PERSONAL DATA PROCESSING AND PROTECTION POLICY
in the Joint Stock Company "Special Economic Zone of Industrial and Production Type "Alabuga""
1. GENERAL PROVISIONS
1.1. This Policy of the Joint Stock Company "Special Economic Zone of Industrial Production Type "Alabuga"" (hereinafter referred to as the Company/Operator, JSC "SEZ IPT "Alabuga"") with regard to personal data processing (hereinafter referred to as the Policy) is developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory acts of the Russian Federation and in compliance with the requirements of paragraph 2, part 1, article 18.1 of the Federal Law dated 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the Personal Data Law) in order to ensure the protection of human and civil rights and freedoms in the course of processing of personal data, including the protection of rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data (hereinafter referred to as "Personal Data") processed by the Operator, including, but not limited to, Personal Data received via the Operator's websites: https://alabuga.ru, https://sezalabuga.ru, https://alabuga-polytech.ru and all their subdomain names (https://hr.alabuga.ru, https://rs.alabuga.ru, etc.), as well as other websites administered by the Operator, the Operator's employees or third parties with whom the Operator has a civil law contract.
1.3. Pursuant to the requirements of part 2, article 18.1 of the Personal Data Law, this Policy is published in free access in the information and telecommunication network Internet on the Operator's websites.
1.4. The provisions of the Policy shall serve as a basis for the development of local normative acts regulating the following issues.
2. TERMINOLOGY AND ACCEPTED ABBREVIATIONS
2.1. Personal data (PD) is any information relating to a directly or indirectly identified natural person (subject of personal data).
2.2. Personal data authorised by the subject of personal data for disclosure means personal data to which the subject of personal data has granted access to an unlimited number of persons by giving consent to the processing of personal data authorised by the subject of personal data for disclosure.
2.3. The subject of personal data is a natural person who is directly or indirectly identified or identifiable through PD.
2.4. Personal Data operator (operator) – JSC "SEZ IPT "Alabuga"" (TIN 1646019914), independently or jointly with other persons organising and (or) carrying out processing of Personal Data, as well as determining the purposes of Personal Data processing, content of Personal Data subject to processing, actions (operations) performed with Personal Data.
2.5. Processing of personal data - any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. The Personal Data processing includes, but is not limited to: collection, recording, systematisation, accumulation, storage, clarification (update, change), extraction, utilisation, transfer (distribution, provision, access), depersonalisation, blocking, deletion, destruction.
2.6. Automated processing of personal data - processing of personal data by means of computer equipment.
2.7. Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain entity.
2.8. Blocking of personal data - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data).
2.9. Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
2.10. Personal data depersonalisation - actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular subject of personal data without using additional information.
2.11. Personal data information system - a set of personal data contained in databases and ensuring their processing, information technologies and technical means.
2.12. Trans-border transfer of personal data - transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign individual or a foreign legal entity.
2.13. Dissemination of Personal Data – actions aimed at disclosure of Personal Data to an unspecified number of persons.
2.14. Website – a collection of computer programmes and other information contained in an information system, access to which is provided via the Internet.
3. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
3.1. Processing of Personal Data shall be carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. Processing of Personal Data shall be carried out by the Operator solely with the consent of the data subjects to the processing of their Personal Data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
3.3. The consent to the processing of Personal Data authorised by the data subject for disclosure shall be executed separately from other consents of the data subject to the processing of his/her Personal Data.
3.4. Consent to the processing of Personal Data authorised by the data subject for disclosure may be provided to the Operator directly or by confirming the data subject's intention to consent to the processing of Personal Data and the fact of familiarisation with this Policy on the Operator's websites specified in clause 1.2 of this Policy.
3.5. The Operator's employees are allowed to process Personal Data.
3.6. Processing of Personal Data shall be carried out by means of:
- non-automated processing of Personal Data;
- automated processing of Personal Data with or without transmission of this information via information and telecommunication networks;
- mixed processing of Personal Data.
3.7. The Operator shall not disclose or distribute Personal Data to third parties without the consent of the data subject, unless otherwise provided for by the federal law.
3.8. Transfer of Personal Data to enquiry and investigation authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorised executive authorities and organisations is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.9. The Operator shall take the necessary legal, organisational and technical measures to protect Personal Data from unlawful or accidental access, destruction, modification, blocking, disclosure and other unauthorised actions, including:
- determines threats to the security of PD during their processing;
- adopts local regulatory acts and other documents regulating relations in the area of processing and protection of Personal Data;
- appoints persons responsible for ensuring the security of Personal Data in the Operator's structural subdivisions and information systems;
- creates necessary conditions for work with Personal Data;
- organises accounting of documents containing Personal Data;
- organises work with information systems in which Personal Data are processed;
- stores Personal Data under conditions that ensure their safety and prevent unauthorised access to them.
3.10. The Operator shall store Personal Data in a form that allows identifying the subject of the Personal Data for no longer than required for the purposes of processing the Personal Data, unless the period of storage of the Personal Data is established by the Federal Law, contract or agreement.
3.11. When collecting Personal Data, including via the Internet, recording, systematisation, accumulation, storage, clarification (update, change), retrieval of Personal Data using databases located outside the territory of the Russian Federation is not permitted.
3.12. Only the PD that meet the purposes of their processing shall be subject to processing.
3.13. Processed PD:
№ | Purpose of Personal Data processing | Categories of Personal Data | Categories of Personal Data subjects | List of actions |
1 | Compliance with and fulfilment of the requirements of the current legislation of the Russian Federation (organisation of document flow and archival storage, sending relevant information to government agencies, fulfilling the requirements and orders of government agencies, enforcement of court decisions, consideration of claims of copyright holders and appeals of Personal Data subjects, consumers, etc.). | All Personal Data relating to a specific category of Personal Data subjects to the extent that the relevant requirements of the legislation of the Russian Federation apply to them. | Employees; job applicants; relatives of employees; dismissed employees; counterparties; representatives of counterparties; legal representatives. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; transfer (provision, access); distribution; depersonalisation; blocking; deletion; destruction. |
2 | Maintaining personnel and accounting records. | Last name, first name, patronymic; place and date of birth; citizenship; gender; registration address and actual residential address; telephone number (home, personal mobile, work and official mobile); passport details; taxpayer identification number; insurance certificate code; information on education, including academic degrees and titles, on advanced training, on knowledge of foreign languages; information on work experience, on work activity prior to employment in the Operator’s organization; information on wages and equivalent income, bank account numbers and cards specified for payment of wages; information on military registration; driver’s license details; information on awards, incentives, honorary titles; disability category and medical and social expert commission (MSEK) report; personal email address; medical report on the possibility or impossibility of working in specific working conditions; information on health status (based on the results of preliminary and periodic medical examinations); information required for registration of a voluntary health insurance policy; information on private life (marital status, family composition); biometric data (photo and video images, fingerprint information). | Employees; job applicants; relatives of employees; dismissed employees; counterparties; representatives of counterparties; legal representatives. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; transfer (provision, access); depersonalisation; blocking; deletion; destruction. |
3 | Assistance to employees in finding employment, obtaining education, and career advancement; attracting and selecting candidates for employment with the Operator. | Last name, first name, patronymic, date of birth, place of birth, gender, email address, residential address, registration address, telephone number, identity document details, employment history, education details. | Employees; job applicants; website visitors; legal representatives. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; transfer (provision, access); depersonalisation; blocking; deletion; destruction. |
4 | Implementation of access control; ensuring the personal safety of employees; monitoring the quantity and quality of work performed; ensuring the safety of the Operator's property. | Last name, first name, patronymic; date of birth; gender; residential address; registration address; citizenship; identity document details; driver's license details; profession; position; biometric data (photo and video images, fingerprint information). | Employees; job applicants; relatives of employees; dismissed employees; counterparties; representatives of counterparties; clients; legal representatives; beneficiaries under contracts. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; blocking; deletion; destruction. |
5 | Conclusion of contracts with individuals and legal entities for the provision of services and/or performance of work and/or purchase of goods; implementation of educational, training, and outreach activities. | Last name, first name, patronymic; date of birth; place of birth; email address; gender; residential address; registration address; telephone number; TIN; citizenship; details of the identity document; details of the document contained in the birth certificate; bank card details; bank account number; profession; position; information about work experience; relation to military service, information about military registration; information about education. | Employees; job applicants; relatives of employees; dismissed employees; counterparties; representatives of counterparties; clients; website visitors; legal representatives; beneficiaries under contracts; pupils; students. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; transfer (provision, access); distribution; depersonalisation; blocking; deletion; destruction. |
6 | Identification of website users, provision of access to website functionality; personalization of services provided and website features; provision of information support and processing of requests; conducting research aimed at improving the quality of website products and services; creation of new website products and services. | Last name, first name, patronymic; date of birth; gender; email address; residential address; registration address; telephone number; identity document details; bank card details; employment history; information collected through metric programs. | Employees; job applicants; relatives of employees; dismissed employees; counterparties; representatives of counterparties; clients; website visitors; legal representatives; pupils; students. | Collection; recording; systematisation; accumulation; storage; clarification (updating, modification); retrieval; utilisation; transfer (provision, access); distribution; depersonalisation; blocking; deletion; destruction. |
3.14. Users of the websites specified in Section 1.2 of this Policy have the right to independently limit or completely disable the functioning of cookies through the settings of the web browser used. Disabling technical cookies may lead to incorrect operation of the Operator's websites, and some of their functionality may not be available.
The Operator, using cookies, does not pursue the purpose of identifying a particular user of the website.
Types of cookies | Description |
Strictly necessary (technical) | These cookies are necessary for the functioning of the Operator's websites and cannot be switched off. As a rule, they are only set in response to actions by the data subject which amount to a request for services, such as setting privacy preferences, logging in, or filling in forms. The data subject may set their browser to block or alert them about these cookies, but some parts of the website will not then work or function properly. |
Performance (analytical) | These cookies allow the Operator to count visits and traffic sources in order to evaluate and improve the performance of the Operator's websites. They allow the Operator to know which pages are the most and least popular and see how visitors navigate the websites. |
Targeting (marketing) | These cookies may be set through the Operator's websites by the Operator's partners and/or counterparties. They may be used by those companies to build a profile of the data subject's interests and show them relevant adverts on other websites. If the data subject does not approve the use of these cookies, they will not experience targeted advertising from the Operator on various websites. |
Functional | These cookies enable the website to provide enhanced functionality and personalisation, for example, for online-chats or videos. They may be set by the Operator or third parties. If the data subject does not approve these cookies then some or all of these services may not function properly. |
3.15. With the consent of the data subject, the Operator shall transfer the data subject's Personal Data to third parties with whom the Operator has a civil law contract.
3.16. Legal grounds for processing Personal Data:
3.16.1. Performance of functions, mandates and duties assigned to the Operator by the legislation of the Russian Federation (Labour Code of the Russian Federation, Civil Code of the Russian Federation, Federal Law-149 "On Information, Information Technologies and Information Protection");
3.16.2. Agreements concluded by the Operator with the data subjects;
3.16.3. Consents for processing of Personal Data received by the Operator for the purposes specified in clause 3.13 of this Policy;
3.16.4. Exercise of the rights and legitimate interests of the Operator.
4. TRANSFER TO THIRD PARTIES
4.1. The Operator has the right to transfer Personal Data or entrust its processing to third parties if this is necessary to achieve the Personal Data processing purposes specified in Section 3.14 of this Policy.
4.2. Transfer and Entrustment to Subsidiaries:
4.2.1. Alabuga Development LLC (PSRN: 1161690175338; TIN: 1646043699);
4.2.2. Alabuga Machinery LLC (PSRN: 1221600079623; TIN: 1674003000);
4.2.3. Stroytrest Alabuga LLC (PSRN: 1241600041528; TIN: 1674010127);
4.2.4. Other organizations that are subsidiaries or dependents of the Operator in accordance with article 6 of the Federal Law No. 14-FZ of February 8, 1998, "On Limited Liability Companies";
4.2.5. Other organizations that are subsidiaries or dependents of the organizations specified in Section 4.2.4 of this Policy.
4.3. Transfer and Assignment to Other Persons:
4.3.1. The Operator has the right to transfer Personal Data and assign the processing of Personal Data to partners and/or counterparties to the extent necessary for the conclusion and execution of civil law contracts. The Operator transfers Personal Data to government agencies in accordance with the requirements of Russian legislation.
4.4. When entrusting the processing of Personal Data to a third party, the Operator shall enter into a relevant entrustment agreement with such third party. In this case, the Operator in such an assignment agreement shall oblige the person processing Personal Data to comply with the principles and rules of Personal Data processing stipulated by the current legislation of the Russian Federation.
4.5. In cases where the Operator entrusts the processing of Personal Data to a third party, the Operator shall be liable to the Personal Data subject for the actions of the said party. The person processing Personal Data on behalf of the Operator shall be liable to the Operator in accordance with the terms and conditions of the engagement agreement.
5. STORAGE AND DESTRUCTION OF PERSONAL DATA
5.1. Personal Data of the subjects may be received, further processed and transferred for storage both on paper and in electronic form.
5.2. Personal Data recorded on paper shall be stored in lockable cabinets or in locked rooms with limited right of access to such rooms.
5.3. PD of subjects processed using automation tools for different purposes shall be stored in different folders.
5.4. PD stored in a form that allows identifying the PD subject shall be stored for no longer than required for the purposes of their processing and shall be destroyed upon achievement of the processing purposes or in the event that there is no longer a need to achieve them.
5.5. Destruction of PD.
5.6. Documents (carriers) containing Personal Data shall be destroyed by burning, crushing (shredding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.
5.7. PD on electronic carriers shall be destroyed by erasing or formatting the carrier.
5.8. The fact of the destruction of PD shall be confirmed by a documented act on the destruction of carriers. The act shall be drawn up and signed by the employee who actually destroyed the data. In addition, to further confirm the fact of deletion, the act shall also bear the signature of the employee's immediate supervisor.
6. PERSONAL DATA PROTECTION
6.1. In accordance with the requirements of regulatory documents, the Operator has established a Personal Data Protection System (hereinafter referred to as "PDPS") consisting of legal, organisational and technical protection subsystems.
6.2. The legal protection subsystem is a set of legal, organisational, administrative and regulatory documents ensuring the creation, operation and improvement of the PDPS.
6.3. The organisational protection subsystem includes the organisation of the management structure of the PDPS, the permit system, and information protection when working with employees, partners and third parties.
6.4. The technical protection subsystem includes a set of technical, hardware, and software tools that ensure the protection of PD.
6.5. The main measures of PD protection used by the Operator are:
6.5.1. Appointment of a person responsible for processing of Personal Data, who is responsible for organisation of processing of Personal Data, training and instruction, internal control over compliance of the Operator and its employees with the requirements for protection of Personal Data.
6.5.2. Identification of actual threats to the security of Personal Data during their processing in the Operator's information systems for Personal Data (hereinafter referred to as ISPD) and development of measures and activities to protect Personal Data.
6.5.3. Development of a policy on processing of PD by the Operator.
6.5.4. Establishment of rules of access to the PD processed in the Operator's ISPD, as well as ensuring registration and accounting of all actions performed with the PD in the ISPD.
6.5.5. Establishment of individual passwords for employees' access to the ISPD in accordance with their work duties.
6.5.6. The use of information protection equipment that has undergone the conformity assessment procedure in accordance with the established procedure.
6.5.7. Certified anti-virus software with regularly updated databases.
6.5.8. Observance of conditions ensuring the safety of Personal Data and excluding unauthorised access to them.
6.5.9. Detection of the facts of unauthorised access to Personal Data and taking necessary measures.
6.5.10. Restoration of PD modified or destroyed as a result of unauthorised access to them.
6.5.11. Training of the Operator's employees directly involved in the processing of Personal Data on the provisions of the Russian legislation on Personal Data, including the requirements for the protection of Personal Data, documents defining the Operator's policy with regard to the processing of Personal Data, and local acts on the processing of Personal Data.
6.5.12. Implementation of internal control and audit.
6.6. Principles of Personal Data processing:
6.6.1. Personal Data must be processed lawfully and fairly.
6.6.2. Personal Data must be processed only to achieve specific, predetermined, and legitimate purposes. Processing of Personal Data that is incompatible with the purposes for which it was collected is prohibited.
6.6.3. Databases containing Personal Data processed for incompatible purposes may not be combined.
6.6.4. Only Personal Data that is relevant to the purposes for which it is processed may be processed.
6.6.5. The content and volume of Personal Data processed must correspond to the stated purposes of processing. The Personal Data processed must not be excessive in relation to the stated purposes of processing.
6.6.6. When processing Personal Data, the accuracy, sufficiency, and, where necessary, relevance of the Personal Data in relation to the purposes for which it is processed must be ensured. The operator must take necessary measures or ensure that they are taken to delete or rectify incomplete or inaccurate data.
6.6.7. Personal Data must be stored in a form that allows identification of the Personal Data subject for no longer than required for the purposes of processing the Personal Data, unless the storage period for Personal Data is specified by a federal law or an agreement to which the Personal Data subject is a party, beneficiary, or guarantor. Processed Personal Data must be destroyed or anonymized upon the achievement of the processing purposes or when these purposes are no longer necessary, unless otherwise provided by the federal law.