POLICY
regarding the processing of personal data in VOXYS Group of Companies (Voxys LLC, Voxys Lab LLC, Voxys Kadroviye Resheniya LLC, Comfortel JSC)
1. GENERAL PROVISIONS
1.1. The Purpose of the Policy
1.1.1. This Policy regarding the processing of personal data in VOXYS Group of Companies (hereinafter referred to as the Policy) is developed in compliance with Federal Law No.152-FZ of July 27, 2006 “On Personal Data”.
1.1.2. The Policy becomes effective from the date of its publication.
1.1.3. The Policy is subject to periodic review by the management of VOXYS Group of Companies (hereinafter referred to as the Group of Companies), as well as in cases of changes in the legislation of the Russian Federation in the field of personal data.
1.1.4. The Policy is subject to publication on the official website of the Company.
1.2. Policy Objectives
1.2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of personal data subjects during processing of their personal data by the Group of Companies.
1.3. Basic Concepts
1.3.1. The following concepts are used for the purposes of the Policy:
personal data - any information related to a directly or indirectly identified or defined natural person (personal data subject);
personal data authorized by the personal data subject for dissemination - personal data to which an unlimited number of persons have access allowed by the subject of personal data by way of giving consent to processing of personal data authorized by the subject of personal data for dissemination in the manner prescribed by the Federal Law “On Personal Data”;
personal data subject - a physical person directly or indirectly identified or determined with the help of personal data;
operator - a state authority, or a municipal authority, a legal or natural person, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data to be processed, and actions (operations) performed with personal data;
processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
automated processing of personal data - processing of personal data by means of computer equipment;
distribution of personal data - actions directed to disclosure of personal data to an unspecified number of people;
provision of personal data - actions directed to disclosure of personal data to a specified person or to a specified number of people;
blocking of personal data - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
depersonalization of personal data - actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular subject of personal data without using additional information;
personal data information system - a combination of personal data and information technologies and technical means contained in databases of personal data and ensuring their processing;
confidentiality of information - a requirement mandatory for a person who has access to certain information not to disclose such information to third parties without the consent of its owner;
cross-border transfer of personal data - transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign natural person or a foreign legal entity;
threats to personal data security - a set of conditions and factors that create a danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions during their processing in the information system of personal data;
level of personal data protection - a complex indicator characterizing the requirements, the execution of which ensures the neutralization of certain threats to the security of personal data during their processing in personal data information systems;
company - a legal entity that is part of VOXYS Group of Companies (Voxys LLC, Voxys Lab LLC, Voxys Kadroviye Resheniya LLC, Comfortel JSC).
1.4. Scope of Application
1.4.1. The provisions of the Policy apply to all matters related to processing of personal data carried out by the Group of Companies:
– with the use of automation tools, including in information and telecommunication networks, or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of actions (operations) performed with personal data with the use of automation tools, i.e. it allows, in accordance with a given algorithm, to search for personal data recorded on a material carrier and contained in card indexes or other systematized collections of personal data, and (or) allows an access to such personal data;
– without the use of automation tools.
1.4.2. This Policy shall be followed by all employees of the Company who process or have access to personal data.
2. THE PURPOSES OF PROCESSING THE PERSONAL DATA
2.1. Processing of personal data is carried out by the Group of Companies for the following purposes:
– bookkeeping;
– maintaining personnel records and making payroll calculations, realization of labor and other connected relations;
– record of vacancies and recruitment requests;
– planning and accounting of employees' working hours;
– execution of orders to process personal data of a client (potential client, partner, counterparty) or of other guarantor on whose behalf personal data is processed;
– recruitment and training of personnel;
– identification of users (visitors) of the Operator’s website;
– communication with users (visitors), including sending notifications, requests and information regarding the use of the Operator's website, execution of agreements and contracts, processing of requests and applications;
– ensuring access control and intra-object regimes.
3. LEGAL BASIS FOR PROCESSING THE PERSONAL DATA
3.1. The basis for processing of personal data in the Company includes the following normative acts and documents:
– The Russian Federation Tax Code;
– The Russian Federation Civil Code;
– The Russian Federation Labor Code;
– Federal Law No.402-FZ of 06.12.2011 “On Bookkeeping”;
– Federal Law No.173-FZ of 17.12.2001 “On Labor Pensions in the Russian Federation”;
– Federal Law No.35-FZ of 06.03.2006 “On Counter Terrorism”;
– Federal Law No.44-FZ of 05.04.2013 “On Contract System in the Sphere of Goods, Works and Services Procurement for State and Municipal Needs”;
– Federal Law No.27-FZ of 01.04.96 “On Individual (Personified) Accounting in the System of Compulsory Pension Insurance”;
– Federal Law No.152-FZ of 27.07.2006 “On personal data”;
– agreements concluded between the Operator and the subject of personal data;
– consents of the subjects of personal data for processing of their personal data.
3.2. In cases not expressly provided for by the legislation of the Russian Federation but corresponding to the Company's powers, personal data processing shall be carried out with the consent of a personal data subject to processing of his/her personal data.
3.3. Processing of personal data shall be terminated upon reorganization or liquidation of the Company.
4. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS
4.1. Information on the categories of subjects whose personal data are processed by the Group of Companies, categories and list of processed personal data, methods, terms of their processing and storage are presented in Appendix No. 1 to this Policy.
5. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
5.1. Principles of personal data processing
Processing of personal data is carried out by the Group of Companies in accordance with the following principles:
– processing of personal data is carried out on legal and fair basis;
– processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes; processing of personal data incompatible with the purposes of personal data collection is not allowed;
– it is not allowed to merge databases containing personal data processed for incompatible purposes;
– only personal data that meet the purposes of their processing are subject to processing;
– the content and scope of processed personal data correspond to the declared purposes of processing; processed personal data are not excessive in relation to the declared purposes of their processing;
– when processing personal data, the accuracy of personal data, their sufficiency and, where necessary, relevance to the purposes of personal data processing shall be ensured; the Company shall take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data;
– personal data shall be stored in a form that allows identification of the personal data subject for no longer than required for the purposes of personal data processing, unless the period of personal data storage is stipulated by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor; processed personal data shall be destroyed or depersonalized upon achievement of the processing purposes or in case of loss of necessity to achieve these purposes, unless otherwise provided for by the federal law or by the contract of the personal data subject.
5.2. Conditions of personal data processing
5.2.1. Conditions of processing the special categories of personal data
The Group does not process special categories of personal data concerning race, nationality, political opinions, religious or philosophical beliefs, state of health, intimate life.
5.2.2. Conditions of processing other categories of personal data
Processing of other categories of personal data is carried out by the Group of Companies subject to the following conditions:
– processing of personal data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or by law, to perform and fulfill the functions, powers and duties assigned to the Company by the legislation of the Russian Federation;
– personal data processing is carried out with the consent of the personal data subject to processing of his/her personal data;
– processing of personal data is necessary for the execution of a contract to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor. The contract concluded with the personal data subject may not contain provisions restricting the rights and freedoms of the personal data subject, establishing cases of processing personal data of minors, unless otherwise provided for by the legislation of the Russian Federation, as well as provisions allowing inactivity of the personal data subject as a condition for concluding the contract.
5.2.3. Assignment of personal data processing
5.2.3.1. The Company does not assign any other person for processing of personal data.
5.2.4. Transfer of personal data
5.2.4.1. The Company shall have the right to transfer personal data to inquiry and investigation authorities and other authorized bodies on the grounds provided for by the applicable laws of the Russian Federation.
5.3. Confidentiality of personal data
5.3.1. The Company employees who have access to personal data shall not disclose to third parties or disseminate personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.
5.4. Publicly available sources of personal data
5.4.1. The Company shall create publicly available sources of personal data for the purpose of information support. Personal data is included in publicly accessible sources on the basis of the personal data subject consent to inclusion of personal data in publicly accessible sources or in order to fulfill the functions, powers and duties assigned by the legislation of the Russian Federation to federal executive authorities, executive authorities of the subjects of the Russian Federation, local self-government bodies. Information about the subject of personal data shall be excluded from publicly available sources of personal data at the request of the subject of personal data or by decision of the court or other authorized state bodies.
5.4.2. Publicly available sources of personal data include the following information:
Employees:
– Full name;
– Contact phones;
– Job title;
5.5. Consent of the personal data subject for processing of his/her personal data.
5.5.1. If it is necessary to ensure the conditions of processing the personal data of the subject, the consent of the personal data subject to processing of his/her personal data may be provided.
5.5.2. A subject of personal data decides to provide his/her personal data and gives consent to their processing freely, of his/her own free will and in his/her own interest. The consent for processing of personal data must be specific, substantive, informed, conscious and unambiguous. The consent for processing of personal data may be given by the subject of personal data or by his/her representative in any form that allows the fact of its receipt to be confirmed, unless otherwise provided for by federal law. In case of receipt of the consent for processing of personal data from a representative of the personal data subject, the powers of such representative for giving the consent on behalf of the subject of personal data shall be examined by the Group of Companies.
5.5.3. The consent for processing of personal data may be recalled by the subject of personal data. If the consent for processing of personal data is recalled by the subject of personal data, the Company has the right to continue the processing of personal data without the consent of the personal data subject upon the availability of grounds mentioned in pp 2-11 of part 1, article 6, pp 2-10 of part 2, article 10, and part 2 article 11 of the Federal Law “On Personal Data”.
5.5.4. The Company is obliged to provide the evidence of receiving the personal data subject’s consent for processing of his/her personal data or the proof of availability of the ground mentioned in pp 2-11 of part 1, article 6, pp 2-10 of part 2, article 10, and part 2 article 11 of the Federal Law “On Personal Data”.
5.5.5. In cases provided by the Federal Law, the processing of personal data is carried out only upon the written consent of the subject of personal data. The consent in the form of an electronic document signed in accordance with the Federal Law with an electronic signature shall be recognized as equal to the consent in written form on paper containing the handwritten signature of the personal data subject. The written consent of the personal data subject to processing of his/her personal data shall include, inter alia:
1) surname, name, patronymic, address of the personal data subject, number of the main personal identification document, information on the date of issue of the said document and the issuing authority;
2) surname, name, patronymic, address of the representative of the personal data subject, number of the main personal identification document, information on the date of issue of the said document and issuing authority, details of the power of attorney or other document confirming the powers of this representative (in case of obtaining consent from the representative of the personal data subject);
3) name or surname, name, patronymic and address of the Company;
4) the purpose of processing the personal data;
5) a list of personal data for processing of which the consent of the subject of personal data is provided;
6) name or surname, name, patronymic and address of the person, carrying out the processing of personal data under the instruction of the Company, if the processing will be commissioned to such a person;
7) a list of actions with personal data for which consent is given, general description of the methods of personal data processing used by the Operator;
8) the period during which the consent of the personal data subject is valid, as well as the method of its withdrawal, unless otherwise provided for by federal law;
9) signature of the subject of personal data.
5.5.6. In case of incapacity of the personal data subject, the consent to processing of his/her personal data shall be given by the legal representative of the personal data subject.
5.5.7. In case of death of the personal data subject, the consent to processing of his/her personal data shall be given by the heirs of the personal data subject, if such consent was not given by the personal data subject during his/her lifetime.
5.5.8. Personal data may be obtained by the Group of Companies from a person who is not the subject of personal data, at the condition that the Company is provided with confirmation of the grounds specified in paragraphs 2 - 11 of Part 1 of Article 6, paragraphs 2 - 10 of Part 2 of Article 10 and Part 2 of Article 11 of the Federal Law “On Personal Data”.
5.6. Cross-border transfer of personal data
5.6.1. The Cross-border transfer of personal data is not carried out by the Group of Companies.
5.7. Peculiarities of personal data processing authorized by the subject of personal data for dissemination.
5.7.1. The processing of personal data allowed by the subject of personal data for dissemination is carried out on the basis of a corresponding consent of the subject of personal data.
5.7.2. The consent for processing of personal data allowed by the subject of personal data for dissemination is made separately from other consents of the subject of personal data for processing his/her personal data.
5.7.3. The consent contains a list of personal data for each category of personal data mentioned in the consent for processing of personal data allowed by the subject of personal data for dissemination.
5.7.4. The consent for processing of personal data allowed by the subject of personal data for dissemination shall be presented directly to the Company.
5.7.5. Silence or inaction of the personal data subject shall not be considered a consent for processing of personal data authorized for dissemination by the personal data subject.
5.7.6. The consent for processing of personal data allowed by the subject of personal data for dissemination may contain prohibitions on transfer (other than granting access) of these personal data by the Group of Companies to an unlimited number of persons, as well as prohibitions on processing or conditions of processing (other than access) of these personal data by an unlimited number of persons, rightfully set by the personal data subject. The Company shall not refuse the prohibitions and conditions established by the subject of personal data as stipulated by Article 10.1 of the Federal Law “On Personal Data”.
5.7.7. The prohibitions established by the personal data subject on the transfer (except for granting access), as well as on the processing or conditions of processing (except for obtaining access) of personal data authorized by the personal data subject for dissemination shall not apply to cases of personal data processing in the state, public and other public interests defined by the legislation of the Russian Federation.
5.7.8. The transfer (dissemination, provision, access) of personal data authorized by the subject of personal data for dissemination shall be stopped at any time at the request of the subject of personal data. This requirement shall include the surname, first name, patronymic (if available), contact information (telephone number, e-mail address or postal address) of the personal data subject, as well as a list of personal data the processing of which is subject to termination. The personal data mentioned in this requirement may be processed only by the Group of Companies.
5.7.9. The consent of personal data subject for processing of personal data allowed for dissemination by the subject of personal data, is valid till the moment when the Company receives the corresponding requirement.
5.7.10. The above requirements shall not apply to processing of personal data for the purposes of fulfilling the functions, duties and powers imposed by the legislation of the Russian Federation on governmental and municipal organizations and organizations subordinate to them.
5.7.11. On the basis of a written consent, the Company processes the following personal data allowed by the personal data subject for dissemination:
– employees (full name, contact telephones, position).
5.8. Processing of personal data carried out without the use of automation tools
5.8.1. General Provisions
5.8.1.1. Processing of personal data contained in the personal data information system or derived from such a system is considered to be carried out without automation tools (non-automated) if such actions with personal data as their use, specification, dissemination and elimination in respect of each subject of personal data are performed with direct human participation.
5.8.2. Specific features of organization of personal data processing carried out without the use of automation tools
5.8.2.1. Personal data, when processed without the use of automation, shall be separated from other information, in particular, by fixing them on separate material carriers of personal data (hereinafter - material carriers), in special sections or in the fields of forms (blanks).
5.8.2.2. When fixing personal data on a material carrier, it is not allowed to fix the personal data, the processing purposes of which are obviously incompatible, on the same material carrier. For processing of different categories of personal data carried out without the use of means of automation, a separate material carrier is used for each category of personal data.
5.8.2.3. The persons processing personal data without the use of automation (including the Company's employees or persons performing such processing under a contract with the Group of Companies) have been informed of the fact that they are processing the personal data processed by the Group of Companies without the use of automation, of the categories of personal data processed, as well as of the specifics and the rules of such processing established by regulatory legal acts of federal executive authorities, the executive authorities of Subjects of the Russian Federation as well as by the local legal acts of the Company.
5.8.2.4. When using standard forms of documents, the nature of information in which supposes or allows the inclusion of personal data (hereinafter - standard form), the following conditions shall be observed:
a) a standard form or related documents (instructions for its completion, cards, registers and journals) contain the information on the purpose of personal data processing carried out without the use of automation, name and address of the Company, surname, first name, patronymic and address of the personal data subject, a source of obtaining the personal data, the terms of personal data processing, the list of actions with personal data to be performed in the course of their processing, and the general description of the methods of personal data processing used by the Group of Companies;
b) the standard form provides for a fill-in-the-blank field in which the personal data subject can mark his/her consent to processing of the personal data, carried out without the use of automation tools - if it is necessary to obtain a written consent to processing of personal data;
c) the standard form shall be compiled in such a way that each of the personal data subjects contained in the document has the possibility to get acquainted with his/her personal data contained in the document, without violating the rights and legitimate interests of other personal data subjects;
d) the standard form excludes the merging of fields intended for entering personal data, the processing purposes of which are obviously incompatible.
5.8.2.5. The following conditions shall be observed when keeping journals (registers, books) containing personal data required for a single entry of a personal data subject to the territory where the Company is located or for other similar purposes:
a) the necessity to keep such journal (register, book) is stipulated by the Company's act containing information on the purpose of personal data processing carried out without the use of automation, methods of recording and composition of information requested from personal data subjects, list of persons (by name or position) having access to material carriers and responsible for keeping and safekeeping of the journal (register, book), terms of personal data processing, as well as information on the procedure of personal data subject's access to the Company's premises, without confirming the authenticity of personal data reported by the subject of personal data;
b) copying of information contained in such journals (registers, books) is not allowed;
c) personal data of each personal data subject may be entered into such journal (book, register) not more than once in each case of personal data subject's access to the territory where the Company is located.
5.8.2.6. In case of incompatibility of the purposes of personal data processing recorded on one material carrier, if the material carrier does not allow processing of personal data separately from other personal data recorded on the same medium, measures shall be taken to ensure separate processing of personal data, in particular:
a) when it is necessary to use or disseminate certain personal data separately from other personal data on the same material carrier, the personal data to be disseminated or used shall be copied in a way that excludes simultaneous copying of personal data not subject to dissemination and use, and a copy of personal data shall be used (disseminated);
b) when it is necessary to destroy or block a part of personal data, the material carrier shall be destroyed or blocked with preliminary copying of data not subject to destruction or blocking in a way that excludes simultaneous copying of personal data subject to destruction or blocking.
5.8.2.7. Destruction or depersonalization of a part of personal data, if it is allowed by the material carrier, may be performed in a way that excludes further processing of these personal data, while preserving the possibility of processing other data recorded on the material carrier (deletion, erasure). These rules are also applied when it is necessary to provide the separate processing of personal data and information, which is not the personal data, fixed on one material carrier.
5.8.2.8. Specification of personal data during their processing without the use of automation tools is carried out by updating or changing the data on a material carrier, and if this is not allowed by the technical features of the material carrier - by recording on the same material carrier of information about the changes made in them or by producing a new material carrier with the specified personal data.
5.8.3. Measures ensuring security of personal data at their processing carried out without the use of automation tools
5.8.3.1. The processing of personal data carried out without the use of automation tools shall be carried out in such a way that, in relation to each category of personal data, it is possible to determine the personal data (material media) storage places and identify the list of people who process the personal data or have an access to them.
5.8.3.2. Separate storage of personal data (material carriers) processed for different purposes shall be ensured.
5.8.3.3. When storing material carriers, conditions ensuring the security of personal data and excluding unauthorized access to them shall be observed. The list of measures necessary for providing such conditions, the procedure for adopting them and the list of people responsible for implementation of the said measures are established by the Group of Companies.
6. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONDING TO THE SUBJECTS' REQUESTS FOR ACCESS TO PERSONAL DATA
6.1. The personal data subjects’ rights
6.1.1. The right of the personal data subject for access to its personal data
6.1.1.1. The subject of personal data has the right to get information (hereinafter - the information requested by the subject) related to processing of his/her personal data, including, inter alia:
1) confirming the fact of personal data processing by the Group of Companies;
2) legal basis and goals for processing the personal data;
3) purposes of personal data processing and the methods of processing applied by the Company;
4) name and location of the Company, information about the persons (except the Company employees), who have access to the personal data or to whom the personal data may be disclosed based on an agreement with the Group of Companies or based on a Federal Law;
5) the processed personal data related to the corresponding subject of personal data, the source of their receipt, unless another way of presenting these data is provided by the Federal law;
6) the terms of personal data processing, including the terms of their storage;
7) the order of exercising the rights of the subject of personal data, as provided by the Federal Law “On Personal Data”;
8) the information on realized or suspected cross-border data transfer;
9) name or surname, name, patronymic and address of the person, carrying out the processing of personal data under the instruction of the Company, if the processing is commissioned to such a person;
10) the information on the ways in which the Group of Companies fulfills its obligations under Article 18.1 of the Federal Law “On Personal Data”;
11) other information as provided by the Federal Law “On Personal Data” or by other federal laws.
6.1.1.2. The subject of personal data is entitled to receive the requested information, except in the following cases:
– processing of personal data, including personal data obtained as a result of operative, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;
– processing of personal data shall be carried out by the authorities that detained the personal data subject on suspicion of committing a crime, or charged the personal data subject in a criminal case, or applied to the personal data subject a preventive measure prior to the indictment, except for cases provided for by the criminal procedural legislation of the Russian Federation, if the familiarization of the suspect or accused with such personal data is allowed;
– processing of personal data is carried out in accordance with legislation on combating legalization (laundering) of proceeds of crime and financing of terrorism;
– access of a subject of personal data to his/her personal data violates the rights and legitimate interests of third parties;
– processing of personal data is carried out in cases, stipulated by the legislation of the Russian Federation, on transport security, in order to ensure sustainable and safe functioning of the transport complex, to protect the interests of individuals, society and the state in the sphere of the transport complex from acts of unlawful interference.
6.1.1.3. A subject of personal data has a right to require from the Company a specification of his/her personal data, their blocking or elimination in case if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.
6.1.1.4. The information requested by a subject must be provided to the subject of personal data by the Group of Companies in an accessible way and must not contain any personal data related to other personal data subjects, unless there are legitimate grounds for disclosing such personal data.
6.1.1.5. The requested information shall be provided to the subject of personal data or its representative by the Group of Companies within ten working days upon the moment of request or receipt by the Group of Companies of a personal data subject's or his/her representative's request. The specified term may be extended, but not more than for five working days in case the Group of Companies sends a motivated notice to the personal data subject indicating the reasons for extending the term of providing the requested information. The request must contain the number of the main identity document of the personal data subject or his/her representative, information about the date of issue of this document and the issuing authority, information confirming the participation of the personal data subject in relations with the Group of Companies (contract number, date of the contract, conventional word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Group of Companies, signature of the personal data subject or his/her representative (hereinafter - necessary information for the request). The request may be sent as an electronic document signed by an electronic signature according to the Russian Federation legislation. The Company shall provide the requested information to the personal data subject or his/her representative in the form in which the relevant appeal or request was sent, unless otherwise specified in the appeal or request.
6.1.1.6. In case the information requested by the subject, as well as the processed personal data were provided for familiarization to the personal data subject upon his/her request, the personal data subject has the right to reapply to the Company or send a repeated request in order to obtain the information requested by the subject and familiarization with such personal data not earlier than thirty days (hereinafter referred to as the standard term of the request) after the initial application or sending of the initial request, unless a shorter term is established by Federal Law, a regulatory legal act adopted in accordance with it, or an agreement to which the personal data subject is a party, beneficiary or guarantor.
6.1.1.7. The personal data subject has the right to apply to the Company for a second time or send a repeated request for the purpose of obtaining the information requested by the subject, as well as for the purpose of familiarization with the processed personal data, before the expiration of the standard term of the request, in case such information and (or) processed personal data were not provided to him/her for familiarization in full as a result of examination of the initial request. The repeated request, along with the information necessary for the request, must contain a justification for the repeated request.
6.1.1.8. The Company has the right to refuse to fulfill a repeated request of the subject of personal data that does not meet the conditions for a repeated request. This refusal must be motivated. The obligation to provide proof that the refusal to fulfill the repeated request is motivated rests with the Company.
6.1.2. Rights of personal data subjects at processing of their personal data for the purpose of promotion of goods, works, and services on the market, as well as for the purpose of political campaigning
6.1.2.1. The processing of personal data for the purpose of promotion of goods, works, and services on the market by way of direct contacts with potential consumers with the help of means of communication, as well as for the purpose of political campaigning is done only under the condition of prior consent of the subject of personal data. The said processing of personal data shall be recognized as being carried out without prior consent of the personal data subject, unless the Company proves that such consent was obtained. The Company shall immediately cease the said processing of personal data at the request of the personal data subject.
6.1.3. Rights of personal data subjects when making decisions on the basis of exclusively automated processing of their personal data
6.1.3.1. The Company doesn’t take any decisions on the basis of exclusively automated processing of personal data, giving rise to legal consequences in relation to the subject of personal data or otherwise affecting his/her rights and legitimate interests.
6.1.4. Right to appeal against actions or inaction of the Company
6.1.4.1. If a personal data subject believes that the Company processes his/her personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal the Company's actions or omissions to the authorized body for protection of the rights of personal data subjects or in court.
6.1.4.2. A subject of personal data has the right to protection of his/her rights, including reimbursement of losses and (or) compensation for moral injury, in court.
6.2. Obligations of the Company
6.2.1. Obligations of the Company at collection of personal data
6.2.1.1. When collecting personal data, the Company provides the personal data subject, at his/her request, with the requested information regarding the processing of his/her personal data in accordance with part 7 of Article 14 of the Federal Law “On Personal Data”.
6.2.1.2. If, in accordance with the Federal Law, providing personal data and (or) obtaining consent to process personal data by the Group of Companies is mandatory, the Company shall explain to the subject of personal data the legal consequences of refusal to provide his/her personal data and (or) consent to their processing.
6.2.1.3. If personal data are not received from a personal data subject, the Company shall provide the personal data subject with the following information (hereinafter referred to as the information to be communicated upon receipt of personal data not from a personal data subject) prior to the commencement of processing of such personal data:
1) name or surname, first name, patronymic and address of the Company or the Company’s representative;
2) legal basis and purposes for processing the personal data;
3) the list of personal data;
4) the intended users of personal data;
5) the rights of the subject of personal data established by the Federal Law “On Personal Data”;
6) the source of personal data.
6.2.1.4. The Company shall not provide the subject with the information communicated upon receipt of personal data not from the subject of personal data, in cases where:
1) the subject of personal data is informed on processing of his/her personal data by the Group of Companies;
2) the personal data are obtained by the Group of Companies based on the Federal Law or in connection with execution of a contract to which the personal data subject is a party, beneficiary or guarantor;
3) the processing of personal data authorized by the personal data subject for dissemination shall be carried out in compliance with the prohibitions and conditions stipulated in Article 10.1 of the Federal Law “On Personal Data”;
4) the Company processes personal data for statistical or other research purposes, to carry out professional activities of a journalist or scientific, literary or other creative activities, if the rights and legitimate interests of the subject of personal data are not violated;
5) providing the personal data subject with information communicated when receiving personal data not from the personal data subject violates the rights and legitimate interests of third parties.
6.2.1.5. When collecting personal data, including through the information and telecommunications network “Internet”, the Company shall ensure recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation, using databases located in the territory of the Russian Federation, in accordance with part 5 of article 18 of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data”.
6.2.1.6. Location of the data processing center(s) and information about the organization responsible for data storage are determined by internal documents of the Company.
6.2.2. Measures to ensure that the Group of Companies fulfills its responsibilities
6.2.2.1. The Company shall take measures necessary and sufficient to ensure the fulfillment of its responsibilities. The Company shall independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of responsibilities, unless otherwise provided for by federal laws. Such measures, in particular, include:
1) appointment of a person responsible for organization of personal data processing;
2) issue of the Policy, the local acts related to personal data processing, as well as the local acts establishing procedures and directed to prevention and detection of violations of the legislation of the Russian Federation, and elimination of the consequences of such violations. Such documents and local acts may not contain any provisions limiting the rights of personal data subjects, as well as those imposing the Company with powers and duties not provided by the legislation of the Russian Federation;
3) application of legal, organizational and technical measures to ensure the security of personal data;
4) internal control and (or) audit of compliance of personal data processing with personal data protection requirements, Policy, and local acts of the Company;
5) assessment of the damage that may be caused to personal data subjects in case of violation of the Federal Law “On Personal Data”, the correlation between this damage and the measures taken by the Group of Companies aimed at ensuring the fulfillment of obligations under the Federal Law “On Personal Data”;
6) familiarization of the Company's employees directly involved in personal data processing, with the provisions of the Russian Federation legislation on personal data, including requirements to personal data protection, documents, Policies, local acts on personal data processing, and (or) training of such employees.
6.2.3. Measures to ensure security of personal data at their processing
6.2.3.1. When processing personal data, the Company undertakes all necessary legal, organizational and technical measures or ensures their undertaking in order to protect personal data from an unlawful or unintentional access to them, their elimination, change, blocking, copying, provision, dissemination, as well as other unlawful actions in relation to personal data.
6.2.3.2. The personal data security shall be achieved, in particular:
1) by identification of threats to personal data during their processing in personal data information systems;
2) by application of organizational and technical measures to ensure personal data security at their processing in personal data information systems, necessary to fulfill the requirements on protection of personal data, the fulfillment of which provides the levels of personal data security established by the Government of the Russian Federation;
3) by application of information protection means that have undergone the established conformity assessment procedure;
4) by the assessment of undertaken personal data security measures effectiveness before putting in operation the personal data information system;
5) by accounting for machine-readable personal data carriers;
6) by monitoring the facts of unauthorized access to personal data and taking appropriate measures;
7) by restoration of personal data modified or destroyed in case of unauthorized access to them;
8) by establishing the rules of access to personal data processed in personal data information system, as well as by provision of registration and accounting of all actions performed with personal data in the personal data information system;
9) by control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems.
6.2.4. Obligations of the Company at contact by a personal data subject or at receipt of a request from a personal data subject or his/her representative, as well as of an authorized body on protection of the rights of personal data subjects
6.2.4.1. The Company shall inform the personal data subject or his/her representative in accordance with the established procedure about the availability of personal data relating to the respective personal data subject, and shall provide an opportunity to familiarize with such personal data upon request of the personal data subject or his/her representative, or within ten working days from the date of receipt of the request of the personal data subject or his/her representative. The specified term may be extended, but not more than for five working days in case the Group of Companies sends a motivated notice to the personal data subject indicating the reasons for extending the term of providing the requested information.
6.2.4.2. In case of refusal to provide information on the availability of personal data on the respective personal data subject or personal data to the personal data subject or his/her representative upon their application or upon receipt of the request of the personal data subject or his/her representative, the Company shall provide a reasoned response in writing within a period not exceeding ten working days from the date of application of the personal data subject or his/her representative or from the date of receipt of the request of the personal data subject or his/her representative. The specified term may be extended, but not more than for five working days in case the Group of Companies sends a motivated notice to the personal data subject indicating the reasons for extending the term of providing the requested information.
6.2.4.3. The Company shall provide free of charge to the subject of personal data or his/her representative the opportunity to familiarize with personal data related to this subject of personal data. Within a period not exceeding seven business days from the date of submission by the personal data subject or his/her representative of information confirming that the personal data are incomplete, inaccurate or irrelevant, the Company shall make the necessary changes to them. Within a period not exceeding seven business days from the date of submission by the personal data subject or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the Company shall destroy such personal data. The Company informs the personal data subject or his/her representative on the changes made and undertaken measures and takes reasonable measures to inform the third parties, to whom the subject's personal data were disclosed.
6.2.4.4. The Company shall report to the authorized body for protection of the rights of personal data subjects at the request of this body the necessary information within ten working days from the date of receipt of such request. The specified term may be extended, but not more than for five working days in case the Group of Companies sends a motivated notice to the personal data subject indicating the reasons for extending the term of providing the requested information.
6.2.5. Obligations of the Company to eliminate violations of the law committed during personal data processing, to clarify, block and destroy personal data
6.2.5.1. In case of detection of unlawful processing of personal data at the request of a personal data subject or his/her representative or at the request of a personal data subject or his/her representative or the authorized body for the protection of the rights of personal data subjects, the Company shall block the unlawfully processed personal data related to this personal data subject, or ensure their blocking (if personal data processing is performed by another person acting on behalf of the Company) from the moment of such request or receipt of the said request for the period of verification. In case of detection of unlawful processing of personal data at the request of a personal data subject or his/her representative or at the request of a personal data subject or his/her representative or the authorized body for the protection of the rights of personal data subjects, the Company shall block the unlawfully processed personal data related to this personal data subject, or ensure their blocking (if personal data processing is performed by another person acting on behalf of the Company) from the moment of such application or receipt of the said request for the period of verification if the blocking of personal data doesn’t violate the lawful rights of the subject of personal data or of the third parties.
6.2.5.2. In case of confirmation of the fact of inaccuracy of personal data, the Company shall, on the basis of information submitted by the personal data subject or his/her representative or the authorized body for protection of the rights of personal data subjects, or other necessary documents, clarify personal data or ensure their clarification (if personal data processing is performed by another person acting on behalf of the Company) within seven working days from the date of submission of such information and remove the blocking of personal data.
6.2.5.3. In case of detection of unlawful processing of personal data by the Group of Companies or by a person acting on behalf of the Company, the Company shall, within a period not exceeding three working days from the date of such detection, stop unlawful processing of personal data or ensure termination of unlawful processing of personal data by a person acting on behalf of the Company. If it is impossible to ensure the lawfulness of personal data processing, the Company shall, within a period not exceeding ten business days from the date of detection of unlawful processing of personal data, destroy such personal data or ensure their destruction. The Company shall notify the personal data subject or his/her representative on elimination of the admitted violations or destruction of personal data, and if the personal data subject's or his/her representative's appeal or request of the authorized body for protection of the rights of personal data subjects was sent by the authorized body for protection of the rights of personal data subjects, the said body is also notified.
6.2.5.4. If the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of personal data subjects is established, the Company shall notify the authorized body for protection of the rights of personal data subjects from the moment such incident is detected by the Group of Companies, the authorized body for protection of the rights of personal data subjects or any other interested party:
1) within twenty-four hours, on the incident that occurred, on the alleged reasons that led to the violation of the rights of personal data subjects and on the alleged harm caused to the rights of personal data subjects, and of the measures taken to eliminate the consequences of the incident, as well as the person authorized by the Group of Companies to interact with the authorized body for the protection of the rights of personal data subjects on the issues related to the identified incident;
2) within seventy-two hours, on the results of internal investigation of the identified incident, as well as the persons whose actions caused the identified incident (if any).
6.2.5.5. If the purpose of personal data processing is achieved, the Company shall stop processing personal data or ensure its termination (if personal data processing is performed by another person acting on behalf of the Company) and destroy personal data or ensure its destruction (if personal data processing is performed by another person acting on behalf of the Company) within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided for by the agreement, to which the personal data subject is a party, beneficiary or guarantor, by other agreement between the Group of Companies and the personal data subject, or if the Company has no right to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws.
6.2.5.6. If the purpose of personal data processing is achieved, the Company shall stop processing personal data or ensure its termination (if personal data processing is performed by another person acting on behalf of the Company) and destroy personal data or ensure its destruction (if personal data processing is performed by another person acting on behalf of the Company) within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided for by the agreement, to which the personal data subject is a party, beneficiary or guarantor, by other agreement between the Group of Companies and the personal data subject, or if the Company has no right to process personal data without the consent of the personal data subject on the grounds provided for by the Federal Law “On Personal Data” or other federal laws.
6.2.5.7. In case the personal data subject requests the Company to stop processing of personal data, the Company shall, within a period not exceeding ten working days from the date of receipt of the relevant request, stop processing of personal data or ensure the cessation of such processing (if such processing is carried out by a person processing personal data), except for the cases provided for by paragraphs 2 - 11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of the Federal Law “On Personal Data”. The specified term may be extended, but not more than for five working days in case the Group of Companies sends a motivated notice to the personal data subject indicating the reasons for extending the term of providing the requested information.
6.2.5.8. If it is not possible to destroy the personal data within the specified period of time, the Company shall block such personal data or ensure their blocking (if personal data processing is performed by another person acting on behalf of the Company) and ensure the destruction of personal data within a period not exceeding six months, unless another period is established by federal laws.
6.2.6. Notice of processing (of the intent to process) personal data
6.2.6.1. The Company, except for the cases provided by Federal Law “On Personal Data”, shall inform the authorized body on protection of the rights of personal data subjects on their intention to carry out the personal data processing before the beginning of personal data processing.
6.2.6.2. The notice shall be sent on paper or in the form of an electronic document and signed by an authorized person. The notice contains the following information:
1) name (surname, name, patronymic) and address of the Company;
2) the purpose of processing the personal data;
3) description of measures, including the information on availability of encryption (cryptographic) tools and the names of these tools;
4) surname, name, patronymic of a natural person or name of a legal entity responsible for the organization of personal data processing and their contact telephone numbers, postal addresses and e-mail addresses;
5) the date of beginning the processing of personal data;
6) the term or conditions for cessation of personal data processing;
7) information on absence or availability of personal data cross-border transfer in the process of their processing;
8) information on the location of the database containing the personal data of the Russian Federation citizens;
9) surname, name, patronymic of a natural person or name of a legal entity having an access and (or) carrying out, based on a contract, processing of the personal data contained in state and municipal information systems;
10) information on ensuring of personal data security in compliance with the requirements on personal data protection established by the Government of the Russian Federation.
6.2.6.3. If the said information changes, the Company shall, not later than on the 15th day of the month following the month in which such changes appeared, inform the authorized body of personal data subjects’ rights protection about all the changes that took place within the said period. In case of cessation of personal data processing, the Company shall inform the authorized body of personal data subjects’ rights protection about it within ten business days from the date of cessation of personal data processing.
7. AREAS OF RESPONSIBILITIES
7.1. Persons responsible for organization of personal data processing in organizations
7.1.1. The Company shall appoint a person responsible for organization of personal data processing.
7.1.2. The person responsible for organization of personal data processing shall be instructed directly by the executive body of the operator organization and is accountable to it.
7.1.3. The Company provides the necessary information to the person responsible for organization of personal data processing.
7.1.4. The person responsible for organization of personal data processing carries out, in particular, the following functions:
1) exercises internal control over the compliance of the Group of Companies and its employees to the Russian Federation legislation on personal data, including the requirements to personal data protection;
2) brings to the attention of the Company employees provisions of the Russian Federation legislation on personal data, of local acts on the issues of personal data processing, and the requirements to personal data protection;
3) organizes receipt and processing of applications and requests of personal data subjects or their representatives and (or) exercises control over the receipt and processing of such applications and requests.
7.2. Liability
7.2.1. Persons guilty of violating the requirements of the Federal Law “On Personal Data” shall bear the liability provided for by the legislation of the Russian Federation.
7.2.2. Moral damage caused to the subject of personal data due to violation of his/her rights, violation of the rules of personal data processing established by the Federal Law “On Personal Data”, as well as requirements to personal data protection established in accordance with the Federal Law “On Personal Data”, shall be compensated in accordance with the legislation of the Russian Federation. Compensation of moral damage shall be carried out independently from compensation of property damage and losses incurred by the subject of personal data.
8. KEY RESULTS
In achieving the objectives, the following results are expected:
– ensuring the protection of the rights and freedoms of personal data subjects during the processing of their personal data by the Group of Companies;
– increase of the general level of information security of the Company;
– minimization of legal risks of the Company.
9. LINKING POLICIES
There are no linking policies.