Preamble
on the Processing of Personal Data
GENERAL PROVISIONS
This Preamble on the Processing of Personal Data (hereinafter – the Preamble, the present Preamble) is developed by the company [Name of the Company] (hereinafter also – the Operator) and is applied in accordance with Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
This Preamble defines the Operator’s policy regarding the processing of personal data.
All issues related to the processing of personal data not regulated by this Preamble are resolved in accordance with the current legislation of the Russian Federation in the field of personal data.
This Preamble and amendments to it are approved by the head of the Operator and are introduced by order of the Operator.
In accordance with Clause 1, Article 3 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data,” personal data of clients and individuals refers to any information relating directly or indirectly to an individual who is identified or identifiable on the basis of such information (hereinafter – personal data).
[Name of the Company] is the operator organizing and/or implementing the processing of personal data, as well as determining the purposes and content of personal data processing.
The purpose of personal data processing is:
- ensuring the protection of the rights and freedoms of individuals and citizens during personal data processing, including the protection of privacy, personal and family secrets;
- providing services related to the economic activities of the Operator to individuals and legal entities, including contacts with such persons via email, telephone, or address provided by the respective person;
- sending consultations and responses to inquiries to individuals via communication means, using the contact details they provide;
- promoting the Operator’s goods, works, and services in the market through direct contact with potential consumers via communication means (only with prior consent of the data subject).
Processing is organized by the Operator based on the principles of:
- legality of purposes and methods of processing personal data, good faith, and fairness in the Operator’s activities;
- accuracy of personal data, their sufficiency for processing purposes, and inadmissibility of processing personal data that is excessive in relation to the goals stated at the time of collection;
- processing only personal data that meets the purposes of processing;
- compliance of the content and volume of processed personal data with the declared purposes;
- inadmissibility of merging databases containing personal data processed for incompatible purposes;
- ensuring the accuracy, sufficiency, and, where necessary, relevance of personal data regarding processing goals, with measures taken by the Operator to delete or clarify incomplete or inaccurate data;
- storing personal data in a form allowing identification of the data subject no longer than required for processing purposes.
Personal data is processed with adherence to the principles and rules set forth in Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and this Preamble.
Personal data may be processed using automated and non-automated means.
Prior to processing personal data for the set goals and tasks, the Operator appoints a responsible person for organizing personal data processing.
The person responsible receives instructions directly from the executive body of the Operator and reports to it.
The responsible person may prepare and sign notices as provided for in Paragraphs 1 and 3 of Article 22 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
Employees of the Operator directly involved in processing personal data must familiarize themselves prior to starting work with the provisions of Russian Federation legislation on personal data, including requirements for personal data protection, documents defining the Operator’s policy regarding personal data processing, local acts related to personal data processing, this Preamble, and amendments thereto.
The Operator implements legal, organizational, and technical measures to ensure the security of personal data in accordance with Article 19 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
When collecting personal data via information and telecommunication networks, the Operator must publish in the relevant network a document defining its personal data processing policy, information on implemented data protection measures, and ensure access to this document through the means of the relevant network.
Conditions for personal data processing by the Operator include:
- processing is carried out with the consent of the data subject;
- processing is necessary to achieve goals established by an international treaty of the Russian Federation or law, for the implementation and fulfillment of functions, powers, and duties assigned to the Operator by law;
- processing is necessary for the execution of a contract in which the data subject or the beneficial owner or guarantor thereof is a party, including when exercising the Operator’s right to assign rights (claims) under such a contract, or for concluding a contract at the initiative of the data subject or in which the data subject is a beneficiary or guarantor;
- processing is necessary to protect the life, health, or other vital interests of the data subject if obtaining consent is impossible;
- processing is necessary to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the data subject are not violated;
- processing for statistical or other research purposes, excluding the goals specified in Article 15 of Federal Law No. 152-FZ, provided that personal data are anonymized;
- processing of personal data to which access by an unlimited number of persons has been granted by the data subject or at their request;
- processing of personal data subject to publication or mandatory disclosure under federal law.
Personal data must be stored in a form that allows identification of the data subject no longer than required for processing purposes, and must be destroyed upon achieving the processing goals or if there is no longer a need for their processing, in accordance with the Operator’s personal data storage policy.
Personal data processed in information systems must be protected against unauthorized access and copying. The security of personal data during processing in information systems is ensured through a data protection system including organizational measures and information security tools.
Technical and software means must meet the requirements established by Russian legislation to ensure information security.
Interaction with federal executive authorities regarding processing and protection of personal data of data subjects processed by the Operator is conducted within the framework of Russian legislation.
PROVISION OF RIGHTS OF THE DATA SUBJECT BY THE OPERATOR
Data subjects or their representatives have rights provided by Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” and other regulatory acts governing personal data processing.
The Operator ensures the rights of data subjects in accordance with Chapters 3 and 4 of Federal Law No. 152-FZ.
The Operator shall provide the data subject or their representative, free of charge, the opportunity to familiarize themselves with their personal data at the Operator’s location during working hours.
The right of the data subject to access their personal data may be limited in accordance with federal laws.
If a representative acts on behalf of the data subject, the authority of the representative is confirmed by a power of attorney issued in accordance with the law.
In cases where the data subject provides written consent for data processing, simple written form suffices.
The Operator guarantees the security and confidentiality of personal data used.
Processing personal data for the purpose of promoting goods, works, and services via direct contact with potential consumers using communication means is only permitted with prior consent of the data subject.
RECEIPT, PROCESSING, AND STORAGE OF PERSONAL DATA
The Operator establishes the following procedure for obtaining personal data:
When requesting services, the client provides the data through the appropriate forms.
The Operator does not collect or process personal data about race, political views, religious or philosophical beliefs, health status, or private life, unless the law provides otherwise.
In cases related to employment issues, pursuant to Article 24 of the Constitution of the Russian Federation, the organization may collect and process personal data about private life only with the client’s written consent.
If the client accepts an offer posted on the Operator’s website or concludes another agreement, processing of personal data is carried out to fulfill that agreement, which comes into force upon acceptance of the offer or conclusion of the agreement.
The Operator may also process personal data of individuals who contact the Operator with their consent to use their data.
Processing is not required where:
- personal data is publicly available;
- processing is based on federal law that establishes its purpose, conditions for obtaining data, and the scope of subjects;
- upon request of authorized state bodies as provided by law;
- processing is necessary for the performance of a contract with the Operator;
- processing for statistical or scientific purposes with mandatory anonymization;
- processing is necessary to protect life, health, or other vital interests if obtaining consent is impossible.
The Operator ensures secure storage of personal data, including:
- storage, collection, accounting, and use of documents containing personal data, organized in the form of a separate archive of the Operator;
- storage in a form allowing identification of the data subject no longer than necessary for processing goals, with destruction or anonymization upon achieving those goals or if no longer needed, unless otherwise provided by law.
TRANSFER OF PERSONAL DATA
Personal data may be transferred subject to the following:
- Personal data shall not be disclosed to third parties without the client’s written consent, except when necessary to prevent threats to life or health, or as required by law.
- Personal data shall not be disclosed for commercial purposes without the client’s written consent.
- Recipients of personal data shall be warned that data can only be used for the purposes they were disclosed for, and confirmation of compliance with this rule shall be requested.
- Access to personal data shall be granted only to authorized persons, who shall have the right to access only those data necessary for their functions.
- Information about the client’s health status shall not be requested unless related to contract obligations.
- Personal data shall be transferred to the client’s representatives in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
ACCESS TO PERSONAL DATA
The right to access personal data belongs to:
- the head of the Operator;
- employees working with a specific client;
- accounting staff;
- technical support staff.
Clients, for the purpose of personal data protection, have the following rights:
- to receive full information about their personal data and its processing;
- to have free, unrestricted access to their personal data, including the right to obtain copies of records containing personal data, except as provided by law;
- to designate representatives for the protection of their personal data;
- to request correction or deletion of inaccurate or incomplete data, or data processed unlawfully.
Copying and extracting personal data is allowed solely for official purposes with the permission of the head.
RESPONSIBILITY FOR VIOLATION OF NORMS REGULATING PERSONAL DATA PROCESSING
Persons responsible for violations of personal data regulations shall bear disciplinary, administrative, civil, or criminal liability as established by federal laws.
Heads of structural divisions of the Operator are personally responsible for ensuring their subordinates perform their duties properly.