personal Data”. The period for the Data Controller’s consideration of the appeal shall be no more than 10 (ten) business days.
11.4. The right of the Personal Data Subject to access his/her Personal Data may be restricted in accordance with Part 8 of Article 14 of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” in the event that the Personal Data Subject’s access to his/her Personal Data violates the rights and lawful interests of third parties.
12. FINAL PROVISIONS
12.1. All proposals, questions, requests and other appeals regarding this Policy and the use of his/her Personal Data, the User shall be entitled to send to the Data Controller:
- to the e-mail address: info@gmtlegal.com;
- or to the postal address: 4404 Premises, Building 2, 6 Presnenskaya Embankment, Moscow, 123112, Russian Federation.
12.2. Any amendments to the Policy shall be reflected in this document. The Policy shall remain in force for an indefinite term until it is replaced by a new version.
12.3. The current version of the Policy is available on the Website with unrestricted access.