Personal Data Processing Policy
version dated March 20, 2026
This Personal Data Processing Policy hereinafter referred to as the “Policy” determines the procedure and terms for the processing of personal data by Limited Liability Company “GVA” hereinafter referred to as the “Operator”, as well as information on the measures implemented to protect personal data in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technologies and Information Protection,” and other applicable laws and regulations of the Russian Federation.
This Policy applies when using the website https:/mil-team.com/, related pages, feedback forms, vacancy pages, and external forms to which the specified website expressly redirects the user.
Personal Data Operator: Limited Liability Company “GVA” LLC “GVA”, OGRN 1197746596630, INN 7708360980, KPP 770801001, address: 107140, Moscow, 1st Krasnoselsky Lane, 3, basement/premises/room/office 1/I/75/3g, email address: info@mil-team.com.
1. General Provisions and Processing Principles
1.1. This Policy applies to the personal data of:
- website visitors;
- persons submitting requests for a project, research, consultation, presentation, and other materials;
- job candidates;
- persons joining the Talent Pool;
- persons who have provided separate consent to receive informational and advertising messages;
- persons contacting the Operator in connection with the exercise of personal data subject rights.
1.3. Personal data processing shall be limited to the achievement of specific, predetermined, and lawful purposes.
1.4. The Operator shall not process personal data in a manner incompatible with the purposes of its collection.
1.5. The content and scope of the personal data processed must correspond to the stated purposes of processing. The Operator shall not allow excessive processing of personal data in relation to the stated purposes.
1.6. When processing personal data, the Operator shall ensure its accuracy, sufficiency, and, where necessary, relevance, and shall take measures to delete or clarify incomplete or inaccurate data.
1.7. Personal data shall be stored no longer than required by the purposes of processing, unless another retention period is established by the laws of the Russian Federation.
1.8. This Policy does not replace separate consents of the personal data subject in cases where such consents are required by the laws of the Russian Federation or by the selected interaction scenario.
Consent to receive informational and advertising messages, as well as the user’s choice regarding cookies that are not strictly necessary, shall be provided separately.
2. Key Terms Used in this Policy
2.1. Personal data means any information relating to an identified or identifiable individual, directly or indirectly.
2.2. Personal data subject means the individual to whom the personal data relates.
2.3. Operator means LLC “GVA,” which independently organizes and/or carries out the processing of personal data, and determines the purposes of processing, the scope of personal data, and the actions/operations performed with personal data.
2.4. Personal data processing means any action/operation or set of actions/operations performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer including provision and access, depersonalization, blocking, deletion, and destruction.
2.5. Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.
2.6. Dissemination of personal data means actions aimed at disclosing personal data to an indefinite group of persons.
2.7. Depersonalization of personal data means actions as a result of which it becomes impossible, without the use of additional information, to determine whether personal data belongs to a specific personal data subject.
2.8. Blocking of personal data means temporary suspension of personal data processing, except where processing is necessary to clarify personal data.
2.9. Destruction of personal data means actions as a result of which it becomes impossible to restore the content of personal data in a personal data information system and/or on tangible media containing personal data.
2.10. Cross-border transfer of personal data means the transfer of personal data to the territory of a foreign state, to a foreign state authority, a foreign individual, or a foreign legal entity.
2.11. Person processing personal data on behalf of the Operator means a person engaged by the Operator under an agreement or other proper legal basis to perform certain operations with personal data in the interests of the Operator.
2.12. Cookies and similar technologies means small data fragments and other technical identifiers used to ensure the operation of the website, analyze its use, and for other purposes specified in the separate Cookie Policy.
2.13. Event logs means technical records of events and actions in information systems and forms, used to ensure security, investigate incidents, and comply with the requirements of the laws of the Russian Federation.
2.14. Personal data authorized by the personal data subject for dissemination means personal data to which access by an indefinite group of persons has been granted by the personal data subject by giving separate consent in the manner prescribed by the laws of the Russian Federation.
The Operator shall not disseminate personal data without a separate legal basis and, where required by law, separate consent of the personal data subject.
3. Main Rights and Obligations of the Operator
3.1. The Operator has the right to:
- request from the personal data subject information and documents necessary to consider a request, conclude an agreement, assess a candidate, or comply with the requirements of the laws of the Russian Federation;
- verify the accuracy of the information provided to the extent necessary for the stated purpose of processing;
- continue processing personal data after withdrawal of consent where there are other lawful grounds for such processing;
- depersonalize personal data for analytics, statistics, process efficiency assessment, and internal control, subject to compliance with the requirements of the laws of the Russian Federation;
- assign the processing of personal data to other persons under an agreement or other proper legal basis;
- restrict processing, reject requests, or terminate communication in the event of abuse of website forms, submission of inaccurate information, unlawful conduct, or in other cases permitted by law.
- process personal data on a lawful and fair basis and only for predetermined lawful purposes;
- ensure publication and continuous availability of this Policy;
- ensure the exercise of personal data subjects’ rights and provide information in response to their requests in accordance with the procedure and within the time limits established by the laws of the Russian Federation;
- take legal, organizational, and technical measures to protect personal data;
- ensure localization of personal data of citizens of the Russian Federation in cases provided for by law;
- terminate unlawful processing, clarify, block, or destroy personal data in cases provided for by the laws of the Russian Federation;
- record the receipt, amendment, and withdrawal of consents where processing is based on consent;
- fulfil obligations to document incidents and notify the authorized authority or other persons in the cases and in the manner established by the laws of the Russian Federation.
The Operator appoints a person responsible for organizing personal data processing.
Such person coordinates compliance with the requirements of the laws of the Russian Federation and the Operator’s internal regulations, organizes the consideration of requests from personal data subjects, interaction with the authorized authority, and internal control over compliance with retention periods, data destruction procedures, and application of protection measures.
For matters related to personal data processing, the following email address shall be used: info@mil-team.ru.
3.4. Document flow and processing records
The Operator maintains and stores, to the extent necessary to comply with the laws of the Russian Federation and internal processes, documents and information confirming:
- the purposes of personal data processing, categories of subjects, and scope of processed data;
- legal grounds for processing;
- personal data retention periods;
- facts of receipt, amendment, and withdrawal of consents;
- engagement of persons processing personal data on behalf of the Operator;
- facts of blocking, deletion, destruction, or depersonalization of personal data;
- information on requests from personal data subjects and the results of their consideration;
- information on incidents, where their documentation is required by the laws of the Russian Federation or by the Operator’s internal regulations.
The Operator considers requests from public authorities, courts, and other persons authorized to obtain information in accordance with the procedure established by the laws of the Russian Federation.
Personal data shall be disclosed only where there is a proper legal basis, to the minimum extent necessary, and with the fact of disclosure, legal basis, and scope of transferred information being recorded.
4. Personal Data That May Be Processed
4.1. Depending on the interaction scenario, the Operator may process:
- surname, first name, patronymic;
- email address;
- telephone number;
- username/identifier in Telegram and other messengers, where the user provides it voluntarily;
- information about the company, position, role, and professional profile;
- content of the request, description of the task, project, or research;
- files and attachments, including CV/resume, portfolio, and cover letter;
- links to repositories, portfolios, and other professional materials;
- information on experience, skills, specialization, and preferences in career scenarios;
- information on the source of the application;
- information on communication channels selected by the user, communication subject matter, and the fact of granting and withdrawing consent;
- technical data: IP address, browser identifier/user-agent, date and time of form submission, technical identifiers, cookies, and event logs.
5. Purposes of Personal Data Processing
5.1. Website operation and security
Purpose: ensuring the availability and proper operation of the website, protection against abuse, technical administration, maintaining event logs, infrastructure protection, and investigation of information security incidents.
Data: technical data, cookies, event logs.
Grounds: exercise of the rights and legitimate interests of the Operator or third parties, provided that this does not violate the rights and freedoms of the personal data subject, as well as fulfilment of obligations established by the laws of the Russian Federation.
Retention period: as a rule, up to 12 months, unless a different period is required for incident investigation, compliance with law, or protection of the Operator’s rights and legitimate interests in a specific situation.
5.2. Processing business requests and applications
Purpose: receiving and considering requests for a project, research, presentation, consultation, cases, materials, and other requests, as well as conducting subsequent business communication.
Data: surname, first name, patronymic, contact details, company, role, content of the request, description of the task, attachments, and technical metadata.
Grounds: consent of the personal data subject or actions aimed at concluding an agreement at the initiative of the personal data subject.
Retention period: as a rule, up to 24 months from the last substantive contact, unless a longer period is required for claims handling, verification, dispute resolution, or compliance with law.
5.3. Sending requested materials and presentations
Purpose: sending materials, presentations, responses to requests, and arranging a call or meeting upon the user’s direct request.
Data: contact details, company, role, subject of the request.
Grounds: consent of the personal data subject or actions aimed at concluding an agreement at the initiative of the personal data subject.
Retention period: as a rule, up to 12 months after the materials are sent, or longer if negotiations or the contractual process continue.
Sending materials expressly requested by the user does not, in itself, constitute an advertising mailing and does not replace separate consent to receive informational and advertising messages.
5.4. Considering candidates for vacancies
Purpose: assessing a candidate, verifying the relevance of experience, arranging interviews, performing a test assignment, and making a decision on possible employment or other professional cooperation.
Data: surname, first name, patronymic, contact details, CV/resume, portfolio, links to work, information on experience and skills, motivational materials, and results of communication regarding the vacancy.
Grounds: consent of the personal data subject and actions at the request of the personal data subject prior to possible conclusion of an agreement.
Retention period: until completion of consideration of the candidate for the relevant vacancy and no more than 30 days after achieving the specified purpose, unless another period is required under the laws of the Russian Federation or for protection of the Operator’s rights and legitimate interests in connection with a specific dispute, inspection, or request.
If the candidate provides separate consent to inclusion in the Talent Pool, further storage and processing of his or her data shall be carried out in accordance with the procedure and within the periods provided for in Clause 5.5 of this Policy.
5.5. Talent Pool
Purpose: maintaining contact with specialists, assessing the professional profile for future projects, vacancies, research formats, and partnership formats.
Data: contact details, information on experience, specialization, professional interests, profile materials, and communication history.
Grounds: consent of the personal data subject.
Retention period: up to 36 months from the date of completing the questionnaire or from the date of the last confirmed interaction with the Operator, unless the consent has been withdrawn earlier.
Upon expiry of the specified period, personal data shall be deleted or depersonalized, unless its further storage is required in accordance with the laws of the Russian Federation or for protection of the Operator’s rights and legitimate interests in connection with a specific request, dispute, or inspection.
5.6. Informational and advertising messages
Purpose: sending the user one-time, targeted, or occasional informational and advertising messages about the Operator’s projects, services, research, materials, vacancies, events, and other offers.
Data: the minimum necessary set of contact details, selected communication channels, and information on consent and its withdrawal.
Grounds: separate, voluntary, prior consent of the personal data subject.
Communication channels: email address, telephone calls, messages in messengers, where the relevant channel was specified by the user and selected when providing consent.
Retention period: until withdrawal of consent, termination of the relevant communication, or for the period necessary to confirm the lawfulness of communication and protect the Operator’s rights.
5.7. Considering requests from personal data subjects and fulfilling the Operator’s obligations
Purpose: considering requests from personal data subjects, their representatives, and authorized authorities, and fulfilling the Operator’s obligations under the laws of the Russian Federation on personal data.
Data: surname, first name, patronymic, contact details, information contained in the request, documents confirming the representative’s authority, and other information necessary to prepare a response.
Grounds: fulfilment of obligations imposed on the Operator by the laws of the Russian Federation.
Retention period: for the period necessary to consider the request, prepare a response, confirm fulfilment of the Operator’s obligations, and protect its rights, as a rule, at least 3 years after completion of consideration of the request, unless another period is established by law or by the specific situation.
5.8. Contract work, CRM, accounting, and protection of the Operator’s rights
The Operator also has the right to process personal data to the extent necessary for the conclusion, performance, amendment, and termination of civil-law contracts, maintaining CRM and business records, accounting and tax accounting, storage of supporting documents, and protection of the Operator’s rights and legitimate interests, where such processing arises from the user’s request, contractual interaction, requirements of the laws of the Russian Federation, or other lawful grounds.
6. Operations with Personal Data
6.1. The Operator may collect, record, systematize, accumulate, store, clarify, retrieve, use, transfer including provide and grant access, depersonalize, block, delete, and destroy personal data.
6.2. Processing shall be carried out both with and without the use of automation tools.
7. Data Transfer and Assignment of Processing
7.1. The Operator has the right to engage in personal data processing persons ensuring the functioning of websites and communications, including the website platform, external forms, CRM systems, corporate email, call tracking services, messaging services, web analytics and advertising tools, as well as individuals performing work or rendering services under civil-law contracts, provided that they are actually used or engaged by the Operator and do not entail cross-border transfer of personal data in violation of the processing regime declared by the Operator.
Depending on the actual model of interaction, such persons may act either as persons processing personal data on behalf of the Operator or as independent operators within the scope of their own rules and documents.
7.2. If personal data processing is assigned to another person, including an individual performing work or rendering services under a civil-law contract, such assignment shall be formalized by an agreement or other proper legal basis.
The assignment shall define the list of personal data, the list of actions/operations with such data, the purposes of processing, obligations to maintain confidentiality, requirements for personal data security and localization, as well as obligations to notify the Operator of breaches and incidents, where required by the laws of the Russian Federation and the terms of interaction.
7.3. When using external forms and external services, the data transfer route, scope of transferred information, place of its initial collection, and legal role of the relevant service shall be determined by the actual architecture of the solution used and must comply with this Policy, the Operator’s agreements, and the laws of the Russian Federation.
8. Storage, Localization, and Cross-Border Transfer
8.1. When collecting personal data of citizens of the Russian Federation, including via the Internet information and telecommunications network, the Operator shall ensure recording, systematization, accumulation, storage, clarification/updating/amendment, and retrieval of such personal data using databases located in the territory of the Russian Federation, except in cases expressly provided for by the laws of the Russian Federation.
8.2. The Operator shall store personal data no longer than required by the purposes of processing, the laws of the Russian Federation, contractual terms, or the need to protect the Operator’s rights and legitimate interests in connection with a specific dispute, claim, inspection, or request.
8.3. The Operator does not carry out cross-border transfer of personal data within the framework of the processing described in this Policy.
9. Rights of the Personal Data Subject
9.1. The personal data subject has the right to:
receive information concerning the processing of his or her personal data in the cases and to the extent provided for by the laws of the Russian Federation;
request clarification, blocking, or destruction of his or her personal data where the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
withdraw consent to personal data processing in whole or in the relevant part;
object to processing in the cases provided for by the laws of the Russian Federation;
appeal against actions or omissions of the Operator to the authorized authority for the protection of personal data subjects’ rights or to a court.
9.2. To exercise his or her rights, the personal data subject or his or her representative may contact the Operator at info@mil-team.ru or at the Operator’s registered address. The request must allow the applicant to be identified and, where necessary, confirm his or her authority.
9.3. The personal data subject shall provide accurate personal data and, where necessary, promptly notify the Operator of any changes thereto, if this is required for the relevant purpose of processing or performance of an agreement.
10. Personal Data Protection
10.1. The Operator shall take legal, organizational, and technical measures aimed at protecting personal data against unauthorized access, destruction, alteration, blocking, copying, dissemination, and other unlawful actions.
10.2. Such measures include, in particular, access rights differentiation, use of secure communication channels, authentication and access control for services and forms, backup copying, antivirus protection, security event logging, internal personal data processing regulations, and restriction of employee access on a need-to-know basis.
11. Cookies and Similar Technologies
11.1. The rules for using cookies and similar technologies are determined by the separate Cookie Policy.
11.2. For cookies that are not strictly necessary, a separate mechanism for user choice and consent shall apply in accordance with the procedure established by the Cookie Policy.
12. Final Provisions
12.1. The Operator has the right to amend this Policy by publishing a new version on the Website. The new version of the Policy shall apply from the moment it is published on the Website, unless otherwise expressly stated in the new version.
12.2. The current version of the Policy must remain permanently publicly available.
