Personal Data Processing and Protection Policy

I. General provisions

1. This Policy is based on the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, the federal laws “On the Ratification of the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data”, “On Personal Data”, “On Information, Information Technologies and Information Protection” and other regulations of the Russian Federation.

2. This Policy stipulates a set of principles and rules that regulates the activities related to the processing and protection of personal data by ROSEXPERT-PERSONAL JSC (the "Company").

3. The Company shall publish this Policy or otherwise provide unlimited access to the hereto.

4. Terms and definitions used in this Policy:

Personal data – any information related to directly or indirectly identified or identifiable individual (Data Subject).

Special Categories of Personal Data– personal information of Data Subjects related to race, ethnicity, political views, religious or philosophical beliefs, state of health, and intimate life;

Biometric Personal Data – information that characterizes physiological and biological specifics of an individual, on the bases of which it is possible to identify such person and which is used by the Operator to establish the identity of the Data Subject;

Operator – a state authority, a municipal authority, a legal entity or an idividual, who individually or jointly with other persons arrange and/or perform Personal Data Processing, as well as determine the purposes of Personal Data Processing, the scope of Personal Data subject to processing and actions (operations) performed with Personal Data;

Personal Data Processing – any action (operation) or a set of actions (operations) performed with Personal Data, weather automated or non-automated, including collection, recording, systematization, accumulation, storage, modification (updating and alteration), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and distruction of Personal Data.

Automated Personal Data Processing – Personal Data Processing using computer equipment.

Personal Data Provision - actions aimed at disclosure of Personal Data to a particular person or a particular group of persons.

Personal Data Blocking - temporary suspension of Personal Data Processing (except where processing is required for Personal Data modification).

Personal Data Destruction – actions resulting in impossibility to restore the Personal Data contained in the Personal Data Information System and/or destructing the tangible carriers of Personal Data.

Personal Data Information System – a set of Personal Data contained in the personal databases, and information technologies and technical means which ensure Personal Data processing.

Cross-Border Transfer of Personal Data– a transfer of Personal Data to the territory of a foreign country, to a foreign state of authority, a foreign individual or a foreign legal entity.

User of Company Services – an individual or a legal entity that uses the services rendered by the Company;

Personal Data Confidentiality- a requirement binding for the Operator to disclose Personal Data to third parties and not to disseminate and prevent any dissemination thereof without Data Subject consent or another lawful ground;

Data Subject Representative – a Data Subject's representative as defined by applicable laws.

5. Personal Data of Personal Data Subjects are confidential information, except in cases provided for by applicable laws.

II. Purposes of Personal Data Processing

6. Personal Data of the Data Subject may be processed for the following purposes:

performance of provisions of the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, the Tax Code of the Russian Federation and other regulations of the Russian Federation;
making a decision concerning the hiring of a candidate by the Company or a User of Company Services;
conclusion and performance of employment contracts, non-state pension plan contracts, and compulsory pension insurance contracts;
conclusion and performance of civil law contracts for the provision of services by the Company.

III. Principles and Terms of Personal Data Processing

7. When processing the Personal Data, the Company takes into consideration the necessity to protect the rights and freedoms of the Data Subjects, including protection of the right to privacy, personal and family secrets. Personal Data Processing is based on the following principles:

Personal Data Processing shall be carried out in a lawful and fair manner.
Personal Data Processing shall be limited to achieving specific, predefined and legitimate purposes. Personal Data may not be incompatible with purposes for which they are collected.
databases containing Personal Data processed for incompatible purposes may not be merged.
only Personal Data corresponding to the purposes of processing can be processed.
the content and scope of the processed Personal Data shall correspond to the declared processing purposes. The scope of processed Personal Data shall not be excessive for the declared purposes of their processing.
Personal Data subject to processing shall be accurate and sufficient and where appropriate relevant for the processing purposes. The Company shall take actions required to delete or modify incomplete or inaccurate Personal Data or ensure such actions are taken.
Personal Data shall be stored in such a form allowing to identify the Data Subject, for no longer than needed for the purposes of Personal Data Processing, unless the Personal Data storage period is stipulated by a federal law or a contract a party, beneficiary or a guarantor to which is the Data Subject.
the processed Personal Data shall be destructed or depersonalized upon achievement of the processing purposes or in the event it is no longer necessary to achieve these purposes, unless otherwise is provided for by the applicable federal law.

8. The Company processes Personal Data in the following cases:

when Personal Data Processing is needed to perform a contract a party, or a beneficiary, or a guarantor to which is the Data Subject, as well as to conclude a contract at the initiative of the Data Subject or a contract a beneficiary or a guarantor to which is the Data Subject.
upon the consent of the Data Subject to the processing of its Personal Data (in cases provided for by law a written form of consent shall be obtained mainly in the form as set forth in the Regulations on Personal Data Processing and Protection at ROSEXPERT-PERSONAL JSC).
Personal Data Processing is needed for the administration of justice, execution of a judicial act or that of another body or official, subject to enforcement in accordance with the laws of the Russian Federation on enforcement proceedings, and for the exercising and performance of the functions, authorities and duties imposed by the laws of the Russian Federation.
Personal Data Processing is needed to protect the life, health or other vital interests of the Data Subject if the consent from the Data Subject cannot be obtained.
Data Subject provides or requests to provide access to the processed Personal Data to an unlimited number of persons.
processed Personal Data is subject to publication or mandatory disclosure in accordance with the applicable federal law.
in other cases provided for by the laws of the Russian Federation.

9. Processing of Special Categories of Personal Data related to the race, ethnicity, political views, religious or philosophical beliefs, state of health, and intimate life is not permitted, except in the following cases:

the Data Subject has consented in writing to the processing of their Personal Data.
The Personal Data is made publicly accessible by the Data Subject.
The Personal Data is processed pursuant to the legislation on state social assistance, labor legislation, pension legislation of the Russian Federation.
Personal Data Processing is needed to protect the life, health or other vital interests of third parties and no consent of the Data Subject can be obtained.
Personal Data Processing is needed to exercise the rights of the Data Subject or third parties, as well as in connection with the administration of justice.
Personal Data is processed pursuant to the legislation on certain types of insurance and insurance legislation.
in other cases provided for by the laws of Russian Federation.

10. The Company may process Biometric Personal Data subject to a written consent of the Data Subject, except when Biometric Personal Data is processed in connection with the performance of international treaties of the Russian Federation on readmission, in connection with administration of justice and performance of judicial acts, and in cases provided for by the legislation of the Russian Federation on defense, security, countering terrorism, transport security, countering corruption, intelligence gathering activities, state service, legislation of the Russian Federation on criminal enforcement, on entering and leaving the Russian Federation, and on the citizenship of the Russian Federation.

The Company does not process Biometric Personal Data, except for the photographic image of the Data Subject, subject to compliance with the applicable laws.

11. When collecting Personal Data, including by means of the information and telecommunication network Internet, the Company ensures that Personal Data of Russian citizens is recorded, systematized, accumulated, stored, modified (updated and altered), and extracted using the databases located within the Russian Federation territory.

The Company may perform Cross-Border Transfer of Personal Data subject to the restrictions and pursuant to the procedures set forth by the applicable laws.

12. The Company may use publicly accessible sources of Personal Data (including directories, address books) for information purposes. Such publicly accessible sources of Personal Data may include, subject to written consent of the Data Subject, their surname, first name, patronymic, year and place of birth, address, telephone number, occupation and other Personal Data provided by the Data Subject.

Information about the Data Subject shall be at any time removed from the publicly accessible sources of Personal Data upon request of the Data Subject or following the ruling of the court or other authorities.

13. The Company may process Personal Data upon instruction from another person (operator), unless otherwise is stipulated by the applicable federal law, on the basis of an agreement entered into with this person (operator), including a state or municipal contract, or on the basis of the respective act adopted by a state or municipal authority (the Operator’s Instruction).

The Company when processing Personal Data upon the Operator’s Instruction shall comply with principles and rules for Personal Data Processing set forth by Federal Law No. 152-FZ «On Personal Data» dated July 27, 2006 (the «Personal Data Law»).

The Operator’s Instruction shall define a list of actions (operations) to be performed with the Personal Data by the Company, as well as the purposes of Personal Data Processing, establish the Company’s obligation to keep the Personal Data confidential and ensure the security of Personal Data when processing, list the requirements for the protection of processed Personal Data in accordance with Art. 19 of the Personal Data Law

14. The Company when processing Personal Data upon instructions of another person being an operator of Personal Data is not obliged to obtain a consent from the Data Subject to the processing of their Personal Data.

15. In the event that another party being an operator of Personal Data instructs the Company to process Personal Data, liability to the Data Subject for the Company’s actions shall be borne by this party. The Company shall be liable to the party which instructed the Company to process Personal Data.

16. When processing Personal Data, the Company shall ensure its confidentiality, i.e. not to disclose Personal Data to third parties and not to disseminate Personal Data without the consent of the Data Subject, unless otherwise is provided for by applicable federal laws.

IV. Data Subjects

17. The Company processes Personal Data of the following categories of the Data Subjects:

The Company's current and former employees and job applicants.
Users of the Company Services (individuals).
employees or job applicants at a legal entity (private entrepreneur) being the User of Company Services (employees or job applicants of the Company's counterparties), including at the instruction of the User of Company Services to the Company.
any other individual whose Personal Data become known to the Company in the course of provision of social benefits, guarantees and compensations

V. Personal Data Processed by the Company

18. The Company processes the following categories of Personal Data: surname, first name, patronymic; date, month, year of birth; residence address; family status; property status; education; occupation; tax identification number; insurance certificate details and other Personal Data processed by the Company pursuant to the Russian law and/or in accordance with the Company’s internal regulations, including Regulations on Personal Data Processing and Protection at ROSEXPERT-PERSONAL JSC.

The Company may also process other Personal Data necessary for the purposes of Personal Data Processing specified in Section 6 hereof.

19. The employees’ Personal Data processed by the Company is determined on the basis of the Labor Code of the Russian Federation and Company's regulations.

VI. Processing and Protection of Personal Data in the Company

20. Personal Data are processed upon consent of the Data Subjects, unless otherwise is provided for by the Russian Federation laws.

21. The Personal Data contained in the Personal Data Information System or extracted from such system are processed by means of computer technology; however, such operations with Personal Data as usage, modification, distribution, and destruction with respect to each of the Data Subjects, shall be performed with a direct human involvement.

22. Only those employees of the Company whose job duties include Personal Data Processing are allowed to process Personal Data. These employees may access Personal Data to the extent they need it to fulfill their duties.

23. Personal Data is processed by way of:

receiving information containing Personal Data directly from the Data Subjects in oral and written form.
obtaining the originals and copies of the documents from the Data Subjects.
receiving duly certified copies of documents containing Personal Data or copying thereof.
receiving Personal Data when making requests to public authorities, state non-budgetary funds, other state authorities, local government agencies, commercial and non-profit organizations, private individuals in cases and in the manner provided for by the Russian Federation laws.
obtaining Personal Data from the publicly accessible sources in accordance with the legislative requirements.
recording (registering) Personal Data in logs, books, registers, etc.
inputting Personal Data in the Company’s information systems.
using other means and methods of recording Personal Data obtained in the course of the Company’s operations.

24. Transfer of Personal of Data Subjects to third parties is allowed upon the consent of the Data Subject (in cases provided by law — upon written consent of the Data Subject, except for the cases where pursuant to applicable laws such transfer is allowed without such consent (including the written one) of the Data Subject. When transferring Personal Data to third parties in accordance with executed agreements, the Company shall ensure compliance with the Russian Federation laws and the Company’s regulations on Personal Data. The Company may transfer Personal Data to competent executive authorities (Federal Tax Service of the Russian Federation, Pension Fund of the Russian Federation, Federal Fund for Mandatory Medical Insurance of the Russian Federation, etc.) in accordance with the Russian Federation laws.

25. The Company shall store Personal Data in a way allowing to identify the Data Subject for no longer than needed for the purpose of processing. Upon achievement of the processing purposes or in the event such achievement is no longer necessary, Personal Data shall be destructed. The Company shall keep Personal Data for the time period established by the Russian Federation laws and the Company’s regulations.

26. The Company shall make no decisions based exclusively on the Automated Personal Data Processing if such decisions may cause legal implications to the Data Subject or may otherwise affect their rights and legitimate interests, unless otherwise is provided for by the applicable federal laws.

27. The Company takes necessary and sufficient organizational and technical measures to protect Personal Data, including the use of information security means, detection of unauthorized access, restoration of Personal Data, establishment of Personal Data access rules, as well as control over the measures undertaken to ensure security and evaluation of the effectiveness of such measures.

28. The Company comprehends the need for and aspires to provide the appropriate security level of Personal Data processed in the course of the Company’s operations as required by the regulations of the Russian Federation, as well as from the point of view of business risks assessment.

VII. Rights of Data Subjects

29. The Data Subject may:

in accordance with the Russian Federation laws, receive information concerning the processing of their Personal Data within the Company, unless otherwise is provided for by the Russian Federation laws.
require amendment of incorrect or incomplete Personal Data, as well as data processed in violation of the Russian Federation laws.
require blocking or destruction of their Personal Data in the event that the Personal Data are incomplete, obsolete, inaccurate, illegally obtained or are not needed for the stated purpose of processing.
require notifying all persons who have previously received their Personal Data, which is incorrect or incomplete, of all the changes made thereto.
withdraw their consent to the processing of their Personal Data.
appeal actions or inaction of the Company when processing their Personal Data in accordance with the Russian Federation laws.
exercise other rights provided for by the Russian Federation laws.

VIII. Obligations of the Company as a Personal Data Operator

30. When processing Personal Data, the Company shall:

take necessary actions to fulfill its duties as an Operator as stipulated by the Russian Federation laws in the field of Personal Data Processing and protection.
clarify to the Data Subject the legal implications of refusing to provide Personal Data when this is a mandatory requirement of the Russian Federation laws.
block Personal Data processed in an illegitimate way.
discontinue the Personal Data Processing in accordance with the Russian Federation laws.
notify the Data Subject of the eliminated breaches or destruction of their Personal Data.
provide, upon request of the Data Subject or Data Subject Representative, information regarding the processing of their Personal Data, in accordance with the procedure established by the Russian Federation laws and the Company's regulations.

31. In order to fulfill the obligations established by the Russian Federation laws and the Company's regulations, a person responsible for organizing the Personal Data Processing shall be appointed within the Company by General Director's order.

32. A person responsible for organizing the Personal Data Processing in the Company shall receive instructions directly from the General Director and report to the General Director.

33. A person responsible for organizing the Personal Data Processing in the Company shall:

ensure that legal, organizational and technical measures are taken to protect the Personal Data processed by the Company from unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, as well as other illegal actions in respect to Personal Data.
exercise internal control over the Company’s compliance with the Russian Federation laws and the Company's regulations in the field of Personal Data, including the requirements for Personal Data protection.
make the Company’s employees aware about the provisions of the Personal Data Law, the Company's regulations related to Personal Data Processing, as well as the requirements for Personal Data protection.
organize the handling of queries and requests from Data Subjects or Data Subject Representatives, as well as exercise control over the handling of such requests in the Company.

IX. Liability

34. The liability for breach of the Personal Data processing and protection requirements established by the Russian Federation laws and the Company's regulations shall be determined in accordance with the Russian Federation laws.