Basic Concepts Used in the Policy

Automated Processing of Personal Data — processing of personal data using computer technology;

Blocking of Personal Data — temporary cessation of personal data processing (except for cases where processing is necessary to clarify personal data);

Destruction of Personal Data — actions resulting in the impossibility of restoring the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;

Personal Data Information System — a set of personal data contained in databases and information technologies and technical means ensuring their processing;

Depersonalization of Personal Data — actions resulting in the impossibility of determining the belonging of personal data to a specific personal data subject without the use of additional information;

Processing of Personal Data — any action (operation) or set of actions (operations) performed with personal data, using automation tools or without their use.

Personal Data Operator — a state body, municipal body, legal entity or individual who independently or jointly with other persons organizes and (or) carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data;

Personal Data — any information relating to a directly or indirectly identified or identifiable individual (personal data subject);

Provision of Personal Data — actions aimed at disclosing personal data to a specific person or a specific circle of persons;

Personal Data Subject — an individual who is directly or indirectly identified, or identifiable using personal data;

Dissemination of Personal Data — actions aimed at disclosing personal data to an indefinite circle of persons;

Cross-Border Transfer of Personal Data — transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual or foreign legal entity.

1. General Provisions

1.1. This document (hereinafter referred to as the Policy) defines the policy regarding the processing of personal data of Individual Entrepreneur Shushpanov Anton Vladimirovich, Taxpayer Identification Number (INN) 110314238613, Primary State Registration Number (OGRN) 320911200033082, located at: 295017, Simferopol. (hereinafter referred to as the Operator).

1.2. This Policy has been developed in compliance with the requirements of Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the Personal Data Law).

1.3. The concepts contained in Article 3 of the Personal Data Law are used in this Policy with the same meaning.

1.4. This Policy applies to all operations performed by the Operator with personal data using automation tools or without their use.

1.5. Basic rights and obligations of the Operator.

1.5.1. The Operator has the right to:

• Process personal data in accordance with the procedure established by the current legislation of the Russian Federation;
• Consider appeals of the personal data subject (his/her legal representative) regarding the processing of personal data and provide reasoned responses;
• Provide the personal data subject (his/her legal representative) with the opportunity for free access to his/her personal data;
• Take measures to clarify, destroy the personal data of the personal data subject in connection with his/her (his/her legal representative's) appeal with lawful and justified requirements;
• Organize the protection of personal data in accordance with the requirements of the legislation of the Russian Federation.

1.6. Basic rights and obligations of personal data subjects:

1.6.1. Personal data subjects have the right to:

• Complete information about their personal data processed by the Operator;
• Access to their personal data, including the right to receive a copy of any record containing their personal data, except in cases provided for by federal law;
• Clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained or are not necessary for the stated purpose of processing;
• Withdraw consent to the processing of personal data;
• Take measures provided by law to protect their rights;
• Exercise other rights provided for by the legislation of the Russian Federation.

1.6.2. Personal data subjects are obliged to:

• Provide the Operator with only reliable data about themselves;
• Provide documents containing personal data in the volume necessary for the purpose of processing;
• Notify the Operator about the clarification (update, change) of their personal data.

1.6.3. Persons who provided the Operator with false information about themselves, or information about another personal data subject without the latter's consent, bear responsibility in accordance with the legislation of the Russian Federation.

2. Scope and Categories of Processed Personal Data, Categories of Personal Data Subjects

2.1. The Operator may process personal data of the following personal data subjects:

• Employees of the Operator, former employees, candidates for vacant positions, as well as relatives of employees;
• Clients and contractors of the Operator (individuals);
• Representatives/employees of the Operator's clients and contractors (legal entities);
• Visitors of the Operator's website(s) (hereinafter referred to as the Website and Websites);
• Clients of the Operator who contacted by phone or hotline.

2.2. The personal data processed by the Operator include:

2.2.1. If the personal data subjects are employees of the Operator, former employees, candidates for vacant positions, as well as relatives of employees:

• Surname, first name, patronymic of the personal data subject;
• Date and place of birth;
• Citizenship information;
• Permanent registration address;
• Actual residence address;
• Marital status;
• Information about the passport of a citizen of the Russian Federation and foreign passports;
• Information about driver's license;
• Information about military duty status;
• Education information;
• Professional activity information;
• Information about close relatives (degree of kinship, surname, first name, patronymic, date and place of birth, home address, place of work, study);
• Mobile phone number;
• Email address (e-mail).

2.2.2. If the personal data subjects are clients of the Operator (individuals):

• Surname, first name, patronymic of the personal data subject;
• Date and place of birth;
• Citizenship information;
• Permanent registration address;
• Actual residence address;
• Information about the document confirming the identity of a citizen of the Russian Federation (series, number, issued by);
• Mobile phone number;
• Email address (e-mail);
• Health status information;
• Other personal data necessary for the performance of contractual obligations.

2.2.3. If the personal data subjects are contractors of the Operator (individuals providing services under a contract without forming a legal entity (self-employed, individual entrepreneurs)):

• Surname, first name, patronymic of the personal data subject;
• Date and place of birth;
• Citizenship information;
• Permanent registration address;
• Actual residence address;
• Information about the passport of a citizen of the Russian Federation;
• Mobile phone number;
• Email address (e-mail);
• Other personal data necessary for the performance of contractual obligations.

2.2.4. If the personal data subjects are representatives/employees of the Operator's clients and contractors (legal entities):

• Surname, first name, patronymic of the personal data subject;
• Date and place of birth;
• Permanent registration address;
• Actual residence address;
• Information about the passport of a citizen of the Russian Federation;
• Mobile phone number;
• Email address (e-mail);
• Other personal data necessary for the performance of contractual obligations.

2.2.5. If the personal data subjects are visitors of the Operator's website(s):

• Surname, first name, patronymic of the personal data subject;
• Date of birth;
• Email address (e-mail);
• Cookie files;
• Mobile phone number.

2.2.6. If the personal data subjects are clients of the Operator who contacted by phone or hotline:

• Surname, first name, patronymic of the personal data subject;
• Recording of the telephone conversation;
• Phone number;
• Email address (e-mail).

2.3. The Operator ensures that the content and volume of processed personal data correspond to the stated purposes of processing and, if necessary, takes measures to eliminate their redundancy in relation to the stated purposes of processing.

2.4. The Operator processes biometric personal data subject to the written consent of the relevant personal data subjects, as well as in other cases provided for by the legislation of the Russian Federation.

2.5. The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, intimate life.

2.6. The Operator does not carry out cross-border transfer of personal data.

3. Purposes of Personal Data Collection

Personal data are processed by the Operator for the following purposes:

• Conclusion of any contracts with personal data subjects and their further execution;
• Provision of services and products to personal data subjects, as well as information about the development of new products and services by the Operator, including advertising materials;
• Feedback with personal data subjects, including processing their requests and appeals, informing about the Operator's activities;
• Control and improvement of the quality of the Operator's services and products, including those offered on the Website (Websites);
• Personnel work and accounting of the Operator's employees, regulation of labor and other directly related relations;
• Attraction and selection of candidates for employment;
• Formation of statistical reports;
• Conducting economic activities;
• Performance of other functions, powers and duties imposed on the Operator by the legislation of the Russian Federation.

4. Legal Grounds for Personal Data Processing

4.1. The legal grounds for the processing of personal data by the Operator are:

• "Constitution of the Russian Federation" (adopted by popular vote on 12.12.1993 with amendments approved during the all-Russian vote on 01.07.2020);
• "Labor Code of the Russian Federation" No. 197-FZ dated 30.12.2001 (as amended on 30.04.2021) (with amendments and additions, effective from 01.05.2021) Civil Code of the Russian Federation (CC RF) No. 51-FZ dated 30.11.1994;
• Federal Law No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection";
• Law of the Russian Federation No. 2124-1 dated December 27, 1991 "On Mass Media";
• Federal Law No. 294-FZ dated December 26, 2008 "On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Exercise of State Control (Supervision) and Municipal Control";
• Decree of the President of the Russian Federation No. 188 dated March 6, 1997 "On Approval of the List of Confidential Information";
• Decree of the Government of the Russian Federation No. 512 dated July 6, 2008 "On Approval of Requirements for Material Carriers of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems";
• Decree of the Government of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on the Features of Personal Data Processing Carried Out Without the Use of Automation Tools";
• Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 "On Approval of Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems";
• Order of the Federal Service for Technical and Export Control (FSTEC) of Russia No. 21 dated February 18, 2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems";
• Constituent documents of the Operator;
• Contracts concluded between the Operator and personal data subjects;
• Consent of personal data subjects to the processing of personal data;
• Other grounds when consent to the processing of personal data is not required by law.

5. Procedure and Conditions for Personal Data Processing

5.1. The processing of personal data by the Operator is carried out in the following ways:

• Non-automated processing of personal data;
• Automated processing of personal data — processing of personal data using computer technology (Clause 4, Article 3 of 152-FZ).

5.2. List of actions performed by the Operator with personal data: collection, systematization, accumulation, storage, clarification (updating, modification), use, dissemination (including transfer), depersonalization, blocking, destruction, as well as performing any other actions in accordance with the current legislation of the Russian Federation.

5.3. The processing of personal data is carried out by the Operator subject to obtaining the consent of the personal data subject (hereinafter referred to as the Consent), except for cases established by the legislation of the Russian Federation, when the processing of personal data can be carried out without such Consent.

5.4. The personal data subject makes the decision to provide his/her personal data and gives Consent freely, by his/her own will and in his/her own interest.

5.5. Consent is given in any form that allows confirming the fact of its receipt. In cases provided for by the legislation of the Russian Federation, Consent is formalized in writing.

5.6. The condition for termination of personal data processing may be the achievement of the purposes of personal data processing, the expiration of the Consent validity period or the withdrawal of Consent by the personal data subject, as well as the identification of unlawful processing of personal data.

5.7. Consent may be withdrawn by written notification sent to the Operator's address by registered mail.

5.8. The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by Federal Law, on the basis of a concluded agreement. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by 152-FZ "On Personal Data" and this Policy.

In accordance with the requirements of 152-FZ "On Personal Data", agreements with persons processing personal data on behalf of the Operator define the list of actions (operations) with personal data that will be performed by the person processing personal data, and the purposes of processing, establish the obligations of such person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and specify the requirements for the protection of processed personal data in accordance with Article 19 of 152-FZ "On Personal Data". The list of third parties is approved by order and provided upon written request.

5.9. When processing personal data, the Operator takes or ensures the taking of necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions regarding personal data.

5.10. Storage of personal data is carried out in a form that allows identifying the personal data subject for a period no longer than required by the purposes of personal data processing, except in cases where the storage period for personal data is established by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor.

5.11. When storing personal data, the Operator uses databases located on the territory of the Russian Federation.

5.12. The terms of personal data processing are determined taking into account:

• The established purposes of personal data processing;
• The terms of contracts with personal data subjects and consents of personal data subjects to the processing of their personal data;
• Order of the Federal Archival Agency (Rosarchive) No. 236 dated 20.12.2019 "On Approval of the List of Typical Administrative Archival Documents Generated in the Course of Activities of State Bodies, Local Self-Government Bodies and Organizations, with Indication of Their Storage Periods" (Registered with the Ministry of Justice of Russia on 06.02.2020 No. 57449);
• The storage periods for documentation established by the internal regulatory acts of the Operator.

Termination of personal data processing is carried out upon the expiration of the established terms of personal data processing, upon withdrawal of the personal data subject's consent to the processing of his/her personal data (except for cases when the Operator has the right to continue processing personal data on another legal basis), upon achievement of the purpose of personal data processing or loss of necessity to achieve the purpose, as well as upon identification of unlawful processing of personal data.

6. Updating, Correction, Deletion and Destruction of Personal Data, Responses to Requests of Personal Data Subjects for Access to Personal Data

6.1. The personal data subject has the right to contact the Operator on issues of processing his/her personal data in the following cases:

• To obtain information regarding the processing of his/her (the subject's) personal data;
• To clarify his/her personal data, block or destroy them if they are incomplete, outdated, inaccurate, unlawfully obtained or are not necessary for the stated purpose of processing;
• To file a complaint about unlawful processing of his/her (the subject's) personal data;
• To withdraw his/her consent to the processing of personal data.

6.2. According to the requirements of 152-FZ "On Personal Data", the request must contain, in particular:

• Series, number of the identity document of the personal data subject (his/her representative), information about the date of issue of the specified document and the issuing authority;
• Information confirming the participation of the personal data subject in relations with the Operator (contract number, contract conclusion date, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;
• Signature of the personal data subject (his/her representative);
• In case the request is sent by a representative of the personal data subject, it must contain a document (copy of the document) confirming the authority of this representative.

6.3. In case of withdrawal by the personal data subject of the consent given by him/her to the processing of personal data, the corresponding request must comply with the conditions specified in such consent.

The response to the request is sent to the personal data subject or his/her representative within a period not exceeding 30 (thirty) days from the date of application.

6.4. In case of refusal to provide information or perform the action reflected in the request, a reasoned response is sent to the subject containing a reference to the provision of Part 8, Article 14 of 152-FZ "On Personal Data" or another federal law that is the basis for such refusal, within a period not exceeding 30 (thirty) days from the date of application of the personal data subject or his/her representative.

6.5. The personal data subject may reapply to the Operator to obtain information regarding the processing of his/her (the subject's) personal data no earlier than 30 (thirty) days after the initial application or sending the initial request. If the personal data subject was provided with incomplete information based on the results of consideration of the initial appeal, the subject may reapply to the Operator earlier than the established period, indicating the justification for sending a repeated request.

6.6. The Operator has the right to refuse the personal data subject to fulfill a repeated request if there is evidence of the validity of the refusal.

6.7. In case of identification of unlawful processing of personal data or inaccurate personal data, the Operator ensures the blocking of personal data (including during processing of personal data by another person acting on behalf of the Operator), for the period of verification.

6.8. In case of confirmation of the fact of inaccuracy of personal data, the Operator ensures the clarification of personal data (including during processing of personal data by another person acting on behalf of), within 7 (seven) working days from the date of submission of such information and removes the blocking of personal data.

6.9. In case of identification of unlawful processing of personal data, the Operator, within a period not exceeding 3 (three) working days from the date of such identification, ensures the termination of unlawful processing of personal data (including during processing of personal data by another person acting on behalf of). If it is impossible to ensure the lawfulness of personal data processing, the Operator, within a period not exceeding 10 (ten) working days from the date of identification of unlawful processing of personal data, is obliged to destroy such personal data or ensure their destruction. The Operator is obliged to notify the personal data subject or his/her representative, or the authorized body for the protection of the rights of personal data subjects (if the request was sent by the said body) about the elimination of the violations committed or the destruction of personal data.

6.10. In case of withdrawal by the personal data subject of consent to the processing of his/her personal data, the Operator ensures the destruction of personal data (including during processing of personal data by a third party acting on behalf of), within a period not exceeding 30 (thirty) days from the date of receipt of the specified withdrawal (except for cases of reasoned refusal to withdraw consent established by the legislation of the Russian Federation).

6.11. Upon expiration of the storage periods for personal data, the Operator ensures the destruction of personal data (including during processing of personal data by a third party acting on behalf of), within a period not exceeding 30 (thirty) days.

6.12. In case of impossibility to destroy personal data within the established period, the Operator ensures the blocking of such personal data (including during processing of personal data by a third party acting on behalf of), and ensures the destruction of personal data within a period not exceeding 6 (six) months, unless another period is established by the legislation of the Russian Federation.

7. Ensuring Confidentiality and Security of Personal Data During Their Processing

7.1. The security of personal data processed by the Operator is ensured by taking legal, organizational and technical measures determined by the current legislation of the Russian Federation, as well as internal regulatory documents of the Operator in the field of information protection.

7.2. The Operator's provision of protection of personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions regarding personal data is achieved, in particular, by the following measures taken:

• Appointment of a person responsible for organizing the processing of personal data;
• Appointment of a person responsible for ensuring the security of personal data processed in personal data information systems;
• Determination of the list of employees who have access to personal data;
• Development and approval of organizational and administrative documents defining the procedure for processing personal data;
• Determination of the list of storage locations for material carriers of personal data;
• Organization of the procedure for destruction of personal data upon expiration of their processing period;
• Accounting for machine carriers of personal data;
• Determination of threats to the security of personal data during their processing, formation of a threat model based on them;
• Conducting internal checks on compliance with the requirements for ensuring the security of personal data;
• Familiarization of the Operator's employees who process personal data with the requirements of the legislation of the Russian Federation, organizational and administrative documents defining the procedure for processing and ensuring the security of personal data;
• Increasing the level of awareness of employees about the requirements for ensuring the security of personal data;
• Assessment of the harm that may be caused to personal data subjects in case of violation of 152-FZ "On Personal Data", correlation of the specified harm and the measures taken aimed at ensuring the fulfillment of the obligations provided for by 152-FZ "On Personal Data";
• Physical protection of premises where personal data processing is carried out (access control, electronic access system to premises, video surveillance);
• Ensuring antivirus protection of personal data information systems;
• Regular updating of software;
• Protection of network infrastructure (access control, network firewalling);
• Ensuring fault tolerance and backup;
• Determination of rules for access to personal data processed in personal data information systems;
• Registration and accounting of information security events;
• Determination of the procedure for responding to information security incidents;
• Conducting external penetration testing;
• Application of information protection means that have passed the conformity assessment procedure in accordance with the established procedure;
• Assessment of the effectiveness of the measures taken to ensure the security of personal data before putting the personal data information system into operation.

7.3. Ensuring the confidentiality of personal data processed by the Operator is a mandatory requirement for all employees of the Operator admitted to the processing of personal data in connection with the performance of their job duties. All employees who have current employment relations, whose activities are related to the receipt, processing and protection of personal data, sign a non-disclosure agreement, undergo briefings on ensuring information security against signature and bear personal responsibility for compliance with the requirements for processing and ensuring the security of personal data.

8. Final Provisions

8.1. All relations concerning the processing of personal data not reflected in this Policy are regulated in accordance with the provisions of the legislation of the Russian Federation.

8.2. The Operator has the right to make changes to this Policy. The new version of the Policy comes into force from the moment of its approval.